From a9957162128440ca41917054a413b8041230523b Mon Sep 17 00:00:00 2001
From: cy
Date: Sun, 11 May 2025 01:04:15 -0400
Subject: [PATCH] pin workflows by sha
---
 .github/workflows/build.yml | 7 +++----
 .github/workflows/check.yml | 6 ++++--
 .github/workflows/test.yml | 6 ++++--
 3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8332f1c..090eec8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,7 +25,7 @@ jobs:
 run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem
 - name: Install Nix
- uses: cachix/install-nix-action@v30
+ uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641
 with:
 enable_kvm: true
 extra_nix_config: |
@@ -35,8 +35,7 @@ jobs:
 extra-substituters = https://nixcache.cy7.sh
 extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
- - name: Sync repository
- uses: actions/checkout@v4
+ - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
 with:
 persist-credentials: false
@@ -54,7 +53,7 @@ jobs:
 run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result
 - name: upload result
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
 with:
 name: ${{ matrix.os }}.tar
 path: result.tar
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 896aad1..0b9ac66 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -10,7 +10,7 @@ jobs:
 steps:
 - name: Install Nix
- uses: cachix/install-nix-action@v30
+ uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641
 with:
 enable_kvm: true
 extra_nix_config: |
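Review bot: The pinned `uses:` lines in the first build.yml hunk (and the other pins in build.yml, check.yml and test.yml) carry no trailing version comment, so nothing in the file says which release each 40-character SHA corresponds to. I would keep the tag next to the pin, for example `uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v30` if that SHA is indeed the commit the v30 tag points at. Before merging, confirm each SHA is reachable from a tag or branch of the action's own repository and not only through a fork. That check matters most in build.yml, where the context line above the Install Nix step writes the cache signing key into `${{ runner.temp }}` before the third-party action runs. The steps' enclosing job starts outside the hunk.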
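Review bot: The context line `run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result` in the third build.yml hunk still names nixpkgs without a revision, so the tar binary that packs the uploaded artifact is resolved at run time and is not covered by this pinning change. Consider a revision-qualified reference such as `nix run github:nixos/nixpkgs/<pinned-rev>#gnutar hcvf result.tar result` (placeholder; take the revision from the project's lock file if it has one), or run tar from the flake's own locked inputs. The step that owns this `run:` line begins outside the hunk.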
@@ -19,7 +19,9 @@ jobs:
 extra-substituters = https://nixcache.cy7.sh
 extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
- - uses: actions/checkout@v4
+ - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
+ with:
+ persist-credentials: false
 - name: Run checks
 run: nix flake check -L
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 12ef747..cc7fabc 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - name: Install Nix
- uses: cachix/install-nix-action@v30
+ uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641
 with:
 enable_kvm: true
 extra_nix_config: |
@@ -22,7 +22,9 @@ jobs:
 extra-substituters = https://nixcache.cy7.sh
 extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
- - uses: actions/checkout@v4
+ - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
+ with:
+ persist-credentials: false
 - name: Run tests
 run: nix develop -c cargo test --verbose
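Review bot: `persist-credentials: false` on the checkout step in the second check.yml hunk (and the matching second hunk of test.yml) keeps the token out of the checked-out `.git/config`, but it does not narrow what the job's GITHUB_TOKEN is allowed to do. Neither hunk shows a `permissions:` key, so if the workflows do not declare one, I would add a top-level `permissions:` mapping with `contents: read` so the later `nix flake check` and `cargo test` steps run with a read-only token. The top of both files is outside the hunks, so this may already be in place.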