pin new actions to commit.

all previous actions already pinned. limits exposure to something like https://arstechnica.com/information-technology/2025/03/supply-chain-attack-exposing-credentials-affects-23k-users-of-tj-actions/ to explicit actions update PRs
2025-11-30 23:16:04 +07:00 · 2025-03-19 13:05:25 -07:00
parent b45e65c931
commit cad01ef340
1 changed files with 2 additions and 2 deletions
--- a/.github/workflows/vm.yaml
+++ b/.github/workflows/vm.yaml
@@ -44,11 +44,11 @@ jobs:
          check-latest: true

      - name: "Install Lima"
-        uses: lima-vm/lima-actions/setup@v1
+        uses: lima-vm/lima-actions/setup@be564a1408f84557d067b099a475652288074b2e # v1
        id: lima-actions-setup

      - name: "Cache ~/.cache/lima"
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: ~/.cache/lima
          key: lima-${{ steps.lima-actions-setup.outputs.version }}