ci: pin GitHub Actions to commit SHAs for security

Pin all GitHub Actions references to specific commit SHAs instead of version tags to improve security and reproducibility:
- actions/checkout@v4 → eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
- actions/setup-python@v5 → f677139bbe7f9c59b41e40162b753c062f5d49a3
- pypa/gh-action-pypi-publish@v1.12.4 → ab69e431e9c9f48a3310be0a56527c679f56e04d
- actions/github-script@v7 → 60a0d83039c74a4aee543508d2ffcb1c3799cdea
- docker/setup-qemu-action@v3 → 49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
- docker/setup-buildx-action@v3 → c47758b77c9736f4b2ef4073d4d51994fabfe349
- docker/login-action@v3 → 9780b0c442fbb1117ed29e0efdff1e18412f7567
- docker/build-push-action@v5 → 4f58ea79222b3b9dc2c8bbdd6debcef730109a75

This follows GitHub security best practices by ensuring exact versions are used and preventing potential supply chain attacks from compromised tags.

Author: dacoburn

.github/workflows/pr-preview.yml

@@ -11,10 +11,10 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
           python-version: '3.x'
 
@@ -43,14 +43,14 @@ jobs:
 
       - name: Publish to Test PyPI
         if: steps.version_check.outputs.exists != 'true'
-        uses: pypa/gh-action-pypi-publish@v1.12.4
+        uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d
         with:
           repository-url: https://test.pypi.org/legacy/
           verbose: true
 
       - name: Comment on PR
         if: steps.version_check.outputs.exists != 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         env:
           VERSION: ${{ env.VERSION }}
         with:
@@ -120,21 +120,21 @@ jobs:
           exit 1
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
 
       - name: Login to Docker Hub with Organization Token
         if: steps.verify_package.outputs.success == 'true'
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build & Push Docker Preview
         if: steps.verify_package.outputs.success == 'true'
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         env:
           VERSION: ${{ env.VERSION }}
         with:

.github/workflows/release.yml

@@ -10,10 +10,10 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
           python-version: '3.x'
 
@@ -66,16 +66,16 @@ jobs:
 
       - name: Publish to PyPI
         if: steps.version_check.outputs.pypi_exists != 'true'
-        uses: pypa/gh-action-pypi-publish@v1.12.4
+        uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
 
       - name: Login to Docker Hub with Organization Token
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -102,7 +102,7 @@ jobs:
         if: |
           steps.verify_package.outputs.success == 'true' &&
           steps.docker_check.outputs.docker_exists != 'true'
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         env:
           VERSION: ${{ env.VERSION }}
         with:

.github/workflows/version-check.yml

@@ -11,7 +11,7 @@ jobs:
   check_version:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0  # Fetch all history for all branches
 
@@ -39,7 +39,7 @@ jobs:
           "
 
       - name: Manage PR Comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         if: always()
         env:
           MAIN_VERSION: ${{ env.MAIN_VERSION }}

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.11"
+version = "2.2.12"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [

socketsecurity/__init__.py

@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.11'
+__version__ = '2.2.12'