workflows: use explicit SHA for all action references

Port the improvements from nvme-cli to libnvme.

Signed-off-by: Daniel Wagner <[email protected]>

Author: igaw

.github/workflows/build.yml

@@ -19,11 +19,11 @@ jobs:
     container:
       image: ghcr.io/linux-nvme/debian.python:latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: build
         run: |
           scripts/build.sh -b ${{ matrix.buildtype }} -c ${{ matrix.compiler }} -x
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         name: upload logs
         if: failure()
         with:
@@ -40,26 +40,24 @@ jobs:
           - arch: s390x
           - arch: ppc64le
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: enable foreign arch
-        uses: dbhi/qus/action@main
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: compile and run unit tests
-        uses: mosteo-actions/docker-run@v2
-        with:
-          image: ghcr.io/linux-nvme/ubuntu-cross-${{ matrix.arch }}:latest
-          guest-dir: /build
-          host-dir: ${{ github.workspace }}
-          command: |
-            scripts/build.sh -b release -c gcc -t ${{ matrix.arch }} cross
-          params: "--platform linux/amd64"
-          pull-params: "--platform linux/amd64"
-      - uses: actions/upload-artifact@v5
+        run: |
+          docker run --rm \
+            --platform linux/amd64 \
+            -v "${{ github.workspace }}:/build" \
+            -w /build \
+            ghcr.io/linux-nvme/ubuntu-cross-${{ matrix.arch }}:latest \
+            sh -c "git config --global --add safe.directory /build && scripts/build.sh -b release -c gcc -t ${{ matrix.arch }} cross"
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         name: upload logs
         if: failure()
         with:
@@ -73,11 +71,11 @@ jobs:
     container:
       image: ghcr.io/linux-nvme/debian:latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: build
         run: |
           scripts/build.sh -b release -c gcc libdbus
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         name: upload logs
         if: failure()
         with:
@@ -92,11 +90,11 @@ jobs:
       image: ghcr.io/linux-nvme/debian:latest
     if: github.ref == 'refs/heads/master'
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: build
         run: |
           scripts/build.sh -b release -c gcc fallback
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: failure()
         with:
           name: log files
@@ -109,7 +107,7 @@ jobs:
     container:
       image: ghcr.io/linux-nvme/debian:latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: build
         run: |
           scripts/build.sh -m muon

.github/workflows/checkpatch.yml

@@ -7,9 +7,9 @@ jobs:
     steps:
     - name: 'Calculate PR commits + 1'
       run: echo "PR_FETCH_DEPTH=$(( ${{ github.event.pull_request.commits }} + 1 ))" >> $GITHUB_ENV
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         ref: ${{ github.event.pull_request.head.sha }}
         fetch-depth: 0
     - name: Run checkpatch review
-      uses: webispy/checkpatch-action@v9
+      uses: webispy/checkpatch-action@58374fe5bb03358b23d3d6871e2ff290ce77fcd2 # v9

.github/workflows/coverage.yml

@@ -14,11 +14,11 @@ jobs:
     container:
       image: ghcr.io/linux-nvme/debian.python:latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: build
         run: |
           scripts/build.sh coverage
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: true

.github/workflows/docs.yaml

@@ -16,7 +16,7 @@ jobs:
     container:
       image: ghcr.io/linux-nvme/debian:latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: build
         run: |
           scripts/build.sh docs

.github/workflows/release-python.yml

@@ -21,7 +21,7 @@ jobs:
     container:
       image: ghcr.io/linux-nvme/debian.python:latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Allow workspace
         run: |
@@ -35,7 +35,7 @@ jobs:
         run: |
           pipx run twine check dist/*.tar.gz
 
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           path: dist/*.tar.gz
           retention-days: 5
@@ -49,7 +49,7 @@ jobs:
       image: ghcr.io/linux-nvme/debian.python:latest
     steps:
       - name: Check out repository (with tags)
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0  # Required for `git describe`
 
@@ -79,7 +79,7 @@ jobs:
         run: |
           pipx run twine check dist/*.tar.gz
 
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: test_pypi
           path: dist/*.tar.gz
@@ -95,13 +95,13 @@ jobs:
       id-token: write
     if: github.repository == 'linux-nvme/libnvme'
     steps:
-      - uses: actions/download-artifact@v6
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
         with:
           name: test_pypi
           path: dist
 
       - name: Publish package to TestPyPI
-        uses: pypa/gh-action-pypi-publish@v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
           repository-url: https://test.pypi.org/legacy/
 
@@ -123,12 +123,12 @@ jobs:
            fi
 
       - name: Download artifiact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
         if: steps.check-tag.outputs.match == 'true'
         with:
           name: artifact
           path: dist
 
       - name: Publish package to PyPI
-        uses: pypa/gh-action-pypi-publish@v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         if: steps.check-tag.outputs.match == 'true'

.github/workflows/release.yml

@@ -14,7 +14,9 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v5
-      - uses: ncipollo/release-action@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Create Release
+        run: |
+          gh release create "${GITHUB_REF_NAME}" --generate-notes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}