ci: pin varios actions to a proper semver version

2026-02-14 19:06:44 +01:00
4 changed files with 37 additions and 6 deletions
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -18,9 +18,9 @@ jobs:
          fetch-depth: 0
      - name: Increment tag
        id: tag
-        uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@11c694022eefab5876ac346fc9ffc0464b2548c7 # 0.1.30
+        uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@68d642a9f68c4c00b6809126707aceca432c5e75 # 0.1.25
        with:
          token: ${{ secrets.GITEA_TOKEN }}
-      - uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@f386e2570df6a796ba0a69865c89ea0c1a7109ab # 0.2.2
+      - uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@72551407e761ecdad9bfd421513a1f3b6f252234 # 0.1.2
        with:
          tag: ${{ steps.tag.outputs.new-tag }}
--- a/.gitea/workflows/prerelease.yaml
+++ b/.gitea/workflows/prerelease.yaml
@@ -13,10 +13,10 @@ jobs:
          fetch-depth: 0
      - name: Increment tag
        id: tag
-        uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@11c694022eefab5876ac346fc9ffc0464b2548c7 # 0.1.30
+        uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@68d642a9f68c4c00b6809126707aceca432c5e75 # 0.1.25
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          prerelease: true
-      - uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@f386e2570df6a796ba0a69865c89ea0c1a7109ab # 0.2.2
+      - uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@72551407e761ecdad9bfd421513a1f3b6f252234 # 0.1.2
        with:
-          tag: ${{ steps.tag.outputs.new-tag }}
+          tag: ${{ steps.tag.outputs.new-tag }}
--- a/.gitea/workflows/run-tas.yaml
+++ b/.gitea/workflows/run-tas.yaml
@@ -0,0 +1,31 @@
+name: Run TAS
+
+on:
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: "The branch to run TAS on"
+        required: true
+        default: "main"
+  schedule:
+    - cron: "0 6 * * 5"
+
+jobs:
+  run-tas:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@d3dadf6c278b1e86c8f292844225e9c6de230c64 # 1.3.1
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@d3dadf6c278b1e86c8f292844225e9c6de230c64 # 1.3.1
+      - env:
+          TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
+        run: |
+          trivy config --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output sarif.json .
+      - uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@cd7a5213f75c28565a24fff5ce7f8161869fb813 # 0.0.2
+        with:
+          tas-base-url: ${{ vars.TAS_BASE_URL }}
+          sarif-file: sarif.json
+          owner: t.behrendt
+          repo: validate-json-by-json-schema-action
+          branch: ${{ inputs.branch || github.head_ref || 'main' }}
--- a/action.yml
+++ b/action.yml
@@ -10,7 +10,7 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+    - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
      with:
        node-version: "latest"
    - name: Extract schema