GHA: pin dependencies

Closes #13628

.github/workflows/awslc.yml

@@ -63,7 +63,7 @@ jobs:
         name: 'install prereqs and impacket'
 
       - name: cache awslc
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-awslc
         env:
           cache-name: cache-awslc
@@ -83,7 +83,7 @@ jobs:
           cmake --build . --parallel
           cmake --install .
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - run: autoreconf -fi
         name: 'autoreconf'
@@ -123,7 +123,7 @@ jobs:
         name: 'install prereqs and impacket'
 
       - name: cache awslc
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-awslc
         env:
           cache-name: cache-awslc
@@ -143,7 +143,7 @@ jobs:
           cmake --build . --parallel
           cmake --install .
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - run: cmake -Bbuild -DCMAKE_UNITY_BUILD=ON -DCURL_WERROR=ON -DOPENSSL_ROOT_DIR=$HOME/awslc -DBUILD_SHARED_LIBS=ON .
         name: 'cmake generate out-of-tree'

.github/workflows/codeql-analysis.yml

@@ -51,11 +51,11 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3
         with:
           languages: cpp
           queries: security-extended
@@ -63,7 +63,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -77,4 +77,4 @@ jobs:
       #    make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3

.github/workflows/codespell.yml

@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - name: install
         run: |

.github/workflows/configure-vs-cmake.yml

@@ -30,7 +30,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - name: run configure --with-openssl
         run: |

.github/workflows/curl-for-win.yml

@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           path: 'curl'
           fetch-depth: 8
@@ -55,7 +55,7 @@ jobs:
     runs-on: macos-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           path: 'curl'
           fetch-depth: 8
@@ -70,7 +70,7 @@ jobs:
   win-llvm:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           path: 'curl'
           fetch-depth: 8

.github/workflows/distcheck.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - run: sudo apt-get purge -y curl libcurl4 libcurl4-doc
         name: 'remove preinstalled curl libcurl4{-doc}'
@@ -50,7 +50,7 @@ jobs:
           mkdir run2; cp -p ./curl-99.98.97.* run2/
           diff run1 run2
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
         with:
           name: 'release-tgz'
           path: 'curl-99.98.97.tar.gz'
@@ -74,7 +74,7 @@ jobs:
     timeout-minutes: 30
     needs: maketgz-and-verify-in-tree
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4
         with:
           name: 'release-tgz'
 
@@ -97,7 +97,7 @@ jobs:
     timeout-minutes: 30
     needs: maketgz-and-verify-in-tree
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4
         with:
           name: 'release-tgz'
 
@@ -118,7 +118,7 @@ jobs:
     timeout-minutes: 30
     needs: maketgz-and-verify-in-tree
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4
         with:
           name: 'release-tgz'
 

.github/workflows/hacktoberfest-accepted.yml

@@ -26,7 +26,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 100
 

.github/workflows/label.yml

@@ -21,6 +21,6 @@ jobs:
       pull-requests: write
 
     steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/linkcheck.yml

@@ -30,12 +30,12 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         name: checkout
 
       - name: trim the cmdline docs markdown files
         run: find docs/cmdline-opts -name "*.md" ! -name "_*" ! -name MANPAGE.md | xargs -n1 ./.github/scripts/cleancmd.pl
 
-      - uses: gaurav-nelson/github-action-markdown-link-check@v1
+      - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
         with:
           use-quiet-mode: 'yes'

.github/workflows/linux-old.yml

@@ -77,7 +77,7 @@ jobs:
           httrack --get https://security.debian.org/debian-security/pool/updates/main/g/glibc/libc6_2.28-10+deb10u3_amd64.deb
           dpkg -i libc6_2.28-10+deb10u3_amd64.deb
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - name: 'cmake build-only (out-of-tree, libssh2)'
         run: |

.github/workflows/linux.yml

@@ -204,7 +204,7 @@ jobs:
           apk add --no-cache build-base autoconf automake libtool perl openssl-dev libssh2-dev zlib-dev brotli-dev zstd-dev libidn2-dev openldap-dev heimdal-dev libpsl-dev py3-impacket py3-asn1 py3-six py3-pycryptodomex perl-time-hires openssh stunnel sudo git
         name: 'install dependencies'
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - name: Fix kernel mmap rnd bits
         # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
@@ -226,7 +226,7 @@ jobs:
 
       - name: cache bearssl
         if: contains(matrix.build.install_steps, 'bearssl')
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-bearssl
         env:
           cache-name: cache-bearssl
@@ -247,7 +247,7 @@ jobs:
 
       - name: cache libressl
         if: contains(matrix.build.install_steps, 'libressl')
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-libressl
         env:
           cache-name: cache-libressl
@@ -266,7 +266,7 @@ jobs:
 
       - name: cache mbedtls
         if: contains(matrix.build.install_steps, 'mbedtls')
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-mbedtls
         env:
           cache-name: cache-mbedtls
@@ -284,7 +284,7 @@ jobs:
 
       - name: cache openssl3
         if: contains(matrix.build.install_steps, 'openssl3')
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-openssl3
         env:
           cache-name: cache-openssl3
@@ -302,7 +302,7 @@ jobs:
 
       - name: cache quictls
         if: contains(matrix.build.install_steps, 'quictls')
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-quictls
         env:
           cache-name: cache-quictls
@@ -320,7 +320,7 @@ jobs:
 
       - name: cache msh3
         if: contains(matrix.build.install_steps, 'msh3')
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-msh3
         env:
           cache-name: cache-msh3
@@ -347,7 +347,7 @@ jobs:
 
       - name: cache rustls
         if: contains(matrix.build.install_steps, 'rustls')
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-rustls
         env:
           cache-name: cache-rustls
@@ -389,7 +389,7 @@ jobs:
 
       - name: cache mod_h2
         if: contains(matrix.build.install_steps, 'pytest')
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-mod_h2
         env:
           cache-name: cache-mod_h2

.github/workflows/linux32.yml

@@ -68,7 +68,7 @@ jobs:
           sudo python3 -m pip install impacket
         name: 'install prereqs'
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - run: autoreconf -fi
         name: 'autoreconf'

.github/workflows/macos.yml

@@ -178,7 +178,7 @@ jobs:
           python3 -m pip install impacket
         name: 'pip3 install'
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - run: rm -f $HOME/.curlrc
         name: remove $HOME/.curlrc
@@ -249,7 +249,7 @@ jobs:
           esac
         name: 'brew unlink openssl'
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - run: cmake -B build -DCMAKE_UNITY_BUILD=ON -DCURL_WERROR=ON -DUSE_APPLE_IDN=ON ${{ matrix.build.generate }}
         name: 'cmake generate'

.github/workflows/man-examples.yml

@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - name: render nroff versions
         run: autoreconf -fi && ./configure --without-ssl --without-libpsl && make -C docs

.github/workflows/ngtcp2-linux.yml

@@ -101,7 +101,7 @@ jobs:
         name: 'install prereqs and impacket, pytest, crypto, apache2'
 
       - name: cache quictls
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-quictls-no-deprecated
         env:
           cache-name: cache-quictls-no-deprecated
@@ -125,7 +125,7 @@ jobs:
 
 
       - name: cache gnutls
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-gnutls
         env:
           cache-name: cache-gnutls
@@ -152,7 +152,7 @@ jobs:
         name: 'install gnutls'
 
       - name: cache wolfssl
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-wolfssl
         env:
           cache-name: cache-wolfssl
@@ -178,7 +178,7 @@ jobs:
 
 
       - name: cache nghttp3
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-nghttp3
         env:
           cache-name: cache-nghttp3
@@ -221,7 +221,7 @@ jobs:
         name: 'install nghttp2'
 
       - name: cache mod_h2
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-mod_h2
         env:
           cache-name: cache-mod_h2
@@ -244,7 +244,7 @@ jobs:
           sudo make install
         name: 'install mod_h2'
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - run: |
           sudo python3 -m pip install -r tests/requirements.txt -r tests/http/requirements.txt

.github/workflows/osslq-linux.yml

@@ -90,7 +90,7 @@ jobs:
 
       - name: cache openssl3
         if: contains(matrix.build.install_steps, 'openssl3')
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-openssl3
         env:
           cache-name: cache-openssl3
@@ -109,7 +109,7 @@ jobs:
 
       - name: cache quictls
         if: contains(matrix.build.install_steps, 'quictls')
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-quictls
         env:
           cache-name: cache-quictls
@@ -118,7 +118,7 @@ jobs:
           key: ${{ runner.os }}-build-${{ env.cache-name }}-quictls-${{ env.quictls-version }}
 
       - name: cache quictls
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-quictls-no-deprecated
         env:
           cache-name: cache-quictls-no-deprecated
@@ -142,7 +142,7 @@ jobs:
 
 
       - name: cache nghttp3
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-nghttp3
         env:
           cache-name: cache-nghttp3
@@ -185,7 +185,7 @@ jobs:
         name: 'install nghttp2'
 
       - name: cache mod_h2
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-mod_h2
         env:
           cache-name: cache-mod_h2
@@ -208,7 +208,7 @@ jobs:
           sudo make install
         name: 'install mod_h2'
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - run: |
           sudo python3 -m pip install -r tests/requirements.txt -r tests/http/requirements.txt

.github/workflows/proselint.yml

@@ -29,7 +29,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - name: install prereqs
         run: |

.github/workflows/quiche-linux.yml

@@ -89,7 +89,7 @@ jobs:
         name: 'install prereqs and impacket, pytest, crypto'
 
       - name: cache nghttpx
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-nghttpx
         env:
           cache-name: cache-nghttpx
@@ -134,7 +134,7 @@ jobs:
         name: 'install nghttp2'
 
       - name: cache quiche
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-quiche
         env:
           cache-name: cache-quiche
@@ -162,7 +162,7 @@ jobs:
         name: 'build quiche and boringssl'
 
       - name: cache mod_h2
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         id: cache-mod_h2
         env:
           cache-name: cache-mod_h2
@@ -185,7 +185,7 @@ jobs:
           sudo make install
         name: 'install mod_h2'
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - run: |
           sudo python3 -m pip install -r tests/requirements.txt -r tests/http/requirements.txt

.github/workflows/reuse.yml

@@ -24,6 +24,6 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
       - name: REUSE Compliance Check
-        uses: fsfe/reuse-action@v3
+        uses: fsfe/reuse-action@a46482ca367aef4454a87620aa37c2be4b2f8106 # v3

.github/workflows/shellcheck.yml

@@ -23,6 +23,6 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
       - name: 'shellcheck'
         run: .github/scripts/shellcheck.sh

.github/workflows/spellcheck.yml

@@ -27,7 +27,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - name: trim all man page *.md files
         run: find docs -name "*.md" ! -name "_*" | xargs -n1 ./.github/scripts/cleancmd.pl
@@ -45,6 +45,6 @@ jobs:
         run: grep -v '^#' .github/scripts/spellcheck.words >  wordlist.txt
 
       - name: Check Spelling
-        uses: rojopolis/spellcheck-github-actions@v0
+        uses: rojopolis/spellcheck-github-actions@dbd2f1da869c05ad874fffeb6fe1ed50cd1a6e98 # v0
         with:
           config_path: .github/scripts/spellcheck.yaml

.github/workflows/synopsis.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - name: verify-synopsis
         run: ./.github/scripts/verify-synopsis.pl docs/libcurl/curl*.3

.github/workflows/torture.yml

@@ -73,7 +73,7 @@ jobs:
           sudo python3 -m pip install impacket
         name: 'install prereqs and impacket'
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - run: autoreconf -fi
         name: 'autoreconf'

.github/workflows/wolfssl.yml

@@ -73,7 +73,7 @@ jobs:
           sudo python3 -m pip install impacket
         name: 'install prereqs and impacket'
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - run: |
           source .github/scripts/VERSIONS