From 15c9b355044b3ff7a3c41b1bfbd4f7d7ee86e876 Mon Sep 17 00:00:00 2001 From: Hannes Date: Thu, 28 Nov 2024 08:51:59 +0800 Subject: [PATCH 1/2] Add ratchet --- .pre-commit-config.yaml | 6 ++++++ Justfile | 3 +++ flake.nix | 1 + 3 files changed, 10 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d00b2d6..13db90f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -77,6 +77,12 @@ repos: entry: actionlint types: [yaml] files: \.github/workflows/.*\.ya?ml$ + - name: Check GitHub Actions are pinned + id: github-workflows-check-pinned + language: system + entry: ratchet check + types: [yaml] + files: \.github/workflows/.*\.ya?ml$ # Nix - repo: local diff --git a/Justfile b/Justfile index 476e8e9..82e6a64 100644 --- a/Justfile +++ b/Justfile @@ -16,3 +16,6 @@ examples: docs: roc docs src/main.roc + +ratchet: + ratchet upgrade .github/workflows/*.yaml diff --git a/flake.nix b/flake.nix index 55e75e5..d7b1299 100644 --- a/flake.nix +++ b/flake.nix @@ -40,6 +40,7 @@ pkgs.nodePackages.prettier pkgs.pre-commit pkgs.python312Packages.pre-commit-hooks + pkgs.ratchet ]; shellHook = "pre-commit install --overwrite"; }; From 6f990baf264db3ea15fb8974fe6c4326b49b9c9d Mon Sep 17 00:00:00 2001 From: Hannes Date: Thu, 28 Nov 2024 09:02:05 +0800 Subject: [PATCH 2/2] Pin actions --- .github/workflows/bundle.yaml | 6 +++--- .github/workflows/check-pr-labels.yaml | 4 ++-- .github/workflows/generate-docs.yaml | 8 ++++---- .github/workflows/run-pre-commit.yaml | 8 ++++---- .github/workflows/test.yaml | 4 ++-- .github/workflows/update-draft-release.yaml | 2 +- 6 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/bundle.yaml b/.github/workflows/bundle.yaml index 0b8741e..5b928f9 100644 --- a/.github/workflows/bundle.yaml +++ b/.github/workflows/bundle.yaml 
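Review bot: The new `github-workflows-check-pinned` hook has no comment saying what `entry: ratchet check` does and does not verify. As far as I can tell it only confirms that each `uses:` ref is pinned, not that the SHA is the commit named in the trailing `# ratchet:` comment, so SHA changes in workflow files still need to be compared against the upstream tag by a reviewer. I would add a comment above the hook such as `# Only verifies that refs are pinned; review SHA changes against the upstream tag by hand`. Because the hook uses `language: system`, it also depends on `ratchet` being on PATH, which the flake's dev shell provides but a plain checkout does not.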
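Review bot: The recipe name `ratchet` does not say that it runs `ratchet upgrade`, which, as I understand the tool, moves each action to the newest available version and rewrites the constraint rather than refreshing the SHA within the existing one. Its glob `.github/workflows/*.yaml` is also narrower than the hook's `\.ya?ml$` pattern, so a future `.yml` workflow would be checked but never updated by this recipe. I would rename it to something like `upgrade-actions` and add a comment such as `# Upgrades pinned GitHub Actions to their latest versions; review the resulting SHA diff before committing`.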
@@ -14,13 +14,13 @@ jobs: contents: write steps: - name: Check out the repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 - name: Install Roc - uses: hasnep/setup-roc@main + uses: hasnep/setup-roc@80f4b4a1b94a7a89b3152e9b4e635367e7c0a940 # ratchet:hasnep/setup-roc@main with: roc-version: nightly - name: Bundle and release the library - uses: hasnep/bundle-roc-library@v0.1.0 + uses: hasnep/bundle-roc-library@4364d15b4ae83c99e0bc0caab8a254a5d0a9369f # ratchet:hasnep/bundle-roc-library@v0.1.0 with: library: src/main.roc token: ${{ github.token }} diff --git a/.github/workflows/check-pr-labels.yaml b/.github/workflows/check-pr-labels.yaml index b8ac2fa..df8d67b 100644 --- a/.github/workflows/check-pr-labels.yaml +++ b/.github/workflows/check-pr-labels.yaml @@ -15,12 +15,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Check for PR category labels - uses: yogevbd/enforce-label-action@2.2.2 + uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024 # ratchet:yogevbd/enforce-label-action@2.2.2 with: REQUIRED_LABELS_ANY: feature,fix,chore REQUIRED_LABELS_ANY_DESCRIPTION: Please tag your PR with one of `feature`, `fix`, or `chore`. - name: Check for PR version labels - uses: yogevbd/enforce-label-action@2.2.2 + uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024 # ratchet:yogevbd/enforce-label-action@2.2.2 with: REQUIRED_LABELS_ANY: major,minor,patch REQUIRED_LABELS_ANY_DESCRIPTION: Please tag your PR with one of `major`, `minor`, `patch`. diff --git a/.github/workflows/generate-docs.yaml b/.github/workflows/generate-docs.yaml index c85bf27..df5de89 100644 --- a/.github/workflows/generate-docs.yaml +++ b/.github/workflows/generate-docs.yaml 
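Review bot: The `roc-version: nightly` input left under the newly pinned `hasnep/setup-roc` step means the SHA pin fixes the action's code but not the compiler it installs, and this job holds `contents: write` and publishes the bundle; the same step appears in the generate-docs.yaml and test.yaml hunks. The `# ratchet:hasnep/setup-roc@main` constraint also tracks a branch, so each later update will take whatever commit is at the head of main rather than a tagged release. If the action accepts a dated nightly or a release identifier, I would pin it here; otherwise add a comment above the input such as `# nightly is a moving target: the action SHA above does not pin the compiler`. The job's step list starts and ends outside the hunk.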
@@ -15,9 +15,9 @@ jobs: id-token: write steps: - name: Check out the repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 - name: Install Roc - uses: hasnep/setup-roc@main + uses: hasnep/setup-roc@80f4b4a1b94a7a89b3152e9b4e635367e7c0a940 # ratchet:hasnep/setup-roc@main with: roc-version: nightly - name: Generate docs @@ -26,8 +26,8 @@ jobs: run: | find generated-docs/ -type f -name '*.html' -exec sed -i "s/\(href\|src\)=\"\//\1=\"\/${{ github.event.repository.name }}\//g" {} + - name: Upload docs artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # ratchet:actions/upload-pages-artifact@v3 with: path: generated-docs - name: Deploy docs - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # ratchet:actions/deploy-pages@v4 diff --git a/.github/workflows/run-pre-commit.yaml b/.github/workflows/run-pre-commit.yaml index 123638e..416d610 100644 --- a/.github/workflows/run-pre-commit.yaml +++ b/.github/workflows/run-pre-commit.yaml 
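Review bot: The `run:` script kept as context in the second hunk of generate-docs.yaml still interpolates `${{ github.event.repository.name }}` directly into the shell text, a pattern this pinning pass leaves in place in a job that the first hunk shows holding `id-token: write`. Repository names are limited to a small character set, so the practical risk is probably low, but passing the value through the environment keeps expression text out of the script entirely. I would add `env:` with `REPO_NAME: ${{ github.event.repository.name }}` to the step and use `${REPO_NAME}` inside the sed expression. The step's `name:` line is outside the hunk.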
@@ -14,13 +14,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 - name: Install Nix - uses: DeterminateSystems/nix-installer-action@v16 + uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # ratchet:DeterminateSystems/nix-installer-action@v16 - name: Cache Nix environment - uses: DeterminateSystems/magic-nix-cache-action@v8 + uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # ratchet:DeterminateSystems/magic-nix-cache-action@v8 - name: Use Nix dev shell for subsequent steps - uses: rrbutani/use-nix-shell-action@v1 + uses: rrbutani/use-nix-shell-action@59a52b2b9bbfe3cc0e7deb8f9059abe37a439edf # ratchet:rrbutani/use-nix-shell-action@v1 with: extraNixOptions: --accept-flake-config - name: Run Pre-commit diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 2134067..c4239a7 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -20,9 +20,9 @@ jobs: contents: write steps: - name: Check out the repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 - name: Install Roc - uses: hasnep/setup-roc@main + uses: hasnep/setup-roc@80f4b4a1b94a7a89b3152e9b4e635367e7c0a940 # ratchet:hasnep/setup-roc@main with: roc-version: nightly - name: Test the library diff --git a/.github/workflows/update-draft-release.yaml b/.github/workflows/update-draft-release.yaml index 198fe04..ed35584 100644 --- a/.github/workflows/update-draft-release.yaml +++ b/.github/workflows/update-draft-release.yaml 
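Review bot: `extraNixOptions: --accept-flake-config`, kept as context under the newly pinned `rrbutani/use-nix-shell-action` step in run-pre-commit.yaml, makes Nix accept whatever `nixConfig` the checked-out flake declares without prompting, which the action pins do not cover. The workflow trigger is outside the hunk; if it runs for pull requests, that configuration comes from the branch under review. I would either drop the flag and set the needed options explicitly in the workflow, or document the trust decision with a comment such as `# accepts nixConfig from flake.nix; changes to that section need review`.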
@@ -19,7 +19,7 @@ jobs: steps: - name: Update the draft release id: update-draft-release - uses: release-drafter/release-drafter@v6 + uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # ratchet:release-drafter/release-drafter@v6 with: config-name: release-drafter.yaml disable-autolabeler: true