chore: Harden CI workflow against supply chain attacks (#678)

ava-silver · web-flow · commit 2e05845c0f31 · 2026-03-31T08:37:26.000-04:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -11,10 +11,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Node 22
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 24
 
@@ -39,7 +39,7 @@ jobs:
         run: yarn lint
 
       - name: Install depcheck
-        run: npm install -g depcheck
+        run: npm install -g depcheck@1.4.7
 
       - name: Run depcheck
         run: depcheck --ignores="@types/jest,serverless-step-functions"
@@ -53,10 +53,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Node ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: ${{ matrix.node-version }}
 
@@ -81,4 +81,4 @@ jobs:
         run: yarn test
 
       - name: Upload code coverage report
-        run: bash <(curl -s https://codecov.io/bash)
+        uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
