@Talos0248
Contributor

@Talos0248 Talos0248 commented Dec 11, 2025


name: 🐛 Bug fix or new feature
about: Fixing a problem with Redux

PR Type

Does this PR add a new feature, or fix a bug?

Fix a bug

Why should this PR be included?

I am hoping that it can help GitHub workflow tests run properly again.

Checklist

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Is there an existing issue for this PR?
    • No
  • Have the files been linted and formatted?
    • I ran yarn lint just in case but nothing changed
  • Have the docs been updated to match the changes in the PR?
    • I don't think this is applicable
  • Have the tests been updated to match the changes in the PR?
    • I don't think this is applicable either
  • Have you run the tests locally to confirm they pass?

Bug Fixes

What is the current behavior, and the steps to reproduce the issue?

Currently, when opening a PR, GitHub workflow tests fail, as I believe security policies of the redux repo require actions to be pinned to a specific SHA; however, current actions only use a generic tag (e.g. @v4).

What is the expected behavior?

When opening a PR, GitHub workflow tests should NOT throw an error when setting up the job and instead should run properly. Example error that this should fix:

Error: The actions actions/checkout@v4 and dorny/paths-filter@v3 are not allowed in reduxjs/redux because all actions must be pinned to a full-length commit SHA.

How does this PR fix the problem?

I have pinned a specific SHA to each GitHub workflow action. I have chosen the latest minor version available at time of writing (e.g. v4.3.0 for actions/download-artifact@v4). The full list of changes, with links to the releases and their SHA values, is as follows:

actions/checkout@v4

https://github.com/actions/checkout/releases/tag/v4.3.1
34e114876b0b11c390a56381ad16ebd13914f8d5

dorny/paths-filter@v3

https://github.com/dorny/paths-filter/releases/tag/v3.0.2
de90cc6fb38fc0963ad72b210f1f284cd68cea36

actions/setup-node@v4

https://github.com/actions/setup-node/releases/tag/v4.4.0
49933ea5288caeca8642d1e84afbd3f7d6820020

actions/download-artifact@v4

https://github.com/actions/download-artifact/releases/tag/v4.3.0
d3f86a106a0bac45b974a628896c90dbdf5c8093

preactjs/compressed-size-action@v2

https://github.com/preactjs/compressed-size-action/releases/tag/2.8.0
946a292cd35bd1088e0d7eb92b69d1a8d5b5d76a

actions/upload-artifact@v4

https://github.com/actions/upload-artifact/releases/tag/v4.6.2
ea165f8d65b6e75b540449e92b4886f43607fa02
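
Added example, not part of the PR or the Redux repository: a Python check that flags `uses:` references in a workflow file that are not pinned to a full-length commit SHA, the condition named in the error message above. The function name `unpinned_actions` and the sample workflow are constructed for illustration; only `owner/repo@ref` references and local `./` paths are handled.

```python
import re

# A full-length commit SHA is exactly 40 hex characters; tags, branches and
# abbreviated SHAs are mutable or ambiguous and do not count as pinned.
FULL_SHA = re.compile(r"[0-9a-f]{40}")
# Matches `uses: owner/repo[/path]@ref`, either as the first key of a step
# ("- uses:") or as a later key, with optional quotes and trailing comment.
USES = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#.*)?$""")


def unpinned_actions(workflow_text):
    """Return (line_number, reference) for each `uses:` not pinned to a full SHA."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES.match(line)
        if not match:
            continue
        reference = match.group(1)
        # Local actions (./path) live in the same repository and carry no ref.
        if reference.startswith("./"):
            continue
        # Everything after the first "@" is the ref; a missing ref is unpinned.
        _, _, ref = reference.partition("@")
        if not FULL_SHA.fullmatch(ref):
            findings.append((number, reference))
    return findings


# Constructed sample workflow; the pinned SHA is the dorny/paths-filter value
# listed in the PR description above.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
      - uses: ./.github/actions/local-setup
      - name: Set up Node
        uses: actions/setup-node@49933ea
"""

if __name__ == "__main__":
    for number, reference in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {number}: {reference} is not pinned to a full-length commit SHA")
```

Keeping the release tag as a trailing comment next to the SHA, as in the sample, leaves the pinned version readable during review.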

@codesandbox-ci

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

@Talos0248
Contributor Author

Oh, weird, the original workflow checks are working again! I'm guessing the security policies got switched back? :0 Maybe this PR should've been an issue first haha, feel free to close this if not needed! C:

@timdorr
Member

timdorr commented Dec 11, 2025

Yes, we turned off that setting for now. We had done so for RTK's repo, but it was org-wide. We can still do this for each repo and get towards better reproducibility, even with the setting off.

@timdorr timdorr merged commit c303b1f into reduxjs:master Dec 11, 2025
27 checks passed