From e3d12a16b1fa877b951b5f263e7f85a4c773cb0e Mon Sep 17 00:00:00 2001
From: Emmanuel Engelhart
Date: Mon, 29 Jul 2024 09:16:16 +0200
Subject: [PATCH 1/5] Add debian-bookworm to CI
---
 .github/workflows/package.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 174a05ae4..720733e34 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -16,6 +16,7 @@ jobs:
 matrix:
 distro:
 - debian-unstable
+ - debian-bookworm
 - debian-bullseye
 - ubuntu-jammy
 - ubuntu-focal
@@ -40,20 +41,27 @@ jobs:
 env:
 REF: ${{ github.ref }}
 
- - uses: legoktm/gh-action-auto-dch@18025761b70898aac9ddb5bdc726bcd083926714 # master
+ - uses: legoktm/gh-action-auto-dch@main
 with:
 fullname: Kiwix builder
 email: release+launchpad@kiwix.org
 distro: ${{ matrix.distro }}
 
- - uses: legoktm/gh-action-build-deb@4f3fbf87de8bf0870f44624693cae17b7ad34ca2 # debian-unstable
+ - uses: legoktm/gh-action-build-deb@debian-unstable
 if: matrix.distro == 'debian-unstable'
 name: Build package for debian-unstable
 id: build-debian-unstable
 with:
 args: --no-sign
 
- - uses: legoktm/gh-action-build-deb@1f7501377e7c229f373748af433e5c3818eeae6e # debian-bullseye
+ - uses: legoktm/gh-action-build-deb@debian-bookworm
+ if: matrix.distro == 'debian-bookworm'
+ name: Build package for debian-bookworm
+ id: build-debian-bookworm
+ with:
+ args: --no-sign
+
+ - uses: legoktm/gh-action-build-deb@debian-bullseye
 if: matrix.distro == 'debian-bullseye'
 name: Build package for debian-bullseye
 id: build-debian-bullseye
From 30a9693f86daff63a72af6b3497e4048708cf00f Mon Sep 17 00:00:00 2001
From: Emmanuel Engelhart
Date: Mon, 29 Jul 2024 09:25:49 +0200
Subject: [PATCH 2/5] Add Debian Trixie to package CI
---
 .github/workflows/package.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 720733e34..91ef6a949 100644
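Review bot: The rewritten `uses:` lines in the second hunk replace a full commit SHA with a mutable ref (`legoktm/gh-action-auto-dch@main`, `legoktm/gh-action-build-deb@debian-unstable`, and the new `@debian-bookworm` step), so whoever can push to those branches changes what runs in this job without any change showing up in this file. Patch 2 (`@debian-trixie`) and patch 3 (`@ubuntu-noble`, `@ubuntu-jammy`, `@ubuntu-focal`) make the same change; patch 4 re-pins everything, but the three intermediate commits stay unpinned in history, which matters for anyone bisecting or cherry-picking them. The removed lines already show the convention worth keeping, SHA first and branch in the trailing comment, e.g. `- uses: legoktm/gh-action-build-deb@<commit-sha-on-debian-bookworm> # debian-bookworm`.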
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -16,6 +16,7 @@ jobs:
 matrix:
 distro:
 - debian-unstable
+ - debian-trixie
 - debian-bookworm
 - debian-bullseye
 - ubuntu-jammy
@@ -54,6 +55,13 @@ jobs:
 with:
 args: --no-sign
 
+ - uses: legoktm/gh-action-build-deb@debian-trixie
+ if: matrix.distro == 'debian-trixie'
+ name: Build package for debian-trixie
+ id: build-debian-trixie
+ with:
+ args: --no-sign
+
 - uses: legoktm/gh-action-build-deb@debian-bookworm
 if: matrix.distro == 'debian-bookworm'
 name: Build package for debian-bookworm
From 0bcd59f0a9e437c06175891e897ccb5d845d7bbb Mon Sep 17 00:00:00 2001
From: Emmanuel Engelhart
Date: Mon, 29 Jul 2024 09:33:34 +0200
Subject: [PATCH 3/5] Add Ubuntu 24.04 (Noble) to package CI
---
 .github/workflows/package.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 91ef6a949..f0fa0429d 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -19,6 +19,7 @@ jobs:
 - debian-trixie
 - debian-bookworm
 - debian-bullseye
+ - ubuntu-noble
 - ubuntu-jammy
 - ubuntu-focal
 steps:
@@ -76,7 +77,15 @@ jobs:
 with:
 args: --no-sign
 
- - uses: legoktm/gh-action-build-deb@56d1c4bc50f5525fa9b66ac6d7a984ece0428d46 # ubuntu-jammy
+ - uses: legoktm/gh-action-build-deb@ubuntu-noble
+ if: matrix.distro == 'ubuntu-noble'
+ name: Build package for ubuntu-noble
+ id: build-ubuntu-noble
+ with:
+ args: --no-sign
+ ppa: ${{ steps.ppa.outputs.ppa }}
+
+ - uses: legoktm/gh-action-build-deb@ubuntu-jammy
 if: matrix.distro == 'ubuntu-jammy'
 name: Build package for ubuntu-jammy
 id: build-ubuntu-jammy
@@ -84,7 +93,7 @@ jobs:
 args: --no-sign
 ppa: ${{ steps.ppa.outputs.ppa }}
 
- - uses: legoktm/gh-action-build-deb@e58c0b09a3955e39a4ab83ffe03025d622dda039 # ubuntu-focal
+ - uses: legoktm/gh-action-build-deb@ubuntu-focal
 if: matrix.distro == 'ubuntu-focal'
 name: Build package for ubuntu-focal
 id: build-ubuntu-focal
From b15e9ef94dad0372164f73a7252f87c0e6b94611 Mon Sep 17 00:00:00 2001
From: Emmanuel Engelhart
Date: Mon, 29 Jul 2024 09:37:12 +0200
Subject: [PATCH 4/5] Pin actions
---
 .github/workflows/package.yml | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index f0fa0429d..45cef504a 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -6,7 +6,7 @@ on:
 branches:
 - main
 release:
- types: [published]
+ types: [ published ]
 
 jobs:
 build-deb:
@@ -24,11 +24,11 @@ jobs:
 - ubuntu-focal
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # pin@v2
 with:
 egress-policy: audit
 
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
 
 # Determine which PPA we should upload to
 - name: PPA
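Review bot: `types: [ published ]` in the first hunk is a whitespace-only reformat that does not belong in a commit titled "Pin actions"; it adds noise to the diff, and `[published]` is also the flow-sequence spacing that yamllint and Prettier default to. Keep the original `types: [published]`, or put the reformat in its own commit if the padded spacing is a deliberate project style.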
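Review bot: The trailing comment on the pinned `harden-runner` and `actions/checkout` lines now records a floating tag (`# pin@v2`, `# pin@v4`) where the removed lines recorded the exact release (`# v2.7.1`, `# v4.1.4`), so a reader can no longer tell which release a SHA corresponds to without resolving it, and Dependabot reads that comment when it bumps SHA-pinned actions. The same comment style is used on every pinned line in the `@@ -43,41`, `@@ -85,7`, `@@ -93,7`, `@@ -101,12` and `@@ -115,7` hunks of this commit, where `# pin@debian-unstable` and `# pin@main` name a moving branch rather than a release, so the comment alone cannot be used to audit what was pinned. Record the resolved tag next to the SHA, e.g. `- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # <tag the SHA resolves to>`, and for the legoktm actions keep the plain branch name the removed lines used.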
@@ -43,41 +43,41 @@ jobs:
 env:
 REF: ${{ github.ref }}
 
- - uses: legoktm/gh-action-auto-dch@main
+ - uses: legoktm/gh-action-auto-dch@2b7d6a33db93a408d4b5e2edf38be7fd578b11d7 # pin@main
 with:
 fullname: Kiwix builder
 email: release+launchpad@kiwix.org
 distro: ${{ matrix.distro }}
 
- - uses: legoktm/gh-action-build-deb@debian-unstable
+ - uses: legoktm/gh-action-build-deb@7a6b22239275ae4e425fefc6f1aeb1118160500d # pin@debian-unstable
 if: matrix.distro == 'debian-unstable'
 name: Build package for debian-unstable
 id: build-debian-unstable
 with:
 args: --no-sign
 
- - uses: legoktm/gh-action-build-deb@debian-trixie
+ - uses: legoktm/gh-action-build-deb@b47978ba8498dc8b8153cc3b5f99a5fc1afa5de1 # pin@debian-trixie
 if: matrix.distro == 'debian-trixie'
 name: Build package for debian-trixie
 id: build-debian-trixie
 with:
 args: --no-sign
 
- - uses: legoktm/gh-action-build-deb@debian-bookworm
+ - uses: legoktm/gh-action-build-deb@1f4e86a6bb34aaad388167eaf5eb85d553935336 # pin@debian-bookworm
 if: matrix.distro == 'debian-bookworm'
 name: Build package for debian-bookworm
 id: build-debian-bookworm
 with:
 args: --no-sign
 
- - uses: legoktm/gh-action-build-deb@debian-bullseye
+ - uses: legoktm/gh-action-build-deb@084b4263209252ec80a75d2c78a586192c17f18d # pin@debian-bullseye
 if: matrix.distro == 'debian-bullseye'
 name: Build package for debian-bullseye
 id: build-debian-bullseye
 with:
 args: --no-sign
 
- - uses: legoktm/gh-action-build-deb@ubuntu-noble
+ - uses: legoktm/gh-action-build-deb@9114a536498b65c40b932209b9833aa942bf108d # pin@ubuntu-noble
 if: matrix.distro == 'ubuntu-noble'
 name: Build package for ubuntu-noble
 id: build-ubuntu-noble
@@ -85,7 +85,7 @@ jobs:
 args: --no-sign
 ppa: ${{ steps.ppa.outputs.ppa }}
 
- - uses: legoktm/gh-action-build-deb@ubuntu-jammy
+ - uses: legoktm/gh-action-build-deb@1553bc52b826020691af83a7354a047f2727106c # pin@ubuntu-jammy
 if: matrix.distro == 'ubuntu-jammy'
 name: Build package for ubuntu-jammy
 id: build-ubuntu-jammy
@@ -93,7 +93,7 @@ jobs:
 args: --no-sign
 ppa: ${{ steps.ppa.outputs.ppa }}
 
- - uses: legoktm/gh-action-build-deb@ubuntu-focal
+ - uses: legoktm/gh-action-build-deb@77900afcbdc12874b7177e0e9fca2f4da043cd05 # pin@ubuntu-focal
 if: matrix.distro == 'ubuntu-focal'
 name: Build package for ubuntu-focal
 id: build-ubuntu-focal
@@ -101,12 +101,12 @@ jobs:
 args: --no-sign
 ppa: ${{ steps.ppa.outputs.ppa }}
 
- - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # pin@v4
 with:
 name: Packages for ${{ matrix.distro }}
 path: output
 
- - uses: legoktm/gh-action-dput@a41ede69b89b473fb9de31db5f82aef098ca6492 # master
+ - uses: legoktm/gh-action-dput@4f46c373c7d114c8885c376be07f9ad5490c4f51 # pin@main
 name: Upload dev package
 # Only upload on pushes to main
 if: github.event_name == 'push' && github.event.ref == 'refs/heads/main' && startswith(matrix.distro, 'ubuntu-')
@@ -115,7 +115,7 @@ jobs:
 repository: ppa:kiwixteam/dev
 packages: output/*_source.changes
 
- - uses: legoktm/gh-action-dput@a41ede69b89b473fb9de31db5f82aef098ca6492 # master
+ - uses: legoktm/gh-action-dput@4f46c373c7d114c8885c376be07f9ad5490c4f51 # pin@main
 name: Upload release package
 if: github.event_name == 'release' && startswith(matrix.distro, 'ubuntu-')
 with:
From fbd55967e54701b3948b6b6b15962b2cc09294e8 Mon Sep 17 00:00:00 2001
From: Emmanuel Engelhart
Date: Mon, 29 Jul 2024 09:39:37 +0200
Subject: [PATCH 5/5] Add howto comment to pin depedencies
---
 .github/workflows/package.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 45cef504a..83cc9a38d 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -22,6 +22,8 @@ jobs:
 - ubuntu-noble
 - ubuntu-jammy
 - ubuntu-focal
+
+ # Pin your dependencies with https://github.com/mheap/pin-github-action
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # pin@v2
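Review bot: The new comment sits inside the `build-deb` job between the `matrix.distro` list and `steps:`, where it reads as a note about the matrix rather than about the `uses:` references it concerns, and only someone editing this particular job will see it. A file-level comment above `on:`, or one directly above the first `uses:` under `steps:`, is where the next person adding a step will look; it would also help to state the rule rather than only the tool, e.g. `# Every uses: must reference a full commit SHA with the tag or branch in the trailing comment; refresh with https://github.com/mheap/pin-github-action`, so a reviewer can enforce it without running anything. The commit subject's "depedencies" looks like a typo for "dependencies".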