ICU-22482 Hash-pin GHA, add dependabot to keep them updated

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Use latest version, uses a version >= 2.0.6 to overcome invalid key bug
2025-04-04 21:15:35 +00:00 · 2023-11-16 22:25:59 +00:00 · 2023-11-16 22:25:59 +00:00 · 80a01a475b
commit 80a01a475b
parent 5e95ed8294
9 changed files with 94 additions and 79 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
--- a/.github/workflows/cache_retain.yml
+++ b/.github/workflows/cache_retain.yml
@ -38,17 +38,17 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout and setup
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          lfs: true
      - name: Checkout lfs objects
        run: git lfs pull
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
        with:
          distribution: 'temurin'
          java-version: '11'
      - name: Restore read-only cache of local Maven repository
-        uses: actions/cache/restore@v3
+        uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        id: cache
        with:
          path: ~/.m2/repository
--- a/.github/workflows/icu4c.yml
+++ b/.github/workflows/icu4c.yml
@ -31,7 +31,7 @@ jobs:
  icu4c-docs-build:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: ICU4C doc
        run: |
@ -54,7 +54,7 @@ jobs:
  gcc-debug-build-and-test:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: ICU4C with gcc
        env:
@ -77,7 +77,7 @@ jobs:
  clang-release-build-and-test:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install doxygen
        run: |
@ -119,7 +119,7 @@ jobs:
         # --disable-shared has a build problem.
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Build ICU4C with clang
        run: |
@ -135,7 +135,7 @@ jobs:
  gcc-10-stdlib17:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: ICU4C with gcc 10 and c++17 and extra warnings.
        env:
@ -156,7 +156,7 @@ jobs:
  clang-asan:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: ICU4C with clang and asan
        run: |
@ -170,7 +170,7 @@ jobs:
  clang-ubsan:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: ICU4C with clang and ubsan +alignment
        run: |
@ -185,7 +185,7 @@ jobs:
  clang-cfi:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: ICU4C with clang using CFI
        run: |
@ -204,7 +204,7 @@ jobs:
  clang-tsan:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: ICU4C with clang and tsan
        run: |
@ -222,7 +222,7 @@ jobs:
  macos-clang:
    runs-on: macos-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: ICU4C with clang on MacOS
        run: |
@ -234,7 +234,7 @@ jobs:
  run-with-stubdata:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: ICU4C tests with stubdata
        run: |
@ -277,7 +277,7 @@ jobs:
  u-charset-is-utf8-test:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: |
          cd icu4c/source;
          ./runConfigureICU Linux CPPFLAGS="-DU_CHARSET_IS_UTF8=1";
@ -287,7 +287,7 @@ jobs:
  u-override-cxx-allocation-is-0-test:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: |
          cd icu4c/source;
          ./runConfigureICU Linux CPPFLAGS="-DU_OVERRIDE_CXX_ALLOCATION=0";
@ -298,7 +298,7 @@ jobs:
  lstm-test:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: |
          cd icu4c/source;
          ICU_DATA_FILTER_FILE=../../.github/lstm_for_th_my.json ./runConfigureICU --enable-debug --disable-release Linux -disable-layoutex;
@ -309,7 +309,7 @@ jobs:
  adaboost-test:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: |
          cd icu4c/source;
          ICU_DATA_FILTER_FILE=../../.github/adaboost.json CPPFLAGS=-DUCONFIG_USE_ML_PHRASE_BREAKING=1 ./runConfigureICU --enable-debug --disable-release Linux -disable-layoutex;
@ -320,7 +320,7 @@ jobs:
  testmap:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: |
          cd icu4c/source;
          ./runConfigureICU Linux;
@ -333,21 +333,21 @@ jobs:
  copyright-scan:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: perl tools/scripts/cpysearch/cpyscan.pl

  # Check compilation of internal headers.
  internal-header-compilation:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: cd icu4c/source; test/hdrtst/testinternalheaders.sh

  # Check source files for valid UTF-8 and for absence of BOM.
  valid-UTF-8-and-no-BOM-check:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: tools/scripts/icu-file-utf8-check.py

  # Run unit tests with UCONFIG_NO_XXX variations.
@ -375,7 +375,7 @@ jobs:
         - "-DUCONFIG_NO_LEGACY_CONVERSION=1 -DUCONFIG_NO_NORMALIZATION=1 -DUCONFIG_NO_BREAK_ITERATION=1 -DUCONFIG_NO_IDNA=1 -DUCONFIG_NO_COLLATION=1 -DUCONFIG_NO_FORMATTING=1 -DUCONFIG_NO_TRANSLITERATION=1 -DUCONFIG_NO_REGULAR_EXPRESSIONS=1 -DUCONFIG_NO_SERVICE=1 -DUCONFIG_NO_FILTERED_BREAK_ITERATION=1"
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Verify no additional new UCONFIG_NO_xxx added
        run: |
          # Test that we have exactly 12 "#ifndef UCONFIG_NO_" in uconfig.h. If the number changes, we need to also
@ -421,7 +421,7 @@ jobs:
         - "-DUCONFIG_NO_LEGACY_CONVERSION=1 -DUCONFIG_NO_NORMALIZATION=1 -DUCONFIG_NO_BREAK_ITERATION=1 -DUCONFIG_NO_IDNA=1 -DUCONFIG_NO_COLLATION=1 -DUCONFIG_NO_FORMATTING=1 -DUCONFIG_NO_TRANSLITERATION=1 -DUCONFIG_NO_REGULAR_EXPRESSIONS=1 -DUCONFIG_NO_SERVICE=1 -DUCONFIG_NO_FILTERED_BREAK_ITERATION=1"
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Verify no additional new UCONFIG_NO_xxx added
        run: |
          # Test that we have exactly 12 "#ifndef UCONFIG_NO_" in uconfig.h. If the number changes, we need to also
@ -450,14 +450,14 @@ jobs:
  unicode-update-tools:
    runs-on: ubuntu-20.04
    steps:
-    - uses: actions/checkout@v3
-    - uses: bazelbuild/setup-bazelisk@v2
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0
    - name: Get CI Linux runner VM version
      id: linux-version
      run: |
        echo "LINUX_VERSION=$(grep -F VERSION_ID /etc/os-release | cut -d'"' -f2)" >> $GITHUB_OUTPUT
    - name: Mount bazel cache
-      uses: actions/cache@v3
+      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
      with:
        path: "~/.cache/bazel"
        key: bazel-${{ runner.os }}-${{ steps.linux-version.outputs.LINUX_VERSION }}
@ -489,7 +489,7 @@ jobs:
  icu4c-test-samples:
      runs-on: ubuntu-20.04
      steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: ICU4C configure and build
        run: |
@ -514,7 +514,7 @@ jobs:
  icu4c-without-collation-rule-strings:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Install hjson dependency
        run: |
          sudo apt-get install python3-pip
@ -554,7 +554,7 @@ jobs:
  icu4c-uconfig-no-conversion:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Set UCONFIG_NO_CONVERSION and configure ICU4C
        env:
          UCONFIG_NO_CONVERSION: 1
--- a/.github/workflows/icu_envtest.yml
+++ b/.github/workflows/icu_envtest.yml
@ -43,7 +43,7 @@ jobs:
        run: |
          locale -a;
      - name: Checkout and setup
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Build
        run: |
          cd icu4c/source/;
@ -102,7 +102,7 @@ jobs:
          find /usr/share/zoneinfo/ -type f,l|egrep -v "/(right|posix)/"|egrep -v "\.tab"|wc -l;
          find /usr/share/zoneinfo/ -type f,l|egrep -v "/(right|posix)/"|egrep -v "\.tab"|cut -d '/' -f5-50;
      - name: Checkout and setup
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Build
        run: |
          cd icu4c/source/;
--- a/.github/workflows/icu_merge_ci.yml
+++ b/.github/workflows/icu_merge_ci.yml
@ -32,17 +32,17 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout and setup
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          lfs: true
      - name: Checkout lfs objects
        run: git lfs pull
      - name: Cache local Maven repository
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
        with:
          distribution: 'temurin'
          java-version: '8'
@ -58,20 +58,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout and setup
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          lfs: true
      - name: Checkout lfs objects
        run: git lfs pull
      - name: Lookup read-only cache of local Maven repository
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
          lookup-only: true
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
        with:
          distribution: 'temurin'
          java-version: '11'
@ -92,7 +92,7 @@ jobs:
    if: github.repository == 'unicode-org/icu' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Build ICU libraries
        run: |
@ -102,7 +102,7 @@ jobs:
          cd lib;
          cp -Ps ../tools/ctestfw/libicutest* .
      - name: Upload ICU libraries
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: icu-perf-libs
          path: icu4c/source/lib
@ -133,11 +133,11 @@ jobs:

    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Create directory for lib files
        run: mkdir icu4c/source/perflib
      - name: Get ICU libs
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: icu-perf-libs
          path: icu4c/source/lib
@ -207,11 +207,11 @@ jobs:

    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Create directory for lib files
        run: mkdir icu4c/source/perflib
      - name: Get ICU libs
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: icu-perf-libs
          path: icu4c/source/lib
@ -272,11 +272,11 @@ jobs:

    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Create directory for lib files
        run: mkdir icu4c/source/perflib
      - name: Get ICU libs
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: icu-perf-libs
          path: icu4c/source/lib
@ -322,20 +322,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout and setup
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          lfs: true
      - name: Checkout lfs objects
        run: git lfs pull
      - name: Lookup read-only cache of local Maven repository
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
          lookup-only: true
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
        with:
          distribution: 'temurin'
          java-version: '8'
@ -384,20 +384,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout and setup
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          lfs: true
      - name: Checkout lfs objects
        run: git lfs pull
      - name: Lookup read-only cache of local Maven repository
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
          lookup-only: true
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
        with:
          distribution: 'temurin'
          java-version: '8'
@ -448,20 +448,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout and setup
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          lfs: true
      - name: Checkout lfs objects
        run: git lfs pull
      - name: Lookup read-only cache of local Maven repository
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
          lookup-only: true
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
        with:
          distribution: 'temurin'
          java-version: '8'
@ -517,20 +517,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout and setup
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          lfs: true
      - name: Checkout lfs objects
        run: git lfs pull
      - name: Lookup read-only cache of local Maven repository
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
          lookup-only: true
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
        with:
          distribution: 'temurin'
          java-version: '8'
@ -656,20 +656,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout and setup
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          lfs: true
      - name: Checkout lfs objects
        run: git lfs pull
      - name: Lookup read-only cache of local Maven repository
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
          lookup-only: true
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
        with:
          distribution: 'temurin'
          java-version: '8'
@ -739,20 +739,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout and setup
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          lfs: true
      - name: Checkout lfs objects
        run: git lfs pull
      - name: Lookup read-only cache of local Maven repository
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
          lookup-only: true
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
        with:
          distribution: 'temurin'
          java-version: '8'
@ -802,7 +802,7 @@ jobs:
    needs: [icu4c-performance-tests, icu4c-performance-tests-with-files, icu4c-strsrchperf, icu4j-unicodesetperf, icu4j-ucharacterperf, icu4j-decimalformatperf, icu4j-normperf, icu4j-converterperf, icu4j-dateformatperf]
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Switch to benchmark data storage branch.
        run: |
@ -810,7 +810,7 @@ jobs:
          git checkout perfdata

      - name: Publish data
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
        with:
          deploy_key: ${{ secrets.ACTIONS_DEPLOY_KEY }}
          external_repository: unicode-org/icu-perf
--- a/.github/workflows/icu_valgrind.yml
+++ b/.github/workflows/icu_valgrind.yml
@ -33,7 +33,7 @@ jobs:
          sudo apt-get -y update;
          sudo apt-get install -y valgrind;
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Build with debug enable
        env:
          CC: clang
@ -78,7 +78,7 @@ jobs:
          sudo apt-get -y update;
          sudo apt-get install -y valgrind;
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Build with debug enable
        env:
          CC: clang
--- a/.github/workflows/jekyll-gh-pages.yml
+++ b/.github/workflows/jekyll-gh-pages.yml
@ -37,16 +37,16 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42 # v1.161.0
        with:
          ruby-version: '2.7.4' # Not needed with a .ruby-version file
          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
          cache-version: 0 # Increment this number if you need to re-download cached gems
      - name: Setup Pages
        id: pages
-        uses: actions/configure-pages@v3
+        uses: actions/configure-pages@f156874f8191504dae5b037505266ed5dda6c382 # v3.0.6
        with:
          generator_config_file: docs/_config.yml
      - name: Build with Jekyll
@ -59,7 +59,7 @@ jobs:
        env:
          JEKYLL_ENV: production
      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v1
+        uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v2.0.0
        with:
          path: docs/_site

@ -76,4 +76,4 @@ jobs:
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
-        uses: actions/deploy-pages@v2
+        uses: actions/deploy-pages@9dbe3824824f8a1377b8e298bafde1a50ede43e5 # v2.0.4
--- a/.github/workflows/maven.yaml
+++ b/.github/workflows/maven.yaml
@ -18,10 +18,10 @@ jobs:
    permissions:
      packages: write
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          lfs: true
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
        with:
          distribution: 'temurin'
          java-version: '11'
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -29,12 +29,12 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@v3.5.3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@v2.2.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
@ -51,7 +51,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: SARIF file
          path: results.sarif
@ -59,6 +59,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v2.20.1
+        uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7
        with:
          sarif_file: results.sarif