From e858cb9646ef1a857d64da82e6aa1b8590cb7c89 Mon Sep 17 00:00:00 2001
From: Sagent <sage@cabillot.eu>
Date: Mon, 8 Jun 2026 16:25:59 +0000
Subject: [PATCH] fix: pin actions to SHA and use Gitea-compatible artifact
 actions

- Pin all actions to commit SHAs for supply chain security
- Replace actions/upload-artifact@v4 with ChristopherHX/gitea-upload-artifact
- Replace actions/download-artifact@v4 with ChristopherHX/gitea-download-artifact
- These forks work on Gitea Actions (GHES-compatible)
---
 .gitea/workflows/docker-build.yaml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.gitea/workflows/docker-build.yaml b/.gitea/workflows/docker-build.yaml
index e4edc04..c7fe0fb 100644
--- a/.gitea/workflows/docker-build.yaml
+++ b/.gitea/workflows/docker-build.yaml
@@ -13,10 +13,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
 
       - name: Hadolint
-        uses: hadolint/hadolint-action@v3.1.0
+        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf  # v3.1.0
         with:
           dockerfile: Dockerfile
 
@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
 
       - name: Build image
         run: docker build -t ci-image:${{ github.sha }} .
@@ -33,7 +33,7 @@ jobs:
         run: docker save -o image.tar ci-image:${{ github.sha }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: https://github.com/ChristopherHX/gitea-upload-artifact@62ac910c5d3dfa85c7cb2df15afe2e342b2407c2  # main
         with:
           name: docker-image
           path: image.tar
@@ -44,10 +44,10 @@ jobs:
     needs: [lint, build]
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
 
       - name: Download artifact
-        uses: actions/download-artifact@v4
+        uses: https://github.com/ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7  # main
         with:
           name: docker-image
 
@@ -63,7 +63,7 @@ jobs:
     if: github.event_name != 'pull_request'
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@v4
+        uses: https://github.com/ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7  # main
         with:
           name: docker-image
 
@@ -71,7 +71,7 @@ jobs:
         run: docker load < image.tar
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee  # v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}