From 74bcae0fdd4618b91a8f333136bdf714cbc24dcf Mon Sep 17 00:00:00 2001
From: "Charlotte St. John" <cstjohn@twilio.com>
Date: Thu, 25 Jun 2026 18:26:39 -0500
Subject: [PATCH] ci: migrate runs-on to Twilio runner labels + SHA-pin actions

---
 .github/workflows/ci.yml                | 18 +++++++++---------
 .github/workflows/create-jira.yml       |  8 ++++----
 .github/workflows/e2e-browser-tests.yml | 10 +++++-----
 .github/workflows/e2e-tests.yml         | 10 +++++-----
 .github/workflows/md-link-check.yml     |  6 +++---
 .github/workflows/publish-e2e-cli.yml   | 10 +++++-----
 .github/workflows/release-creator.yml   |  8 ++++----
 7 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0499b8c7d..c35658cdb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,19 +7,19 @@ env:
 jobs:
   analytics-node:
     name: 'analytics-node QA (Node.js v${{ matrix.node-version }})'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     strategy:
       matrix:
         node-version: [20]
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v3
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610  # v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'yarn'
       - run: yarn install --immutable
       - name: Turbo cache
-        uses: actions/cache@v3
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c  # v3
         with:
           path: node_modules/.cache/turbo
           key: ${{ runner.os }}-turbo-${{ github.sha }}
@@ -28,7 +28,7 @@ jobs:
       - run: yarn turbo run --filter='./packages/node*' lint
       - run: COVERAGE=true yarn turbo run --filter='./packages/node*' test
       - run: yarn turbo run --filter='./packages/node-integration-tests' test:perf-and-durability
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@0fb7174895f61a3b6b78fc075e0cd60383518dac  # v5
         with:
           fail_ci_if_error: true
           flags: node
@@ -36,19 +36,19 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
   analytics-node-cf-workers:
     name: 'analytics-node QA (Cloudflare Workers)'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     strategy:
       matrix:
         node-version: [20]
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v3
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610  # v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'yarn'
       - run: yarn install --immutable
       - name: Turbo cache
-        uses: actions/cache@v3
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c  # v3
         with:
           path: node_modules/.cache/turbo
           key: ${{ runner.os }}-turbo-${{ github.sha }}
diff --git a/.github/workflows/create-jira.yml b/.github/workflows/create-jira.yml
index 0b4fa66db..395d10e9f 100644
--- a/.github/workflows/create-jira.yml
+++ b/.github/workflows/create-jira.yml
@@ -8,20 +8,20 @@ on:
 jobs:
   create_jira:
     name: Create Jira Ticket
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     environment: IssueTracker
     steps:
       - name: Checkout
-        uses: actions/checkout@master
+        uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089  # master
       - name: Login
-        uses: atlassian/gajira-login@master
+        uses: atlassian/gajira-login@c22a5debd482401472b285de4f6deedf70ddbb92  # master
         env:
           JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
           JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
           JIRA_API_TOKEN: ${{ secrets.JIRA_TOKEN }}
       - name: Create
         id: create
-        uses: atlassian/gajira-create@master
+        uses: atlassian/gajira-create@1c54357fdde9dab6273a0e26d67cb175ffffe498  # master
         with:
           project: ${{ secrets.JIRA_PROJECT }}
           issuetype: Bug
diff --git a/.github/workflows/e2e-browser-tests.yml b/.github/workflows/e2e-browser-tests.yml
index 37bb480e9..7c7840e68 100644
--- a/.github/workflows/e2e-browser-tests.yml
+++ b/.github/workflows/e2e-browser-tests.yml
@@ -18,7 +18,7 @@ on:
 
 jobs:
   e2e-tests:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     strategy:
       matrix:
         mode:
@@ -31,19 +31,19 @@ jobs:
 
     steps:
       - name: Checkout SDK
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           path: sdk
 
       - name: Checkout sdk-e2e-tests
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           repository: segmentio/sdk-e2e-tests
           token: ${{ secrets.E2E_TESTS_TOKEN }}
           path: sdk-e2e-tests
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4
         with:
           node-version: '20'
 
@@ -77,7 +77,7 @@ jobs:
 
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
         with:
           name: e2e-test-results-browser-${{ matrix.mode.name }}
           path: sdk-e2e-tests/test-results/
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 6ae893390..89467ad22 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -24,16 +24,16 @@ jobs:
   e2e-tests:
     # Skip on fork PRs where repo secrets aren't available
     if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
 
     steps:
       - name: Checkout SDK
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           path: sdk
 
       - name: Checkout sdk-e2e-tests
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           repository: segmentio/sdk-e2e-tests
           ref: ${{ inputs.e2e_tests_ref || 'main' }}
@@ -41,7 +41,7 @@ jobs:
           path: sdk-e2e-tests
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4
         with:
           node-version: '20'
 
@@ -68,7 +68,7 @@ jobs:
 
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
         with:
           name: e2e-test-results
           path: sdk-e2e-tests/test-results/
diff --git a/.github/workflows/md-link-check.yml b/.github/workflows/md-link-check.yml
index 22bb035c0..be3361350 100644
--- a/.github/workflows/md-link-check.yml
+++ b/.github/workflows/md-link-check.yml
@@ -6,10 +6,10 @@ on:
 jobs:
   check-links:
     name: Check Markdown Links
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@master
-      - uses: gaurav-nelson/github-action-markdown-link-check@v1
+      - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089  # master
+      - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368  # v1
         with:
           use-quiet-mode: "yes"
           use-verbose-mode: "yes"
diff --git a/.github/workflows/publish-e2e-cli.yml b/.github/workflows/publish-e2e-cli.yml
index deb7623d2..ef4ea2564 100644
--- a/.github/workflows/publish-e2e-cli.yml
+++ b/.github/workflows/publish-e2e-cli.yml
@@ -20,13 +20,13 @@ on:
 
 jobs:
   publish:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
       - name: Checkout SDK
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4
         with:
           node-version: '20'
 
@@ -61,14 +61,14 @@ jobs:
           cp packages/browser/e2e-cli/package.json artifacts/analytics-next-browser/
 
       - name: Upload node CLI artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
         with:
           name: e2e-cli-node
           path: artifacts/analytics-next-node/
           retention-days: 90
 
       - name: Upload browser CLI artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
         with:
           name: e2e-cli-browser
           path: artifacts/analytics-next-browser/
diff --git a/.github/workflows/release-creator.yml b/.github/workflows/release-creator.yml
index 69d10066a..8def76a10 100644
--- a/.github/workflows/release-creator.yml
+++ b/.github/workflows/release-creator.yml
@@ -13,16 +13,16 @@ concurrency: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   release-pr:
     name: Create or Update Release PR
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v3
         with:
           # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
           fetch-depth: 0
 
       - name: Setup Node.js 20.x
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610  # v3
         with:
           node-version: 20.x
           cache: "yarn"
@@ -32,7 +32,7 @@ jobs:
 
       - name: Create or Update Release PR
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@a45c4d594aa4e2c509dc14a9f2b3b67ba3780d0d  # v1
         with:
           version: yarn update-versions-and-changelogs
         env: