[StepSecurity] Apply security best practices (#12)

Signed-off-by: StepSecurity Bot <[email protected]>
NixOS · Dec 15, 2023 · 6a724f5 · 6a724f5
1 parent 8f6dd55
commit 6a724f5
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 14 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,9 +17,9 @@ jobs:
           - labels: [self-hosted, linux, ARM64]
             system: aarch64-linux
     steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@v7
-      - uses: DeterminateSystems/magic-nix-cache-action@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: DeterminateSystems/nix-installer-action@5620eb4af6b562c53e4d4628c0b6e4f9d9ae8612 # v7
+      - uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2
         if: ${{ matrix.runs-on.system != 'aarch64-linux' }}
         #TODO: aarch64-linux build is crashing the runner
       - run: nix build .#amazonImage -L --system ${{ matrix.runs-on.system }}

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -9,10 +9,10 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@v7
-      - uses: DeterminateSystems/magic-nix-cache-action@v2
-      - uses: aws-actions/configure-aws-credentials@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: DeterminateSystems/nix-installer-action@5620eb4af6b562c53e4d4628c0b6e4f9d9ae8612 # v7
+      - uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2
+      - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: arn:aws:iam::686862074153:role/deploy 
           aws-region: eu-central-1

diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
@@ -9,6 +9,6 @@ jobs:
   update-flake-lock:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@v6
-      - uses: DeterminateSystems/update-flake-lock@v19
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: DeterminateSystems/nix-installer-action@bc7b19257469c8029b46f45ac99ecc11156c8b2d # v6
+      - uses: DeterminateSystems/update-flake-lock@dec3bc3c9b11c3b9d547f47dfb579b91a6051603 # v19
diff --git a/.github/workflows/upload-ami.yml b/.github/workflows/upload-ami.yml
@@ -16,14 +16,14 @@ jobs:
           - x86_64-linux
           - aarch64-linux
     steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@v7
-      - uses: DeterminateSystems/magic-nix-cache-action@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: DeterminateSystems/nix-installer-action@5620eb4af6b562c53e4d4628c0b6e4f9d9ae8612 # v7
+      - uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2
       - name: Download AMI from Hydra
         run: |
           out=$(curl --location --silent --header 'Accept: application/json' https://hydra.nixos.org/job/nixos/release-23.11/nixos.amazonImage.${{ matrix.system }}/latest-finished  | jq --raw-output '.buildoutputs.out.path')
           nix-store --realise $out --add-root ./result
-      - uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: arn:aws:iam::686862074153:role/upload-ami
           aws-region: eu-central-1