Skip to content

⬆️ (dependencies): Update zgosalvez/github-actions-ensure-sha-pinned-actions action to v3.0.10 #424

⬆️ (dependencies): Update zgosalvez/github-actions-ensure-sha-pinned-actions action to v3.0.10

⬆️ (dependencies): Update zgosalvez/github-actions-ensure-sha-pinned-actions action to v3.0.10 #424

# Copyright 2024
#
# Everyone is permitted to copy, distribute, modify, merge, sell, publish,
# sublicense or whatever the fuck they want with this software but at their
# OWN RISK.
# The author has absolutely no fucking clue what the code in this project
# does. It might just fucking work or not, there is no third option.
#
# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
# DEALINGS IN THE SOFTWARE.
---
name: 🔒️ Security hardening (Github Actions workflows)
on:
merge_group: {}
pull_request:
types: [opened, synchronize]
paths: [.github/workflows/**]
permissions: {}
jobs:
ci_harden_security:
name: 🔒️ Github Action security hardening
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: ⬇️ Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: 📄 Lint Github Actions
run: |
curl -O https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json
echo "::add-matcher::actionlint-matcher.json"
bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
./actionlint -color
- name: ✅ Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b88cd0aad2c36a63e42c71f81cb1958fed95ac87 # v3.0.10