diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 0a91213..b84f7eb 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -23,17 +23,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout scan target - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Checkout licenses - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: coveo/dependency-allowed-licenses path: coveo-dependency-allowed-licenses - name: Select configuration id: select-config - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: INPUTS: ${{ toJSON(inputs) }} with: @@ -53,7 +53,7 @@ jobs: core.setFailure(`Could not determine configuration for inputs: ${inputs}`) - name: Scan - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3 with: comment-summary-in-pr: ${{ inputs.comment-summary-in-pr }} fail-on-severity: high diff --git a/.github/workflows/java-maven-openjdk-codeql.yml b/.github/workflows/java-maven-openjdk-codeql.yml index 52d419d..206cf61 100644 --- a/.github/workflows/java-maven-openjdk-codeql.yml +++ b/.github/workflows/java-maven-openjdk-codeql.yml @@ -25,6 +25,9 @@ on: required: true type: number +permissions: + contents: read + jobs: analyze-java: name: Analyze Java 
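Review bot: dependency-review.yml is the one workflow in this commit that gets SHA pins but no `permissions:` block, and the Scan step's `comment-summary-in-pr: ${{ inputs.comment-summary-in-pr }}` needs `pull-requests: write` in addition to `contents: read` for actions/dependency-review-action to post its summary. The top of the file is outside both hunks, so a block may already exist; if it does not, add one on the job: `permissions:` / `contents: read` / `pull-requests: write`. If this is a reusable workflow (it reads `inputs`), the called side can only narrow the caller's token, so the caller must grant `pull-requests: write` as well. The enclosing job starts before this hunk.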
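Review bot: The new workflow-level `permissions: contents: read` resets every other scope to none, but the `github/codeql-action/analyze` step pinned in the `@@ -63,6 +66,6 @@` hunk of this file needs `security-events: write` to upload its results (and `actions: read` on private repositories), so the analysis will fail to upload unless the `analyze-java` job declares its own `permissions:` in the lines between this hunk and the next, which are outside the diff. If no job-level block exists, either extend this one to `permissions:` / `contents: read` / `security-events: write` or move it onto the job so the scope stays narrow. If the `on:` inputs mean this is a reusable workflow, the block here can only narrow what the caller passed, so the caller must grant `security-events: write` too.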
@@ -44,15 +47,15 @@ jobs: - run: echo "HOME=/root" >> $GITHUB_ENV - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 with: languages: java - name: Cache maven dependencies - uses: actions/cache@v4 + uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 with: path: ~/.m2 key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} @@ -63,6 +66,6 @@ jobs: run: mvn ${{ inputs.mvn-additional-arguments }} -T1C --also-make --batch-mode --strict-checksums --update-snapshots -Dmaven.gitcommitid.skip=true -DskipTests clean test-compile - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 with: category: "/language:java" diff --git a/.github/workflows/java-maven-openjdk-dependency-submission.yml b/.github/workflows/java-maven-openjdk-dependency-submission.yml index 5918a94..d7be74b 100644 --- a/.github/workflows/java-maven-openjdk-dependency-submission.yml +++ b/.github/workflows/java-maven-openjdk-dependency-submission.yml @@ -25,6 +25,9 @@ on: required: true type: number +permissions: + contents: read + jobs: submit-dependencies: name: Submit dependencies @@ -41,10 +44,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Cache maven dependencies - uses: actions/cache@v4 + uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 with: path: ~/.m2 key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 
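Review bot: The `permissions: contents: read` added at workflow level in this hunk conflicts with the `advanced-security/maven-dependency-submission-action` step pinned in the `@@ -52,7 +55,7 @@` hunk of the same file, which submits a dependency snapshot through the dependency submission API and requires `contents: write`; with a workflow-level `contents: read` the submission is rejected unless the `submit-dependencies` job sets its own `permissions:` in lines outside the diff. If no job-level block exists, put the write scope on that job only, `permissions:` / `contents: write`, rather than widening the workflow-level block. If this is a reusable workflow, the calling workflow must also grant `contents: write`, since the called side can only narrow the token.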
@@ -52,7 +55,7 @@ jobs: ${{ runner.os }}-maven- - name: Submit Dependency Snapshot - uses: advanced-security/maven-dependency-submission-action@v3 + uses: advanced-security/maven-dependency-submission-action@fcd7eab6b6d22946badc98d1e62665cdee93e0ae # v3.0.3 with: directory: ${{ inputs.directory }} maven-args: -Dscopes=compile,provided,runtime,system