From 369ef51ac0ed37e50c2085f267871facec8f6606 Mon Sep 17 00:00:00 2001 From: Ivan Valdes Date: Fri, 2 Aug 2024 10:48:45 -0700 Subject: [PATCH] github/workflows: pin dependency versions GitHub action dependencies weren't pointing to commit hashes. Pin them to improve the OpenSSF Scorecard Report score. Signed-off-by: Ivan Valdes --- .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/gh-workflow-approve.yaml | 2 +- .github/workflows/govuln.yaml | 4 ++-- .github/workflows/static-analysis.yaml | 8 ++++---- .github/workflows/test_amd64.yaml | 6 +++--- .github/workflows/test_template.yaml | 4 ++-- 6 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 92b0bd76..88ed462f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,11 +39,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -54,7 +54,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -68,4 +68,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 diff --git a/.github/workflows/gh-workflow-approve.yaml b/.github/workflows/gh-workflow-approve.yaml index e748f26b..8c905390 100644 --- a/.github/workflows/gh-workflow-approve.yaml +++ b/.github/workflows/gh-workflow-approve.yaml @@ -18,7 +18,7 @@ jobs: actions: write steps: - name: Update PR - uses: actions/github-script@v7.0.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 continue-on-error: true with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/govuln.yaml b/.github/workflows/govuln.yaml index d280c2c1..d2323df4 100644 --- a/.github/workflows/govuln.yaml +++ b/.github/workflows/govuln.yaml @@ -4,10 +4,10 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: goversion run: echo "goversion=$(cat .go-version)" >> "$GITHUB_OUTPUT" - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{ steps.goversion.outputs.goversion }} - run: date diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml index 787c9b6f..edf32e1f 100644 --- a/.github/workflows/static-analysis.yaml +++ b/.github/workflows/static-analysis.yaml @@ -4,18 +4,18 @@ jobs: run: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: goversion run: echo "goversion=$(cat .go-version)" >> "$GITHUB_OUTPUT" - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{ steps.goversion.outputs.goversion }} - name: golangci-lint - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 with: version: v1.55.2 - name: protoc - uses: arduino/setup-protoc@v1 + uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 with: version: '3.20.3' - run: make verify diff --git a/.github/workflows/test_amd64.yaml b/.github/workflows/test_amd64.yaml index 240e7b73..9d2780cc 100644 --- a/.github/workflows/test_amd64.yaml +++ b/.github/workflows/test_amd64.yaml @@ -17,10 +17,10 @@ jobs: - test-linux-386 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: goversion run: echo "goversion=$(cat .go-version)" >> "$GITHUB_OUTPUT" - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{ steps.goversion.outputs.goversion }} - - run: make test \ No newline at end of file + - run: make test diff --git a/.github/workflows/test_template.yaml b/.github/workflows/test_template.yaml index 99b9db01..0a12758a 100644 --- a/.github/workflows/test_template.yaml +++ b/.github/workflows/test_template.yaml @@ -20,10 +20,10 @@ jobs: matrix: target: ${{ fromJSON(inputs.targets) }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: goversion run: echo "goversion=$(cat .go-version)" >> "$GITHUB_OUTPUT" - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{ steps.goversion.outputs.goversion }} - env: