fix: pin github workflow actions to commit hash (#393)

opengovsg · Jan 9, 2025 · 594f0ba · 594f0ba · vercel · Jan 9, 2025
1 parent 46b77e1
commit 594f0ba
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml
@@ -29,12 +29,14 @@ jobs:
         if: env.CHROMATIC_PROJECT_TOKEN != ''
       - name: Load .env file
         if: env.CHROMATIC_PROJECT_TOKEN != ''
-        uses: xom9ikk/dotenv@v2
+        # xom9ikk/dotenv@v2, using commit hash to pin as tags may be updated in supply chain attack
+        uses: xom9ikk/dotenv@eff1dce037c4c0143cc4180a810511024c2560c0
         with:
           mode: test
       - name: Publish to Chromatic
         if: env.CHROMATIC_PROJECT_TOKEN != ''
-        uses: chromaui/action@latest
+        # chromaui/action@latest, using commit hash to pin to silence codeQL
+        uses: chromaui/action@012a0241a4df3f0f831c99f02e2085c9641a25ba
         with:
           projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
           onlyChanged: true

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -48,7 +48,8 @@ jobs:
           DD_SERVICE_NAME: ${{ secrets.DD_SERVICE_NAME }}
           DD_API_KEY: ${{ secrets.DD_API_KEY }}
         if: env.DD_SERVICE_NAME != '' && env.DD_API_KEY != ''
-        uses: datadog/test-visibility-github-action@v2
+        # datadog/[email protected], using commit hash to pin to silence codeQL
+        uses: datadog/test-visibility-github-action@fd12a97414bee507eff1270d8ac3286313e3797e
         with:
           languages: js
           service: ${{ secrets.DD_SERVICE_NAME }}
@@ -71,7 +72,8 @@ jobs:
       - name: Install Playwright (Chromium)
         run: npx playwright install chromium
       - name: Load .env file
-        uses: xom9ikk/dotenv@v2
+        # xom9ikk/dotenv@v2, using commit hash to pin as tags may be updated in supply chain attack
+        uses: xom9ikk/dotenv@eff1dce037c4c0143cc4180a810511024c2560c0
         with:
           mode: test
       - name: Next.js cache
@@ -98,7 +100,8 @@ jobs:
           DD_SERVICE_NAME: ${{ secrets.DD_SERVICE_NAME }}
           DD_API_KEY: ${{ secrets.DD_API_KEY }}
         if: env.DD_SERVICE_NAME != '' && env.DD_API_KEY != ''
-        uses: datadog/test-visibility-github-action@v2
+        # datadog/[email protected], using commit hash to pin to silence codeQL
+        uses: datadog/test-visibility-github-action@fd12a97414bee507eff1270d8ac3286313e3797e
         with:
           languages: js
           service: ${{ secrets.DD_SERVICE_NAME }}