From f017057a76b946683971e950e54b1616753ca541 Mon Sep 17 00:00:00 2001
From: Bartlomiej Flis
Date: Fri, 30 Jan 2026 22:11:49 +0100
Subject: [PATCH] fix: pin GitHub Actions to full SHA hashes
---
 .github/workflows/codeql.yml | 6 +++---
 .github/workflows/pr-title.yml | 2 +-
 .github/workflows/release.yml | 10 +++++-----
 .github/workflows/run_tests.yml | 20 ++++++++++----------
 .github/workflows/scorecard.yml | 6 +++---
 5 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 96aff16..4aef82a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -16,8 +16,8 @@ jobs:
 analyze:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: github/codeql-action/init@v3
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: github/codeql-action/init@2b983b380ce715a6c836c917154509c332c19b3a # v3
 with:
 languages: python
- - uses: github/codeql-action/analyze@v3
+ - uses: github/codeql-action/analyze@2b983b380ce715a6c836c917154509c332c19b3a # v3
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 57ec256..1e7a171 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -8,6 +8,6 @@ jobs:
 validate:
 runs-on: ubuntu-latest
 steps:
- - uses: amannn/action-semantic-pull-request@v6
+ - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 28d5ede..c4d9a03 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
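Review bot: The version comment on the new `github/codeql-action/init` and `github/codeql-action/analyze` pins records only the major line, `# v3`, while the SHA fixes one exact release; that comment is what reviewers and update tooling (Dependabot, Renovate) read to recognise and bump a SHA pin, so it should name the full tag the SHA was resolved from, e.g. `- uses: github/codeql-action/init@2b983b380ce715a6c836c917154509c332c19b3a # v3.<EXACT-MINOR.PATCH — fill in from the upstream tag>`. The same `# v3` comment is used on the `upload-sarif` pins in the run_tests.yml `@@ -40,20` hunk and in the scorecard.yml hunk. Nothing on the page lets me confirm that each SHA is the commit the named tag pointed to when it was resolved; that tag-to-commit check is what makes a SHA pin worth more than the tag it replaces, so it is worth stating in the commit message how the SHAs were obtained.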
@@ -14,7 +14,7 @@ jobs:
 release_created: ${{ steps.release.outputs.release_created }}
 tag_name: ${{ steps.release.outputs.tag_name }}
 steps:
- - uses: googleapis/release-please-action@v4
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
 id: release
 with:
 release-type: python
@@ -28,22 +28,22 @@ jobs:
 id-token: write
 attestations: write
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Generate SBOM
- uses: anchore/sbom-action@v0
+ uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
 with:
 format: spdx-json
 output-file: perfectframeai-${{ needs.release-please.outputs.tag_name }}.spdx.json
 - name: Attest SBOM
- uses: actions/attest-sbom@v3
+ uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
 with:
 subject-path: perfectframeai-${{ needs.release-please.outputs.tag_name }}.spdx.json
 sbom-path: perfectframeai-${{ needs.release-please.outputs.tag_name }}.spdx.json
 - name: Upload SBOM to release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
 with:
 tag_name: ${{ needs.release-please.outputs.tag_name }}
 files: perfectframeai-${{ needs.release-please.outputs.tag_name }}.spdx.json
diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
index c2ed9dc..6f358a3 100644
--- a/.github/workflows/run_tests.yml
+++ b/.github/workflows/run_tests.yml
@@ -10,11 +10,11 @@ jobs:
 pre-commit:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.13'
- - uses: pre-commit/action@v3.0.1
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 env:
 SKIP: pytest
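Review bot: In the release.yml `@@ -28,22` hunk the SHA pins on `anchore/sbom-action`, `actions/attest-sbom` and `softprops/action-gh-release` sit in the job that holds `id-token: write` and `attestations: write`, and the patch shows no mechanism that will re-resolve these SHAs when upstream ships a fix; a pinned action that is never bumped stays on a known-vulnerable commit, which is the usual cost of moving off floating tags. If a `.github/dependabot.yml` entry for the `github-actions` package ecosystem (or an equivalent Renovate rule) is not already present, it belongs with this change so the `# v0.22.1` / `# v3.0.0` / `# v2.5.0` comments are kept in step with the SHAs instead of drifting. I cannot see that configuration from this patch, so it may already exist. The enclosing job's `permissions:` block begins before the hunk.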
@@ -22,12 +22,12 @@ jobs:
 needs: pre-commit
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: astral-sh/setup-uv@v7
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
 - name: Run tests with coverage
 run: uv run --group test pytest --cov=perfectframe --cov-report=xml --cov-fail-under=100
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@0561704f0f02c16a585d4c7555e57fa2e44cf909 # v5.5.2
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./coverage.xml
@@ -40,20 +40,20 @@ jobs:
 contents: read
 security-events: write
 steps:
- - uses: actions/checkout@v6
- - uses: astral-sh/setup-uv@v7
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
 - name: Build Docker image
 run: docker compose build
 - name: Run Docker E2E tests
 run: uv run --group test pytest tests/e2e/docker_*.py -v --timeout=600
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.33.1
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
 with:
 image-ref: 'perfectframeai-perfectframe:latest'
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
 - name: Upload Trivy scan results
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@2b983b380ce715a6c836c917154509c332c19b3a # v3
 with:
 sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 7598736..1e54da5 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -19,18 +19,18 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - name: Run Scorecard analysis
- uses: ossf/scorecard-action@v2.4.3
+ uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
 with:
 results_file: results.sarif
 results_format: sarif
 publish_results: true
 - name: Upload SARIF results
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@2b983b380ce715a6c836c917154509c332c19b3a # v3
 with:
 sarif_file: results.sarif