From daff3a2826ce571d3452fc89d043947c370d36c9 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 13 Oct 2022 23:13:06 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/release-draft.yml | 2 +-
 .github/workflows/release-tag.yml | 2 +-
 .github/workflows/test.yml | 10 +++++-----
 .github/workflows/update-syft-release.yml | 6 +++---
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/release-draft.yml b/.github/workflows/release-draft.yml
index 09aa893d..62335820 100644
--- a/.github/workflows/release-draft.yml
+++ b/.github/workflows/release-draft.yml
@@ -10,6 +10,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Draft release notes
- uses: release-drafter/release-drafter@v5
+ uses: release-drafter/release-drafter@df69d584deac33d8569990cb6413f82447181076
 env:
 GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index ee1f5a84..15484a6d 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -8,7 +8,7 @@ jobs:
 actions-tagger:
 runs-on: ubuntu-latest
 steps:
- - uses: Actions-R-Us/actions-tagger@v2
+ - uses: Actions-R-Us/actions-tagger@f411bd910a5ad370d4511517e3eac7ff887c90ea
 env:
 GITHUB_TOKEN: ${{ github.token }}
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3c92ffcf..c1c0248c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
 build: # make sure build/ci work properly and there is no faked build ncc built scripts
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - run: npm ci
 - run: npm audit --production
 - run: npm run package
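Review bot: Each pinned SHA is left without the conventional trailing version comment, so a reader can no longer tell which release `uses: release-drafter/release-drafter@df69d584deac33d8569990cb6413f82447181076` corresponds to, and Dependabot/Renovate will not offer updates for a bare SHA; the same applies to every `uses:` line changed in release-tag.yml, test.yml and update-syft-release.yml. Append the tag the SHA was resolved from, e.g. `uses: release-drafter/release-drafter@df69d584deac33d8569990cb6413f82447181076 # v5` (ideally the exact tag rather than the major alias), so the pin stays auditable and auto-updatable. The enclosing workflow begins outside the hunk, so I cannot see whether it declares a top-level `permissions:` block; if it does not, adding a least-privilege one would complement the SHA pinning, since `GITHUB_TOKEN: ${{ github.token }}` otherwise carries the repository's default token scope.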
@@ -31,12 +31,12 @@ jobs:
 os: [ubuntu-latest, windows-latest]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: Vampire/setup-wsl@v1
+ - uses: Vampire/setup-wsl@4304e1b2e7cefe12eeea8346114dac27ae5cbcc1
 if: ${{ matrix.os == 'windows-latest' }}
 with:
 distribution: Alpine
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 with:
 path: ./
@@ -66,7 +66,7 @@ jobs:
 ports:
 - 5000:5000
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: Build images
 run: |
 for distro in alpine centos debian; do
@@ -79,7 +79,7 @@ jobs:
 test-as-action: # make sure the action works on a clean machine without building
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 with:
 path: ./
diff --git a/.github/workflows/update-syft-release.yml b/.github/workflows/update-syft-release.yml
index ea125dc2..63172bbd 100644
--- a/.github/workflows/update-syft-release.yml
+++ b/.github/workflows/update-syft-release.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 if: github.repository == 'anchore/sbom-action'
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - run: |
 LATEST_VERSION=$(curl "https://api.github.com/repos/anchore/syft/releases/latest" 2>/dev/null | jq -r '.tag_name')
 echo "export const VERSION = \"$LATEST_VERSION\";" > src/SyftVersion.ts
@@ -21,12 +21,12 @@ jobs:
 # export the version for use with create-pull-request:
 echo "::set-output name=LATEST_VERSION::$LATEST_VERSION"
 id: latest-version
- - uses: tibdex/github-app-token@v1
+ - uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06
 id: generate-token
 with:
 app_id: ${{ secrets.TOKEN_APP_ID }}
 private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
- - uses: peter-evans/create-pull-request@v4
+ - uses: peter-evans/create-pull-request@671dc9c9e0c2d73f07fa45a3eb0220e1622f0c5f
 with:
 signoff: true
 delete-branch: true