Merge pull request #17477 from step-security-bot/stepsecurity_remedia…

…tion_1685518035 [StepSecurity] Apply security best practices
eclipse-openj9 · May 31, 2023 · ff98e55 · ff98e55
2 parents b58a15e + 075b2f7
commit ff98e55
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 19 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /buildenv/docker/aarch64-linux_CC
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /buildenv/docker/armhf-linux_CC
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /buildenv/docker/test
+    schedule:
+      interval: daily
diff --git a/.github/workflows/autoTestPR.yml b/.github/workflows/autoTestPR.yml
@@ -30,7 +30,7 @@ jobs:
     if: startsWith(github.event.comment.body, 'auto exclude test')
     steps:
       - name: Set up Python 3.8
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # v2.3.3
         with:
           python-version: 3.8
       - name: check python version
@@ -40,11 +40,11 @@ jobs:
         run: |
           pip install lxml
       - name: checkout current repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
         with:
           path: 'tests'
       - name: checkout TKG repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
         with:
           repository: 'adoptium/TKG.git'
           ref: 'master'
@@ -60,7 +60,7 @@ jobs:
         run: |
           curl -u github-actions:${{ secrets.GITHUB_TOKEN }} -d '{ "body":  "The specified test cannot be excluded. Action run: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}" }' -X POST ${{ github.event.issue.comments_url }}
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3.14.0
         with:
           path: 'tests'
           title: '${{ github.event.comment.body }}'

diff --git a/.github/workflows/presubmit.yml b/.github/workflows/presubmit.yml
@@ -41,7 +41,7 @@ jobs:
   Linter:
     runs-on: ubuntu-16.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
     - name: install dependencies
       run: |
         sudo apt-get update -y && \

diff --git a/.github/workflows/runAqa.yml b/.github/workflows/runAqa.yml
@@ -41,12 +41,12 @@ jobs:
       id: workflow_run_info
     # Checkout current repo to access the repo-specific config file `.github/workflows/runAqaConfig.json`
     - name: Checkout current repo
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       with:
         path: 'main'
     # Checkout the main TKG repo to access the shared script `scripts/testRepo/runAqaArgParse.py`
     - name: Checkout main TKG repo
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       with:
         repository: 'adoptium/TKG.git'
         ref: 'master'
@@ -69,7 +69,7 @@ jobs:
       id: output_log
     - name: Create error comment
       if: failure()
-      uses: actions/github-script@v3
+      uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3.2.0
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
         script: |
@@ -91,7 +91,7 @@ jobs:
       run: echo ::set-output name=failed::true
       id: failure_report
     - name: Create success comment
-      uses: actions/github-script@v3
+      uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3.2.0
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
         script: |
@@ -127,14 +127,14 @@ jobs:
       fail-fast: false
       matrix: ${{ fromJson(needs.parseComment.outputs.build_parameters) }}
     steps:
-    - uses: AdoptOpenJDK/install-jdk@v1
+    - uses: AdoptOpenJDK/install-jdk@2f15d3f82051aa50984186fc1184467d0d9f87d0 # v1.1.1
       if: matrix.sdk_resource != 'customized'
       with:
         version: ${{ matrix.jdk_version }}
         source: ${{ matrix.sdk_resource }}
         sourceType: 'buildType'
         impl: ${{ matrix.jdk_impl }}
-    - uses: AdoptOpenJDK/install-jdk@v1
+    - uses: AdoptOpenJDK/install-jdk@2f15d3f82051aa50984186fc1184467d0d9f87d0 # v1.1.1
       if: matrix.sdk_resource == 'customized'
       with:
         version: ${{ matrix.jdk_version }}
@@ -143,7 +143,7 @@ jobs:
         sourceType: 'url'
         impl: ${{ matrix.jdk_impl }}
     # get-pr step by @Simran-B https://github.com/actions/checkout/issues/331#issuecomment-707103442
-    - uses: actions/github-script@v3
+    - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3.2.0
       id: get-pr
       with:
         script: |
@@ -160,7 +160,7 @@ jobs:
             core.setFailed(`Request failed with error ${err}`)
           }
     - name: AQA
-      uses: adoptium/run-aqa@v1
+      uses: adoptium/run-aqa@6fd68688345b96eedd83b69131559f5e965af289 # v1.0.8
       with:
          build_list: ${{ matrix.build_list }}
          target: ${{ matrix.target }}
@@ -169,7 +169,7 @@ jobs:
          openj9_repo: '${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }}:${{ fromJSON(steps.get-pr.outputs.result).head.ref }}'
          openjdk_testRepo: ${{ matrix.openjdk_testrepo }}
          tkg_Repo: ${{ matrix.tkg_repo }}
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
       if: failure()
       with:
         name: test_output
@@ -181,7 +181,7 @@ jobs:
     if: failure() && !needs.parseComment.outputs.failed
     steps:
     - name: Create comment
-      uses: actions/github-script@v3
+      uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3.2.0
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
         script: |
@@ -202,7 +202,7 @@ jobs:
     if: cancelled()
     steps:
     - name: Create comment
-      uses: actions/github-script@v3
+      uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3.2.0
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
         script: |
@@ -223,7 +223,7 @@ jobs:
     if: success()
     steps:
     - name: Create comment
-      uses: actions/github-script@v3
+      uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3.2.0
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
         script: |

diff --git a/buildenv/docker/aarch64-linux_CC/Dockerfile b/buildenv/docker/aarch64-linux_CC/Dockerfile
@@ -22,7 +22,7 @@
 #   docker build -t=openj9aarch64 .
 #   docker run -it openj9aarch64
 
-FROM ubuntu:16.04
+FROM ubuntu:16.04@sha256:1f1a2d56de1d604801a9671f301190704c25d604a416f59e03c04f5c6ffee0d6
 
 # Define default user name
 ARG user=jenkins

diff --git a/buildenv/docker/armhf-linux_CC/Dockerfile b/buildenv/docker/armhf-linux_CC/Dockerfile
@@ -18,7 +18,7 @@
 #
 # SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0 OR GPL-2.0-only WITH OpenJDK-assembly-exception-1.0
 
-FROM ubuntu:16.04
+FROM ubuntu:16.04@sha256:1f1a2d56de1d604801a9671f301190704c25d604a416f59e03c04f5c6ffee0d6
 
 # Define default user name
 ARG user=jenkins