
Merge pull request #2686 from Abdullah-Benomar-Shahen/feature-2665-pi…
…n-github-actions-to-commit

Security: pinned 3rd party GitHub actions to commit hash instead of version tag #2665
sven-dmlr committed Nov 22, 2023
2 parents edf3d37 + 90625ac commit caae24b
Showing 9 changed files with 96 additions and 96 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/_build+publish-pds-solution.yml
Expand Up @@ -37,10 +37,10 @@ jobs:
echo "pds-version '${{ inputs.pds-version }}'"
- name: Checkout git repository
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

- name: Docker login to ghcr.io
uses: docker/login-action@v3
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
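Review bot: The pinned `uses:` lines carry no record of which release each hash corresponds to, starting with `actions/checkout` and `docker/login-action` in this section and repeated on every pinned line in the other workflow files of this commit. Without that record a reader cannot tell from the file whether a hash is the release previously referenced by tag, and a later update has nothing to compare against. A trailing comment fixes this, e.g. `uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # <release tag>`. Where the old reference was an exact tag (`actions/cache@v3.3.2`, `peter-evans/create-pull-request@v5.0.2`), that tag can be used once the hash is confirmed to match it. The context of this section is collapsed, so the rest of the login step is not visible here.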
16 changes: 8 additions & 8 deletions .github/workflows/documentation-build.yml
Expand Up @@ -31,28 +31,28 @@ jobs:
fi
- name: Git checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-tags: true
fetch-depth: 0

- name: Set up JDK 17
uses: actions/setup-java@v3
uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0
with:
java-version: 17
distribution: temurin

- name: Set up Gradle
uses: gradle/gradle-build-action@v2
uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a
with:
cache-read-only: false

- name: Set up Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
with:
go-version: 1.20.4

- uses: actions/cache@v3.3.2
- uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84
with:
path: |
~/.cache/go-build
Expand All @@ -74,14 +74,14 @@ jobs:
# Upload documentation
# -----------------------------------------
- name: Archive documentation HTML
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: sechub-docs-html
path: sechub-doc/build/docs/final-html/
retention-days: 14

- name: Archive documentation PDF
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: sechub-docs-pdf
path: sechub-doc/build/docs/asciidoc/*.pdf
Expand All @@ -105,7 +105,7 @@ jobs:
- name: Update documentation - Create pull request
if: (inputs.publish-documentation != '') && (github.ref_name == env.ACTIONS_SECHUB_DOC_RELEASE_BRANCH)
id: pr_release_documentation
uses: peter-evans/create-pull-request@v5.0.2
uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38
with:
branch: release-documentation
branch-suffix: short-commit-hash
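Review bot: Nothing visible in the commit records how the hashes for the third-party actions in this file (`gradle/gradle-build-action`, `peter-evans/create-pull-request`) were obtained or verified. A full-length SHA is only as trustworthy as its origin: GitHub's hardening guidance asks that the commit be confirmed to belong to the action's own repository and not to a fork of it. I would note in the pull-request description that each hash was checked against the upstream release tag it replaces. The `create-pull-request` step deserves the most care, since it presumably runs with a token that can push branches; its `with:` block continues past the visible part of the section.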
4 changes: 2 additions & 2 deletions .github/workflows/github-action-scan.yml
Expand Up @@ -11,12 +11,12 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

- name: Use Node.js
# We do not define a dedicated node version here, we just use the default environment
# which should be the default environment for the github actions runtime as well
uses: actions/setup-node@v3
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65

- name: Clean install
run: npm ci
24 changes: 12 additions & 12 deletions .github/workflows/gradle.yml
Expand Up @@ -19,25 +19,25 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

- name: Set up JDK 17
uses: actions/setup-java@v3
uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0
with:
java-version: 17
distribution: temurin

- name: Set up Gradle
uses: gradle/gradle-build-action@v2
uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a
with:
cache-read-only: false

- name: Set up Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
with:
go-version: 1.20.4

- uses: actions/cache@v3.3.2
- uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84
with:
path: |
~/.cache/go-build
Expand Down Expand Up @@ -72,45 +72,45 @@ jobs:
# -----------------------------------------
- name: Archive combined test report
if: always()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: combined-sechub-testreport
path: build/reports/combined-report
retention-days: 14

- name: Archive sechub server artifacts
if: always()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: sechub-server
path: sechub-server/build/libs
retention-days: 14

- name: Archive pds server artifacts
if: always()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: sechub-pds
path: sechub-pds/build/libs

- name: Archive pds tools artifacts
if: always()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: sechub-pds-tools
path: sechub-pds-tools/build/libs

- name: Archive developer tools artifacts
if: always()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: sechub-developertools
path: sechub-developertools/build/libs
retention-days: 14

- name: Archive sechub client artifacts
if: always()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: sechub-client
path: sechub-cli/build/go
Expand All @@ -125,7 +125,7 @@ jobs:
retention-days: 14

- name: Archive openAPI3 JSON files
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: sechub-api-spec
path: sechub-doc/build/api-spec/
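Review bot: With every action in this workflow fixed to a commit, upstream security fixes no longer arrive on their own, and the visible part of the commit adds no mechanism to move the pins forward. Only five of the nine changed files are shown on this page, so this may already be covered elsewhere. If it is not, a Dependabot entry with `package-ecosystem: "github-actions"` and `directory: "/"` would propose hash updates as reviewable pull requests instead of leaving the pins to go stale.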
12 changes: 6 additions & 6 deletions .github/workflows/publish-libraries.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout master
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
ref: master
# Create temporary local tags, so we build documentation for this tag...
Expand All @@ -28,13 +28,13 @@ jobs:

# Build
- name: Set up JDK 17
uses: actions/setup-java@v3
uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0
with:
java-version: 17
distribution: temurin

- name: Set up Gradle
uses: gradle/gradle-build-action@v2
uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a
with:
cache-read-only: false

Expand All @@ -55,14 +55,14 @@ jobs:
# -----------------------------------------
- name: Archive combined test report
if: always()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: combined-sechub-testreport
path: build/reports/combined-report
retention-days: 14
- name: Archive GIT status
if: always()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: git-status.txt
path: build/reports/git-status.txt
Expand All @@ -88,7 +88,7 @@ jobs:
# Create release
- name: Create libraries release
id: create_libraries_release
uses: actions/create-release@v1
uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
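Review bot: `actions/create-release` is pinned in the "Create libraries release" step, but as far as I know the upstream repository is archived and no longer receives fixes, so the pin freezes an unmaintained action that is handed `GITHUB_TOKEN`. Pinning is still an improvement over the floating `v1` tag. I would add a comment such as `# upstream archived - replace with a maintained release step` above the `uses:` line and track the replacement as a follow-up. The step's `with:` block continues outside the visible part of the section.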