author | Topi Miettinen <toiwoton@gmail.com> | 2021-12-13 14:41:24 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2021-12-26 21:52:05 +0000 |
commit | 4bac5c6d716fcaf2542361e5fb56a4e39586b376 (patch) | |
tree | 38331c4d90f0c1343f6e81b99fbd89317959bf14 | |
parent | Fix a typo (diff) | |
download | firejail-4bac5c6d716fcaf2542361e5fb56a4e39586b376.tar.gz firejail-4bac5c6d716fcaf2542361e5fb56a4e39586b376.tar.zst firejail-4bac5c6d716fcaf2542361e5fb56a4e39586b376.zip |
CI: pin GitHub actions to SHAs
Pinning actions to SHAs instead of versions improves the supply chain
security:
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
-rw-r--r-- | .github/workflows/build-extra.yml | 6 | ||||
-rw-r--r-- | .github/workflows/build.yml | 2 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 8 | ||||
-rw-r--r-- | .github/workflows/profile-checks.yml | 2 |
4 files changed, 9 insertions, 9 deletions
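--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -30,7 +30,7 @@ jobs:
 build-clang:
 runs-on: ubuntu-20.04
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 - name: configure
 run: CC=clang-11 ./configure --enable-fatal-warnings
 - name: make
@@ -38,7 +38,7 @@ jobs:
 scan-build:
 runs-on: ubuntu-20.04
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 - name: install clang-tools-11
 run: sudo apt-get install clang-tools-11
 - name: configure
@@ -48,7 +48,7 @@ jobs:
 cppcheck:
 runs-on: ubuntu-20.04
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 - name: install cppcheck
 run: sudo apt-get install cppcheck
 - name: cppcheck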
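Review bot: The new pins at lines 33, 41 and 51 carry only a bare 40-hex SHA, so a reader can no longer tell which release each step tracks and tooling that refreshes pins (for example Dependabot's `github-actions` ecosystem) has no version hint to work from; the same applies to the pins in build.yml, codeql-analysis.yml and profile-checks.yml. Append the tag the SHA was resolved from as a trailing comment, e.g. `- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # <tag the SHA was taken from>`, and confirm each SHA against the upstream tag before merging, since an unverified SHA pins whatever was copied rather than the intended release. A SHA pin also no longer follows the moving `v2`/`v1` tags, so the checkout and codeql-action revisions will stop receiving fixes unless something updates them; pairing the pins with a scheduled update mechanism keeps the supply-chain benefit without freezing CI on stale action code.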
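--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,7 +22,7 @@ jobs:
 build_and_test:
 runs-on: ubuntu-20.04
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 - name: install dependencies
 run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
 - name: configure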
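--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -43,11 +43,11 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v2
+uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v1
+uses: github/codeql-action/init@e095058bfa09de8070f94e98f5dc059531bc6235
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
-uses: github/codeql-action/autobuild@v1
+uses: github/codeql-action/autobuild@e095058bfa09de8070f94e98f5dc059531bc6235
 
 # âšī¸ Command-line programs to run using the OS shell.
 # đ https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
 # make release
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v1
+uses: github/codeql-action/analyze@e095058bfa09de8070f94e98f5dc059531bc6235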
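--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -20,7 +20,7 @@ jobs:
 profile-checks:
 runs-on: ubuntu-20.04
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 - name: sort.py
 run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
 - name: private-etc-always-required.sh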