From 4bac5c6d716fcaf2542361e5fb56a4e39586b376 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Mon, 13 Dec 2021 14:41:24 +0200 Subject: CI: pin GitHub actions to SHAs Pinning actions to SHAs instead of versions improves the supply chain security: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ --- .github/workflows/build-extra.yml | 6 +++--- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/profile-checks.yml | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index fd1f23954..b598c40e3 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -30,7 +30,7 @@ jobs: build-clang: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: configure run: CC=clang-11 ./configure --enable-fatal-warnings - name: make @@ -38,7 +38,7 @@ jobs: scan-build: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: install clang-tools-11 run: sudo apt-get install clang-tools-11 - name: configure @@ -48,7 +48,7 @@ jobs: cppcheck: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: install cppcheck run: sudo apt-get install cppcheck - name: cppcheck diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 141e43168..f321b5f7f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,7 +22,7 @@ jobs: build_and_test: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: install dependencies run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec - name: configure diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4476963b5..03f580132 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -43,11 +43,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@e095058bfa09de8070f94e98f5dc059531bc6235 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -58,7 +58,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@e095058bfa09de8070f94e98f5dc059531bc6235 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -72,4 +72,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@e095058bfa09de8070f94e98f5dc059531bc6235 diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index 951a8b8cf..57a978d55 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml @@ -20,7 +20,7 @@ jobs: profile-checks: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: sort.py run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile - name: private-etc-always-required.sh -- cgit v1.2.3-54-g00ecf