From 0e39704b3a1527df4b6dd20cd5c967c111622bae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= Date: Tue, 21 Oct 2025 01:53:20 +0200 Subject: [PATCH] ci(actions): pin action versions to commit SHAs for security - Pin actions/checkout to SHA for v5.0.0 - Pin docker/setup-qemu-action to SHA for v3.6.0 - Pin docker/setup-buildx-action to SHA for v3.11.1 - Pin docker/login-action to SHA for v3.6.0 - Pin actions/setup-go to SHA for v6.0.0 - Pin actions/upload-artifact to SHA for v4.6.2 - Pin actions/setup-node to SHA for v6.0.0 - Pin actions/stale to SHA for v10.1.0 --- .github/workflows/cicd.yml | 14 ++++++++------ .github/workflows/linting.yml | 6 +++--- .github/workflows/stale-bot.yml | 4 ++-- .github/workflows/test.yml | 4 ++-- 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 0d2008f1..21765ee1 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -12,23 +12,25 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - name: Extract tag name id: get-tag run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: 1.24 @@ -67,7 +69,7 @@ jobs: make go-build-release - name: Upload artifacts from /install/bin - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: install-bin path: install/bin/ diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 1a01f1c4..90ce2d0d 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -18,10 +18,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Node.js - uses: actions/setup-node@v5 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: '22' @@ -32,4 +32,4 @@ jobs: run: npm run set:oss - name: Run ESLint - run: npx eslint . --ext .js,.jsx,.ts,.tsx \ No newline at end of file + run: npx eslint . --ext .js,.jsx,.ts,.tsx diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml index 4a574d91..5b6889da 100644 --- a/.github/workflows/stale-bot.yml +++ b/.github/workflows/stale-bot.yml @@ -14,7 +14,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v10 + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 with: days-before-stale: 14 days-before-close: 14 @@ -34,4 +34,4 @@ jobs: operations-per-run: 100 remove-stale-when-updated: true delete-branch: false - enable-statistics: true \ No newline at end of file + enable-statistics: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3d121f68..cd78e8af 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,9 +11,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: actions/setup-node@v5 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: '22'