From 784b9ba6e403997161113aa56d1747baed4e0767 Mon Sep 17 00:00:00 2001 From: Gabriela Gutierrez Date: Tue, 13 Jun 2023 21:22:07 +0000 Subject: [PATCH] Build: Reference GitHub Actions by commit SHAs The SHAs are verified to come from the original repositories and not forks. For reference: https://github.com/github/codeql-action/releases/tag/v2.3.6 https://github.com/github/codeql-action/commit/83f0fe6c4988d98a455712a27f0255212bba9bd4 https://github.com/actions/checkout/releases/tag/v3.5.2 https://github.com/actions/checkout/commit/8e5e7e5ab8b370d6c329ec480221332ada57f0ab https://github.com/actions/cache/releases/tag/v3.3.1 https://github.com/actions/cache/commit/88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 https://github.com/actions/setup-node/releases/tag/v3.6.0 https://github.com/actions/setup-node/commit/64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c Fixes gh-5266 Closes gh-5269 Signed-off-by: Gabriela Gutierrez --- .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/node.js.yml | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 68f55358f..61d5ec95a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. @@ -33,7 +33,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6 # Override language selection by uncommenting this and choosing your languages # with: # languages: go, javascript, csharp, python, cpp, java @@ -41,7 +41,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -55,4 +55,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6 diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml index cd47a7349..92497822d 100644 --- a/.github/workflows/node.js.yml +++ b/.github/workflows/node.js.yml @@ -46,10 +46,10 @@ jobs: BROWSERS: "FirefoxHeadless" steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Cache - uses: actions/cache@v3 + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ~/.npm key: ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-npm-lock-${{ hashFiles('**/package-lock.json') }} @@ -57,7 +57,7 @@ jobs: ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-npm-lock- - name: Use Node.js ${{ matrix.NODE_VERSION }} - uses: actions/setup-node@v3.6.0 + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: ${{ matrix.NODE_VERSION }} -- 2.39.5