From ec3d270bd4b29e5081f59c8af5ab237247ba89e1 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 17 Jan 2024 09:02:50 -0800
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#2880)
Signed-off-by: StepSecurity Bot
Co-authored-by: D. Ror
---
 .github/workflows/backend.yml | 6 +++---
 .github/workflows/combine_deploy_image.yml | 2 +-
 .github/workflows/deploy_qa.yml | 2 +-
 .github/workflows/frontend.yml | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index 2214a11ba1..092abda41f 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -41,14 +41,14 @@ jobs:
 with:
 dotnet-version: ${{ matrix.dotnet }}
 - name: Install ffmpeg
- uses: FedericoCarboni/setup-ffmpeg@v2 # v2.0.0
+ uses: FedericoCarboni/setup-ffmpeg@583042d32dd1cabb8bd09df03bde06080da5c87c # v2
 # Coverage.
 - name: Run coverage tests
 run: dotnet test Backend.Tests/Backend.Tests.csproj
 shell: bash
 - name: Upload coverage artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
 with:
 if-no-files-found: error
 name: coverage
@@ -85,7 +85,7 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Download coverage artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
 with:
 name: coverage
 - name: Upload coverage report
diff --git a/.github/workflows/combine_deploy_image.yml b/.github/workflows/combine_deploy_image.yml
index bd4e0e006f..ab7fa38548 100644
--- a/.github/workflows/combine_deploy_image.yml
+++ b/.github/workflows/combine_deploy_image.yml
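Review bot: The pin comment on the `Install ffmpeg` step in the first backend.yml hunk now reads `# v2`, a moving major tag, where the line it replaces said `# v2.0.0`, so a reader cannot tell from the workflow which release the SHA is meant to be. Pin comments are what reviewers and update bots compare the SHA against, so they should name an exact release, as the other pins in this patch do (`# v4.0.0`, `# v4.1.1`). If 583042d32dd1cabb8bd09df03bde06080da5c87c is the v2.0.0 release commit, keep `# v2.0.0`; otherwise write the release it actually belongs to after checking it against the upstream tag list.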
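Review bot: The `Download coverage artifact` pin in the second backend.yml hunk is commented `# v4.1.1` while the matching `Upload coverage artifact` pin in the first hunk is commented `# v4.0.0`; both steps tracked `@v4` before, so the upload side may now be frozen on an older release than the one it was running. The same pair recurs in the two frontend.yml hunks. SHA pins also stop receiving upstream fixes on their own, and nothing in this patch shows an updater, so if the repository has no Dependabot or Renovate rule covering GitHub Actions, add one so that these pins are refreshed through reviewed pull requests.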
@@ -42,7 +42,7 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4.0.1
+ uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/deploy_qa.yml b/.github/workflows/deploy_qa.yml
index c68231a4cc..798856c832 100644
--- a/.github/workflows/deploy_qa.yml
+++ b/.github/workflows/deploy_qa.yml
@@ -84,7 +84,7 @@ jobs:
 sts.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4.0.1
+ uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index 92b357a6e2..59e46d2538 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -68,7 +68,7 @@ jobs:
 env:
 CI: true
 - name: Upload coverage artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
 with:
 if-no-files-found: error
 name: coverage
@@ -95,7 +95,7 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Download coverage artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
 with:
 name: coverage
 - name: Upload coverage report
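Review bot: The `Configure AWS credentials` step in combine_deploy_image.yml still authenticates with the long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` secrets on the context lines under `with:`, and the deploy_qa.yml hunk does the same; the SHA pin limits which code sees those keys but not how long a leaked key stays valid. The action supports short-lived credentials through GitHub's OIDC provider: give the job `permissions: id-token: write` and replace the two key inputs with `role-to-assume: <ROLE_ARN placeholder>`. The `with:` block continues past the end of the hunk in both files, so confirm which other inputs are set before changing it.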