From b3c925a0cfb1897d91f80aef8131c41cf39c4aea Mon Sep 17 00:00:00 2001
From: Oliver Davies
Date: Fri, 30 Oct 2020 01:26:52 +0000
Subject: [PATCH] Security hardening: lock community action versions

As there's no lockfile for GitHub Actions, specify the commit SHAs to use for community actions so that changes can be reviewed before using a new version of a particular action.
---
 .github/workflows/ci.yml | 24 ++++++++++-----------
 .github/workflows/deploy.yml | 6 +++---
 .github/workflows/unlabel-closed-issues.yml | 2 +-
 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index deaeda6..f750ed1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,10 +13,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@a81bbbf
 - name: Cache dependencies
- uses: actions/cache@v1
+ uses: actions/cache@d974700
 with:
 path: |
 ~/.composer/cache/files
@@ -27,7 +27,7 @@ jobs:
 key: dependencies-composer-${{ hashFiles('composer.json') }}
 - name: Setup PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@5d27b8f
 with:
 php-version: 7.4
 extensions: mbstring
@@ -67,10 +67,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@a81bbbf
 - name: Cache dependencies
- uses: actions/cache@v1
+ uses: actions/cache@d974700
 with:
 path: |
 ~/.composer/cache/files
@@ -81,7 +81,7 @@ jobs:
 key: dependencies-composer-${{ hashFiles('composer.json') }}
 - name: Setup PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@5d27b8f
 with:
 php-version: 7.4
 extensions: mbstring
@@ -107,10 +107,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@a81bbbf
 - name: Cache dependencies
- uses: actions/cache@v1
+ uses: actions/cache@d974700
 with:
 path: |
 ~/.composer/cache/files
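Review bot: The new `uses:` references on the added lines of this hunk pin to 7-character SHA prefixes (`a81bbbf`, `d974700`), and a prefix is not a unique commit identifier, so the pin is only as immutable as that prefix happens to be across the action's repository network and does not fully deliver the hardening the commit message describes; the same applies to every other hunk in ci.yml and to the deploy.yml and unlabel-closed-issues.yml hunks (`5d27b8f`, `6f350ca`, `556e306`). Use the full 40-character commit SHA and keep the human-readable version in a trailing comment, so reviewers can check the pin against the upstream tag and automated dependency tooling can still propose updates, e.g. `uses: actions/checkout@<full-40-char-sha>  # <tag>` (placeholders; take the SHA from a tag in the action's own repository, not from a fork). The deploy.yml pin for `shimataro/ssh-key-action` is the step that receives `secrets.SSH_PRIVATE_KEY`, so confirming that commit's provenance against an upstream release matters most there.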
@@ -121,7 +121,7 @@ jobs:
 key: dependencies-composer-${{ hashFiles('composer.json') }}
 - name: Setup PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@5d27b8f
 with:
 php-version: 7.4
 tools: composer:v1
@@ -139,10 +139,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@a81bbbf
 - name: Cache dependencies
- uses: actions/cache@v1
+ uses: actions/cache@d974700
 with:
 path: |
 ~/.composer/cache/files
@@ -153,7 +153,7 @@ jobs:
 key: dependencies-composer-${{ hashFiles('composer.json') }}
 - name: Setup PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@5d27b8f
 with:
 php-version: 7.4
 tools: composer:v1
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 6833613..82f19a2 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -20,17 +20,17 @@ jobs:
 steps:
 - name: Checkout the code
- uses: actions/checkout@v2
+ uses: actions/checkout@a81bbbf
 - name: Add the deployment SSH key
- uses: shimataro/ssh-key-action@v2
+ uses: shimataro/ssh-key-action@6f350ca
 with:
 key: ${{ secrets.SSH_PRIVATE_KEY }}
 name: id_rsa
 known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
 - name: Cache dependencies
- uses: actions/cache@v1
+ uses: actions/cache@d974700
 with:
 path: tools/ansible/.roles
 key: dependencies-composer-${{ hashFiles('tools/ansible/requirements.yml') }}
diff --git a/.github/workflows/unlabel-closed-issues.yml b/.github/workflows/unlabel-closed-issues.yml
index c75fea8..0cce0d1 100644
--- a/.github/workflows/unlabel-closed-issues.yml
+++ b/.github/workflows/unlabel-closed-issues.yml
@@ -11,7 +11,7 @@ jobs:
 steps:
 - name: Unlabel the closed issue
- uses: actions-ecosystem/action-remove-labels@v1
+ uses: actions-ecosystem/action-remove-labels@556e306
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 labels: next