Security hardening: lock community action versions
As there's no lockfile for GitHub Actions, specify the commit SHAs to use for community actions so that changes can be reviewed before using a new version of a particular action.
parent
d5d9bdf7bf
commit
b3c925a0cf
24
.github/workflows/ci.yml
vendored
24
.github/workflows/ci.yml
vendored
|
@ -13,10 +13,10 @@ jobs:
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@a81bbbf
|
||||||
|
|
||||||
- name: Cache dependencies
|
- name: Cache dependencies
|
||||||
uses: actions/cache@v1
|
uses: actions/cache@d974700
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
~/.composer/cache/files
|
~/.composer/cache/files
|
||||||
|
@ -27,7 +27,7 @@ jobs:
|
||||||
key: dependencies-composer-${{ hashFiles('composer.json') }}
|
key: dependencies-composer-${{ hashFiles('composer.json') }}
|
||||||
|
|
||||||
- name: Setup PHP
|
- name: Setup PHP
|
||||||
uses: shivammathur/setup-php@v2
|
uses: shivammathur/setup-php@5d27b8f
|
||||||
with:
|
with:
|
||||||
php-version: 7.4
|
php-version: 7.4
|
||||||
extensions: mbstring
|
extensions: mbstring
|
||||||
|
@ -67,10 +67,10 @@ jobs:
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@a81bbbf
|
||||||
|
|
||||||
- name: Cache dependencies
|
- name: Cache dependencies
|
||||||
uses: actions/cache@v1
|
uses: actions/cache@d974700
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
~/.composer/cache/files
|
~/.composer/cache/files
|
||||||
|
@ -81,7 +81,7 @@ jobs:
|
||||||
key: dependencies-composer-${{ hashFiles('composer.json') }}
|
key: dependencies-composer-${{ hashFiles('composer.json') }}
|
||||||
|
|
||||||
- name: Setup PHP
|
- name: Setup PHP
|
||||||
uses: shivammathur/setup-php@v2
|
uses: shivammathur/setup-php@5d27b8f
|
||||||
with:
|
with:
|
||||||
php-version: 7.4
|
php-version: 7.4
|
||||||
extensions: mbstring
|
extensions: mbstring
|
||||||
|
@ -107,10 +107,10 @@ jobs:
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@a81bbbf
|
||||||
|
|
||||||
- name: Cache dependencies
|
- name: Cache dependencies
|
||||||
uses: actions/cache@v1
|
uses: actions/cache@d974700
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
~/.composer/cache/files
|
~/.composer/cache/files
|
||||||
|
@ -121,7 +121,7 @@ jobs:
|
||||||
key: dependencies-composer-${{ hashFiles('composer.json') }}
|
key: dependencies-composer-${{ hashFiles('composer.json') }}
|
||||||
|
|
||||||
- name: Setup PHP
|
- name: Setup PHP
|
||||||
uses: shivammathur/setup-php@v2
|
uses: shivammathur/setup-php@5d27b8f
|
||||||
with:
|
with:
|
||||||
php-version: 7.4
|
php-version: 7.4
|
||||||
tools: composer:v1
|
tools: composer:v1
|
||||||
|
@ -139,10 +139,10 @@ jobs:
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@a81bbbf
|
||||||
|
|
||||||
- name: Cache dependencies
|
- name: Cache dependencies
|
||||||
uses: actions/cache@v1
|
uses: actions/cache@d974700
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
~/.composer/cache/files
|
~/.composer/cache/files
|
||||||
|
@ -153,7 +153,7 @@ jobs:
|
||||||
key: dependencies-composer-${{ hashFiles('composer.json') }}
|
key: dependencies-composer-${{ hashFiles('composer.json') }}
|
||||||
|
|
||||||
- name: Setup PHP
|
- name: Setup PHP
|
||||||
uses: shivammathur/setup-php@v2
|
uses: shivammathur/setup-php@5d27b8f
|
||||||
with:
|
with:
|
||||||
php-version: 7.4
|
php-version: 7.4
|
||||||
tools: composer:v1
|
tools: composer:v1
|
||||||
|
|
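Review bot: The new `uses:` refs in this file (`actions/checkout@a81bbbf`, `actions/cache@d974700`, `shivammathur/setup-php@5d27b8f`) are 7-character abbreviations rather than full commit SHAs, and the same applies to the pinned refs in deploy.yml and unlabel-closed-issues.yml. An abbreviated ref is not a guaranteed-immutable identifier: it can be ambiguous with a branch or tag of the same name in the action's repository. GitHub's hardening guidance asks for the full-length SHA, and short SHAs were, as far as I recall, later deprecated for Actions. Use the 40-character form with the release in a trailing comment, e.g. `uses: actions/checkout@<full 40-char commit SHA>  # <release tag>` (both placeholders), so each pin stays reviewable when it is bumped.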
6
.github/workflows/deploy.yml
vendored
6
.github/workflows/deploy.yml
vendored
|
@ -20,17 +20,17 @@ jobs:
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout the code
|
- name: Checkout the code
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@a81bbbf
|
||||||
|
|
||||||
- name: Add the deployment SSH key
|
- name: Add the deployment SSH key
|
||||||
uses: shimataro/ssh-key-action@v2
|
uses: shimataro/ssh-key-action@6f350ca
|
||||||
with:
|
with:
|
||||||
key: ${{ secrets.SSH_PRIVATE_KEY }}
|
key: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||||
name: id_rsa
|
name: id_rsa
|
||||||
known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
|
known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
|
||||||
|
|
||||||
- name: Cache dependencies
|
- name: Cache dependencies
|
||||||
uses: actions/cache@v1
|
uses: actions/cache@d974700
|
||||||
with:
|
with:
|
||||||
path: tools/ansible/.roles
|
path: tools/ansible/.roles
|
||||||
key: dependencies-composer-${{ hashFiles('tools/ansible/requirements.yml') }}
|
key: dependencies-composer-${{ hashFiles('tools/ansible/requirements.yml') }}
|
||||||
|
|
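Review bot: `shimataro/ssh-key-action@6f350ca` is the step that receives `secrets.SSH_PRIVATE_KEY`, yet the pinned line does not say which upstream release that commit corresponds to. Add a comment above the `uses:` line such as `# ssh-key-action <release tag>: receives the deploy key; diff upstream before changing this pin` (release tag is a placeholder). A reviewer can then tell what was audited and what a later bump changes. The same convention would help on the `actions/checkout` and `actions/cache` pins in this job.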
2
.github/workflows/unlabel-closed-issues.yml
vendored
2
.github/workflows/unlabel-closed-issues.yml
vendored
|
@ -11,7 +11,7 @@ jobs:
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Unlabel the closed issue
|
- name: Unlabel the closed issue
|
||||||
uses: actions-ecosystem/action-remove-labels@v1
|
uses: actions-ecosystem/action-remove-labels@556e306
|
||||||
with:
|
with:
|
||||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
labels: next
|
labels: next
|
||||||
|
|
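Review bot: The step passes `secrets.GITHUB_TOKEN` to a third-party action, and nothing visible in this section limits what that token can do. The job header is outside the hunk, so a `permissions:` block may already exist there. If it does not, scope the token at job level to what label removal needs, e.g. `permissions: { issues: write }`. Pinning narrows which code receives the token, and a least-privilege scope narrows what that code could do with it.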