CI: pin GitHub actions to SHAs

Pinning actions to SHAs instead of versions improves the supply chain security: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
netblue30 · Dec 26, 2021 · 4bac5c6 · 4bac5c6
1 parent d038aa1
commit 4bac5c6
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 9 deletions.
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
@@ -30,15 +30,15 @@ jobs:
  build-clang:
  runs-on: ubuntu-20.04
  steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
  - name: configure
  run: CC=clang-11 ./configure --enable-fatal-warnings
  - name: make
  run: make
  scan-build:
  runs-on: ubuntu-20.04
  steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
  - name: install clang-tools-11
  run: sudo apt-get install clang-tools-11
  - name: configure
@@ -48,7 +48,7 @@ jobs:
  cppcheck:
  runs-on: ubuntu-20.04
  steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
  - name: install cppcheck
  run: sudo apt-get install cppcheck
  - name: cppcheck

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -22,7 +22,7 @@ jobs:
  build_and_test:
  runs-on: ubuntu-20.04
  steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
  - name: install dependencies
  run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
  - name: configure

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -43,11 +43,11 @@ jobs:
 
  steps:
  - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 
  # Initializes the CodeQL tools for scanning.
  - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
+ uses: github/codeql-action/init@e095058bfa09de8070f94e98f5dc059531bc6235
  with:
  languages: ${{ matrix.language }}
  # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
  # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
  # If this step fails, then you should remove it and run the build manually (see below)
  - name: Autobuild
- uses: github/codeql-action/autobuild@v1
+ uses: github/codeql-action/autobuild@e095058bfa09de8070f94e98f5dc059531bc6235
 
  # ℹ️ Command-line programs to run using the OS shell.
  # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
  # make release
 
  - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ uses: github/codeql-action/analyze@e095058bfa09de8070f94e98f5dc059531bc6235
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
@@ -20,7 +20,7 @@ jobs:
  profile-checks:
  runs-on: ubuntu-20.04
  steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
  - name: sort.py
  run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
  - name: private-etc-always-required.sh