From 2cbe1f3ebc15e5adf5ea68b9371a16a2d26724b3 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 27 Feb 2023 10:06:50 +0000
Subject: [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/codeql-analysis.yml      | 4 ++--
 .github/workflows/dependabot_automerge.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
(limited to '.github/workflows')

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b7ddb928dc..2087052cc7 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -82,7 +82,7 @@ jobs:
         output: sarif-results
 
     - name: filter-sarif
-      uses: advanced-security/filter-sarif@v1
+      uses: advanced-security/filter-sarif@eac3ea6a5e1270952681bf7287598a6cd1a4d49d # v1.0
       with:
         patterns: |
           +**/*.rb
@@ -98,6 +98,6 @@ jobs:
       if: ${{ matrix.language == 'ruby' }}
 
     - name: Upload SARIF
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
       with:
         sarif_file: sarif-results/${{ matrix.language }}.sarif
diff --git a/.github/workflows/dependabot_automerge.yml b/.github/workflows/dependabot_automerge.yml
index 1247f32538..4754b3c9fe 100644
--- a/.github/workflows/dependabot_automerge.yml
+++ b/.github/workflows/dependabot_automerge.yml
@@ -9,10 +9,10 @@ jobs:
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
     - name: Dependabot metadata
-      uses: dependabot/fetch-metadata@v1
+      uses: dependabot/fetch-metadata@4de7a6c08ce727a42e0adbbdc345f761a01240ce # v1.3.6
       id: metadata
     - name: Wait for status checks
-      uses: lewagon/wait-on-check-action@v1.3.1
+      uses: lewagon/wait-on-check-action@e106e5c43e8ca1edea6383a39a01c5ca495fd812 # v1.3.1
       with:
         repo-token: ${{ secrets.MATZBOT_GITHUB_TOKEN }}
         ref: ${{ github.event.pull_request.head.sha || github.sha }}
-- cgit v1.2.1
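Review bot: The `advanced-security/filter-sarif` pin replaces the floating `v1` tag with a frozen commit labelled `# v1.0`, so later 1.x fixes to that action will no longer arrive unless something bumps the SHA; the same holds for the `upload-sarif` pin in the second hunk and for both pins in dependabot_automerge.yml. The trailing `# vX.Y` comment is what Dependabot's github-actions updater reads when it proposes a bump, so it must match the pinned commit; whether this repository has a `package-ecosystem: github-actions` entry in its Dependabot config is not visible in this patch and should be confirmed before relying on it. Nothing in the patch shows that each SHA is the commit the named tag pointed to, so that check belongs in the review of this commit (for example by comparing against `git ls-remote --tags` for each action repository), since a mismatched SHA would be trusted silently from now on.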
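Review bot: In the dependabot_automerge.yml hunk, `lewagon/wait-on-check-action` still receives `secrets.MATZBOT_GITHUB_TOKEN` as `repo-token`, so the SHA pin fixes which code runs but a third-party action still holds a personal access token whose scope is not visible here. Waiting on check runs is a read-only operation, so if the workflow grants `checks: read` this step could take `repo-token: ${{ secrets.GITHUB_TOKEN }}` and the PAT could be reserved for whichever later step actually needs it; the job's header and the steps after `ref:` are outside this hunk, so I am assuming the PAT is needed elsewhere. A comment on the `ref:` line noting that it targets the PR head commit on pull-request events and falls back to `github.sha` otherwise would also help, since the behaviour depends on the triggering event.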