From 5570313421a27bd8a7a7e04de975e64769df8cf8 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin
Date: Thu, 11 Nov 2021 01:56:02 +0000
Subject: ci: pin labeler
Turns out GHActions where `pull_request_target` is used are capable of pwning repositories: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ labeler doesn't check out the source code or build anything so it's safe in its current form but to avoid surprises let's just pin it to the latest version. It's annoying to manage dependencies like this manually so additionally dependabot.yml is introduced to make it easier to keep GHActions up to date more or less automatically: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot
---
 .github/dependabot.yml | 6 ++++++
 .github/workflows/labeler.yml | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..123014908b
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index aad5d2157f..ee238c2fa7
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -11,7 +11,7 @@ jobs:
 triage:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/labeler@main
+ - uses: actions/labeler@69da01b8e0929f147b8943611bee75ee4175a49e
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
 configuration-path: .github/labeler.yml
-- cgit v1.2.1
From 3fec0e6cbfbfa17e018d88efbdf2e7a9231f364b Mon Sep 17 00:00:00 2001
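Review bot: The new `- uses: actions/labeler@69da01b8e0929f147b8943611bee75ee4175a49e` line pins a bare SHA with nothing saying which labeler release it is, so a reviewer cannot audit whether the pin corresponds to the `main` it replaced or to some other version, and a future bump cannot be read as a version delta. I would append the release tag the SHA was taken from, `- uses: actions/labeler@69da01b8e0929f147b8943611bee75ee4175a49e # <release tag>`; Dependabot is documented to keep such a comment in step with the SHA when it opens bump PRs. The step also still passes `${{ secrets.GITHUB_TOKEN }}`, which carries the repository's default token scopes unless the workflow narrows them, so unless a `permissions:` block already exists above this hunk I would add `permissions:` with `contents: read` and `pull-requests: write` to the `triage` job, which should be all labeler needs to read its config and apply labels. The workflow header with the `pull_request_target` trigger mentioned in the commit message is outside this hunk.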
From: Evgeny Vereshchagin
Date: Thu, 11 Nov 2021 05:04:56 +0000
Subject: ci: pin some workflows to SHAs to let Dependabot keep track of them using SHAs codeql-actions doesn't point to SHAs because it isn't clear whether Dependabot supports their release cycle mentioned at https://github.com/github/codeql-action/issues/307
---
 .github/workflows/build_test.yml | 2 +-
 .github/workflows/cifuzz.yml | 2 +-
 .github/workflows/linter.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index ae03f591b3..5f2959871b 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -30,6 +30,6 @@ jobs: env: ${{ matrix.env }} steps: - name: Repository checkout - uses: actions/checkout@v1 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: Build check (${{ env.COMPILER }}-${{ env.COMPILER_VERSION }}) run: sudo -E .github/workflows/build_test.sh
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 730bf9d8e6..2b5dba1757 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -44,7 +44,7 @@ jobs: dry-run: false sanitizer: ${{ matrix.sanitizer }} - name: Upload Crash - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074 if: failure() && steps.build.outcome == 'success' with: name: ${{ matrix.sanitizer }}-artifacts
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 2c3c58ad58..cb12b0a5d1 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -25,7 +25,7 @@ jobs: fetch-depth: 0 - name: Lint Code Base - uses: github/super-linter@v3 + uses: github/super-linter@fd9c4286d3de3fdd9258a395570cae287f13f974 env: DEFAULT_BRANCH: main # Excludes:
-- cgit v1.2.1
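Review bot: The new `uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579` line replaces the `@v1` tag with a bare SHA, and nothing in the hunk shows which release that commit belongs to; if it comes from a later major line this is a behaviour change rather than a pin, since checkout v2 defaults to a depth-1 fetch where v1 did not (to my recollection), and the `Build check` step runs `build_test.sh` against whatever was fetched. I would append the resolved tag as a comment, `uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # <release tag>`, so the version delta is visible here and in Dependabot's bump PRs; the `upload-artifact` and `super-linter` pins in the other two hunks, which likewise replaced `@v1` and `@v3` tags, deserve the same comment. If `build_test.sh` relies on history or tags (for example `git describe`), confirm it still passes with the pinned commit's default `fetch-depth`. The contents of `build_test.sh` and the job's matrix definition are outside this hunk.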