Skip to content

Commit 3c69716

Browse files
chore(security): uses pinned versions of actions (#1118)
This pull request updates the GitHub Actions workflow files to use pinned commit SHAs for all third-party actions, improving security and reproducibility. <!-- PR created with github.com/jcchavezs/pin-gha --> Co-authored-by: Frederik Prijck <frederik.prijck@okta.com>
1 parent 397b6b9 commit 3c69716

7 files changed

Lines changed: 16 additions & 16 deletions

File tree

.github/workflows/codeql.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -37,18 +37,18 @@ jobs:
3737
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
3838

3939
- name: Checkout
40-
uses: actions/checkout@v6
40+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
4141

4242
- name: Initialize CodeQL
43-
uses: github/codeql-action/init@v4
43+
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
4444
with:
4545
languages: ${{ matrix.language }}
4646
queries: +security-and-quality
4747

4848
- name: Autobuild
49-
uses: github/codeql-action/autobuild@v4
49+
uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
5050

5151
- name: Perform CodeQL Analysis
52-
uses: github/codeql-action/analyze@v4
52+
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
5353
with:
5454
category: '/language:${{ matrix.language }}'

.github/workflows/cross-browser.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -35,20 +35,20 @@ jobs:
3535

3636
steps:
3737
- name: Checkout code
38-
uses: actions/checkout@v6
38+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
3939
with:
4040
ref: ${{ github.event.pull_request.head.sha || github.ref }}
4141

4242
- name: Setup Node
43-
uses: actions/setup-node@v6
43+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
4444
with:
4545
node-version: ${{ env.NODE_VERSION }}
4646

4747
- name: Install dependencies
4848
run: npm i --include=dev
4949

5050
- name: Run cross-browser tests
51-
uses: cypress-io/github-action@v7
51+
uses: cypress-io/github-action@948d67d3074f1bbb6379c8bdbb04e95d2f8e593f # v7.4.0
5252
with:
5353
browser: ${{ matrix.browser }}
5454
start: npm start
@@ -59,7 +59,7 @@ jobs:
5959

6060
- name: Upload Cypress screenshots
6161
if: failure()
62-
uses: actions/upload-artifact@v7
62+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
6363
with:
6464
name: cypress-screenshots-${{ matrix.browser }}-${{ github.run_id }}
6565
path: cypress/screenshots

.github/workflows/integration.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ jobs:
4444

4545
steps:
4646
- name: Checkout code
47-
uses: actions/checkout@v6
47+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
4848
with:
4949
ref: ${{ github.event.pull_request.head.sha || github.ref }}
5050

@@ -71,7 +71,7 @@ jobs:
7171

7272
- name: Upload Cypress screenshots
7373
if: failure()
74-
uses: actions/upload-artifact@v7
74+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
7575
with:
7676
name: cypress-screenshots-${{ github.run_id }}
7777
path: cypress/screenshots

.github/workflows/npm-release.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ jobs:
2727

2828
steps:
2929
# Checkout the code
30-
- uses: actions/checkout@v6
30+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
3131
with:
3232
fetch-depth: 0
3333

.github/workflows/rl-secure.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ jobs:
3333

3434
steps:
3535
- name: Checkout code
36-
uses: actions/checkout@v6
36+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
3737
with:
3838
fetch-depth: 0
3939

.github/workflows/snyk.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,7 @@ jobs:
3131
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
3232
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
3333

34-
- uses: actions/checkout@v6
34+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
3535
with:
3636
ref: ${{ github.event.pull_request.head.sha || github.ref }}
3737

.github/workflows/test.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ jobs:
2828

2929
steps:
3030
- name: Checkout code
31-
uses: actions/checkout@v6
31+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
3232
with:
3333
ref: ${{ github.event.pull_request.head.sha || github.ref }}
3434

@@ -45,10 +45,10 @@ jobs:
4545

4646
steps:
4747
- name: Checkout code
48-
uses: actions/checkout@v6
48+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
4949

5050
- name: Setup Node
51-
uses: actions/setup-node@v6
51+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
5252
with:
5353
node-version: ${{ env.NODE_VERSION }}
5454

0 commit comments

Comments
 (0)