This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch commit-sha-workflow-ci-build
in repository https://gitbox.apache.org/repos/asf/camel-quarkus.git

commit 8113799692e27a2353d9b2caa49c8fca4161ebe5
Author: Andrea Cosentino <anco...@gmail.com>
AuthorDate: Tue Sep 3 07:47:02 2024 +0200

     Github Actions Security Best practices: Pin Actions to Full lenght Commit 
SHA - CI Build Workflow
---
 .github/workflows/ci-build.yaml | 50 ++++++++++++++++++++---------------------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index c7c7349780..5f2c8880d0 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -96,13 +96,13 @@ jobs:
             echo "run-checks=false" >> $GITHUB_OUTPUT
           fi
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # 
v4.2.2
         if: steps.init.outputs.run-checks == 'true'
         with:
           distribution: 'temurin'
           java-version: '17'
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 
v4.1.7
         if: steps.init.outputs.run-checks == 'true'
         with:
           ref: ${{ env.CHECKOUT_REF }}
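Review bot: The SHA pins on `actions/setup-java` and `actions/checkout` here, and the same pattern in every later hunk of this file, freeze each action at one commit, so fixes published under the moving `v4` tag no longer arrive on their own, and nothing in this diff shows an updater covering them. If the repository's Dependabot configuration does not already list the `github-actions` package ecosystem, add it so that each SHA and its trailing `# vX.Y.Z` comment are bumped together. The version comment is not checked by the runner, so before merging confirm that each 40-character SHA is the commit the named tag points to in the upstream `actions/*` repository, not a commit reachable only through a fork. The jobs containing these steps start outside the hunk.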
@@ -130,7 +130,7 @@ jobs:
             echo "continue-build=true" >> $GITHUB_OUTPUT
           fi
       - name: Upload dependabot changeset
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 
# v4.4.0
         if: steps.pre-build-checks.outputs.continue-build == 'false'
         with:
           name: dependabot-pr-changeset
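Review bot: Pinning this upload step to the v4.4.0 commit fixes its behaviour at what I believe is the release that stopped including hidden files and folders in artifacts by default. The step's `path` is outside the hunk, so confirm the changeset does not depend on dotfiles. If it does, set `include-hidden-files: true` explicitly and check that nothing credential-bearing, such as a `.git` directory, ends up in the artifact. The same pin is used on the `Persist Maven Repo` step in a later hunk, where a single `.tgz` is uploaded and the default should not matter.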
@@ -152,7 +152,7 @@ jobs:
         run: |
           df -h /
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # 
v4.2.2
         with:
           distribution: 'temurin'
           java-version: '17'
@@ -173,7 +173,7 @@ jobs:
             && sed -i '/<module>integration-tests<\/module>/d' pom.xml \
             && ./mvnw ${CQ_MAVEN_ARGS} clean install -Dquickly -Prelocations 
-T1C
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 
v4.1.7
         with:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0
@@ -197,7 +197,7 @@ jobs:
           ls -lh ${{ runner.temp }}/maven-repo.tgz
           df -h /
       - name: Persist Maven Repo
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 
# v4.4.0
         with:
           name: maven-repo
           path: ${{ runner.temp }}/maven-repo.tgz
@@ -240,19 +240,19 @@ jobs:
       matrix: ${{ fromJson(needs.initial-mvn-install.outputs.matrix) }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 
v4.1.7
         with:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0
       - name: Reclaim Disk Space
         run: .github/reclaim-disk-space.sh
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # 
v4.2.2
         with:
           distribution: 'temurin'
           java-version: '17'
       - name: Download Maven Repo
-        uses: actions/download-artifact@v4
+        uses: 
actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: maven-repo
           path: ..
@@ -318,17 +318,17 @@ jobs:
       MAVEN_OPTS: -Xmx3000m
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 
v4.1.7
         with:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # 
v4.2.2
         with:
           distribution: 'temurin'
           java-version: '17'
       - name: Download Maven Repo
-        uses: actions/download-artifact@v4
+        uses: 
actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: maven-repo
           path: ..
@@ -410,17 +410,17 @@ jobs:
       MAVEN_OPTS: -Xmx3000m
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 
v4.1.7
         with:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0
       - name: Set up JDK ${{ matrix.java }}
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # 
v4.2.2
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
       - name: Download Maven Repo
-        uses: actions/download-artifact@v4
+        uses: 
actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: maven-repo
           path: ..
@@ -456,19 +456,19 @@ jobs:
       MAVEN_OPTS: -Xmx3000m
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 
v4.1.7
         with:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0
       - name: Reclaim Disk Space
         run: .github/reclaim-disk-space.sh
       - name: Set up JDK 21
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # 
v4.2.2
         with:
           distribution: 'temurin'
           java-version: '21'
       - name: Download Maven Repo
-        uses: actions/download-artifact@v4
+        uses: 
actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: maven-repo
           path: ..
@@ -508,17 +508,17 @@ jobs:
       MAVEN_OPTS: -Xmx3000m
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 
v4.1.7
         with:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # 
v4.2.2
         with:
           distribution: 'temurin'
           java-version: '17'
       - name: Download Maven Repo
-        uses: actions/download-artifact@v4
+        uses: 
actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: maven-repo
           path: ..
@@ -528,7 +528,7 @@ jobs:
           tar -xzf ../maven-repo.tgz -C ~
           rm -f ../maven-repo.tgz
       - name: PDFBox font cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         if: runner.os == 'Windows'
         with:
           path: ~/.pdfbox.cache
@@ -557,14 +557,14 @@ jobs:
       matrix: ${{ fromJson(needs.initial-mvn-install.outputs.examples-matrix) 
}}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 
v4.1.7
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # 
v4.2.2
         with:
           distribution: 'temurin'
           java-version: '17'
       - name: Download Maven Repo
-        uses: actions/download-artifact@v4
+        uses: 
actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: maven-repo
           path: ..
