[commons-ognl] branch master updated: [StepSecurity] ci: Harden GitHub Actions

Fri, 30 Jun 2023 13:30:17 -0700 

This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-ognl.git


The following commit(s) were added to refs/heads/master by this push:
     new 730d042  [StepSecurity] ci: Harden GitHub Actions
     new ab40dd3  Merge pull request #127 from 
step-security-bot/stepsecurity_remediation_1687641140
730d042 is described below

commit 730d04270cd2d2c48bb03c507b9ee0644def3943
Author: StepSecurity Bot <b...@stepsecurity.io>
AuthorDate: Sat Jun 24 21:12:23 2023 +0000

    [StepSecurity] ci: Harden GitHub Actions
    
    Signed-off-by: StepSecurity Bot <b...@stepsecurity.io>
---
 .github/workflows/codeql-analysis.yml     | 10 +++++-----
 .github/workflows/coverage.yml            |  8 ++++----
 .github/workflows/maven.yml               |  4 ++--
 .github/workflows/scorecards-analysis.yml |  4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml 
b/.github/workflows/codeql-analysis.yml
index d0a02dc..4afa23d 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -42,10 +42,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3.5.3
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       with:
         persist-credentials: false
-    - uses: actions/cache@v3.3.1
+    - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
       with:
         path: ~/.m2/repository
         key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -54,7 +54,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38 
# v2.20.1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a 
config file.
@@ -65,7 +65,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually 
(see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: 
github/codeql-action/autobuild@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # 
v2.20.1
 
     # ℹī¸ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -79,4 +79,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: 
github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 6abcdbe..d984e1f 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -29,17 +29,17 @@ jobs:
         java: [ 8 ]
 
     steps:
-    - uses: actions/checkout@v3.5.3
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       with:
         persist-credentials: false
-    - uses: actions/cache@v3.3.1
+    - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
       with:
         path: ~/.m2/repository
         key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
         restore-keys: |
           ${{ runner.os }}-maven-
     - name: Set up JDK ${{ matrix.java }}
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # 
v3.11.0
       with:
         distribution: 'temurin'
         java-version: ${{ matrix.java }}
@@ -47,6 +47,6 @@ jobs:
       run: mvn -V test jacoco:report --file pom.xml --no-transfer-progress
 
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v3
+      uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # 
v3.1.4
       with:
         files: ./target/site/jacoco/jacoco.xml
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index b8a2564..8081cb5 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -24,11 +24,11 @@ jobs:
       matrix:
         java: [ 8, 11, 17 ]
     steps:
-    - uses: actions/checkout@v3.5.3
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       with:
         persist-credentials: false
     - name: Set up JDK ${{ matrix.java }}
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # 
v3.11.0
       with:
         distribution: 'temurin'
         java-version: ${{ matrix.java }}
diff --git a/.github/workflows/scorecards-analysis.yml 
b/.github/workflows/scorecards-analysis.yml
index 9461785..2dc3d38 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -40,7 +40,7 @@ jobs:
     steps:
 
       - name: "Checkout code"
-        uses: actions/checkout@v3.5.3   # 3.1.0
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # 
v3.5.3
         with:
           persist-credentials: false
 
@@ -64,6 +64,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v2    # 2.1.22
+        uses: 
github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # 
v2.20.1
         with:
           sarif_file: results.sarif

Reply via email to