Skip to content

Commit b6bd6b6

Browse files
gkorlandCopilot
gkorland
and
Copilot
authored
ci(workflows): pin GitHub Actions dependencies to commit SHAs (#503)
Pin all third-party GitHub Actions to their full commit SHA instead of mutable version tags. This is a supply-chain security best practice that prevents tag-mutation attacks. Changed files: dependency-review.yml, playwright.yml, publish-docker.yml, pylint.yml, spellcheck.yml, tests.yml Total actions pinned: 17 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent c975ce2 commit b6bd6b6

6 files changed

Lines changed: 18 additions & 18 deletions

File tree

.github/workflows/dependency-review.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -29,9 +29,9 @@ jobs:
2929
runs-on: ubuntu-latest
3030
steps:
3131
- name: 'Checkout repository'
32-
uses: actions/checkout@v6
32+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
3333
- name: 'Dependency Review'
34-
uses: actions/dependency-review-action@v4
34+
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
3535
# Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
3636
with:
3737
comment-summary-in-pr: always

.github/workflows/playwright.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -23,11 +23,11 @@ jobs:
2323
runs-on: ubuntu-latest
2424

2525
steps:
26-
- uses: actions/checkout@v6
26+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
2727

2828
# Setup Python
2929
- name: Set up Python
30-
uses: actions/setup-python@v6
30+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
3131
with:
3232
python-version: ${{ env.PYTHON_VERSION }}
3333

@@ -38,7 +38,7 @@ jobs:
3838
version: "0.7.12"
3939

4040
# Setup Node.js
41-
- uses: actions/setup-node@v6
41+
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
4242
with:
4343
node-version: ${{ env.NODE_VERSION }}
4444
cache: 'npm'
@@ -58,7 +58,7 @@ jobs:
5858
# Cache Playwright browsers
5959
- name: Cache Playwright browsers
6060
id: playwright-cache
61-
uses: actions/cache@v5
61+
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
6262
with:
6363
path: ~/.cache/ms-playwright
6464
key: playwright-browsers-${{ runner.os }}-${{ hashFiles('package-lock.json') }}
@@ -165,15 +165,15 @@ jobs:
165165
CI: true
166166

167167
# Upload test results on failure
168-
- uses: actions/upload-artifact@v7
168+
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
169169
if: failure()
170170
with:
171171
name: playwright-report
172172
path: playwright-report/
173173
retention-days: 30
174174

175175
# Upload test screenshots on failure
176-
- uses: actions/upload-artifact@v7
176+
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
177177
if: failure()
178178
with:
179179
name: test-results

.github/workflows/publish-docker.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -12,22 +12,22 @@ jobs:
1212
runs-on: ubuntu-latest
1313
steps:
1414
- name: Check out the repo
15-
uses: actions/checkout@v6
15+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
1616

1717
- name: Log in to Docker Hub
18-
uses: docker/login-action@v4
18+
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
1919
with:
2020
username: ${{ secrets.DOCKER_USERNAME }}
2121
password: ${{ secrets.DOCKER_PASSWORD }}
2222

2323
- name: Extract metadata (tags, labels) for Docker
2424
id: meta
25-
uses: docker/metadata-action@v6
25+
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
2626
with:
2727
images: falkordb/queryweaver
2828

2929
- name: Build and push Docker image
30-
uses: docker/build-push-action@v7
30+
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
3131
with:
3232
context: .
3333
push: true

.github/workflows/pylint.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,10 +9,10 @@ jobs:
99
runs-on: ubuntu-latest
1010

1111
steps:
12-
- uses: actions/checkout@v6
12+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
1313

1414
- name: Set up Python
15-
uses: actions/setup-python@v6
15+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
1616
with:
1717
python-version: '3.12'
1818

.github/workflows/spellcheck.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,9 +10,9 @@ jobs:
1010
spellcheck:
1111
runs-on: ubuntu-latest
1212
steps:
13-
- uses: actions/checkout@v6
13+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
1414
- name: Spellcheck
15-
uses: rojopolis/spellcheck-github-actions@0.59.0
15+
uses: rojopolis/spellcheck-github-actions@79c6662f156bc4faa184a458c39cd672783804b3 # 0.59.0
1616
with:
1717
config_path: .github/spellcheck-settings.yml
1818
task_name: Markdown

.github/workflows/tests.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -29,10 +29,10 @@ jobs:
2929
--health-retries 5
3030
3131
steps:
32-
- uses: actions/checkout@v6
32+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
3333

3434
- name: Set up Python
35-
uses: actions/setup-python@v6
35+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
3636
with:
3737
python-version: '3.12'
3838

0 commit comments

Comments
 (0)