Skip to content

Commit 93b5e30

Browse files
committed
fix security on github action
1 parent d3b27b0 commit 93b5e30

6 files changed

Lines changed: 26 additions & 16 deletions

File tree

.github/dependabot.yml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,3 +12,12 @@ updates:
1212
ignore:
1313
# Ignore all versions : cf pom.xml comments
1414
- dependency-name: "com.mycila:license-maven-plugin"
15+
16+
- package-ecosystem: "github-actions"
17+
directory: "/"
18+
schedule:
19+
interval: "weekly"
20+
# Keep action update PRs focused and easy to review.
21+
commit-message:
22+
prefix: "ci"
23+

.github/workflows/build.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -20,12 +20,12 @@ jobs:
2020
pull-requests: read # allows SonarCloud to decorate PRs with analysis results
2121
steps:
2222
- name: Checkout
23-
uses: actions/checkout@v4
23+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
2424
with:
2525
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
2626

2727
- name: Set up JDK
28-
uses: actions/setup-java@v4
28+
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
2929
with:
3030
distribution: 'temurin'
3131
java-version: 17
@@ -39,7 +39,7 @@ jobs:
3939
echo "<settings><pluginGroups><pluginGroup>org.sonarsource.scanner.maven</pluginGroup></pluginGroups></settings>" > ~/.m2/settings.xml
4040
4141
- name: Cache SonarQube packages
42-
uses: actions/cache@v4
42+
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
4343
with:
4444
path: ~/.sonar/cache
4545
key: ${{ runner.os }}-sonar

.github/workflows/build_container.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -30,26 +30,26 @@ jobs:
3030

3131
steps:
3232
- name: Login to GitHub Container Registry
33-
uses: docker/login-action@v2
33+
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
3434
with:
3535
registry: ghcr.io
3636
username: ${{ github.actor }}
3737
password: ${{ secrets.GITHUB_TOKEN }}
3838

3939
- name: Checkout repository
40-
uses: actions/checkout@v3
40+
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
4141
with:
4242
fetch-depth: 0
4343

4444
- name: Set up QEMU
45-
uses: docker/setup-qemu-action@v2
45+
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2
4646

4747
- name: Set up Docker Buildx
48-
uses: docker/setup-buildx-action@v2
48+
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2
4949

5050
- name: Docker metadata
5151
id: meta
52-
uses: docker/metadata-action@v4
52+
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4
5353
with:
5454
github-token: ${{ secrets.GITHUB_TOKEN }}
5555
images: ${{ env.IMAGES }}
@@ -66,7 +66,7 @@ jobs:
6666
6767
- name: Publish image
6868
id: push
69-
uses: docker/build-push-action@v4
69+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4
7070
with:
7171
push: true
7272
tags: ${{ steps.meta.outputs.tags }}

.github/workflows/stale_tag.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ jobs:
1111
contents: read
1212
pull-requests: write
1313
steps:
14-
- uses: actions/stale@v8.0.0
14+
- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
1515
with:
1616
repo-token: ${{ secrets.GITHUB_TOKEN }}
1717
days-before-issue-stale: -1 # We don't want to address issues
@@ -21,4 +21,4 @@ jobs:
2121
stale-pr-label: stale
2222
stale-pr-message: |
2323
This PR has been automatically marked as stale because it has no activity for 30 days.
24-
Please add a comment if you want to keep the issue open. Thank you for your contributions!
24+
Please add a comment if you want to keep the issue open. Thank you for your contributions!

.github/workflows/tag_release.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ jobs:
1919
contents: read
2020
steps:
2121
- name: Check user permissions
22-
uses: 74th/workflow-permission-action@1.0.0
22+
uses: 74th/workflow-permission-action@61b695d54d72c612459668d29fca41281a0f49d4 # 1.0.0
2323
with:
2424
users: dedece35,glalloue,jhertout,olegoaer,zippy1978,utarwyn
2525
build:
@@ -30,7 +30,7 @@ jobs:
3030
contents: write
3131
steps:
3232
- name: Checkout repository
33-
uses: actions/checkout@v3
33+
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
3434
with:
3535
fetch-depth: 0
3636

@@ -56,13 +56,13 @@ jobs:
5656
echo "release_tag=$RELEASE_TAG" >> $GITHUB_ENV
5757
5858
- name: Checkout tag "${{ env.release_tag }}"
59-
uses: actions/checkout@v3
59+
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
6060
with:
6161
ref: ${{ env.release_tag }}
6262

6363
- name: Extract release notes
6464
id: extract-release-notes
65-
uses: ffurrer2/extract-release-notes@v1
65+
uses: ffurrer2/extract-release-notes@f2dd00dec4102dbc6d7bdf804dfd85546dfa1f0b # v1
6666

6767
- name: Build project
6868
env:
@@ -83,7 +83,7 @@ jobs:
8383
echo "jar_path=$JAR_FILE" >> $GITHUB_ENV
8484
8585
- name: Create release and upload asset
86-
uses: softprops/action-gh-release@v2
86+
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
8787
with:
8888
tag_name: ${{ env.release_tag }}
8989
name: Release ${{ env.release_tag }}

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
1616
- [#111](https://github.com/green-code-initiative/creedengo-php/issues/111) refacto to have all the test files in the same place (for UT and IT), to avoid maintaining 2 test directories
1717
- [#111](https://github.com/green-code-initiative/creedengo-php/issues/111) refacto all test files to add sub-directories for each rule, to be more clear and to be able to add more tests for each rule in the future
1818
- [#126](https://github.com/green-code-initiative/creedengo-php/pull/126) Fix NPE on GCI2 and GCI35 + global NPE robustness for these 2 rules
19+
- harden GitHub Actions security by sanitizing dispatch input usage, pinning external actions to commit SHAs, and enabling Dependabot updates for pinned action references
1920

2021
### Deleted
2122

0 commit comments

Comments
 (0)