From 6d7750543889516a78f63245c745b4916dcf7258 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 3 Jul 2024 10:40:42 +0000
Subject: [PATCH 1/3] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/cve-scanning.yml | 4 ++--
 .github/workflows/package.yml | 8 ++++----
 .github/workflows/semgrep.yml | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/cve-scanning.yml b/.github/workflows/cve-scanning.yml
index 9c07dcaca..1bc75a016 100644
--- a/.github/workflows/cve-scanning.yml
+++ b/.github/workflows/cve-scanning.yml
@@ -25,9 +25,9 @@ jobs:
       matrix:
         node-version: [20]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
         with:
           node-version: ${{ matrix.node-version }}
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index a540aa3de..0538018a5 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -36,10 +36,10 @@ jobs:
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Use Node ${{ matrix.node }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: ${{ matrix.node }}
@@ -75,10 +75,10 @@ jobs:
             token-name: GITHUB_TOKEN
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Configure Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 20
           registry-url: ${{ matrix.registry }}
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 27f1c5375..3f391efe4 100644
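Review bot: The newly pinned `actions/checkout` step still runs with the action's default `persist-credentials: true`, so the job's GITHUB_TOKEN is stored in the local git config of the checkout and remains available to every later step in the job (here `actions/setup-node` and the scan itself). No step visible in this hunk, nor in the package.yml and semgrep.yml hunks of this patch, pushes back to the repository, so each pinned checkout can be tightened with `with:` and `persist-credentials: false`; the same applies to the re-pinned v4.1.7 checkout lines in patches 2/3 and 3/3. The enclosing job definitions start before the hunks, so whether any later step actually relies on the persisted token cannot be confirmed from here.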
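Review bot: The `# v4.1.7` and `# v4.0.2` comments on the new `uses:` lines are the only human-readable link between each commit SHA and the release it is meant to represent, and nothing in this patch keeps either current once the action publishes a fix. Hash pins only stay a hardening if they are bumped regularly, and a stale version comment next to a moved SHA misleads the next reviewer; a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` (or the equivalent Renovate preset) updates the SHA and the trailing version comment together. This applies equally to the second package.yml hunk and to the cve-scanning.yml and semgrep.yml hunks in this series. Whether such an updater already exists in the repository cannot be seen from the patch.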
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -14,7 +14,7 @@ jobs:
     container:
       image: returntocorp/semgrep
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - run: semgrep scan --error --config auto
         env:
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

From 788dec955854620f7f099d27d8d2d2d0591940d1 Mon Sep 17 00:00:00 2001
From: Brian Ingenito <28159742+bingenito@users.noreply.github.com>
Date: Mon, 8 Jul 2024 12:38:11 -0400
Subject: [PATCH 2/3] Update cve-scanning.yml versions to match package.yml

---
 .github/workflows/cve-scanning.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/cve-scanning.yml b/.github/workflows/cve-scanning.yml
index 1bc75a016..93f631fc0 100644
--- a/.github/workflows/cve-scanning.yml
+++ b/.github/workflows/cve-scanning.yml
@@ -25,9 +25,9 @@ jobs:
       matrix:
         node-version: [20]
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: ${{ matrix.node-version }}

From 70de1c48fd8b0b70f404f7554b3c6c1925319f4d Mon Sep 17 00:00:00 2001
From: Brian Ingenito <28159742+bingenito@users.noreply.github.com>
Date: Mon, 8 Jul 2024 12:38:51 -0400
Subject: [PATCH 3/3] Update semgrep.yml versions to match package.yml

---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 3f391efe4..f061aa92f 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
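Review bot: The job's `image: returntocorp/semgrep` in the context lines just above the pinned checkout is still an untagged image reference, so it resolves to whatever the registry serves as `latest` at run time — the same mutable-reference exposure this commit removes for the actions, and it is the image that actually runs the scan. Pinning it by digest, `image: returntocorp/semgrep@sha256:<IMAGE_DIGEST>` with a trailing `# <version>` comment, brings the scanner under the same control as the action pins, and Dependabot's `docker` ecosystem can keep such a digest current. The same unchanged context line appears again in patch 3/3, where only the checkout SHA is bumped.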
@@ -14,7 +14,7 @@ jobs:
     container:
       image: returntocorp/semgrep
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - run: semgrep scan --error --config auto
         env:
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}