From 7865eebd82c85960fa3ce9c742ca1ecd9801ef59 Mon Sep 17 00:00:00 2001
From: Gabriela Gutierrez
Date: Wed, 7 Jun 2023 16:51:26 -0300
Subject: [PATCH 1/7] Ref actions by commit SHA in build_test.yml
It's important to make sure the SHA's are from the original repositories and not forks.
For reference:
https://github.com/actions/setup-go/releases/tag/v4.0.1
https://github.com/actions/setup-go/commit/fac708d6674e30b6ba41289acaab6d4b75aa0753
https://github.com/actions/checkout/releases/tag/v3.5.2
https://github.com/actions/checkout/commit/8e5e7e5ab8b370d6c329ec480221332ada57f0ab
https://github.com/actions/cache/releases/tag/v3.3.1
https://github.com/actions/cache/commit/88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
Signed-off-by: Gabriela Gutierrez
---
 .github/workflows/build_test.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index bb91d9e2a..daa56dd7e 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -22,17 +22,17 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Install Go
- uses: actions/setup-go@v4
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
 with:
 go-version: ${{ matrix.go-version }}
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - id: cache-paths
 run: |
 echo "::set-output name=cache::$(go env GOCACHE)"
 echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
 - name: Cache go modules
- uses: actions/cache@v3
+ uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
 with:
 path: |
 ${{ steps.cache-paths.outputs.cache }}
From 2d8c888a003601dae2b065ef4bdcc3a47d9b9068 Mon Sep 17 00:00:00 2001
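Review bot: The `cache-paths` step in this hunk still writes its outputs with `echo "::set-output name=cache::..."`, a workflow command GitHub has deprecated in favour of the `GITHUB_OUTPUT` environment file; the pinning commit leaves it in place, and the same two lines appear in the test.yml hunk of this series (`go-env` step). Suggested replacement for the two lines: `echo "cache=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"` and `echo "mod-cache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"`. Separately, now that every `uses:` is a full commit SHA with a trailing `# vX.Y.Z` comment, nothing will move these pins forward unless an updater such as Dependabot's `github-actions` ecosystem is configured; that tooling reads the trailing comment to know the current tag, so the comment must be kept in sync whenever a SHA is bumped by hand. This applies to all seven workflow files touched by the series.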
From: Gabriela Gutierrez
Date: Wed, 7 Jun 2023 16:53:15 -0300
Subject: [PATCH 2/7] Ref actions by commit SHA in labeler.yml
It's important to make sure the SHA's are from the original repositories and not forks.
For reference:
https://github.com/actions/labeler/releases/tag/v4.1.0
https://github.com/actions/labeler/commit/9fcb2c2f5584144ca754f8bfe8c6f81e77753375
Signed-off-by: Gabriela Gutierrez
---
 .github/workflows/labeler.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 218b89eef..4c27e7704 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -12,6 +12,6 @@ jobs:
 pull-requests: write # for actions/labeler to add labels to PRs
 runs-on: ubuntu-latest
 steps:
- - uses: actions/labeler@v4
+ - uses: actions/labeler@9fcb2c2f5584144ca754f8bfe8c6f81e77753375 # v4.1.0
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
From 0f90ed48338caf7cc805602b8e914327e5535c11 Mon Sep 17 00:00:00 2001
From: Gabriela Gutierrez
Date: Wed, 7 Jun 2023 16:58:00 -0300
Subject: [PATCH 3/7] Ref actions by commit SHA in lint.yml
It's important to make sure the SHA's are from the original repositories and not forks.
For reference:
https://github.com/actions/setup-go/releases/tag/v4.0.1
https://github.com/actions/setup-go/commit/fac708d6674e30b6ba41289acaab6d4b75aa0753
https://github.com/actions/checkout/releases/tag/v3.5.2
https://github.com/actions/checkout/commit/8e5e7e5ab8b370d6c329ec480221332ada57f0ab
https://github.com/golangci/golangci-lint-action/releases/tag/v3.5.0
https://github.com/golangci/golangci-lint-action/commit/5f1fec7010f6ae3b84ea4f7b2129beb8639b564f
Signed-off-by: Gabriela Gutierrez
---
 .github/workflows/lint.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 6e0058975..28d469901 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -16,13 +16,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Setup go
- uses: actions/setup-go@v4
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
 with:
 go-version: 1.17
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Setup golangci-lint
- uses: golangci/golangci-lint-action@v3
+ uses: golangci/golangci-lint-action@5f1fec7010f6ae3b84ea4f7b2129beb8639b564f # v3.5.0
 with:
 args: --verbose
 version: latest
From f6afa2b95f15feb31bf6621ca83ee996b6bb1467 Mon Sep 17 00:00:00 2001
From: Gabriela Gutierrez
Date: Wed, 7 Jun 2023 16:58:50 -0300
Subject: [PATCH 4/7] Ref actions by commit SHA in release.yml
It's important to make sure the SHA's are from the original repositories and not forks.
For reference:
https://github.com/actions/checkout/releases/tag/v3.5.2
https://github.com/actions/checkout/commit/8e5e7e5ab8b370d6c329ec480221332ada57f0ab
Signed-off-by: Gabriela Gutierrez
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fccd4902c..7bdcaaa77 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,6 @@ jobs:
 release:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Release
 run: make release
From 346f7bc0fd371464d16b6a3b87952da09008afe0 Mon Sep 17 00:00:00 2001
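Review bot: Pinning `golangci/golangci-lint-action` to a commit SHA does not pin the linter itself, because the step's `with:` block in this lint.yml hunk still says `version: latest`, so the golangci-lint binary the action downloads can change from run to run under the same pinned action commit. To make the pin meaningful end to end, set it to a specific release, `version: vX.Y.Z` (a concrete golangci-lint tag chosen by the maintainers), and let the same updater that refreshes the action SHAs bump it. The `go-version: 1.17` context line is also an unquoted plain scalar that YAML reads as a float; `go-version: "1.17"` keeps it a string and avoids the trailing-zero trap that would turn a later `1.20` into `1.2`.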
From: Gabriela Gutierrez
Date: Wed, 7 Jun 2023 17:03:30 -0300
Subject: [PATCH 5/7] Ref actions by commit SHA in sbom_generator.yml
It's important to make sure the SHA's are from the original repositories and not forks.
For reference:
https://github.com/actions/checkout/releases/tag/v3.5.2
https://github.com/actions/checkout/commit/8e5e7e5ab8b370d6c329ec480221332ada57f0ab
https://github.com/advanced-security/sbom-generator-action/releases/tag/v0.0.1
https://github.com/advanced-security/sbom-generator-action/commit/375dee8e6144d9fd0ec1f5667b4f6fb4faacefed
https://github.com/actions/upload-artifact/releases/tag/v3.1.2
https://github.com/actions/upload-artifact/commit/0b7f8abb1508181956e8e162db84b466c27e18ce
Signed-off-by: Gabriela Gutierrez
---
 .github/workflows/sbom_generator.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/sbom_generator.yml b/.github/workflows/sbom_generator.yml
index 58c13453e..c8a0a4d05 100644
--- a/.github/workflows/sbom_generator.yml
+++ b/.github/workflows/sbom_generator.yml
@@ -13,13 +13,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- - uses: advanced-security/sbom-generator-action@v0.0.1
+ - uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
 id: sbom
 env:
 GITHUB_TOKEN: ${{ github.token }}
- - uses: actions/upload-artifact@v3.1.2
+ - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 path: ${{steps.sbom.outputs.fileName }}
 name: "SBOM"
From 404301103d940a01e216032ad603eb60e47e2f51 Mon Sep 17 00:00:00 2001
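Review bot: The `GITHUB_TOKEN: ${{ github.token }}` env line in this hunk hands the job token to `advanced-security/sbom-generator-action`, and no `permissions:` block is visible for the job in the hunk (one may exist at workflow level outside it); if none is set, the token carries the repository's default permissions rather than the minimum the SBOM step needs. Suggest an explicit least-privilege block on the job, `permissions:` followed by `contents: read`, widened only if the action's documentation requires more. Minor style point: `path: ${{steps.sbom.outputs.fileName }}` has unbalanced spacing inside the expression; `path: ${{ steps.sbom.outputs.fileName }}` matches the other expressions in the series.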
From: Gabriela Gutierrez
Date: Wed, 7 Jun 2023 17:05:55 -0300
Subject: [PATCH 6/7] Ref actions by commit SHA in shellcheck.yml
It's important to make sure the SHA's are from the original repositories and not forks.
For reference:
https://github.com/actions/checkout/releases/tag/v3.5.2
https://github.com/actions/checkout/commit/8e5e7e5ab8b370d6c329ec480221332ada57f0ab
https://github.com/ludeeus/action-shellcheck/releases/tag/2.0.0
https://github.com/ludeeus/action-shellcheck/commit/00cae500b08a931fb5698e11e79bfbd38e612a38
Signed-off-by: Gabriela Gutierrez
---
 .github/workflows/shellcheck.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 04bb575a4..a348af158 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -8,6 +8,6 @@ jobs:
 name: Shellcheck
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Run ShellCheck
- uses: ludeeus/action-shellcheck@master
\ No newline at end of file
+ uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
From 147902f4cb2c5a29e761934431402c2fdbeb6161 Mon Sep 17 00:00:00 2001
From: Gabriela Gutierrez
Date: Wed, 7 Jun 2023 17:07:16 -0300
Subject: [PATCH 7/7] Ref actions by commit SHA in test.yml
It's important to make sure the SHA's are from the original repositories and not forks.
For reference:
https://github.com/actions/setup-go/releases/tag/v4.0.1
https://github.com/actions/setup-go/commit/fac708d6674e30b6ba41289acaab6d4b75aa0753
https://github.com/actions/checkout/releases/tag/v3.5.2
https://github.com/actions/checkout/commit/8e5e7e5ab8b370d6c329ec480221332ada57f0ab
https://github.com/actions/cache/releases/tag/v3.3.1
https://github.com/actions/cache/commit/88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
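Review bot: The version comment on the new `ludeeus/action-shellcheck` line reads `# v2.0.0`, but the upstream tag cited in this commit's message is `2.0.0` with no `v` prefix; tooling that refreshes SHA pins reads this comment to find the current tag, so it should match the real tag name, `uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0`. Replacing the floating `@master` reference on this third-party action is the most consequential pin in the series, since that branch could previously change the code executed in CI without any change to this repository. The added line also restores the trailing newline that the removed line lacked, as the `\ No newline at end of file` marker shows.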
Signed-off-by: Gabriela Gutierrez
---
 .github/workflows/test.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 13dac3bc8..9ae3838d8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,17 +23,17 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Install Go
- uses: actions/setup-go@v4
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
 with:
 go-version: ${{ matrix.go-version }}
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - id: go-env
 run: |
 echo "::set-output name=cache::$(go env GOCACHE)"
 echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
 - name: Cache go modules
- uses: actions/cache@v3
+ uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
 with:
 path: |
 ${{ steps.go-env.outputs.cache }}