
Commit acf6c77

jorgebrazCodacy Security Botafsmeira
authored
Security: pin GitHub Actions to SHA hashes (#326)
* Security: pin GitHub Actions to SHA hashes. Replaces mutable tag/branch references with immutable SHA hashes to prevent supply-chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0. * fix: Use correct GH token. --------- Co-authored-by: Codacy Security Bot <security-bot@codacy.com> Co-authored-by: André Meira <6381457+afsmeira@users.noreply.github.com>
1 parent 1fee850 commit acf6c77

5 files changed

Lines changed: 20 additions & 20 deletions


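--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@@ -8,7 +8,7 @@ jobs:
 enforce-label:
 runs-on: ubuntu-latest
 steps:
-- uses: yogevbd/enforce-label-action@2.2.2
+- uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024 # 2.2.2
 with:
 BANNED_LABELS: "don't merge"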
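Review bot: The SHA pin on the `uses:` line at line 11 is only as trustworthy as the `# 2.2.2` mapping written next to it, and nothing in this commit shows how `a3c219da…` was resolved or that it is the commit the upstream `2.2.2` tag points at rather than a fork or unrelated branch. Before merging, confirm it with `git ls-remote https://github.com/yogevbd/enforce-label-action 2.2.2` (or a pinning tool such as pinact or ratchet that does this for every action). A frozen SHA also stops receiving fixes unless something bumps it, so pair this change with a `.github/dependabot.yml` entry using `package-ecosystem: "github-actions"` — the stale-pin trade-off is the caveat the commit message does not mention. The enclosing job definition starts outside the hunk.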

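--- a/.github/workflows/jira.yml
+++ b/.github/workflows/jira.yml
@@ -10,15 +10,15 @@ jobs:
 steps:
 - name: Jira login
 id: login
-uses: atlassian/gajira-login@v3.0.1
+uses: atlassian/gajira-login@45fd029b9f1d6d8926c6f04175aa80c0e42c9026 # v3.0.1
 env:
 JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
 JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
 JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
 
 - name: Create Jira issue
 id: create_jira_issue
-uses: atlassian/gajira-create@v3.0.1
+uses: atlassian/gajira-create@59e177c4f6451399df5b4911c2211104f171e669 # v3.0.1
 with:
 project: DOCS
 issuetype: Bug
@@ -33,7 +33,7 @@ jobs:
 fields: '{"customfield_10009": "DOCS-162", "labels": ["Pulse"]}'
 
 - name: Update title of GitHub issue
-uses: actions/github-script@v7
+uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 env:
 JIRA_ISSUE_NUMBER: ${{ steps.create_jira_issue.outputs.issue }}
 GITHUB_ORIGINAL_TITLE: ${{ github.event.issue.title }}
@@ -49,7 +49,7 @@ jobs:
 })
 
 - name: Add comment to GitHub issue
-uses: actions/github-script@v7
+uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |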
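Review bot: The `# v7` comments on the two `actions/github-script` pins (lines 36 and 52) record only the major floating tag, so an auditor or a bump tool cannot tell which release `f28e40c7…` corresponds to or whether a newer v7.x exists; record the exact release tag the SHA was resolved from, e.g. `uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.<minor>.<patch>`, using whatever `git ls-remote` reports for that commit. Since both steps write to issues with `secrets.GITHUB_TOKEN`, also make sure the workflow declares `permissions:` with `issues: write` (and nothing broader) at the job or workflow level — that block is outside the hunk, so this is a check rather than a known gap. Passing `github.event.issue.title` through `env:` rather than interpolating it into the script is the right pattern and should be kept.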

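--- a/.github/workflows/mkdocs.yml
+++ b/.github/workflows/mkdocs.yml
@@ -7,15 +7,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
-token: ${{ secrets.DEPLOYMENT_PERSONAL_ACCESS_TOKEN }}
+token: ${{ secrets.GITHUB_TOKEN }}
 submodules: true
 # git-revision-date-localized-plugin and mkdocs-rss-plugin need full git history depth
 fetch-depth: 0
 
 - name: Set up Python
-uses: actions/setup-python@v5
+uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: "3.x"
 cache: "pip"
@@ -29,7 +29,7 @@ jobs:
 mkdocs -v build
 
 - name: Upload meta descriptions artifact
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: meta-descriptions
 path: ./site/meta-descriptions.csv
@@ -42,13 +42,13 @@ jobs:
 - name: Obtain Netlify alias from branch name
 id: branch
 if: github.ref != 'refs/heads/master'
-uses: common-fate/branch-name@v1.1.2
+uses: common-fate/branch-name@baca702844ae4e7dfd7bfdfa6a9bd4235bc9f08e # v1.1.2
 with:
 max-length: 35
 
 - name: Deploy docs (branch preview)
 if: github.ref != 'refs/heads/master'
-uses: nwtgck/actions-netlify@v3.0
+uses: nwtgck/actions-netlify@4cbaf4c08f1a7bfa537d6113472ef4424e4eb654 # v3.0
 with:
 publish-dir: ./site
 production-branch: master
@@ -79,7 +79,7 @@ jobs:
 echo -e "User-agent: *\nSitemap: https://${{ env.CUSTOM_DOMAIN }}/sitemap.xml" > "./site/robots.txt"
 
 - name: Deploy docs
-uses: peaceiris/actions-gh-pages@v4
+uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
 if: github.ref == 'refs/heads/master'
 with:
 personal_token: ${{ secrets.DEPLOYMENT_PERSONAL_ACCESS_TOKEN }}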
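Review bot: Narrowing the checkout token to `secrets.GITHUB_TOKEN` at line 12 is the right least-privilege move, but the same step has `submodules: true`, and the default token can only clone submodules that are public or live in this repository — a private submodule in another repo is presumably why the PAT was there, so confirm the submodule list before relying on this (a deploy key or a read-only fine-grained PAT is the alternative if one is private). Independently, `actions/checkout` persists that token in `.git/config` by default, where the third-party `nwtgck/actions-netlify` step later in the job can read it; unless a step outside the hunk pushes with the checkout credential, add `persist-credentials: false` under the checkout's `with:`. The final deploy step at line 85 still uses the long-lived `DEPLOYMENT_PERSONAL_ACCESS_TOKEN`; if it only publishes to this repository's gh-pages branch, `github_token: ${{ secrets.GITHUB_TOKEN }}` with `permissions: contents: write` would let the PAT be retired.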

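--- a/.github/workflows/scheduled.yml
+++ b/.github/workflows/scheduled.yml
@@ -9,11 +9,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Check for broken links
 id: lychee
-uses: lycheeverse/lychee-action@v1.10.0
+uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0
 with:
 args: --verbose ./docs/**/*.md
 jobSummary: true
@@ -22,7 +22,7 @@ jobs:
 
 - name: Create issue
 if: env.lychee_exit_code != 0
-uses: peter-evans/create-issue-from-file@v5
+uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5
 with:
 title: Broken link report
 content-filepath: ./lychee/out.md
@@ -32,18 +32,18 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Compress images
 id: calibre
-uses: calibreapp/image-actions@main
+uses: calibreapp/image-actions@03c976c29803442fc4040a9de5509669e7759b81 # main
 with:
 githubToken: ${{ secrets.GITHUB_TOKEN }}
 compressOnly: true
 
 - name: Create pull request
 if: steps.calibre.outputs.markdown != ''
-uses: peter-evans/create-pull-request@v6
+uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
 with:
 title: "clean: Compress images"
 branch-suffix: timestamp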
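Review bot: The `calibreapp/image-actions` pin at line 39 freezes an arbitrary `main` commit (`03c976c2…`) rather than a release, as its `# main` comment admits, so it is not tied to any reviewed version and Dependabot/Renovate cannot map it to a newer release when one ships; pin to the SHA of a released tag and record that tag in the comment, e.g. `uses: calibreapp/image-actions@<sha-of-release> # <release-tag>`, resolved with `git ls-remote`. The same job then opens a pull request with `secrets.GITHUB_TOKEN`, which needs `permissions:` with `contents: write` and `pull-requests: write` on the job — that block is outside the hunk, so verify it is declared explicitly rather than relying on a permissive repository default. Both jobs' definitions start outside the hunks shown.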

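--- a/.github/workflows/vale.yml
+++ b/.github/workflows/vale.yml
@@ -8,13 +8,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 submodules: false
 
 - name: Vale
-uses: errata-ai/vale-action@v2.1.0
+uses: errata-ai/vale-action@38bf078c328061f59879b347ca344a718a736018 # v2.1.0
 with:
 filter_mode: added
 debug: true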
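Review bot: The checkout at line 11 passes `token: ${{ secrets.GITHUB_TOKEN }}`, which is already the action's default, and with `persist-credentials` left at its default the token is written into `.git/config` where the third-party `errata-ai/vale-action` step can read it even though a linter only needs to read the tree; unless a later step not shown in the hunk pushes with that credential, replace the redundant `token:` line with `persist-credentials: false`. The SHA pin itself is fine, but as with the other workflows the `# v2.1.0` mapping should be confirmed against `git ls-remote https://github.com/errata-ai/vale-action v2.1.0` before merge. The job definition starts outside the hunk.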
