[StepSecurity] ci: Harden GitHub Actions (Pinned Dependencies) #1247
Conversation
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
✅ Deploy Preview for fdc3 canceled.
LGTM - although you could try bumping those deps to the current releases in the CVE-scanning and semgrep workflows
@maoo @robmoffat do we need to get step-security added to easy CLA (some sort of exception)? Or are we ok to just merge its changes after review? @bingenito will we no longer be able to merge without the easycla check passing if we implement all the governance / github settings changes proposed?
If the PR is time-sensitive, go ahead and merge (or ask help@finos.org to force the merge, if you're not able to). I've created a ticket to the EasyCLA team to add Make sure to keep @TheJuanAndOnly99 in the loop (also for similar issues in the future), as I'll be off until the 16th of July. Thank you!
We may change the set up to require checks to pass before merging is allowed, so this might become an issue in future - hence, great if you are getting the bot setup. For now we can move ahead - although I'll defer to @bingenito on when to merge this ;-)
Only if we add easycla as one of the required status checks (which arguably we should)
/easycla
@bingenito @maoo apparently locking the conversation blocks EasyCLA updating its comments! The Step-security PR now passes the easycla check.
@kriswest I updated versions to match across actions |
@bingenito great! I'm closing and reopening this PR as it should trigger 2 of the 3 workflows on reopen (we can test the package workflow on releasing the NPM module once I have a necessary review for a/the 2.1.1 release).
All is well! It did actually run the package workflow as well. LGTM
@TheJuanAndOnly99 You ok with this from a security stance?
@bingenito Yes definitely! This tool is very interesting. I think it could be useful to others.
Summary
This pull request is created by StepSecurity at the request of @bingenito. Please merge the Pull Request to incorporate the requested changes. Please tag @bingenito on your message if you have any questions related to the PR.
Fixes #1245
Security Fixes
Pinned Dependencies
GitHub Action tags and Docker tags are mutable: whoever controls the tag can move it to different code after you have reviewed it. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA instead of a tag.
Feedback
For bug reports, feature requests, and general feedback, please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
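The pinning rule this PR applies, as an added example that is not part of the PR, the StepSecurity tool, or the FDC3 project: a small Python checker that flags `uses:` references not pinned to a 40-hex commit SHA (Docker images are treated as pinned only when referenced by `@sha256:` digest) and rewrites the unpinned ones from a supplied tag-to-SHA map, keeping the tag as a trailing comment. The sample workflow, the `example/scanner` image and the SHA values in `PIN_MAP` are constructed placeholders; real SHAs would come from `git ls-remote` or the action's release page and should be verified before use.

```python
"""Check GitHub Actions workflows for `uses:` references that are not pinned
to a full-length commit SHA, and rewrite them from a tag -> SHA map.

Added example, not StepSecurity's or FDC3's code. SAMPLE_WORKFLOW and the
SHA values in PIN_MAP are constructed placeholders for illustration only.
"""
import re

# A full-length git commit SHA is exactly 40 lowercase hex characters.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Matches a `uses:` line, with or without a leading list dash, and keeps any
# trailing comment separate from the reference itself.
USES_LINE = re.compile(
    r"^(?P<indent>\s*-?\s*)uses:\s*(?P<ref>\S+)(?P<rest>\s*(#.*)?)$"
)


def split_ref(ref):
    """Split 'owner/repo[/path]@version' into (action, version).
    Returns (ref, None) when there is no '@' part."""
    if "@" not in ref:
        return ref, None
    action, version = ref.rsplit("@", 1)
    return action, version


def is_pinned(ref):
    """True when the reference cannot be silently changed upstream:
    a local './' action, a Docker image referenced by digest, or an
    action referenced by a full-length commit SHA. Tags and branches
    are mutable and therefore count as unpinned."""
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        return "@sha256:" in ref
    _, version = split_ref(ref)
    return version is not None and bool(FULL_SHA.match(version))


def find_unpinned_uses(workflow_text):
    """Return [(line_number, ref), ...] for every `uses:` that points at a
    mutable tag, branch or Docker tag instead of an immutable identifier."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m and not is_pinned(m.group("ref")):
            findings.append((lineno, m.group("ref")))
    return findings


def pin_workflow(workflow_text, pin_map):
    """Rewrite unpinned `uses:` lines using pin_map {(action, tag): sha}.
    The original tag is kept as a trailing comment so reviewers (and tools
    that bump pinned actions) can still see which release the SHA is.
    References with no entry in pin_map are left untouched."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if m and not is_pinned(m.group("ref")):
            action, tag = split_ref(m.group("ref"))
            sha = pin_map.get((action, tag))
            if sha is not None and FULL_SHA.match(sha):
                line = f"{m.group('indent')}uses: {action}@{sha} # {tag}"
        out.append(line)
    return "\n".join(out) + ("\n" if workflow_text.endswith("\n") else "")


# Constructed sample workflow: two tag-pinned actions, one local action,
# one already SHA-pinned action and one Docker image referenced by tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-step
      - uses: actions/upload-artifact@0000000000000000000000000000000000000000 # v4
      - name: scan
        uses: docker://example/scanner:latest
"""

# Constructed placeholder SHAs (NOT the real commits for these tags). In
# practice resolve each tag with
#   git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>
# and cross-check the commit against the action's release page.
PIN_MAP = {
    ("actions/checkout", "v4"): "1" * 40,
    ("actions/setup-node", "v4"): "2" * 40,
}

if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned reference {ref}")
    print(pin_workflow(SAMPLE_WORKFLOW, PIN_MAP))
```

Running the check on the sample reports the two `@v4` actions and the `:latest` Docker image; after `pin_workflow` only the Docker image remains, because it needs a digest rather than a commit SHA and so is not covered by the map. The same loop can be pointed at every file under `.github/workflows/` in CI to stop new unpinned references from landing after a PR like this one has cleaned the repository up.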