[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
fpaul-1A · Mar 6, 2024 · 0d71876 · 0d71876
1 parent a9e7643
commit 0d71876
Show file tree

Hide file tree

Showing 15 changed files with 137 additions and 49 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -21,7 +21,7 @@ jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup
         uses: ./tools/github-actions/setup
       - name: Audit

diff --git a/.github/workflows/clean-cache.yml b/.github/workflows/clean-cache.yml
@@ -10,17 +10,20 @@ on:
     branches:
       - '**'
 
+permissions:
+  contents: read
+
 jobs:
   clean-cache:
     runs-on: ubuntu-latest
     permissions:
       actions: write
       contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Clean Branch Cache
         if: inputs.branch || github.event.ref_type == 'branch'
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           branchName: ${{ inputs.branch || github.event.ref }}
           hash: ${{ hashFiles('package.json', 'tsconfig.base.json', 'tsconfig.build.json', 'nx.json') }}

diff --git a/.github/workflows/code-check.yml b/.github/workflows/code-check.yml
@@ -26,8 +26,8 @@ jobs:
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
-    - uses: actions/checkout@master
-    - uses: gaurav-nelson/github-action-markdown-link-check@v1
+    - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
+    - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
       with:
         base-branch: 'main'
         config-file: '.github/markdown-links.config.json'
@@ -42,7 +42,7 @@ jobs:
     env:
       NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: ${{ inputs.affected && '0' || '1' }}
       - name: Setup
@@ -51,7 +51,7 @@ jobs:
         with:
           install-jdk: 'true'
       - name: Cache Jest
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         env:
           hash: ${{ hashFiles('package.json', 'tsconfig.base.json', 'tsconfig.build.json', 'nx.json') }}
         with:
@@ -71,7 +71,7 @@ jobs:
       - name: Publish tests reports
         if: always()
         # TODO upgrade to v4 when https://github.com/AmadeusITGroup/otter/issues/1198 is fixed
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: ut-reports-${{ matrix.os }}
           path: |
@@ -83,13 +83,13 @@ jobs:
     env:
       NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: ${{ inputs.affected && '0' || '1' }}
       - name: Setup
         uses: ./tools/github-actions/setup
       - name: Cache Eslint
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: .cache/eslint
           key: ${{ runner.os }}-eslint-${{ hashFiles('yarn.lock') }}

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -26,6 +26,9 @@ on:
   schedule:
     - cron: '31 2 * * 6'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -43,19 +46,19 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         languages: ${{ matrix.language }}
         config-file: ./.github/codeql/codeql-config.yml
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/deploy-showcase.yml b/.github/workflows/deploy-showcase.yml
@@ -31,16 +31,16 @@ jobs:
       NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./tools/github-actions/setup
       - name: build
         run: yarn nx build showcase
       - name: Setup Pages
-        uses: actions/configure-pages@v4
+        uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: './apps/showcase/dist/browser'
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4.0.4
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -32,7 +32,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./tools/github-actions/setup
       - name: Generate doc
         run: yarn doc:generate
@@ -43,7 +43,7 @@ jobs:
         run: yarn update-package ${{ inputs.docFolder }}/package.json --name ${{ inputs.packageName }} --version ${{ inputs.version }}
       - run: zip -q -r ${{ inputs.artifactName }}.zip "${{ inputs.docFolder }}" -x "*/node_modules/*" ".cache/*"
         shell: bash
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: ${{ inputs.artifactName }}
           path: ${{ inputs.artifactName }}.zip
@@ -57,8 +57,8 @@ jobs:
       name: azure-static-webapp
       url: ${{ steps.deploy.outputs.static_web_app_url }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         with:
           name: ${{ inputs.artifactName }}
           path: '.'
@@ -68,7 +68,7 @@ jobs:
         shell: bash
       - name: deploy
         id: deploy
-        uses: Azure/static-web-apps-deploy@v1
+        uses: Azure/static-web-apps-deploy@c514ae36604047560e33605b78f71804967bfb7a # v1
         with:
           azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}
           repo_token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -22,7 +22,7 @@ jobs:
     env:
       NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./tools/github-actions/download-build-output
       - uses: ./tools/github-actions/setup
       - run: yarn playwright install
@@ -38,7 +38,7 @@ jobs:
       - name: Publish tests reports
         if: failure()
         # TODO upgrade to v4 when https://github.com/AmadeusITGroup/otter/issues/1198 is fixed
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: e2e-report
           path: apps/showcase/playwright-reports
diff --git a/.github/workflows/it-tests.yml b/.github/workflows/it-tests.yml
@@ -22,7 +22,7 @@ jobs:
     env:
       NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./tools/github-actions/download-build-output
       - uses: ./tools/github-actions/setup
       - name: Setup verdaccio once for all tests
@@ -37,7 +37,7 @@ jobs:
         run: zip -r verdaccio.zip ./.verdaccio
         shell: bash
       - name: Publish verdaccio storage
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: verdaccio
           path: verdaccio.zip
@@ -59,7 +59,7 @@ jobs:
       ENFORCED_PACKAGE_MANAGER: ${{ matrix.packageManager }}
       PREPARE_TEST_ENV_TYPE: ${{ matrix.testEnvironment }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./tools/github-actions/download-build-output
       - uses: ./tools/github-actions/setup
       - uses: ./.github/actions/setup-java
@@ -69,7 +69,7 @@ jobs:
         run: echo "currentMonth=$(date +'%Y-%m')" >> $GITHUB_ENV
         shell: bash
       - name: Cache test-app yarn
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: |
             .cache/test-app
@@ -84,7 +84,7 @@ jobs:
           npm cache --cache=.cache/test-app/npm-cache ls | grep 127.0.0.1:4873 | xargs -d'\n' -r -n 1 npm cache --cache=.cache/test-app/npm-cache clean || true
           npx --yes -p replace-in-files-cli replace-in-files --regex=".*127.0.0.1:4873.*" --replacement="" ".cache/test-app/npm-cache/_cacache/index-v5/**/*"
         shell: bash
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         name: Download verdaccio storage prepared in the previous job
         with:
           name: verdaccio
@@ -117,14 +117,14 @@ jobs:
         shell: bash
       - name: Publish generated tests environment on failure
         if: failure() && steps.it-tests.conclusion == 'failure'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: it-tests-${{ matrix.os }}-${{ matrix.packageManager }}
           path: it-tests.zip
       - name: Publish tests reports
         if: always()
         # TODO upgrade to v4 when https://github.com/AmadeusITGroup/otter/issues/1198 is fixed
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: it-reports-${{ matrix.os }}-${{ matrix.packageManager }}
           path: 'packages/**/dist-test/it-report.xml'

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -23,7 +23,7 @@ jobs:
       NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       NX_SKIP_NX_CACHE: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release') }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./tools/github-actions/setup
       - uses: ./.github/actions/setup-java
         with:
@@ -40,7 +40,7 @@ jobs:
       nextVersionTag: ${{ steps.newVersion.outputs.nextVersionTag }}
       isPreRelease: ${{ contains( steps.newVersion.outputs.nextVersionTag, '-' ) || github.event_name == 'pull_request' || github.event_name == 'merge_group'}}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./tools/github-actions/setup
       - name: New Version
         if: github.event_name != 'merge_group'

diff --git a/.github/workflows/md-external-links-check.yml b/.github/workflows/md-external-links-check.yml
@@ -10,8 +10,8 @@ jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: gaurav-nelson/github-action-markdown-link-check@v1
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
         with:
           use-quiet-mode: 'yes'
           base-branch: 'main'
@@ -21,9 +21,9 @@ jobs:
     needs: [markdown-link-check]
     if: failure()
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Create an issue
-        uses: JasonEtco/create-an-issue@v2
+        uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RUN_URL: ${{ format('https://github.com/{0}/actions/runs/{1}/attempts/{2}', github.repository, github.run_id, github.run_attempt || 1) }}

diff --git a/.github/workflows/pr-labels.yml b/.github/workflows/pr-labels.yml
@@ -2,6 +2,9 @@ name: Pull Request Label
 
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   setup-label:
     runs-on: ubuntu-latest
@@ -10,7 +13,7 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
       - name: Setup
@@ -19,7 +22,7 @@ jobs:
         run: |
           LABELS="$(yarn pr-labels --target="${{ github.base_ref || github.ref_name }}")"
           echo "LABELS=$LABELS" >> $GITHUB_ENV
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: env.LABELS != '[]'
         continue-on-error: true
         with:

diff --git a/.github/workflows/publish-pr.yml b/.github/workflows/publish-pr.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   version:
     if: ${{ github.event.workflow_run.event == 'pull_request' }}
@@ -16,7 +19,7 @@ jobs:
       nextVersionTag: ${{ steps.newVersion.outputs.nextVersionTag }}
     steps:
       - name: get logs from workflow run
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             let download = await github.rest.actions.downloadWorkflowRunAttemptLogs({
@@ -53,7 +56,7 @@ jobs:
       checks: write
     steps:
       - name: Update triggering workflow
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           PUBLISH_RESULT: ${{ needs.publish-packages-pr.result }}
         with: