From 5727ed859d268ee4c5ac5b679417bb770e4ac1ab Mon Sep 17 00:00:00 2001 From: Marc Ransome Date: Sun, 10 Mar 2024 19:16:30 +0000 Subject: [PATCH] Remediate OpenSSF Scorecard pinned-dependencies --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/dependency-review.yml | 4 ++-- .github/workflows/markdown-links.yml | 6 +++--- .github/workflows/openssf-scorecard.yml | 5 ++--- 4 files changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d3aef6e..a55078e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -19,11 +19,11 @@ jobs: security-events: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install dependencies run: brew install popt - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 with: languages: cpp queries: security-and-quality @@ -33,4 +33,4 @@ jobs: cmake -S . -B build cmake --build build - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 2507259..bb7de4c 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -10,9 +10,9 @@ jobs: pull-requests: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Dependency review - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3 with: comment-summary-in-pr: true fail-on-severity: low diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml index 56c685c..4836e6b 100644 --- a/.github/workflows/markdown-links.yml +++ b/.github/workflows/markdown-links.yml @@ -16,10 +16,10 @@ jobs: markdown-links: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Check links in modified Markdown files if: github.event_name == 'pull_request' - uses: gaurav-nelson/github-action-markdown-link-check@v1 + uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15 with: base-branch: main check-modified-files-only: yes @@ -27,7 +27,7 @@ jobs: config-file: .github/markdown/markdown-links.json - name: Check links in all Markdown files if: github.event_name != 'pull_request' - uses: gaurav-nelson/github-action-markdown-link-check@v1 + uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15 with: use-verbose-mode: yes config-file: .github/markdown/markdown-links.json diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml index 254d85c..729b4d9 100644 --- a/.github/workflows/openssf-scorecard.yml +++ b/.github/workflows/openssf-scorecard.yml @@ -17,8 +17,8 @@ jobs: security-events: write # Needed to upload the results to code scanning dashboard id-token: write # Needed to publish results to OpenSSF API and get a badge (see publish_results below) steps: - - name: Checkout code - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: Run analysis @@ -37,4 +37,3 @@ jobs: uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 with: sarif_file: results.sarif -