
Commit 5d6e698

authored
ci: pin github actions by hash and update via dependabot (#5193)
* Add dependabot for github actions * Pin all actions by hash
1 parent 386f4e7 commit 5d6e698

27 files changed

+236
-221
lines changed

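--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "monthly"
+groups:
+gh-actions-packages:
+patterns:
+- "*"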

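--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -11,7 +11,7 @@ jobs:
 actionlint:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 # NOTE: Ok this next bit seems unnecessary, right? The problem is that
 # this repo is currently incompatible with npm, at least with the
@@ -24,7 +24,7 @@ jobs:
 npm init -y
 - name: actionlint
 id: actionlint
-uses: raven-actions/actionlint@v2
+uses: raven-actions/actionlint@01fce4f43a270a612932cb1c64d40505a029f821 # v2.0.0
 with:
 matcher: true
 fail-on-error: true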
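Review bot: Nothing in this lint job enforces the pinning policy the commit introduces; as far as I know actionlint (run here via `raven-actions/actionlint`) validates workflow syntax and expressions but does not reject a floating `uses: owner/repo@v4` reference, so a later PR can silently reintroduce an unpinned tag. A cheap guard is a step before actionlint such as `run: '! grep -rnE "uses: [^./][^@]*@(v?[0-9]+(\.[0-9]+)*|main|master)\s*$" .github/'`, or a dedicated pinning linter if the project already has one in its toolchain. The job's trigger and permissions are outside this hunk.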

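--- a/.github/workflows/all-green.yml
+++ b/.github/workflows/all-green.yml
@@ -15,7 +15,7 @@ jobs:
 checks: read
 contents: read
 steps:
-- uses: wechuli/allcheckspassed@v1
+- uses: wechuli/allcheckspassed@2e5e8bbc775f5680ed5d02e3a22e2fc7219792ac # v1.1.0
 with:
 retries: 20 # once per minute, some checks take up to 15 min
 checks_exclude: devflow.*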

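--- a/.github/workflows/appsec.yml
+++ b/.github/workflows/appsec.yml
@@ -15,16 +15,16 @@ jobs:
 macos:
 runs-on: macos-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - run: yarn test:appsec:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 ubuntu:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
@@ -33,18 +33,18 @@ jobs:
 - run: yarn test:appsec:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:appsec:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 windows:
 runs-on: windows-latest
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-node@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
 with:
 node-version: '18'
 - uses: ./.github/actions/install
 - run: yarn test:appsec:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 ldapjs:
 runs-on: ubuntu-latest
@@ -62,14 +62,14 @@ jobs:
 LDAP_USERS: 'user01,user02'
 LDAP_PASSWORDS: 'password1,password2'
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 postgres:
 runs-on: ubuntu-latest
@@ -85,7 +85,7 @@ jobs:
 PLUGINS: pg|knex
 SERVICES: postgres
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
@@ -94,7 +94,7 @@ jobs:
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/20
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 mysql:
 runs-on: ubuntu-latest
@@ -110,42 +110,42 @@ jobs:
 PLUGINS: mysql|mysql2|sequelize
 SERVICES: mysql
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/18
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/20
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 express:
 runs-on: ubuntu-latest
 env:
 PLUGINS: express|body-parser|cookie-parser|multer
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 graphql:
 runs-on: ubuntu-latest
 env:
 PLUGINS: apollo-server|apollo-server-express|apollo-server-fastify|apollo-server-core
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 mongodb-core:
 runs-on: ubuntu-latest
@@ -158,14 +158,14 @@ jobs:
 PLUGINS: express-mongo-sanitize|mquery
 SERVICES: mongo
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 mongoose:
 runs-on: ubuntu-latest
@@ -178,21 +178,21 @@ jobs:
 PLUGINS: mongoose
 SERVICES: mongo
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 sourcing:
 runs-on: ubuntu-latest
 env:
 PLUGINS: cookie
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/18
@@ -201,7 +201,7 @@ jobs:
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 next:
 strategy:
@@ -233,9 +233,9 @@ jobs:
 PLUGINS: next
 PACKAGE_VERSION_RANGE: ${{ matrix.range }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/testagent/start
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
 with:
 cache: yarn
 node-version: ${{ matrix.version }}
@@ -245,26 +245,26 @@ jobs:
 uses: ./.github/actions/testagent/logs
 with:
 suffix: appsec-${{ github.job }}-${{ matrix.version }}-${{ matrix.range_clean }}
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 lodash:
 runs-on: ubuntu-latest
 env:
 PLUGINS: lodash
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 integration:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - run: yarn install
 - uses: ./.github/actions/node/oldest
 - run: yarn test:integration:appsec
@@ -276,39 +276,39 @@ jobs:
 env:
 PLUGINS: passport-local|passport-http
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 template:
 runs-on: ubuntu-latest
 env:
 PLUGINS: handlebars|pug
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
 node-serialize:
 runs-on: ubuntu-latest
 env:
 PLUGINS: node-serialize
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
 - run: yarn test:appsec:plugins:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:appsec:plugins:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1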
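Review bot: The identical `- uses: codecov/codecov-action@13ce06bf… # v5.3.1` line is now written out in 18 jobs of this file (and again in core.yml and debugger.yml), so every future hash bump must touch all of them and a single missed job leaves a stale, possibly vulnerable pin behind. This workflow already factors shared steps into local composite actions (`./.github/actions/node/setup`, `./.github/actions/install`, `./.github/actions/testagent/*`); a `./.github/actions/codecov` wrapper holding the one pinned `uses:` would keep the hash in a single place. The same goes for `actions/setup-node@1d0ff469… # v4.2.0`, which the `windows` and `next` jobs call directly while every other job goes through `./.github/actions/node/setup`. If you do this, make sure the Dependabot config scans the composite-action directory, otherwise the moved pin stops being updated at all.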

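--- a/.github/workflows/ci-visibility-performance.yml
+++ b/.github/workflows/ci-visibility-performance.yml
@@ -19,7 +19,7 @@ jobs:
 env:
 ROBOT_CI_GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.ROBOT_CI_GITHUB_PERSONAL_ACCESS_TOKEN }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/18
 - name: CI Visibility Performance Overhead Test
 run: yarn bench:e2e:ci-visibility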
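Review bot: The job-level `env:` two lines above the steps hands `ROBOT_CI_GITHUB_PERSONAL_ACCESS_TOKEN` to every step, including the third-party checkout action that this commit pins, so the hash pin narrows which code runs here but not what that code can read from the environment. Only the `yarn bench:e2e:ci-visibility` step visibly needs the token; move the variable to a step-level `env:` under `- name: CI Visibility Performance Overhead Test` and remove the job-level block. The job's header lines are outside this hunk, so confirm no other step relies on it before moving.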

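--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -34,11 +34,11 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v3
+uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
 with:
 languages: ${{ matrix.language }}
 config-file: .github/codeql_config.yml
@@ -48,7 +48,7 @@ jobs:
 # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
 - name: Autobuild
-uses: github/codeql-action/autobuild@v3
+uses: github/codeql-action/autobuild@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v3
+uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8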

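--- a/.github/workflows/core.yml
+++ b/.github/workflows/core.yml
@@ -15,11 +15,11 @@ jobs:
 shimmer:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
 - uses: ./.github/actions/node/oldest
 - run: yarn test:shimmer:ci
 - uses: ./.github/actions/node/latest
 - run: yarn test:shimmer:ci
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1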

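--- a/.github/workflows/datadog-static-analysis.yml
+++ b/.github/workflows/datadog-static-analysis.yml
@@ -13,10 +13,10 @@ jobs:
 name: Datadog Static Analyzer
 steps:
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Check code meets quality and security standards
 id: datadog-static-analysis
-uses: DataDog/datadog-static-analyzer-github-action@v1
+uses: DataDog/datadog-static-analyzer-github-action@06d501a75f56e4075c67a7dbc61a74b6539a05c8 # v1.2.1
 with:
 dd_api_key: ${{ secrets.DD_STATIC_ANALYSIS_API_KEY }}
 dd_app_key: ${{ secrets.DD_STATIC_ANALYSIS_APP_KEY }}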

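--- a/.github/workflows/debugger.yml
+++ b/.github/workflows/debugger.yml
@@ -15,7 +15,7 @@ jobs:
 ubuntu:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: ./.github/actions/testagent/start
 - uses: ./.github/actions/node/setup
 - uses: ./.github/actions/install
@@ -32,4 +32,4 @@ jobs:
 uses: ./.github/actions/testagent/logs
 with:
 suffix: debugger
-- uses: codecov/codecov-action@v5
+- uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1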
