Skip to content

Commit

Permalink
[StepSecurity] ci: Harden GitHub Actions
Browse files Browse the repository at this point in the history 
Signed-off-by: StepSecurity Bot <[email protected]>
  • Loading branch information
@step-security-bot
step-security-bot committed Aug 10, 2023
1 parent ced51cd commit cffab66
Show file tree
Hide file tree
Showing 7 changed files with 20 additions and 20 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/go-pr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup Go
uses: actions/setup-go@44e221478fc6847752e5c574fc7a7b3247b00fbf
with:
Expand All @@ -53,7 +53,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup Go
uses: actions/setup-go@44e221478fc6847752e5c574fc7a7b3247b00fbf
with:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/java-pr-report.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,14 +28,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Download Test Report
uses: dawidd6/action-download-artifact@v2
uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0
with:
name: surefire-test-results
workflow: ${{ github.event.workflow.id }}
run_id: ${{ github.event.workflow_run.id }}
if_no_artifact_found: warn
- name: Publish Test Report
uses: mikepenz/action-junit-report@v3
uses: mikepenz/action-junit-report@150e2f992e4fad1379da2056d1d1c279f520e058 # v3.8.0
with:
commit: ${{github.event.workflow_run.head_sha}}
report_paths: '**/surefire-reports/TEST-*.xml'
18 changes: 9 additions & 9 deletions .github/workflows/java-pr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup Environment
id: setup-env
uses: ./.github/actions/setup-env
Expand All @@ -54,7 +54,7 @@ jobs:
runs-on: [self-hosted, it]
steps:
- name: Checkout Code
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup Environment
id: setup-env
uses: ./.github/actions/setup-env
Expand All @@ -69,14 +69,14 @@ jobs:
runs-on: [self-hosted, it]
steps:
- name: Checkout Code
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup Environment
id: setup-env
uses: ./.github/actions/setup-env
- name: Run Unit Tests
run: ./cicd/run-unit-tests --changed-files="${{ steps.setup-env.outputs.changed-files }}"
- name: Upload Unit Tests Report
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: always() # always run even if the previous step fails
with:
name: surefire-test-results
Expand All @@ -92,7 +92,7 @@ jobs:
runs-on: [self-hosted, it]
steps:
- name: Checkout Code
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup Environment
id: setup-env
uses: ./.github/actions/setup-env
Expand All @@ -104,7 +104,7 @@ jobs:
--it-project="cloud-teleport-testing" \
--it-artifact-bucket="cloud-teleport-testing-it-gitactions"
- name: Upload Smoke Tests Report
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: always() # always run even if the previous step fails
with:
name: surefire-test-results
Expand All @@ -120,7 +120,7 @@ jobs:
runs-on: [self-hosted, it]
steps:
- name: Checkout Code
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup Environment
id: setup-env
uses: ./.github/actions/setup-env
Expand All @@ -132,7 +132,7 @@ jobs:
--it-project="cloud-teleport-testing" \
--it-artifact-bucket="cloud-teleport-testing-it-gitactions"
- name: Upload Integration Tests Report
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: always() # always run even if the previous step fails
with:
name: surefire-test-results
Expand All @@ -149,7 +149,7 @@ jobs:
runs-on: [self-hosted, perf]
steps:
- name: Checkout Code
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup Environment
id: setup-env
uses: ./.github/actions/setup-env
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/load-tests.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
runs-on: [ self-hosted, perf ]
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: Setup Environment
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/prepare-java-cache.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ jobs:
run: |
echo "CACHE_KEY=''" >> $GITHUB_ENV
- name: Checkout Code
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup Java
id: setup-java
uses: ./.github/actions/setup-java-env
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ jobs:
env:
CANDIDATE_NAME: ${{ inputs.candidateName }}
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
token: ${{ secrets.RELEASE_TOKEN }}
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/scorecards-analysis.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,12 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/[email protected]
uses: ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564 # v1.1.2
with:
results_file: results.sarif
results_format: sarif
Expand All @@ -42,14 +42,14 @@ jobs:

# Upload the results as artifacts (optional).
- name: "Upload artifact"
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@231aa2c8a89117b126725a0e11897209b7118144 # v1.1.39
with:
sarif_file: results.sarif

0 comments on commit cffab66

Please sign in to comment.