From 9e0df887cde71329cf8c311b3f346a2a3467d61b Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Thu, 12 Sep 2024 13:13:28 +0000 Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions Signed-off-by: StepSecurity Bot --- .github/workflows/auto-assign.yaml | 2 +- .github/workflows/build-multi-stage.yaml | 2 +- .github/workflows/codespell.yaml | 2 +- .github/workflows/commitlint.yaml | 2 +- .github/workflows/dependency-review.yaml | 4 ++-- .github/workflows/go-test.yaml | 8 ++++---- .github/workflows/golangci-lint.yaml | 2 +- .github/workflows/lint-extras.yaml | 2 +- .github/workflows/mergify-copy-labels.yaml | 2 +- .github/workflows/mod-check.yaml | 2 +- .github/workflows/publish-artifacts.yaml | 4 ++-- .github/workflows/pull-request-commentor.yaml | 12 ++++++------ .github/workflows/retest.yaml | 2 +- .github/workflows/snyk-container-image.yaml | 6 +++--- .github/workflows/snyk.yaml | 4 ++-- .github/workflows/stale.yaml | 2 +- .github/workflows/test-retest-action.yaml | 2 +- .github/workflows/tickgit.yaml | 2 +- 18 files changed, 31 insertions(+), 31 deletions(-) diff --git a/.github/workflows/auto-assign.yaml b/.github/workflows/auto-assign.yaml index fce7665e5..3b69fbffb 100644 --- a/.github/workflows/auto-assign.yaml +++ b/.github/workflows/auto-assign.yaml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: take the issue - uses: bdougie/take-action@main + uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # main with: message: > Thanks for taking this issue! diff --git a/.github/workflows/build-multi-stage.yaml b/.github/workflows/build-multi-stage.yaml index 333bcc13b..5b1039993 100644 --- a/.github/workflows/build-multi-stage.yaml +++ b/.github/workflows/build-multi-stage.yaml 
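Review bot: The new `uses:` line annotates the pinned SHA with `# main`, which records the branch the commit was taken from but not a reviewed release, so nothing in the workflow says which version of bdougie/take-action this step now runs. SHA pinning does close the mutable-tag/branch hole, but the tooling that later bumps such pins keys off that trailing comment, and a branch name gives it no version to compare against, so this pin is likely to go stale unless someone updates it by hand. If the action publishes tags, prefer `uses: bdougie/take-action@<sha> # v1.x.y`; otherwise record the snapshot date, e.g. `# main as of 2024-09-12`, so the next reviewer can tell how old the pinned code is. The same caveat applies to the other branch-derived pins in this patch (`# main`, `# master`, `# devel`).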
@@ -13,7 +13,7 @@ jobs: name: multi-arch-build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: multi-arch-build # yamllint disable-line rule:line-length if: ${{ ! contains(github.event.pull_request.labels.*.name, 'ci/skip/multi-arch-build') }} diff --git a/.github/workflows/codespell.yaml b/.github/workflows/codespell.yaml index ece48c9f1..081023e5a 100644 --- a/.github/workflows/codespell.yaml +++ b/.github/workflows/codespell.yaml @@ -15,6 +15,6 @@ jobs: name: codespell runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: codespell run: make containerized-test TARGET=codespell diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index 7b7b653ba..e315c1ccc 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -14,7 +14,7 @@ jobs: if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ github.event.pull_request.head.sha }} - name: commitlint diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index fd204ebee..20e344bfd 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -15,8 +15,8 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: 'Dependency Review' - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 with: allow-ghsas: GHSA-f4w6-3rh6-6q4q diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml index da1adca2d..507874160 100644 
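Review bot: In the dependency-review.yaml hunk the context line `allow-ghsas: GHSA-f4w6-3rh6-6q4q` suppresses one specific advisory with no comment explaining why it is acceptable or when the exception can be dropped; now that the action is pinned to a fixed v4.3.4, that allow-list is the only thing in this step a reviewer still has to reason about. Add a why-comment above it, e.g. `# GHSA-f4w6-3rh6-6q4q: <reason it does not apply>; re-evaluate when <condition>`, so the suppression does not outlive its justification. This is a documentation-only suggestion; the pin itself looks correct.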
--- a/.github/workflows/go-test.yaml +++ b/.github/workflows/go-test.yaml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repo - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Check generated deploy code run: make generate-deploy @@ -29,20 +29,20 @@ jobs: name: e2e-build-test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: e2e-build-test run: make containerized-build TARGET=e2e.test go-test: name: go-test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: go-test run: make containerized-test TARGET=go-test go-test-api: name: go-test-api runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: go-test-api run: make containerized-test TARGET=go-test-api diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml index 7d18eafb0..822db7920 100644 --- a/.github/workflows/golangci-lint.yaml +++ b/.github/workflows/golangci-lint.yaml @@ -13,6 +13,6 @@ jobs: name: golangci-lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: golangci-lint run: make containerized-test TARGET=go-lint diff --git a/.github/workflows/lint-extras.yaml b/.github/workflows/lint-extras.yaml index de6fcd363..85e985fe4 100644 --- a/.github/workflows/lint-extras.yaml +++ b/.github/workflows/lint-extras.yaml @@ -13,6 +13,6 @@ jobs: name: lint-extras runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: lint-extras run: make containerized-test TARGET=lint-extras 
diff --git a/.github/workflows/mergify-copy-labels.yaml b/.github/workflows/mergify-copy-labels.yaml index 3323b438c..cf296e30e 100644 --- a/.github/workflows/mergify-copy-labels.yaml +++ b/.github/workflows/mergify-copy-labels.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Copying labels - uses: Mergifyio/gha-mergify-merge-queue-labels-copier@main + uses: Mergifyio/gha-mergify-merge-queue-labels-copier@1d2b277f94d52987008ec05b571fb68f2357e63f # main with: additional-labels: 'ok-to-test' token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} diff --git a/.github/workflows/mod-check.yaml b/.github/workflows/mod-check.yaml index b94460ad3..a70058820 100644 --- a/.github/workflows/mod-check.yaml +++ b/.github/workflows/mod-check.yaml @@ -13,6 +13,6 @@ jobs: name: mod-check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: mod-check run: make containerized-test TARGET=mod-check diff --git a/.github/workflows/publish-artifacts.yaml b/.github/workflows/publish-artifacts.yaml index b29f7cf2f..912b73d48 100644 --- a/.github/workflows/publish-artifacts.yaml +++ b/.github/workflows/publish-artifacts.yaml @@ -18,10 +18,10 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'ceph/ceph-csi' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Login to Quay - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: quay.io username: ${{ secrets.QUAY_IO_USERNAME }} diff --git a/.github/workflows/pull-request-commentor.yaml b/.github/workflows/pull-request-commentor.yaml index 4941651a5..54aa562f5 100644 --- a/.github/workflows/pull-request-commentor.yaml +++ b/.github/workflows/pull-request-commentor.yaml 
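Review bot: In the mergify-copy-labels.yaml hunk the newly pinned Mergifyio/gha-mergify-merge-queue-labels-copier step is handed `secrets.CEPH_CSI_BOT_TOKEN`, so the chosen SHA is not just a version choice but the exact third-party code that will hold a bot PAT, and per the `# main` comment it is a branch snapshot rather than a tagged release. The commit at that SHA should be read once before this merges, since with a PAT in scope a malicious or buggy snapshot is the whole risk SHA pinning is meant to bound. It is also worth checking whether the PAT is needed at all: copying labels is usually possible with the job's `GITHUB_TOKEN` under `permissions: { pull-requests: write, issues: write }`, but the workflow's trigger and `permissions:` block are outside this hunk, so I cannot confirm that here.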
@@ -51,7 +51,7 @@ jobs: Add comment to trigger external storage tests for Kubernetes ${{ matrix.k8s }} if: ${{ github.base_ref == matrix.branch }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} issue-number: ${{ github.event.pull_request.number }} @@ -62,7 +62,7 @@ jobs: Add comment to trigger helm E2E tests for Kubernetes ${{ matrix.k8s }} if: ${{ github.base_ref == matrix.branch }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} issue-number: ${{ github.event.pull_request.number }} @@ -70,7 +70,7 @@ jobs: /test ci/centos/mini-e2e-helm/k8s-${{ matrix.k8s }} - name: Add comment to trigger E2E tests for Kubernetes ${{ matrix.k8s }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 if: ${{ github.base_ref == matrix.branch }} with: token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} @@ -87,7 +87,7 @@ jobs: steps: - name: Add comment to trigger cephfs upgrade tests - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} issue-number: ${{ github.event.pull_request.number }} @@ -95,7 +95,7 @@ jobs: /test ci/centos/upgrade-tests-cephfs - name: Add comment to trigger rbd upgrade tests - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} issue-number: ${{ github.event.pull_request.number }} 
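Review bot: In the @@ -70 hunk of pull-request-commentor.yaml the step places `if: ${{ github.base_ref == matrix.branch }}` after the `uses:` line, whereas the two preceding matrix steps (@@ -51 and @@ -62) place `if:` before `uses:`; since this commit is already rewriting the `uses:` line, it is a cheap moment to move the `if:` above it so all three steps read the same way. The ordering is functionally irrelevant, so this is style only.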
@@ -116,7 +116,7 @@ jobs: steps: - name: remove ok-to-test-label after commenting - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{ secrets.CEPH_CSI_BOT_TOKEN }} script: | diff --git a/.github/workflows/retest.yaml b/.github/workflows/retest.yaml index 818796275..405d11491 100644 --- a/.github/workflows/retest.yaml +++ b/.github/workflows/retest.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: # path to the retest action - - uses: ceph/ceph-csi/actions/retest@devel + - uses: ceph/ceph-csi/actions/retest@d2ddd521516965aa25532355ae8fd190effbdf69 # devel with: GITHUB_TOKEN: ${{ secrets.CEPH_CSI_BOT_TOKEN }} required-label: "ci/retry/e2e" diff --git a/.github/workflows/snyk-container-image.yaml b/.github/workflows/snyk-container-image.yaml index 74b9b55d2..f1738b00c 100644 --- a/.github/workflows/snyk-container-image.yaml +++ b/.github/workflows/snyk-container-image.yaml @@ -26,18 +26,18 @@ jobs: if: github.repository == 'ceph/ceph-csi' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Build a Docker image run: make image-cephcsi - name: Run Snyk to check Docker image for vulnerabilities continue-on-error: true - uses: snyk/actions/docker@master + uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master env: SNYK_TOKEN: ${{ secrets.SYNK_TOKEN }} with: image: quay.io/cephcsi/cephcsi:${{ github.base_ref }} args: --file=Dockerfilei - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: sarif_file: snyk.sarif diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index dd1ed75f7..861ab163c 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml 
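Review bot: The actions/github-script step pinned here at v7.0.1 runs an inline `script:` with `secrets.CEPH_CSI_BOT_TOKEN`, and the script body lies outside this hunk; because this workflow reacts to pull requests, it is worth confirming that the script reads PR data through the `context` object (e.g. `context.payload.pull_request.number`) rather than through `${{ github.event.pull_request.title }}`-style template expansion, which is the usual script-injection path for a step holding a PAT. If it already does, a one-line comment above `script:` saying so would spare the next reviewer the check.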
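Review bot: In the retest.yaml hunk, pinning `ceph/ceph-csi/actions/retest@devel` to a fixed SHA changes how this in-repo action is consumed: the workflow previously ran whatever `actions/retest` was on `devel`, and now runs the action as of d2ddd52 until someone bumps this line, so later fixes to `actions/retest` will silently not take effect here. If the intent is to keep the action in lock-step with the repository, the drift-free form is a checkout followed by a local path reference, `- uses: actions/checkout@<sha>` then `- uses: ./actions/retest` (this job currently has no checkout step, so one would need adding); if the pin is deliberate, a comment such as `# bump whenever actions/retest changes` above the `uses:` line would make the maintenance obligation visible.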
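Review bot: In the snyk-container-image.yaml hunk the context line `args: --file=Dockerfilei` looks like a typo for `--file=Dockerfile` (or a path to the image's Dockerfile), and because the Snyk step carries `continue-on-error: true` a failure from a missing file would be masked and only surface as the following upload-sarif step failing on an absent snyk.sarif, which reads like an upload problem rather than a broken scan. Worth confirming that file name exists in the repository; if the scan is meant to stay best-effort, gate the upload so a broken scan is distinguishable from a clean one, e.g. `if: ${{ hashFiles('snyk.sarif') != '' }}` on the upload step, or drop `continue-on-error` so a misconfigured scan fails visibly. Pinning `snyk/actions/docker` to a `master` snapshot is fine in itself, but as with the other branch-derived pins the `# master` comment gives no version to track.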
@@ -20,11 +20,11 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 - name: run Snyk to check for code vulnerabilities - uses: snyk/actions/golang@master + uses: snyk/actions/golang@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master env: SNYK_TOKEN: ${{ secrets.SYNK_TOKEN }} diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 01fa31fe3..d87cc663f 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'ceph/ceph-csi' steps: - - uses: actions/stale@v9 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} days-before-issue-stale: 30 diff --git a/.github/workflows/test-retest-action.yaml b/.github/workflows/test-retest-action.yaml index e8578179b..f5cc32c0d 100644 --- a/.github/workflows/test-retest-action.yaml +++ b/.github/workflows/test-retest-action.yaml @@ -15,7 +15,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Docker build # Run cd to avoid loading complete cephcsi directory in docker context diff --git a/.github/workflows/tickgit.yaml b/.github/workflows/tickgit.yaml index 2b49b48eb..87a8d8f51 100644 --- a/.github/workflows/tickgit.yaml +++ b/.github/workflows/tickgit.yaml @@ -14,5 +14,5 @@ jobs: name: tickgit runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - run: make containerized-test TARGET=tickgit
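Review bot: In the snyk.yaml hunk the `env:` block under the newly pinned snyk/actions/golang step sets `SNYK_TOKEN` from `secrets.SYNK_TOKEN` — the secret name is spelled SYNK, not SNYK. snyk-container-image.yaml uses the same spelling, so it may well be the repository secret's real name, but if it is a typo the variable expands to an empty string and every run will fail Snyk authentication rather than scan. Worth checking against the repository's secret list; if the name is intentional, a short comment above the env line, `# repository secret is deliberately named SYNK_TOKEN`, would stop the next reader from "fixing" it.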