From d69806ccc4eddd4b3fa232f6a7ffb0e8ba3f1fcf Mon Sep 17 00:00:00 2001 From: OssSecurityBot Date: Fri, 10 Jul 2026 10:26:34 -0400 Subject: [PATCH] Pin GitHub Actions to full-length commit SHAs --- .github/dependabot.yml | 11 +++++++++++ .github/workflows/check-basis.yml | 2 +- .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/go.yml | 10 +++++----- .github/workflows/java-sdk-release.yml | 4 ++-- .github/workflows/maven.yml | 6 +++--- .github/workflows/rust.yml | 2 +- 7 files changed, 27 insertions(+), 16 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..2c48305b --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + groups: + github-actions: + patterns: ["*"] + schedule: + interval: "weekly" + cooldown: + default-days: 7 diff --git a/.github/workflows/check-basis.yml b/.github/workflows/check-basis.yml index 141f12a2..f95f9565 100644 --- a/.github/workflows/check-basis.yml +++ b/.github/workflows/check-basis.yml @@ -7,7 +7,7 @@ jobs: no-basis: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Check for Basis run: | if grep -iR basis --exclude-dir=.github --exclude-dir=.git .; then diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a0d5958a..3df501c9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -38,11 +38,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -53,7 +53,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -67,4 +67,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0 diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index e98c9ac5..636800dc 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -11,10 +11,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0 with: go-version: 1.17 @@ -24,10 +24,10 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0 with: go-version: 1.17 - name: Test @@ -36,7 +36,7 @@ jobs: check-version-update: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 with: fetch-depth: 0 - name: Check Go SDK package version updated diff --git a/.github/workflows/java-sdk-release.yml b/.github/workflows/java-sdk-release.yml index 35c87fc2..df0cedb1 100644 --- a/.github/workflows/java-sdk-release.yml +++ b/.github/workflows/java-sdk-release.yml @@ -15,8 +15,8 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v2 - - uses: actions/setup-java@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - uses: actions/setup-java@91d3aa4956ec4a53e477c4907347b5e3481be8c9 # v2.5.1 with: java-version: "11" distribution: "adopt" diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml index b6411176..2488d126 100644 --- a/.github/workflows/maven.yml +++ b/.github/workflows/maven.yml @@ -18,14 +18,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@91d3aa4956ec4a53e477c4907347b5e3481be8c9 # v2.5.1 with: java-version: "11" distribution: "microsoft" - name: Cache Maven dependencies - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 671db906..c69cb085 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Build run: cargo build --features connections --verbose --manifest-path=rs/Cargo.toml - name: Run tests