[StepSecurity] ci: Harden GitHub Actions (#539)

Signed-off-by: StepSecurity Bot <[email protected]>
morganstanley · Apr 10, 2024 · 2b4664e · 2b4664e
1 parent cc6e45c
commit 2b4664e
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 16 deletions.
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -25,10 +25,10 @@ jobs:
         dotnet-version: [ '6.0.x' ]
         node-version: [ '18.x' ]
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Setup Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
       with:
         node-version: ${{ matrix.node-version }}
         COMPOSEUI_SKIP_DOWNLOAD: ${{env.COMPOSEUI_SKIP_DOWNLOAD}}
@@ -43,7 +43,7 @@ jobs:
       run: npx lerna run test
 
     - name: Setup .NET Core SDK ${{ matrix.dotnet-version }}
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
       with:
         dotnet-version: ${{ matrix.dotnet-version }}
 
@@ -93,13 +93,13 @@ jobs:
 
 
     - name: Codecov
-      uses: codecov/[email protected]
+      uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
 
     # By uploading it's shared with the other workflows that are reusing this
     - name: Upload Shell Binaries
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: shell-binaries
         path: ${{ github.workspace }}/src/shell/dotnet/Shell/bin/Release/net6.0-windows/
diff --git a/.github/workflows/deploy-site.yml b/.github/workflows/deploy-site.yml
@@ -17,17 +17,17 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
         with:
           node-version: 20
           cache: 'npm'
           cache-dependency-path: './site/package-lock.json'
       - run: npm ci
       - run: npm run build
       - name: Deploy
-        uses: crazy-max/ghaction-github-pages@v4
+        uses: crazy-max/ghaction-github-pages@c05ee637ec73429400a359430db8e5629f3f2564 # v4.0.0
         with:
           target_branch: gh-pages
           build_dir: docs

diff --git a/.github/workflows/deploy-to-npm.yml b/.github/workflows/deploy-to-npm.yml
@@ -10,8 +10,8 @@ jobs:
   deploy-npm:
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
         with:
           node-version: 18
           registry-url: https://registry.npmjs.org/

diff --git a/.github/workflows/pr-build-site.yml b/.github/workflows/pr-build-site.yml
@@ -9,14 +9,17 @@ defaults:
   run:
     working-directory: ./site
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,7 +24,7 @@ jobs:
 
       # Using shared artifact from build workflow
       - name: Download Artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: shell-binaries
           path: ${{ github.workspace }}/shell-binaries
@@ -38,7 +38,7 @@ jobs:
 
       - name: Upload Release Asset
         id: upload-release-asset 
-        uses: actions/upload-release-asset@v1
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -52,8 +52,8 @@ jobs:
     runs-on: windows-latest
     needs: upload
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
         with:
           node-version: 18
           registry-url: https://registry.npmjs.org/