Merge pull request #721 from hartwork/pin-github-actions-at-commit-level

Pin GitHub Actions to specific commits for security
hartwork · Apr 17, 2023 · 5a2690f · 5a2690f
2 parents b545779 + 0bbc220
commit 5a2690f
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 8 deletions.
diff --git a/.github/workflows/build_and_test_using_docker.yml b/.github/workflows/build_and_test_using_docker.yml
@@ -9,10 +9,10 @@ jobs:
     name: Build and test using Docker
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3.5.2
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435  # v4.5.0
         with:
           python-version: '3.10'
 

diff --git a/.github/workflows/dockerignore_detect_out_of_sync.yml b/.github/workflows/dockerignore_detect_out_of_sync.yml
@@ -9,7 +9,7 @@ jobs:
     name: Detect .dockerignore out-of-sync with git ls-files
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3.5.2
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
 
       - name: Check for out-of-sync .dockerignore
         run: |-

diff --git a/.github/workflows/pre_commit_detect_outdated.yml b/.github/workflows/pre_commit_detect_outdated.yml
@@ -15,10 +15,10 @@ jobs:
     name: Detect outdated pre-commit hooks
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3.5.2
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435  # v4.5.0
         with:
           python-version: '3.10'
 
@@ -38,7 +38,7 @@ jobs:
 
       - name: Create pull request from changes (if any)
         id: create-pull-request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5  # v5.0.0
         with:
           author: 'pre-commit <pre-commit@tools.invalid>'
           base: master

diff --git a/.github/workflows/run_pre_commit.yml b/.github/workflows/run_pre_commit.yml
@@ -9,10 +9,10 @@ jobs:
     name: Run pre-commit on all files
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3.5.2
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435  # v4.5.0
         with:
           python-version: '3.10'