fix: security updates on commitlint action and workflows (#48)

- Updated immutable tag for commitlint actions - Updated immutable hash for action workflows
opensource-nepal · Jul 1, 2024 · b98c73f · b98c73f
1 parent 50cc744
commit b98c73f
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 14 deletions.
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -1,23 +1,19 @@
 on:
   push:
-    branches:
-      - main
-  workflow_dispatch:
-
-permissions:
-  id-token: write # for PYPI release
+    branches: ['main']
 
 name: release-please
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # for PYPI release
+
     steps:
       - name: Release
         id: release
-        uses: google-github-actions/release-please-action@v4
-        with:
-          token: ${{ secrets.BOT_TOKEN }}
+        uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1
 
       - uses: actions/checkout@v3
         if: ${{ steps.release.outputs.release_created }}
@@ -40,4 +36,4 @@ jobs:
 
       - name: Publish package
         if: ${{ steps.release.outputs.release_created }}
-        uses: pypa/gh-action-pypi-publish@v1.8.14
+        uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0
diff --git a/action.yml b/action.yml
@@ -23,12 +23,12 @@ runs:
   using: 'composite'
   steps:
     - name: Install Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v5.1.0
       with:
         python-version: '3.8'
 
     - name: Install Commitlint
-      run: python -m pip install -e ${{ github.action_path }}
+      run: python -m pip install --disable-pip-version-check -e ${{ github.action_path }}
       shell: bash
 
     # checkout to the source code
@@ -40,17 +40,18 @@ runs:
         echo "count=$(echo '${{ toJson(github.event.commits) }}' | jq '. | length')" \
           >> $GITHUB_OUTPUT
       shell: bash
+
     - name: Checkout to pushed commits
       if: github.event_name == 'push'
-      uses: actions/checkout@v4
+      uses: actions/checkout@v4.1.7
       with:
         ref: ${{ github.sha }}
         fetch-depth: ${{ steps.push_commit_count.outputs.count }}
 
     # for pull_request event
     - name: Checkout to PR source branch
       if: github.event_name == 'pull_request'
-      uses: actions/checkout@v4
+      uses: actions/checkout@v4.1.7
       with:
         ref: ${{ github.event.pull_request.head.sha }}
         fetch-depth: ${{ github.event.pull_request.commits }}