From d676d4928d069c067a76db1d3b082c7d341a0ed6 Mon Sep 17 00:00:00 2001 From: Will Da Silva Date: Sat, 15 Mar 2025 10:50:34 -0400 Subject: [PATCH] chore: pin GitHub Actions versions to commit hashes This will help prevent attacks such as [this one](https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/). Dependabot is able to update these versions automatically, and it will preserve the readable version comments. --- .github/workflows/project_add.yml | 2 +- .github/workflows/release.yml | 6 +++--- .github/workflows/test.yml | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/project_add.yml b/.github/workflows/project_add.yml index 42efcfe..3cfbaca 100644 --- a/.github/workflows/project_add.yml +++ b/.github/workflows/project_add.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.actor != 'dependabot[bot]' }} steps: - - uses: actions/add-to-project@v1.0.2 + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/MeltanoLabs/projects/3 github-token: ${{ secrets.MELTYBOT_PROJECT_ADD_PAT }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1fc3353..df46823 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,20 +14,20 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - run: git fetch --force --tags - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: go-version: 1.24 cache: true - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v6 + uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1 with: distribution: goreleaser version: latest diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index eeb76b7..067e997 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -26,9 +26,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: go-version: ${{ matrix.go-version }} cache: true @@ -50,7 +50,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Start MinIO if: ${{ matrix.fs == 's3' }} @@ -66,7 +66,7 @@ jobs: quay.io/minio/minio server /data --console-address ":9090" - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: go-version: stable cache: true