#151: addressing Aquasec findings (#152)

* #151: addressing Aquasec findings

* Aquasec related automation we implement in each repo as our standard (just PR generation, not auto merge, frequency: each Sunday)

Author: lsulak

.github/dependabot.yml

@@ -0,0 +1,31 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: "master"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+    labels:
+      - "auto update"
+      - "infrastructure"
+      - "no RN"
+    open-pull-requests-limit: 3
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+
+  - package-ecosystem: "sbt"
+    directory: "/"
+    target-branch: "master"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+    labels:
+      - "auto update"
+      - "dependencies"
+      - "no RN"
+    open-pull-requests-limit: 3
+    commit-message:
+      prefix: "chore"
+      include: "scope"

.github/workflows/build.yml

@@ -45,11 +45,15 @@ jobs:
         scala: [2.12.17, 2.13.12]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: false
+
       - name: Setup Scala
-        uses: olafurpg/setup-scala@v14
+        uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
         with:
           java-version: "adopt@1.8"
+
       - name: Build and run unit tests
         run: sbt ++${{matrix.scala}} test
       - name: Generate documentation

.github/workflows/dependent_items.yml

@@ -28,7 +28,7 @@ jobs:
     name: Dependent Items Check
     runs-on: ubuntu-latest
     steps:
-      - uses: z0al/dependent-issues@v1.5.2
+      - uses: z0al/dependent-issues@950226e7ca8fc43dc209a7febf67c655af3bdb43
         env:
           # (Required) The token to use to make API calls to GitHub.
           GITHUB_TOKEN: ${{ secrets.PAT_REPO_PROJECT_DISCUSS }}

.github/workflows/jacoco_report.yml

@@ -49,50 +49,59 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: false
+
       - name: Setup Scala
-        uses: olafurpg/setup-scala@v14
+        uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
         with:
           java-version: "adopt@1.8"
+
       - name: Prepare testing database
         run: sbt flywayMigrate
+
       - name: Build and run tests
         continue-on-error: true
         id: jacocorun
         run: sbt ++${{env.scalaLong}} jacoco
+
       - name: Add coverage to PR (core)
         if: steps.jacocorun.outcome == 'success'
         id: jacoco-core
-        uses: madrapps/jacoco-report@v1.6.1
+        uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
         with:
           paths: ${{ github.workspace }}/core/target/scala-${{ env.scalaShort }}/jacoco/report/jacoco.xml
           token: ${{ secrets.GITHUB_TOKEN }}
           min-coverage-overall: ${{ env.coverage-overall }}
           min-coverage-changed-files: ${{ env.coverage-changed-files }}
           title: JaCoCo `core` module code coverage report - scala ${{ env.scalaLong }}
           update-comment: true
+
       - name: Add coverage to PR (doobie)
         if: steps.jacocorun.outcome == 'success'
         id: jacoco-doobie
-        uses: madrapps/jacoco-report@v1.6.1
+        uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
         with:
           paths: ${{ github.workspace }}/doobie/target/scala-${{ env.scalaShort }}/jacoco/report/jacoco.xml
           token: ${{ secrets.GITHUB_TOKEN }}
           min-coverage-overall: ${{ env.coverage-overall }}
           min-coverage-changed-files: ${{ env.coverage-changed-files }}
           title: JaCoCo `doobie` module code coverage report - scala ${{ env.scalaLong }}
           update-comment: true
+
       - name: Add coverage to PR (slick)
         if: steps.jacocorun.outcome == 'success'
         id: jacoco-slick
-        uses: madrapps/jacoco-report@v1.6.1
+        uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
         with:
           paths: ${{ github.workspace }}/slick/target/scala-${{ env.scalaShort }}/jacoco/report/jacoco.xml
           token: ${{ secrets.GITHUB_TOKEN }}
           min-coverage-overall: ${{env.coverage-overall }}
           min-coverage-changed-files: ${{ env.coverage-changed-files }}
           title: JaCoCo `slick` module code coverage report - scala ${{ env.scalaLong }}
           update-comment: true
+
       - name: Get the Coverage info
         if: steps.jacocorun.outcome == 'success'
         run: |
@@ -102,9 +111,10 @@ jobs:
           echo "Changed Files coverage ${{ steps.jacoco-doobie.outputs.coverage-changed-files }}"
           echo "Total `slick` module coverage ${{ steps.jacoco-slick.outputs.coverage-overall }}"
           echo "Changed Files coverage ${{ steps.jacoco-slick.outputs.coverage-changed-files }}"
+
       - name: Fail PR if changed files coverage is less than ${{ env.coverage-changed-files }}%
         if: steps.jacocorun.outcome == 'success'
-        uses: actions/github-script@v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             const coverageCheckFailed =
@@ -114,9 +124,10 @@ jobs:
             if (coverageCheckFailed) {
               core.setFailed('Changed files coverage is less than ${{ env.coverage-changed-files }}%!');
             }
+
       - name: Fail PR if overall files coverage is less than ${{ env.coverage-overall }}%
         if: ${{ (steps.jacocorun.outcome == 'success') && (env.check-overall-coverages == 'true') }}
-        uses: actions/github-script@v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             const coverageCheckFailed =
@@ -126,9 +137,10 @@ jobs:
             if (coverageCheckFailed) {
               core.setFailed('Overall coverage is less than ${{ env.coverage-overall }}%!');
             }
+
       - name: Edit JaCoCo comments on build failure
         if: steps.jacocorun.outcome != 'success'
-        uses: actions/github-script@v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             const issue_number = context.issue.number;

.github/workflows/license_check.yml

@@ -29,9 +29,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: false
+
       - name: Setup Scala
-        uses: olafurpg/setup-scala@v10
+        uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
         with:
           java-version: "adopt@1.8"
+
       - run: sbt headerCheck

.github/workflows/release.yml

@@ -22,10 +22,17 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2.3.4
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           fetch-depth: 0
-      - uses: olafurpg/setup-scala@v13
+          persist-credentials: false
+
+      - name: Setup Scala
+        uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
+        with:
+          java-version: "adopt@1.8"
+
       - run: sbt ci-release
         env:
           PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}

.github/workflows/test_filenames_check.yml

@@ -27,11 +27,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: false
 
       - name: Filename Inspector
         id: scan-test-files
-        uses: AbsaOSS/filename-inspector@v0.1.0
+        uses: AbsaOSS/filename-inspector@355108975e656fac9faaa04209b6df3f9997c8fa
         with:
           name-patterns: '*UnitTests.*,*IntegrationTests.*'
           paths: '**/src/test/scala/**'