#50: addressing Aquasec findings

lsulak · lsulak · commit 1523b57e2387 · 2025-12-22T17:38:30.000+01:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -27,11 +27,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
-      - uses: coursier/cache-action@v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: false
+
+      - uses: coursier/cache-action@bebeeb0e6f48ebad66d3783946588ecf43114433
+
       - name: Setup Scala
-        uses: olafurpg/setup-scala@v10
+        uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
         with:
           java-version: "adopt@1.8"
+
       - name: Build and run tests
         run: sbt test doc
diff --git a/.github/workflows/jacoco_check.yml b/.github/workflows/jacoco_check.yml
@@ -34,90 +34,106 @@ jobs:
       changed: 80.0
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: false
+
       - name: Setup Scala
-        uses: olafurpg/setup-scala@v10
+        uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
         with:
           java-version: "adopt@1.8"
+
       - name: Build and run tests
         run: sbt jacoco
+
       - name: Add coverage to PR for scala 2.11 & spark 2.4
         id: jacoco1
-        uses: madrapps/jacoco-report@v1.3
+        uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
         with:
           paths: ${{ github.workspace }}/spark-partition-sizing/target/spark2.4-jvm-2.11/jacoco/report/jacoco.xml
           token: ${{ secrets.GITHUB_TOKEN }}
           min-coverage-overall: $overall
           min-coverage-changed-files: $changed
           title: JaCoCo code coverage report - scala $scala_2_11 - spark $spark_24
           update-comment: true
+
       - name: Get the Coverage info
         run: |
           echo "Total coverage ${{ steps.jacoco1.outputs.coverage-overall }}"
           echo "Changed Files coverage ${{ steps.jacoco1.outputs.coverage-changed-files }}"
+
       - name: Fail PR if changed files coverage is less than $changed%
         if: ${{ steps.jacoco1.outputs.coverage-changed-files < 80.0 }}
-        uses: actions/github-script@v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             core.setFailed('Changed files coverage is less than $changed%!')
+
       - name: Add coverage to PR for scala 2.12 & spark 2.4
         id: jacoco2
-        uses: madrapps/jacoco-report@v1.3
+        uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
         with:
           paths: ${{ github.workspace }}/spark-partition-sizing/target/spark2.4-jvm-2.12/jacoco/report/jacoco.xml
           token: ${{ secrets.GITHUB_TOKEN }}
           min-coverage-overall: $overall
           min-coverage-changed-files: $changed
           title: JaCoCo code coverage report - scala $scala_2_12 - spark $spark_24
           update-comment: true
+
       - name: Get the Coverage info
         run: |
           echo "Total coverage ${{ steps.jacoco2.outputs.coverage-overall }}"
           echo "Changed Files coverage ${{ steps.jacoco2.outputs.coverage-changed-files }}"
+
       - name: Fail PR if changed files coverage is less than $changed%
         if: ${{ steps.jacoco2.outputs.coverage-changed-files < 80.0 }}
-        uses: actions/github-script@v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             core.setFailed('Changed files coverage is less than $changed%!')
+
       - name: Add coverage to PR for scala 2.12 & spark 3.2
         id: jacoco3
-        uses: madrapps/jacoco-report@v1.3
+        uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
         with:
           paths: ${{ github.workspace }}/spark-partition-sizing/target/spark3.2-jvm-2.12/jacoco/report/jacoco.xml
           token: ${{ secrets.GITHUB_TOKEN }}
           min-coverage-overall: $overall
           min-coverage-changed-files: $changed
           title: JaCoCo code coverage report - scala $scala_2_12 - spark $spark_32
           update-comment: true
+
       - name: Get the Coverage info
         run: |
           echo "Total coverage ${{ steps.jacoco3.outputs.coverage-overall }}"
           echo "Changed Files coverage ${{ steps.jacoco3.outputs.coverage-changed-files }}"
+
       - name: Fail PR if changed files coverage is less than $changed%
         if: ${{ steps.jacoco3.outputs.coverage-changed-files < 80.0 }}
-        uses: actions/github-script@v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             core.setFailed('Changed files coverage is less than $changed%!')
+
       - name: Add coverage to PR for scala 2.12 & spark 3.3
         id: jacoco4
-        uses: madrapps/jacoco-report@v1.3
+        uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
         with:
           paths: ${{ github.workspace }}/spark-partition-sizing/target/spark3.3-jvm-2.12/jacoco/report/jacoco.xml
           token: ${{ secrets.GITHUB_TOKEN }}
           min-coverage-overall: $overall
           min-coverage-changed-files: $changed
           title: JaCoCo code coverage report - scala $scala_2_12 - spark $spark_33
           update-comment: true
+
       - name: Get the Coverage info
         run: |
           echo "Total coverage ${{ steps.jacoco4.outputs.coverage-overall }}"
           echo "Changed Files coverage ${{ steps.jacoco4.outputs.coverage-changed-files }}"
+
       - name: Fail PR if changed files coverage is less than $changed%
         if: ${{ steps.jacoco4.outputs.coverage-changed-files < 80.0 }}
-        uses: actions/github-script@v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             core.setFailed('Changed files coverage is less than $changed%!')
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
@@ -27,9 +27,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: false
+
       - name: Setup Scala
-        uses: olafurpg/setup-scala@v10
+        uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
         with:
           java-version: "adopt@1.8"
+
       - run: sbt headerCheck
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -22,10 +22,17 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2.3.4
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
+          persist-credentials: false
           fetch-depth: 0
-      - uses: olafurpg/setup-scala@v13
+
+      - name: Setup Scala
+        uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
+        with:
+          java-version: "adopt@1.8"
+
       - run: sbt ci-release
         env:
           PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
