feat(security): Pin github actions (#569)

chouetz · web-flow · commit 7d61da84b30e · 2025-02-12T10:51:06.000+01:00
* feat(security): Pin github actions

* fix ci
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
diff --git a/.github/workflows/no-auto-bump.yml b/.github/workflows/no-auto-bump.yml
@@ -14,6 +14,6 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           sync-labels: true
diff --git a/.github/workflows/open-datadog-agent-pr.yml b/.github/workflows/open-datadog-agent-pr.yml
@@ -14,15 +14,15 @@ jobs:
 
     steps:
       - name: Create Token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
         id: app-token
         with:
           app-id: ${{ vars.DATADOG_APP_ID }}
           private-key: ${{ secrets.DATADOG_APP_PRIVATE_KEY }}
           repositories: datadog-agent
 
       - name: Clone datadog-agent repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: datadog/datadog-agent
           persist-credentials: false
@@ -31,7 +31,7 @@ jobs:
           fetch-depth: 0
 
       - name: Clone omnibus-software repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: datadog/omnibus-software
           persist-credentials: false
@@ -41,7 +41,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Python3
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: "3.11.8"
           cache: "pip"
@@ -69,7 +69,7 @@ jobs:
           inv -e release.set-release-json 'nightly-a7::OMNIBUS_SOFTWARE_VERSION' ${{ steps.new_sha.outputs.NEW_SHA }}
 
       - name: create datadog-agent PR
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
         with:
           token: ${{ steps.app-token.outputs.token }}
           base: main
diff --git a/config/software/openssl3.rb b/config/software/openssl3.rb
@@ -81,7 +81,7 @@
 
   if windows?
     configure_args << "zlib-dynamic"
-    if ENV['AGENT_FLAVOR'] == "fips"
+    if ENV["AGENT_FLAVOR"] == "fips"
       configure_args << '--openssldir="C:/Program Files/Datadog/Datadog Agent/embedded3/ssl"'
       # Provide a context name for our configuration through the registry
       configure_args << "-DOSSL_WINCTX=datadog-fips-agent"
