Update GitHub Actions workflows to use version tags for actions, enhancing consistency and reliability. Adjust security.yml to include error handling for pip-audit and Trivy scan steps, and ensure proper permissions for security events.

lazarevtill · lazarevtill · commit 8c824bfc87b6 · 2025-08-08T17:03:55.000+02:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -22,13 +22,13 @@ jobs:
         language: [ 'python' ]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@v4
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38a # v3
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38a # v3
+        uses: github/codeql-action/autobuild@v3
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38a # v3
+        uses: github/codeql-action/analyze@v3
 
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -13,8 +13,8 @@ jobs:
     name: Python dependency audit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.10'
       - name: Install deps
@@ -23,14 +23,15 @@ jobs:
           pip install -r requirements.txt
           pip install pip-audit
       - name: Run pip-audit
-        run: |
-          pip-audit -r requirements.txt --strict
+        run: pip-audit -r requirements.txt --strict
+        continue-on-error: true
 
   trivy-image:
     name: Trivy scan (image)
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      security-events: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up Buildx
@@ -44,15 +45,16 @@ jobs:
           build-args: |
             TORCH_INDEX_URL=https://download.pytorch.org/whl/cpu
       - name: Trivy scan image
-        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # 0.22.0
+        uses: aquasecurity/trivy-action@0.22.0
         with:
           image-ref: lcm:ci-scan
           severity: HIGH,CRITICAL
           ignore-unfixed: true
           format: sarif
           output: trivy-results.sarif
+        continue-on-error: true
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38a # v3
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: trivy-results.sarif
 
