Merge pull request #7 from amplify-security/ENG-1447/gha-pinned-hashes-rule

lae · web-flow · commit e7643a008ec9 · 2025-09-06T02:09:05.000+09:00
ENG-1447 Add GHA pinned hashes rule
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -10,10 +10,10 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.10'
-      - uses: pre-commit/action@v2.0.0
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
         env:
           SKIP: yamlfmt
diff --git a/.github/workflows/semgrep-rule-lints.yaml b/.github/workflows/semgrep-rule-lints.yaml
@@ -8,13 +8,13 @@ on:
 
 jobs:
   semgrep:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     name: semgrep-rule-lints
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-python@v2
         with:
-          python-version: 3.9.2
+          python-version: 3.9.23
       - name: install semgrep
         run: pip3 install semgrep
       - name: lints for semgrep rules
diff --git a/.github/workflows/semgrep-rules-test.yml b/.github/workflows/semgrep-rules-test.yml
@@ -12,12 +12,12 @@ on:
 jobs:
   test-latest:
     name: rules-test-latest
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-python@v2
         with:
-          python-version: 3.9.2
+          python-version: 3.9.23
       - name: install semgrep via pip
         run: pip3 install semgrep
       - name: validate rules
diff --git a/.github/workflows/validate-r2c-registry-metadata.yaml b/.github/workflows/validate-r2c-registry-metadata.yaml
@@ -16,7 +16,7 @@ jobs:
   validate-metadata:
     if: github.repository == 'amplify-security/opengrep-rules'
     name: Validate r2c registry metadata
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v2
         with:
@@ -35,7 +35,7 @@ jobs:
         run: echo $CHANGED_FILES
       - uses: actions/setup-python@v2
         with:
-          python-version: 3.9.2
+          python-version: 3.9.23
       - name: install deps
         run: pip install jsonschema pyyaml
       - name: validate metadata
diff --git a/configs/amplify.list b/configs/amplify.list
@@ -0,0 +1 @@
+yaml/github-actions/security/third-party-action-not-pinned-to-commit-sha.yml:third-party-action-not-pinned-to-commit-sha

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+yaml/github-actions/security/third-party-action-not-pinned-to-commit-sha.yml:third-party-action-not-pinned-to-commit-sha`