GitHub workflow vulnerabilities fixes - NEXT (#799)

chrngc · web-flow · commit d3728a2b0d7a · 2026-03-09T16:58:46.000+08:00
* Update github workflow to use hashes instead of tag

* Added tag version comments alongside with the hashes

* Fix for injection vulnerability in workflows/check-files.yml

* Removed empty spaces
diff --git a/.github/actions/checkout-with-stable-pkgs/action.yml b/.github/actions/checkout-with-stable-pkgs/action.yml
@@ -7,7 +7,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
       with:
         fetch-depth: 0
         fetch-tags: true
diff --git a/.github/workflows/check-circular-deps.yml b/.github/workflows/check-circular-deps.yml
@@ -21,7 +21,7 @@ jobs:
     steps:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/check-entangled-specs.yml b/.github/workflows/check-entangled-specs.yml
@@ -20,13 +20,13 @@ jobs:
     steps:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           persist-credentials: false
 
       # We use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065    #v5
         with:
           python-version: 3.12
 
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml
@@ -17,14 +17,16 @@ jobs:
     steps:
 
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
 
     - name: Get base commit for PRs
       if: ${{ github.event_name == 'pull_request' }}
       run: |
-        git fetch origin ${{ github.base_ref }}
-        echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
-        echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+        git fetch origin ${ORIGIN_BASE_REF}
+        echo "base_sha=$(git rev-parse origin/${ORIGIN_BASE_REF})" >> $GITHUB_ENV
+        echo "Merging ${{ github.sha }} into ${ORIGIN_BASE_REF}"
+      env:
+        ORIGIN_BASE_REF: ${{ github.base_ref }}
 
     - name: Get base commit for Pushes
       if: ${{ github.event_name == 'push' }}
diff --git a/.github/workflows/check-license-map.yml b/.github/workflows/check-license-map.yml
@@ -24,12 +24,12 @@ jobs:
     steps:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           persist-credentials: false
 
       - name: Setup Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065    #v5
         with:
           python-version: 3.12
 
diff --git a/.github/workflows/check-manifests.yml b/.github/workflows/check-manifests.yml
@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/check-package-builds.yml b/.github/workflows/check-package-builds.yml
@@ -119,7 +119,7 @@ jobs:
               sed -i "/^%license/a %doc $license_file_name" "$REGULAR_PKG_SPEC_PATH"
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
 
       - name: Checkout a stable version of the specs
         uses: ./.github/actions/checkout-with-stable-pkgs
diff --git a/.github/workflows/check-package-cgmanifest.yml b/.github/workflows/check-package-cgmanifest.yml
@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/check-source-signatures.yml b/.github/workflows/check-source-signatures.yml
@@ -24,14 +24,14 @@ jobs:
     steps:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           persist-credentials: false
           fetch-depth: 0
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065    #v5
         with:
           python-version: 3.12
 
diff --git a/.github/workflows/check-spec.yml b/.github/workflows/check-spec.yml
@@ -21,14 +21,14 @@ jobs:
     steps:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           fetch-depth: 0
           persist-credentials: false
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065    #v5
         with:
           python-version: 3.12
 
@@ -63,7 +63,7 @@ jobs:
           echo "toolchain-spec-list=$(make --no-print-directory -sC toolkit printvar-toolchain_spec_list)" >> "$GITHUB_ENV"
 
       - name: Main branch checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           ref: '3.0'
           path: '3.0-checkout'
diff --git a/.github/workflows/check-srpm-duplicates.yml b/.github/workflows/check-srpm-duplicates.yml
@@ -27,11 +27,11 @@ jobs:
     steps:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065    #v5
         with:
           python-version: 3.12
 
diff --git a/.github/workflows/check-static-glibc.yml b/.github/workflows/check-static-glibc.yml
@@ -21,13 +21,13 @@ jobs:
     steps:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           persist-credentials: false
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065    #v5
         with:
           python-version: 3.12
 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -28,24 +28,24 @@ jobs:
             build-mode: none
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@ae9ef3a1d2e3413523c3741725c30064970cc0d4    #v3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@ae9ef3a1d2e3413523c3741725c30064970cc0d4    #v3
         with:
           category: "/language:${{matrix.language}}"
 
       - name: Generate Security Report
-        uses: rsdmike/github-security-report-action@v3.0.4
+        uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d    #v3.0.4
         with:
           template: report
           token: ${{ secrets.SECURITY_TOKEN }}
@@ -55,7 +55,7 @@ jobs:
           mv ./report.pdf ./report-${{ matrix.language }}.pdf
 
       - name: GitHub Upload Release Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02    #v4
         with:
           name: report-${{ matrix.language }}
           path: |
diff --git a/.github/workflows/go-test-coverage.yml b/.github/workflows/go-test-coverage.yml
@@ -22,7 +22,7 @@ jobs:
 
     steps:
         #- name: Set up Go 1.x
-        # uses: actions/setup-go@v5
+        # uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff    #v5
         #with:
         #go-version: '${{ env.EXPECTED_GO_VERSION }}'
         #id: go
@@ -32,7 +32,7 @@ jobs:
         #go version && which go
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           persist-credentials: false
 
@@ -97,7 +97,7 @@ jobs:
         shell: bash
 
       - name: Upload test coverage
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02    #v4
         with:
           name: TestCoverage
           path: toolkit/out/tools/test_coverage_report.html
diff --git a/.github/workflows/lint-specs.yml b/.github/workflows/lint-specs.yml
@@ -21,7 +21,7 @@ jobs:
     steps:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -50,7 +50,7 @@ jobs:
           echo "updated-specs=${changed_specs}" >> "$GITHUB_ENV"
 
       - name: Main branch checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           ref: '3.0'
           path: '3.0-checkout'
@@ -59,7 +59,7 @@ jobs:
       # Our linter is based on the spec-cleaner tool from the folks at openSUSE
       # We apply a patch to modify it for our needs
       - name: spec-cleaner checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           repository: 'rpm-software-management/spec-cleaner'
           ref: 'spec-cleaner-1.2.0'
@@ -68,7 +68,7 @@ jobs:
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065    #v5
         with:
           python-version: 3.12
 
@@ -103,7 +103,7 @@ jobs:
           fi
           exit 0
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02    #v4
         if: ${{ always() }}
         with:
           name: linted_specs
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -33,13 +33,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           fetch-depth: 0
           persist-credentials: false
 
       - name: Lint
-        uses: github/super-linter/slim@v7
+        uses: github/super-linter/slim@b807e99ddd37e444d189cfd2c2ca1274d8ae8ef1    #v7
         env:
           # the default branch for this stream is 3.0.
           #github.event.repository.default_branch will return main which is not correct
diff --git a/.github/workflows/merge-conflict-check.yml b/.github/workflows/merge-conflict-check.yml
@@ -17,7 +17,7 @@ jobs:
     steps:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/verify-osguard-imageconfigs.yml b/.github/workflows/verify-osguard-imageconfigs.yml
@@ -9,10 +9,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065    #v5
         with:
           python-version: '3.x'
 
