From a63f7b900be54921c7186a41ef034e35761530ab Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Tue, 25 Mar 2025 00:15:58 +0000
Subject: [PATCH] fix: [StepSecurity] Apply security best practices

---
 .github/workflows/lint-pr-title-preview-ignoreLabels.yml | 4 ++--
 .../lint-pr-title-preview-outputErrorMessage.yml | 8 ++++----
 .../lint-pr-title-preview-validateSingleCommit.yml | 4 ++--
 .github/workflows/lint-pr-title-preview.yml | 4 ++--
 .github/workflows/lint-pr-title.yml | 6 +++---
 .github/workflows/test.yml | 6 +++---
 6 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/lint-pr-title-preview-ignoreLabels.yml b/.github/workflows/lint-pr-title-preview-ignoreLabels.yml
index dad45f0..d8ef66d 100644
--- a/.github/workflows/lint-pr-title-preview-ignoreLabels.yml
+++ b/.github/workflows/lint-pr-title-preview-ignoreLabels.yml
@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lint-pr-title-preview-outputErrorMessage.yml b/.github/workflows/lint-pr-title-preview-outputErrorMessage.yml
index 1a8da13..276c54f 100644
--- a/.github/workflows/lint-pr-title-preview-outputErrorMessage.yml
+++ b/.github/workflows/lint-pr-title-preview-outputErrorMessage.yml
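Review bot: The harden-runner step in this hunk stays at `egress-policy: audit`, which only records outbound connections and blocks nothing, so the SHA pin alone does not stop a compromised step from exfiltrating `GITHUB_TOKEN`. Once the audit reports for these jobs have been reviewed, switch to `egress-policy: block` with an explicit `allowed-endpoints:` list (github.com and api.github.com at minimum for the checkout and `./` steps). Also note that the `# v2.11.0` / `# v4.2.2` trailers are free-text comments that nothing verifies against the SHA; enabling Dependabot or Renovate for the `github-actions` ecosystem keeps the SHA and the version comment bumped together so the pins do not silently go stale. The job's `permissions:` block sits above the hunk and is not visible here.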
@@ -15,16 +15,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./
         id: lint_pr_title
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: marocchino/sticky-pull-request-comment@v2
+      - uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
         # When the previous steps fails, the workflow would stop. By adding this
         # condition you can continue the execution with the populated error message.
         if: always() && (steps.lint_pr_title.outputs.error_message != null)
@@ -42,7 +42,7 @@
             ```
       # Delete a previous comment when the issue has been resolved
       - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
         with:
           header: pr-title-lint-error
           delete: true
\ No newline at end of file
diff --git a/.github/workflows/lint-pr-title-preview-validateSingleCommit.yml b/.github/workflows/lint-pr-title-preview-validateSingleCommit.yml
index e2e05ab..5414a0b 100644
--- a/.github/workflows/lint-pr-title-preview-validateSingleCommit.yml
+++ b/.github/workflows/lint-pr-title-preview-validateSingleCommit.yml
@@ -15,11 +15,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
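Review bot: The newly pinned `marocchino/sticky-pull-request-comment` steps in the outputErrorMessage hunks post and delete PR comments, so this workflow needs a write-capable token; the `permissions:` block that grants it is above line 15 and not visible in the hunk, and it should be confirmed to be least-privilege, i.e. `permissions:` with `pull-requests: write` and nothing broader. If, as is common for comment-on-PR workflows, the trigger is `pull_request_target`, the token is the privileged base-repo token and the pin is the right call, but the checkout must keep its default ref so that `uses: ./` runs the base branch's action code rather than the fork's. A `# NOTE: pull-requests: write is required only for the sticky-comment steps` comment next to the permissions block would make the intent auditable in later pin bumps.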
diff --git a/.github/workflows/lint-pr-title-preview.yml b/.github/workflows/lint-pr-title-preview.yml
index 8578eb9..1808d8d 100644
--- a/.github/workflows/lint-pr-title-preview.yml
+++ b/.github/workflows/lint-pr-title-preview.yml
@@ -15,11 +15,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
index 7013258..a48c966 100644
--- a/.github/workflows/lint-pr-title.yml
+++ b/.github/workflows/lint-pr-title.yml
@@ -15,12 +15,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
         with:
           node-version: 20
       - uses: ./
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ff2db72..4b6dfb3 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,13 +14,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
         with:
           node-version: 20
       - run: yarn install
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: yarn install
       - run: yarn lint && yarn test
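Review bot: In the test.yml hunk the first `- run: yarn install` executes before the pinned `actions/checkout` step, so it runs in an empty workspace with no package.json or lockfile and does nothing useful, while the second `yarn install` after checkout is the one that actually installs; the pre-checkout step is wasted time and a confusing place for a future reader to look when an install fails. Drop the first `- run: yarn install` line and keep the one that follows checkout. The `actions/setup-node` pin here is also on the v3 major (`# v3.8.2`); as with lint-pr-title.yml, pin the SHA of a v4 release so future setup-node security fixes are reachable by a plain SHA bump. The job's `permissions:` block is above line 14 and not visible in this hunk.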