From f71170d30d74c135101ee1789b326552be7ee1be Mon Sep 17 00:00:00 2001 From: jcchavezs Date: Tue, 9 Jun 2026 18:02:30 +0200 Subject: [PATCH] chore(security): uses pinned versions of actions --- .github/workflows/build-and-test.yml | 6 +++--- .github/workflows/gradle-wrapper-validation.yml | 4 ++-- .github/workflows/java-release.yml | 2 +- .github/workflows/rl-scanner.yml | 4 ++-- .github/workflows/snyk.yml | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index 2bc111c..366136b 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -10,8 +10,8 @@ jobs: gradle: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: temurin java-version: 17 @@ -26,7 +26,7 @@ jobs: with: flags: unittests - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: Reports path: | diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml index b8e30c4..b460a3c 100644 --- a/.github/workflows/gradle-wrapper-validation.yml +++ b/.github/workflows/gradle-wrapper-validation.yml @@ -6,5 +6,5 @@ jobs: name: "validation/gradlew" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: gradle/actions/wrapper-validation@v6.1.0 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 diff --git a/.github/workflows/java-release.yml b/.github/workflows/java-release.yml index 132f104..ce830b4 100644 --- a/.github/workflows/java-release.yml +++ b/.github/workflows/java-release.yml 
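Review bot: In the first build-and-test.yml hunk, the trailing `# v6.0.3` and `# v5.2.0` comments are the only link between each 40-character SHA and a release, and nothing in the patch checks that link. Before merging, confirm that each SHA is the commit the named tag resolves to in the action's own repository, because GitHub also resolves a commit that exists only in a fork of that repository. A pinned SHA never moves, so the repository also needs an updater; Dependabot's `github-actions` ecosystem bumps the SHA and the version comment together, but no such configuration is visible in this patch. The same checks apply to the pins in gradle-wrapper-validation.yml, java-release.yml, rl-scanner.yml and snyk.yml.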
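Review bot: The step whose `with: flags: unittests` opens the second build-and-test.yml hunk has its `uses:` line above the hunk, and this commit does not touch it (the diffstat shows three replaced lines for this file, all visible). If that step still references a tag or branch, the job keeps running a mutable ref alongside the pinned ones, and it should be pinned in the same form, `uses: <owner>/<action>@<full-commit-sha> # <tag>`. The same check applies to the steps outside the hunks in java-release.yml, rl-scanner.yml and snyk.yml, where the diffstat shows only one or two replaced lines per file.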
@@ -32,7 +32,7 @@ jobs: steps: # Checkout the code - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 3af7aac..2ce75a3 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -32,10 +32,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: temurin java-version: ${{ inputs.java-version }} diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index d818e89..561174b 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -30,7 +30,7 @@ jobs: - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group' run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artificially flag as successful, as this is a required check for branch protection. - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.event.pull_request.head.sha || github.ref }}
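Review bot: In the snyk.yml hunk the pinned checkout still has `ref: ${{ github.event.pull_request.head.sha || github.ref }}`, so on pull-request events the job checks out the contributor's head commit; pinning the action does not change which code is fetched. The workflow's `on:` and `permissions:` blocks are outside the hunk, so whether this is a problem cannot be told from here. If the trigger is `pull_request_target`, that checkout brings untrusted code into a run that can read repository secrets. In that case the job should be gated (for example behind an environment that requires approval) and the checkout should set `persist-credentials: false`. Either way, a comment above the step saying which trigger it is written for would make the intent reviewable.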