From 0d262e787818daedffe962a42381e4531ad64988 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 27 Apr 2026 12:38:17 +0000 Subject: [PATCH] fix: pin GitHub Actions to specific commit SHAs to resolve high-severity unpinned-uses security issues Agent-Logs-Url: https://github.com/idvoretskyi/dev/sessions/3c92063d-fc90-42a5-9cec-b871c70c1766 Co-authored-by: idvoretskyi <118459+idvoretskyi@users.noreply.github.com> --- .github/workflows/ci.yml | 13 ++++++++----- .github/workflows/security.yml | 15 ++++++++------- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e11d27c..f494349 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,17 +16,18 @@ jobs: name: Build and Validate steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: Lint Dockerfile - uses: hadolint/hadolint-action@v3.3.0 + uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 with: dockerfile: .devcontainer/Dockerfile - name: Check for secrets - uses: gitleaks/gitleaks-action@v2 + uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -40,10 +41,12 @@ jobs: needs: build steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Test devcontainer functionality - uses: devcontainers/ci@v0.3 + uses: devcontainers/ci@b63b30de439b47a52267f241112c5b453b673db5 # v0.3 with: push: never runCmd: | diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 5e8b9fb..e2d9f11 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -19,9 +19,10 @@ jobs: name: Security and SBOM Analysis steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: Build Docker image for scanning run: | @@ -30,7 +31,7 @@ jobs: echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: '${{ env.IMAGE_NAME }}' format: 'sarif' @@ -39,28 +40,28 @@ jobs: exit-code: '0' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 if: always() with: sarif_file: 'trivy-results.sarif' category: 'security-analysis/trivy-image' - name: Generate SBOM - uses: anchore/sbom-action@v0 + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0 with: image: '${{ env.IMAGE_NAME }}' format: 'spdx-json' output-file: 'sbom.spdx.json' - name: Upload SBOM as artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: sbom-${{ github.sha }} path: sbom.spdx.json retention-days: 30 - name: Run Trivy filesystem scan - uses: aquasecurity/trivy-action@v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: scan-type: 'fs' scan-ref: '.' @@ -70,7 +71,7 @@ jobs: exit-code: '0' - name: Upload filesystem scan results - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 if: always() with: sarif_file: 'trivy-fs-results.sarif'