diff --git a/.github/workflows/ash-full-repository-scan.yml b/.github/workflows/ash-full-repository-scan.yml
index 1b0f322..732ee07 100644
--- a/.github/workflows/ash-full-repository-scan.yml
+++ b/.github/workflows/ash-full-repository-scan.yml
@@ -17,12 +17,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
+ persist-credentials: false
 fetch-depth: 0
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: '3.10'
@@ -112,7 +113,7 @@ jobs:
 - name: Upload ASH results as artifacts
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: ash-full-scan-${{ github.run_id }}
 path: |
@@ -123,7 +124,7 @@ jobs:
 - name: Create issue for critical findings (monthly scan only)
 if: github.event_name == 'schedule' && steps.scan-summary.outputs.has_findings == 'true'
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
diff --git a/.github/workflows/ash-security-comment.yml b/.github/workflows/ash-security-comment.yml
index 8e4b5b1..9f98102 100644
--- a/.github/workflows/ash-security-comment.yml
+++ b/.github/workflows/ash-security-comment.yml
@@ -48,7 +48,7 @@ jobs:
 - name: Post comment on PR
 if: steps.pr-info.outputs.pr_number
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
diff --git a/.github/workflows/ash-security-scan.yml b/.github/workflows/ash-security-scan.yml
index f00daa2..1230acf 100644
--- a/.github/workflows/ash-security-scan.yml
+++ b/.github/workflows/ash-security-scan.yml
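Review bot: The pin comments record only the major tag (`# v4`, `# v5`), so nothing in the file says which release the SHA 34e11487… was taken from, which turns every audit or bump of the pin into a lookup exercise; record the exact release tag next to the SHA, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch>` (placeholder — fill in the tag the SHA resolves to). The same applies to every pinned `uses:` line in this diff (ash-security-comment.yml, ash-security-scan.yml, dependabot.yml, js-lint.yml, label.yml, python-lint.yml, repo-stats.yml). Adding `persist-credentials: false` next to `fetch-depth: 0` is the right default for a read-only scan job; any later step of this job that pushes or runs authenticated git — outside this hunk, if one exists — would now need an explicit token. The job's step list continues outside the hunk.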
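Review bot: `if: always()` on the artifact-upload step also runs it when the workflow is cancelled, so a cancelled run still uploads a partial scan result; where the intent is "run after failure but not after cancellation", GitHub recommends `!cancelled()`, written as `if: ${{ !cancelled() }}` (the `${{ }}` wrapper is needed because a bare `!` starts a YAML tag). The same applies to `any_changed == 'true' && always()` on the upload step in the ash-security-scan.yml hunk. The step's `path:` block continues outside the hunk.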
@@ -13,8 +13,9 @@ jobs:
 scan:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
+ persist-credentials: false
 fetch-depth: 0
 - name: Get changed files
@@ -49,7 +50,7 @@ jobs:
 - name: Set up Python
 if: steps.changed-files.outputs.any_changed == 'true'
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: '3.10'
@@ -216,7 +217,7 @@ jobs:
 - name: Upload ASH results and PR metadata
 if: steps.changed-files.outputs.any_changed == 'true' && always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: ash-security-results
 path: /tmp/ash-artifacts/
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index d82d58a..a0a73b8 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -15,7 +15,7 @@ jobs:
 steps:
 - name: Dependabot metadata
 id: metadata
- uses: dependabot/fetch-metadata@v2
+ uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/js-lint.yml b/.github/workflows/js-lint.yml
index 231e880..26ce5a4 100644
--- a/.github/workflows/js-lint.yml
+++ b/.github/workflows/js-lint.yml
@@ -14,7 +14,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Get changed JS/TS files
 id: changed-files
@@ -31,7 +33,7 @@ jobs:
 - name: Set up Node.js
 if: steps.changed-files.outputs.any_changed == 'true'
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20'
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index 4ebbf04..2673193 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -13,6 +13,6 @@ jobs:
 contents: read
 pull-requests: write
 steps:
- - uses: actions/labeler@v5
+ - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/python-lint.yml b/.github/workflows/python-lint.yml
index 5642cae..bb304bc 100644
--- a/.github/workflows/python-lint.yml
+++ b/.github/workflows/python-lint.yml
@@ -14,7 +14,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Get changed Python files
 id: changed-files
@@ -25,13 +27,13 @@ jobs:
 - name: Set up Python
 if: steps.changed-files.outputs.any_changed == 'true'
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: '3.11'
 - name: Install uv
 if: steps.changed-files.outputs.any_changed == 'true'
- uses: astral-sh/setup-uv@v3
+ uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # v3
 - name: Install ruff
 if: steps.changed-files.outputs.any_changed == 'true'
diff --git a/.github/workflows/repo-stats.yml b/.github/workflows/repo-stats.yml
index 79ecbc1..a70e688 100644
--- a/.github/workflows/repo-stats.yml
+++ b/.github/workflows/repo-stats.yml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: run-ghrs
- uses: jgehrcke/github-repo-stats@RELEASE
+ uses: jgehrcke/github-repo-stats@d80572c9029636cd0e97e3a79e7a9c293bea3b02 # RELEASE
 with:
 ghtoken: ${{ secrets.GHRS_GITHUB_API_TOKEN }}
 ghpagesprefix: "https://awslabs.github.io/sample-FAST-applications"
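Review bot: The trailing comment `# RELEASE` on the repo-stats pin names the moving ref the pin replaced, not a release, so neither a reader nor an auto-updater that keys on the comment can tell which version d80572c9… corresponds to or whether a newer release exists; replace it with the concrete release tag, e.g. `uses: jgehrcke/github-repo-stats@d80572c9029636cd0e97e3a79e7a9c293bea3b02 # <release tag the SHA resolves to>` (placeholder). This step receives a stored PAT (`GHRS_GITHUB_API_TOKEN`) rather than the job token, so pinning a third-party action here by SHA is the right call; just keep the comment in step with the SHA whenever it is bumped. The step's `with:` block may continue outside the hunk.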