diff --git a/.github/workflows/javascript-npm-packages.yml b/.github/workflows/javascript-npm-packages.yml index 5e32b35..13691d5 100644 --- a/.github/workflows/javascript-npm-packages.yml +++ b/.github/workflows/javascript-npm-packages.yml @@ -30,7 +30,7 @@ jobs: if: ${{ github.ref_type == 'branch' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: coroboros/ci/.github/actions/check-docs@v0 - uses: coroboros/ci/.github/actions/javascript/base@v0 @@ -41,7 +41,7 @@ jobs: contents: write # for GitHub Release creation + commit-back to main id-token: write # for npm OIDC Trusted Publisher steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: main fetch-depth: 0 diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 86192e1..a34cd93 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -17,12 +17,12 @@ jobs: gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Checkout canonical gitleaks config - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: coroboros/ci path: .coroboros-ci @@ -74,7 +74,7 @@ jobs: - name: Upload SARIF report if: always() - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: gitleaks-report path: results.sarif @@ -85,8 +85,8 @@ jobs: if: ${{ github.event_name == 'pull_request' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v4 with: fail-on-severity: high comment-summary-in-pr: never @@ -94,7 +94,7 @@ jobs: osv-scanner: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8 with: scan-args: |- diff --git a/.github/workflows/self.yml b/.github/workflows/self.yml index 9e36986..23565cb 100644 --- a/.github/workflows/self.yml +++ b/.github/workflows/self.yml @@ -18,7 +18,7 @@ jobs: actionlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install actionlint shell: bash @@ -41,7 +41,7 @@ jobs: yamllint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install yamllint shell: bash @@ -54,7 +54,7 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run shellcheck on inline workflow scripts uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0 env: