diff --git a/.github/workflows/check-new-repos.yml b/.github/workflows/check-new-repos.yml
index 2876e81d..5a3f57a7 100644
--- a/.github/workflows/check-new-repos.yml
+++ b/.github/workflows/check-new-repos.yml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - name: Check New Repos
 id: check-new-repos
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
 with:
 github-token: ${{ secrets.GH_PAT }}
 script: |
@@ -53,7 +53,7 @@ jobs:
 }
 return message;
- - uses: actions-ecosystem/action-slack-notifier@v1
+ - uses: actions-ecosystem/action-slack-notifier@fc778468d09c43a6f4d1b8cccaca59766656996a # v1
 if: ${{ fromJson(steps.check-new-repos.outputs.result) != '' }}
 with:
 slack_token: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
diff --git a/.github/workflows/full-loop.yml b/.github/workflows/full-loop.yml
index 78d2c582..dde211aa 100644
--- a/.github/workflows/full-loop.yml
+++ b/.github/workflows/full-loop.yml
@@ -13,7 +13,7 @@ jobs:
 name: full-loop
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
 with:
 fetch-depth: 0
 - uses: ./
diff --git a/.github/workflows/loop.yml b/.github/workflows/loop.yml
index 2c70f5c0..279d92c8 100644
--- a/.github/workflows/loop.yml
+++ b/.github/workflows/loop.yml
@@ -19,7 +19,7 @@ jobs:
 matrix:
 language: [ 'generic', 'javascript', '' ]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
 with:
 fetch-depth: 0
 - run: |
diff --git a/.github/workflows/semgrep-self-test.yml b/.github/workflows/semgrep-self-test.yml
index 76a713bd..8cff8089 100644
--- a/.github/workflows/semgrep-self-test.yml
+++ b/.github/workflows/semgrep-self-test.yml
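Review bot: The trailing `# v6` / `# v4` / `# v1` comments on the pinned `uses:` lines, starting with the `actions/github-script` step in this hunk, are the only link between each SHA and a human-readable version, and nothing in the workflow verifies that link; before merging, confirm in each upstream repository that the SHA resolves to the tagged release named in its comment, because a pin to the wrong commit fails silently. Recording the exact release rather than the major tag (e.g. `# v4.0.0` for the checkout pin, if that is the release its SHA resolves to) makes later audits and tool-driven updates unambiguous. The same point applies to every other hunk in this diff, including all of action.yml. The `github.actor != 'renovate[bot]'` condition in action.yml suggests Renovate is in use; check that its configuration (not shown here) is set to update pinned digests together with the version comment, otherwise these pins will drift out of date without anyone noticing.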
@@ -14,7 +14,7 @@ jobs:
 name: semgrep-self-test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
 - run: |
 python3 -m pip --disable-pip-version-check install -r requirements.txt
 shell: bash
diff --git a/action.yml b/action.yml
index 79d4b1de..53b0a9f6 100644
--- a/action.yml
+++ b/action.yml
@@ -122,7 +122,7 @@ runs:
 printf '${{ steps.changed-files.outputs.any_changed }}'
 - id: comments-before
 if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' }}
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
 with:
 script: |
 var query = `query($owner:String!, $name:String!, $prnumber:Int!) {
@@ -190,12 +190,12 @@ runs:
 - if: ${{ steps.reviewdog-enabled.outputs.result == 'true' }}
 name: Cache pip cache
 id: cache-pip
- uses: actions/cache@v3
+ uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
 with:
 path: ~/.cache/pip/
 key: ${{ runner.os }}-pip
 - if: ${{ steps.reviewdog-enabled.outputs.result == 'true' }}
- uses: reviewdog/action-setup@v1
+ uses: reviewdog/action-setup@80a06617492b461a66508e2dedf16233f0506804 # v1
 with:
 reviewdog_version: latest # Optional. [latest,nightly,v.X.Y.Z]
 - if: ${{ steps.reviewdog-enabled.outputs.result == 'true' }}
@@ -220,7 +220,7 @@ runs:
 version: 1.0
 - if: ${{ steps.reviewdog-enabled.outputs.result == 'true' }}
 name: Install tfsec
- uses: jaxxstorm/action-install-gh-release@v1.10.0
+ uses: jaxxstorm/action-install-gh-release@c5ead9a448b4660cf1e7866ee22e4dc56538031a # v1.10.0
 with: # Grab a specific tag with caching
 repo: aquasecurity/tfsec
 tag: v1.28.1
@@ -251,7 +251,7 @@ runs:
 - id: comments-after
 if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' }}
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
 with:
 script: |
 var query = `query($owner:String!, $name:String!, $prnumber:Int!) {
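Review bot: In the action.yml hunk at `@@ -190,12 +190,12 @@`, pinning `reviewdog/action-setup` to a commit SHA does not pin what the step actually installs: the context line `reviewdog_version: latest` still makes the setup action fetch whichever reviewdog release is current at run time, so the supply-chain pin is only partial. Pin it to a release you validated, `reviewdog_version: v<X.Y.Z>` (placeholder), or add a comment beside `latest` recording why a floating version is accepted for this step. The same consideration applies, more weakly, to the `@@ -220,7 +220,7 @@` hunk, where `tag: v1.28.1` selects the tfsec release by git tag; a tag is not immutable the way a SHA is, though that is a smaller exposure than `latest`. The step lists these hunks belong to continue outside them.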
@@ -293,7 +293,7 @@ runs:
 - id: assignees-after
 if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' }}
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
 env:
 ASSIGNEES: ${{ inputs.assignees }}
 with:
@@ -345,7 +345,7 @@ runs:
 - id: assignee-removed-label
 if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' }}
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
 env:
 ASSIGNEES: ${{ steps.assignees-after.outputs.result && fromJson(steps.assignees-after.outputs.result) }}
 with:
@@ -390,7 +390,7 @@ runs:
 - id: description-contains-hotwords
 if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' && github.actor != 'renovate[bot]' }}
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
 env:
 HOTWORDS: ${{ inputs.hotwords }}
 with:
@@ -427,12 +427,12 @@ runs:
 run: |
 set -x
 echo "result=true" >> $GITHUB_OUTPUT
- - uses: actions-ecosystem/action-add-labels@v1
+ - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1
 if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' && steps.should-trigger.outputs.result == 'true' }}
 with:
 github_token: ${{ inputs.github_token }}
 labels: needs-security-review
- - uses: actions-ecosystem/action-add-assignees@v1
+ - uses: actions-ecosystem/action-add-assignees@ce5019e63cc4f35aba27308dc88d19c8f3686747 # v1
 if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' && steps.should-trigger.outputs.result == 'true' }}
 with:
 github_token: ${{ inputs.github_token }}
@@ -449,7 +449,7 @@ runs:
 run: exit 1
 - if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' && inputs.slack_token && hashFiles('reviewdog.fail.log') }}
 id: reviewdog-fail-log-head
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
 with:
 script: |
 return '\n'+require('fs').readFileSync('reviewdog.fail.log', 'UTF-8').split('\n').slice(0, 4).join('\n')
@@ -459,7 +459,7 @@ runs:
 ASSIGNEES: ${{steps.assignees-after.outputs.result && fromJson(steps.assignees-after.outputs.result)}}
 run: echo "result=$(echo "$ASSIGNEES" | sed 's|\([^ ]\)|@\1|' | tr -s '\n' ' ')" >> $GITHUB_OUTPUT
 shell: bash
- - uses: actions-ecosystem/action-slack-notifier@v1
+ - uses: actions-ecosystem/action-slack-notifier@fc778468d09c43a6f4d1b8cccaca59766656996a # v1
 if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' && inputs.slack_token && hashFiles('reviewdog.fail.log') }}
 with:
 slack_token: ${{ inputs.slack_token }}
@@ -468,7 +468,7 @@ runs:
 channel: secops-hotspots
 color: red
 verbose: true
- - uses: actions-ecosystem/action-slack-notifier@v1
+ - uses: actions-ecosystem/action-slack-notifier@fc778468d09c43a6f4d1b8cccaca59766656996a # v1
 if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' && inputs.slack_token && steps.should-trigger.outputs.result == 'true' }}
 with:
 slack_token: ${{ inputs.slack_token }}
@@ -480,21 +480,21 @@ runs:
 # CodeQL Steps
 - if: ${{ steps.codeql-enabled.outputs.result == 'true' && hashFiles(inputs.codeql_config) }}
 name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@701f152f28d4350ad289a5e31435e9ab6169a7ca # v2
 with:
 languages: ${{ matrix.language }}
 config-file: ${{ inputs.codeql_config }}
 - if: ${{ steps.codeql-enabled.outputs.result == 'true' && !hashFiles(inputs.codeql_config)}}
 name: Initialize CodeQL (without config)
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@701f152f28d4350ad289a5e31435e9ab6169a7ca # v2
 with:
 languages: ${{ matrix.language }}
 - if: ${{ steps.codeql-enabled.outputs.result == 'true' }}
 name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@701f152f28d4350ad289a5e31435e9ab6169a7ca # v2
 - if: ${{ steps.codeql-enabled.outputs.result == 'true' }}
 name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@701f152f28d4350ad289a5e31435e9ab6169a7ca # v2
 # - run: echo ${{ inputs.in-name }}
 # shell: bash
 # - id: output-step-id