
Commit ff8d105

[StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
1 parent d2ed574 commit ff8d105

21 files changed

Lines changed: 59 additions & 59 deletions

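--- a/.github/actions/publish-site-report/action.yml
+++ b/.github/actions/publish-site-report/action.yml
@@ -32,7 +32,7 @@ runs:
 shell: bash
 run: mvn -B surefire-report:report-only -f pom.xml -Daggregate=true -Denforcer.skip=true
 - name: Publish Site Report
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: ${{ inputs.output-zip-file }}
 path: |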
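Review bot: The pin at new line 35 keeps this composite action on the v4 line of `actions/upload-artifact` (`# v4.6.2`), while the workflow files shown in this commit pin the same action at `# v7.0.1`. Two majors of one action means two SHAs to track when a fix lands, and the hunk records no reason for the split. If v4 is deliberate, say so next to the pin, for example `# held on v4: <reason>`; if not, a follow-up could move it to `actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1` after checking the `with:` inputs against that release. The `runs:` block starts and ends outside the hunk.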

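--- a/.github/workflows/bigtable-pr.yml
+++ b/.github/workflows/bigtable-pr.yml
@@ -107,7 +107,7 @@ jobs:
 ./cicd/run-unit-tests \
 --modules-to-build="BIGTABLE"
 - name: Upload Unit Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-unit-test-results
@@ -117,7 +117,7 @@ jobs:
 **/surefire-reports/html/**
 retention-days: 1
 - name: Upload coverage reports to Codecov
-uses: codecov/codecov-action@v6.0.1
+uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 slug: GoogleCloudPlatform/DataflowTemplates
@@ -145,7 +145,7 @@ jobs:
 --it-artifact-bucket="cloud-teleport-testing-it-gitactions" \
 --it-private-connectivity="datastream-connect-2"
 - name: Upload Smoke Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-smoke-test-results
@@ -177,7 +177,7 @@ jobs:
 --it-artifact-bucket="cloud-teleport-testing-it-gitactions" \
 --it-private-connectivity="datastream-connect-2"
 - name: Upload Integration Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-integration-test-results
@@ -187,7 +187,7 @@ jobs:
 **/surefire-reports/html/**
 retention-days: 10 # Increased retention similar to Spanner
 - name: Integration Test report on GitHub
-uses: dorny/test-reporter@v3
+uses: dorny/test-reporter@a43b3a5f7366b97d083190328d2c652e1a8b6aa2 # v3.0.0
 if: always()
 with:
 name: Integration Test report on GitHub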
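Review bot: The `uses:` lines at new lines 110, 148, 180 and 190 previously followed a floating major tag (`@v7`, `@v3`) and so picked up patch releases on their own; pinned to a commit SHA they now stay at v7.0.1 and v3.0.0 until someone edits them. That is the intended effect of pinning, but it needs an automated updater behind it, otherwise security fixes in these actions stop arriving. If `.github/dependabot.yml` does not already carry a `package-ecosystem: "github-actions"` entry (not visible on this page), add one so that the SHA and the trailing `# vX.Y.Z` comment are bumped together. The same applies to the pins in the bqmonitor, cleanup-spanner-test-infra, datastream, java, kafka, load-tests and run-it-tests-beam-snapshots workflows.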

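--- a/.github/workflows/bqmonitor-pr.yml
+++ b/.github/workflows/bqmonitor-pr.yml
@@ -50,7 +50,7 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Python
-uses: actions/setup-python@v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.11'
 - name: Install dependencies and run tests
@@ -99,7 +99,7 @@ jobs:
 --it-private-connectivity="datastream-connect-2" \
 --test="BigQueryAnomalyDetectionIT"
 - name: Upload Integration Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always()
 with:
 name: surefire-integration-test-results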

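--- a/.github/workflows/cleanup-spanner-test-infra.yml
+++ b/.github/workflows/cleanup-spanner-test-infra.yml
@@ -35,7 +35,7 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Python
-uses: actions/setup-python@v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.12'
 - name: Install dependencies
@@ -63,7 +63,7 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Python
-uses: actions/setup-python@v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.12'
 - name: Install dependencies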

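--- a/.github/workflows/datastream-pr.yml
+++ b/.github/workflows/datastream-pr.yml
@@ -110,7 +110,7 @@ jobs:
 ./cicd/run-unit-tests \
 --modules-to-build="DATASTREAM"
 - name: Upload Unit Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-unit-test-results
@@ -120,7 +120,7 @@ jobs:
 **/surefire-reports/html/**
 retention-days: 1
 - name: Upload coverage reports to Codecov
-uses: codecov/codecov-action@v6.0.1
+uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 slug: GoogleCloudPlatform/DataflowTemplates
@@ -148,7 +148,7 @@ jobs:
 --it-artifact-bucket="cloud-teleport-testing-it-gitactions" \
 --it-private-connectivity="datastream-connect-2"
 - name: Upload Smoke Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-smoke-test-results
@@ -180,7 +180,7 @@ jobs:
 --it-artifact-bucket="cloud-teleport-testing-it-gitactions" \
 --it-private-connectivity="datastream-connect-2"
 - name: Upload Integration Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-integration-test-results
@@ -190,7 +190,7 @@ jobs:
 **/surefire-reports/html/**
 retention-days: 1
 - name: Integration Test report on GitHub
-uses: dorny/test-reporter@v3
+uses: dorny/test-reporter@a43b3a5f7366b97d083190328d2c652e1a8b6aa2 # v3.0.0
 if: always()
 with:
 name: Integration Test report on GitHub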

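--- a/.github/workflows/java-pr.yml
+++ b/.github/workflows/java-pr.yml
@@ -114,7 +114,7 @@ jobs:
 - name: Run Unit Tests
 run: ./cicd/run-unit-tests
 - name: Upload Unit Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-unit-test-results
@@ -124,7 +124,7 @@ jobs:
 **/surefire-reports/html/**
 retention-days: 1
 - name: Upload coverage reports to Codecov
-uses: codecov/codecov-action@v6.0.1
+uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 slug: GoogleCloudPlatform/DataflowTemplates
@@ -153,7 +153,7 @@ jobs:
 --it-artifact-bucket="cloud-teleport-testing-it-gitactions" \
 --it-private-connectivity="datastream-connect-2"
 - name: Upload Smoke Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-smoke-test-results
@@ -188,7 +188,7 @@ jobs:
 --it-artifact-bucket="cloud-teleport-testing-it-gitactions" \
 --it-private-connectivity="datastream-connect-2"
 - name: Upload Integration Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-integration-test-results
@@ -198,7 +198,7 @@ jobs:
 **/surefire-reports/html/**
 retention-days: 1
 - name: Integration Test report on GitHub
-uses: dorny/test-reporter@v3
+uses: dorny/test-reporter@a43b3a5f7366b97d083190328d2c652e1a8b6aa2 # v3.0.0
 if: always()
 with:
 name: Integration Test report on GitHub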

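--- a/.github/workflows/kafka-pr.yml
+++ b/.github/workflows/kafka-pr.yml
@@ -110,7 +110,7 @@ jobs:
 ./cicd/run-unit-tests \
 --modules-to-build="KAFKA"
 - name: Upload Unit Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-unit-test-results
@@ -120,7 +120,7 @@ jobs:
 **/surefire-reports/html/**
 retention-days: 1
 - name: Upload coverage reports to Codecov
-uses: codecov/codecov-action@v6.0.1
+uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 slug: GoogleCloudPlatform/DataflowTemplates
@@ -148,7 +148,7 @@ jobs:
 --it-artifact-bucket="cloud-teleport-testing-it-gitactions" \
 --it-private-connectivity="datastream-connect-2"
 - name: Upload Smoke Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-smoke-test-results
@@ -181,7 +181,7 @@ jobs:
 --it-integration-test-parallelism=4 \
 --it-private-connectivity="datastream-connect-2"
 - name: Upload Integration Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-integration-test-results
@@ -191,7 +191,7 @@ jobs:
 **/surefire-reports/html/**
 retention-days: 1
 - name: Integration Test report on GitHub
-uses: dorny/test-reporter@v3
+uses: dorny/test-reporter@a43b3a5f7366b97d083190328d2c652e1a8b6aa2 # v3.0.0
 if: always()
 with:
 name: Integration Test report on GitHub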

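--- a/.github/workflows/label-dependabot-prs.yml
+++ b/.github/workflows/label-dependabot-prs.yml
@@ -29,7 +29,7 @@ jobs:
 if: ${{ github.actor == 'dependabot[bot]' }}
 steps:
 - name: Add extra labels to Dependabot PRs
-uses: actions-ecosystem/action-add-labels@v1.1.3
+uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 labels: ignore-for-release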
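Review bot: The step at new lines 32–34 hands `secrets.GITHUB_TOKEN` to a third-party action, and the hunk shows no `permissions:` key for the job, so the token may still carry the repository's default scopes. The SHA pin fixes which code receives the token but not what the token can do. Unless it is already declared above the hunk (the job header is outside it), add a job-level `permissions:` block limited to what labelling needs, likely `pull-requests: write`. The `JasonEtco/create-an-issue` step in load-tests.yml receives the same token through `env:` and would want `issues: write` on the same basis.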

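--- a/.github/workflows/load-tests.yml
+++ b/.github/workflows/load-tests.yml
@@ -42,15 +42,15 @@ jobs:
 HOST_IP: ${{ steps.variables.outputs.hostIP }}
 - name: Create Github issue on failure
 if: failure()
-uses: JasonEtco/create-an-issue@v2
+uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 JOB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 DATE: ${{ steps.date.outputs.date }}
 with:
 filename: .github/ISSUE_TEMPLATE/load-test-failure-issue-template.md
 - name: Upload Load Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-test-results
@@ -60,7 +60,7 @@ jobs:
 **/surefire-reports/html/**
 retention-days: 1
 - name: Integration Test report on GitHub
-uses: dorny/test-reporter@v3
+uses: dorny/test-reporter@a43b3a5f7366b97d083190328d2c652e1a8b6aa2 # v3.0.0
 if: always()
 with:
 name: Integration Test report on GitHub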

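--- a/.github/workflows/run-it-tests-beam-snapshots.yml
+++ b/.github/workflows/run-it-tests-beam-snapshots.yml
@@ -134,7 +134,7 @@ jobs:
 shell: bash
 
 - name: Upload Integration Tests Report
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always() # always run even if the previous step fails
 with:
 name: surefire-integration-test-results-beam-snapshots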
