
Commit 2f5d876

step-security-botrvolosatovs
authored andcommitted
ci: apply security best practices
Signed-off-by: StepSecurity Bot <[email protected]>
1 parent 2385411 commit 2f5d876


4 files changed

+40
-20
lines changed


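--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -22,3 +22,23 @@ updates:
 directory: "/.github/actions/install-nix"
 schedule:
 interval: "daily"
+
+- package-ecosystem: gomod
+directory: /examples/go/complex-server
+schedule:
+interval: daily
+
+- package-ecosystem: gomod
+directory: /examples/go/hello-client
+schedule:
+interval: daily
+
+- package-ecosystem: gomod
+directory: /examples/go/hello-server
+schedule:
+interval: daily
+
+- package-ecosystem: gomod
+directory: /tests/go
+schedule:
+interval: daily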
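Review bot: The four new `gomod` entries drop the quoting the existing entry at line 22 uses (`interval: "daily"` and a quoted `directory` versus bare `interval: daily` and `directory: /tests/go`); both forms parse identically, but the file should settle on one style rather than mixing them. Separately, the SHA pins this commit introduces in the workflow files only stay current if Dependabot also tracks the `github-actions` ecosystem for `/` — the beginning of the `updates:` list is outside this hunk, so confirm such an entry already exists, and if not, add `- package-ecosystem: github-actions` with `directory: /` and the same daily schedule so pinned actions are bumped (with their `# vX.Y.Z` comments) instead of silently going stale.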

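--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -13,7 +13,7 @@ jobs:
 fmt:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/[email protected]
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: ./.github/actions/install-nix
 with:
 cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
@@ -22,7 +22,7 @@ jobs:
 run:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/[email protected]
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: ./.github/actions/install-nix
 with:
 cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
@@ -32,7 +32,7 @@ jobs:
 develop:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/[email protected]
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: ./.github/actions/install-nix
 with:
 cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'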

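--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -9,7 +9,7 @@ jobs:
 nix-flake-update:
 runs-on: ubuntu-latest
 steps:
-- uses: rvolosatovs/nix-flake-update-action@v2
+- uses: rvolosatovs/nix-flake-update-action@60ed905545151a290d73ce1302c23f4fb7ff43f0 # v2.0.4
 with:
 app-id: ${{ secrets.BOT_APP_ID }}
 private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}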

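--- a/.github/workflows/wrpc.yml
+++ b/.github/workflows/wrpc.yml
@@ -66,7 +66,7 @@ jobs:
 name: wrpc-${{ matrix.config.target }}
 runs-on: ubuntu-latest
 steps:
-- uses: actions/[email protected]
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: ./.github/actions/install-nix
 with:
 cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
@@ -86,11 +86,11 @@ jobs:
 needs: build-bin
 runs-on: macos-latest
 steps:
-- uses: actions/download-artifact@v4
+- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: wrpc-aarch64-apple-darwin
 path: aarch64
-- uses: actions/download-artifact@v4
+- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: wrpc-x86_64-apple-darwin
 path: x86_64
@@ -104,7 +104,7 @@ jobs:
 - run: chmod +x ./artifact/bin/wit-bindgen-wrpc
 - run: ./artifact/bin/wit-bindgen-wrpc --version
 
-- uses: actions/[email protected]
+- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
 with:
 name: wrpc-universal-darwin
 path: artifact
@@ -113,7 +113,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: build-bin
 steps:
-- uses: actions/download-artifact@v4
+- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: wrpc-x86_64-unknown-linux-musl
 - run: chmod +x ./bin/wit-bindgen-wrpc
@@ -123,7 +123,7 @@ jobs:
 runs-on: windows-latest
 needs: build-bin
 steps:
-- uses: actions/download-artifact@v4
+- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: wrpc-x86_64-pc-windows-gnu
 - run: .\bin\wit-bindgen-wrpc.exe --version
@@ -140,7 +140,7 @@ jobs:
 name: cargo ${{ matrix.check }}
 runs-on: ubuntu-latest
 steps:
-- uses: actions/[email protected]
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: ./.github/actions/install-nix
 with:
 cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
@@ -153,7 +153,7 @@ jobs:
 build-doc:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/[email protected]
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: ./.github/actions/install-nix
 with:
 cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
@@ -171,7 +171,7 @@ jobs:
 <meta http-equiv="refresh" content="0; URL=wrpc/index.html">
 <link rel="canonical" href="https://${{ github.repository_owner }}.github.io/wrpc/wrpc/index.html">
 EOF
-- uses: actions/[email protected]
+- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
 with:
 path: doc
 
@@ -186,7 +186,7 @@ jobs:
 url: ${{ steps.deployment.outputs.page_url }}
 if: github.ref == 'refs/heads/main'
 steps:
-- uses: actions/[email protected]
+- uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
 id: deployment
 
 oci:
@@ -197,7 +197,7 @@ jobs:
 - build-bin
 - test-linux
 steps:
-- uses: actions/[email protected]
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: ./.github/actions/install-nix
 with:
 cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
@@ -218,7 +218,7 @@ jobs:
 
 - name: Login to GitHub Container Registry
 if: startswith(github.ref, format('refs/tags/{0}v', matrix.prefix)) || github.ref == 'refs/heads/main'
-uses: docker/login-action@v3
+uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -272,8 +272,8 @@ jobs:
 permissions:
 contents: write
 steps:
-- uses: actions/[email protected]
-- uses: actions/download-artifact@v4
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 path: artifacts
 - run: |
@@ -296,7 +296,7 @@ jobs:
 done
 done
 
-- uses: softprops/action-gh-release@v2
+- uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
 if: startsWith(github.ref, 'refs/tags/v')
 with:
 draft: true
@@ -325,7 +325,7 @@ jobs:
 needs: cargo
 runs-on: ubuntu-latest
 steps:
-- uses: actions/[email protected]
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
 - name: Extract tag context
 id: ctx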
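Review bot: SHA-pinning every third-party action is the right move, but the only `permissions:` block visible in this file is the job-level `contents: write` in the hunk at line 272; the top of the workflow is outside these hunks, so confirm a workflow-level default such as `permissions: contents: read` exists, otherwise every other job (including the `oci` job that logs in to ghcr.io and the Pages deploy) still receives the repository's default `GITHUB_TOKEN` scope, which is the other half of the hardening this commit's message claims. The `# v4.1.7`-style comments are the only human-readable link between each SHA and a release; nothing in the workflow verifies that pairing, so a Dependabot `github-actions` entry should own these lines so the comment and the SHA are bumped together. The `docker/login-action` hunk at line 221 and the `softprops/action-gh-release` hunk at line 299 are the two non-GitHub-owned actions that now run with write-capable credentials, which is where a stale pin would matter most.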
