From 5a00ec3a5c7f97d204802839018f9445cb0a42fb Mon Sep 17 00:00:00 2001 From: Codacy Security Bot Date: Tue, 24 Mar 2026 17:20:02 +0000 Subject: [PATCH] Security: pin GitHub Actions to SHA hashes Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0 --- .github/workflows/go.yml | 18 +++++++++--------- .github/workflows/it-test.yml | 10 +++++----- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index ce2ee092..00643fa0 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -8,15 +8,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # Needed for git history - name: Set up Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 - name: Build CLI for all platforms run: make build-all - name: Upload CLI binaries - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: cli-binaries path: | @@ -28,9 +28,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 - name: Install dependencies from .codacy/codacy.yaml run: | make build @@ -51,14 +51,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 - name: "Git Version" id: generate-version - uses: codacy/git-version@2.8.0 + uses: codacy/git-version@80c816f11db8dea5e3a81025f598193015b51832 # 2.8.0 - name: "Tag version" run: | git tag ${{ steps.generate-version.outputs.version }} @@ -67,7 +67,7 @@ jobs: id: go-version run: echo "VERSION=$(go version | cut -d' ' -f3)" >> $GITHUB_OUTPUT - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v5 + uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5 with: distribution: goreleaser version: "~> v2" diff --git a/.github/workflows/it-test.yml b/.github/workflows/it-test.yml index d9750849..71f46c37 100644 --- a/.github/workflows/it-test.yml +++ b/.github/workflows/it-test.yml @@ -11,15 +11,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # Needed for git history - name: Set up Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 - name: Build CLI for all platforms run: make build-all - name: Upload CLI binaries - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: cli-binaries path: | @@ -36,12 +36,12 @@ jobs: fail-fast: false steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # Needed for git history - name: Download CLI binaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: cli-binaries path: .