From 117a248faa02be63d4044428f4e8d41255cbe0b0 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Julien=20D=C3=A9ramond?=
Date: Wed, 16 Jul 2025 18:11:53 +0200
Subject: [PATCH] Workflows: Use SHA-1 precise references for third-party actions (#41595)
---
 .github/workflows/browserstack.yml | 4 ++--
 .github/workflows/bundlewatch.yml | 4 ++--
 .github/workflows/calibreapp-image-actions.yml | 4 ++--
 .github/workflows/codeql.yml | 8 ++++----
 .github/workflows/cspell.yml | 4 ++--
 .github/workflows/css.yml | 4 ++--
 .github/workflows/docs.yml | 6 +++---
 .github/workflows/issue-close-require.yml | 2 +-
 .github/workflows/issue-labeled.yml | 2 +-
 .github/workflows/js.yml | 6 +++---
 .github/workflows/lint.yml | 4 ++--
 .github/workflows/node-sass.yml | 4 ++--
 .github/workflows/release-notes.yml | 2 +-
 .github/workflows/scorecard.yml | 2 +-
 14 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/browserstack.yml b/.github/workflows/browserstack.yml
index e22b9804cd..60e3cf7a94 100644
--- a/.github/workflows/browserstack.yml
+++ b/.github/workflows/browserstack.yml
@@ -22,12 +22,12 @@ jobs:
 steps:
 - name: Clone repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: "${{ env.NODE }}"
 cache: npm
diff --git a/.github/workflows/bundlewatch.yml b/.github/workflows/bundlewatch.yml
index f196df1b88..72f28b7de9 100644
--- a/.github/workflows/bundlewatch.yml
+++ b/.github/workflows/bundlewatch.yml
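Review bot: The `# v4.2.2` and `# v4.4.0` comments on the new `actions/checkout` and `actions/setup-node` pins in browserstack.yml, and the same SHA-plus-comment pairs in the other thirteen workflow files, are not checked by anything, so each SHA should be confirmed to be the commit the named tag points to in the action's own repository rather than a commit that exists only in a fork. Pinned refs also stop following upstream fixes, so they need an updater that bumps SHA and comment together. No updater configuration is visible in this patch; if the repository has none, an entry with `package-ecosystem: "github-actions"` in the Dependabot config would cover it. The steps list continues outside each hunk, so any `uses:` lines not shown here are not covered by this note.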
@@ -20,12 +20,12 @@ jobs:
 steps:
 - name: Clone repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: "${{ env.NODE }}"
 cache: npm
diff --git a/.github/workflows/calibreapp-image-actions.yml b/.github/workflows/calibreapp-image-actions.yml
index 08987b3aae..c97eff995a 100644
--- a/.github/workflows/calibreapp-image-actions.yml
+++ b/.github/workflows/calibreapp-image-actions.yml
@@ -22,11 +22,11 @@ jobs:
 pull-requests: write
 steps:
 - name: Clone repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Compress Images
- uses: calibreapp/image-actions@1.1.0
+ uses: calibreapp/image-actions@737ceeaeed61e17b8d358358a303f1b8d177b779 # v1.1.0
 with:
 githubToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index dd7f6e7ef8..d54ecb1627 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
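Review bot: The comment on the new `calibreapp/image-actions` pin in calibreapp-image-actions.yml says `# v1.1.0`, while the line it replaces referenced the tag as `1.1.0`, without a `v`. If the upstream tag really is `1.1.0`, the comment names a ref that does not exist, which makes the SHA harder to check against the tag and may trip update tooling that reads the comment. Writing `uses: calibreapp/image-actions@737ceeaeed61e17b8d358358a303f1b8d177b779 # 1.1.0` would match the old ref. This step runs in a job with `pull-requests: write` and receives `secrets.GITHUB_TOKEN`, so it is the pin in this patch most worth verifying by hand.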
@@ -24,21 +24,21 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
 with:
 config-file: ./.github/codeql/codeql-config.yml
 languages: "javascript"
 queries: +security-and-quality
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
 with:
 category: "/language:javascript"
diff --git a/.github/workflows/cspell.yml b/.github/workflows/cspell.yml
index 44eb025fd8..5d17a1bfb5 100644
--- a/.github/workflows/cspell.yml
+++ b/.github/workflows/cspell.yml
@@ -23,12 +23,12 @@ jobs:
 steps:
 - name: Clone repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Run cspell
- uses: streetsidesoftware/cspell-action@v7
+ uses: streetsidesoftware/cspell-action@157048954070986ce4315d0813573a2d8faee361 # v7.1.1
 with:
 config: ".cspell.json"
 files: "**/*.{md,mdx}"
diff --git a/.github/workflows/css.yml b/.github/workflows/css.yml
index 1c231ac88b..cd7d32b611 100644
--- a/.github/workflows/css.yml
+++ b/.github/workflows/css.yml
@@ -20,12 +20,12 @@ jobs:
 steps:
 - name: Clone repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: "${{ env.NODE }}"
 cache: npm
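Review bot: Nothing in codeql.yml says that the `init`, `autobuild` and `analyze` steps must stay on the same commit, although all three now repeat the same 40-character SHA, and `upload-sarif` in scorecard.yml repeats it a fourth time. With the old `@v3` ref they moved together automatically; with pins, a partial bump would run two versions of `github/codeql-action` inside one analysis job. I would add a comment above the first step, for example `# All github/codeql-action/* steps must reference the same commit`, so a later manual edit does not update only one of them.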
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index d7c88aeb0c..7d1ebfb1b8 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -20,12 +20,12 @@ jobs:
 steps:
 - name: Clone repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: "${{ env.NODE }}"
 cache: npm
@@ -42,7 +42,7 @@ jobs:
 run: npm run docs-vnu
 - name: Run linkinator
- uses: JustinBeckwith/linkinator-action@v1
+ uses: JustinBeckwith/linkinator-action@3d5ba091319fa7b0ac14703761eebb7d100e6f6d # v1.11.0
 with:
 paths: _site
 recurse: true
diff --git a/.github/workflows/issue-close-require.yml b/.github/workflows/issue-close-require.yml
index b5000d8b43..a220402863 100644
--- a/.github/workflows/issue-close-require.yml
+++ b/.github/workflows/issue-close-require.yml
@@ -17,7 +17,7 @@ jobs:
 if: github.repository == 'twbs/bootstrap'
 steps:
 - name: awaiting reply
- uses: actions-cool/issues-helper@v3
+ uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3.6.0
 with:
 actions: "close-issues"
 labels: "awaiting-reply"
diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml
index 584879dd80..a372d1f8a4 100644
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: awaiting reply
 if: github.event.label.name == 'needs-example'
- uses: actions-cool/issues-helper@v3
+ uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3.6.0
 with:
 actions: "create-comment"
 token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml
index fdc24889b1..83f2bedde6 100644
--- a/.github/workflows/js.yml
+++ b/.github/workflows/js.yml
@@ -25,12 +25,12 @@ jobs:
 steps:
 - name: Clone repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: ${{ env.NODE }}
 cache: npm
@@ -45,7 +45,7 @@ jobs:
 run: npm run js-test
 - name: Run Coveralls
- uses: coverallsapp/github-action@v2
+ uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
 if: ${{ !github.event.repository.fork }}
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 1c7aa54f55..4de8b3102b 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -20,12 +20,12 @@ jobs:
 steps:
 - name: Clone repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: "${{ env.NODE }}"
 cache: npm
diff --git a/.github/workflows/node-sass.yml b/.github/workflows/node-sass.yml
index bdb7dbeaf4..de90f81bda 100644
--- a/.github/workflows/node-sass.yml
+++ b/.github/workflows/node-sass.yml
@@ -20,12 +20,12 @@ jobs:
 steps:
 - name: Clone repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: "${{ env.NODE }}"
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index 813956af20..d37d5e8412 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -18,6 +18,6 @@ jobs:
 runs-on: ubuntu-latest
 if: github.repository == 'twbs/bootstrap'
 steps:
- - uses: release-drafter/release-drafter@v6
+ - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 026760fbad..baca1a0c53 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -73,6 +73,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
 with:
 sarif_file: results.sarif
--
2.47.2