

Merge pull request #2479 from jku/dont-pin-code-scanner-actions
workflows: Stop pinning actions that are not security relevant
jku authored Oct 9, 2023
2 parents c7f3f6b + f005825 commit 00b67c0
Showing 3 changed files with 10 additions and 7 deletions.
7 changes: 4 additions & 3 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -16,18 +16,19 @@ jobs:
name: Analyze
runs-on: ubuntu-latest
permissions:
# NOTE: If you add security critical permissions, start pinning used actions
actions: read
contents: read
security-events: write
security-events: write # for uploading to code-scanning dashboard

steps:
- name: Checkout repository
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

- name: Initialize CodeQL
uses: github/codeql-action/init@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8
uses: github/codeql-action/init@v2 # unpinned since this is not security critical
with:
languages: 'python'

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8
uses: github/codeql-action/analyze@v2 # unpinned since this is not security critical
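Review bot: The job keeps `security-events: write` while the new comment `# unpinned since this is not security critical` is attached to the `github/codeql-action/init@v2` and `analyze@v2` steps, and those two facts are hard to reconcile: whatever code resolves from the mutable `v2` tag at run time holds a token that can write to the code-scanning dashboard, so a tampered release could alter or suppress findings rather than merely fail the job. If that is an accepted trade-off, the NOTE comment should say why, e.g. `# NOTE: security-events: write only reaches the code-scanning dashboard; actions are left unpinned for that reason`. Otherwise the usual way to keep SHA pins without the maintenance burden is an automated updater (Dependabot's `github-actions` ecosystem, for instance), keeping the `# vX.Y.Z` trailer as the human-readable version. The same reasoning applies to the scorecards.yml section below, which retains the same permission plus `id-token: write`.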
3 changes: 2 additions & 1 deletion .github/workflows/dependency-review.yml
Expand Up @@ -8,6 +8,7 @@ name: 'Dependency Review'
on: [pull_request]

permissions:
# NOTE: If you add security critical permissions, start pinning used actions
contents: read

jobs:
Expand All @@ -17,4 +18,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: 'Dependency Review'
uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
uses: actions/dependency-review-action@v3 # unpinned since this is not security critical
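Review bot: This workflow only holds `contents: read`, so the unpinning at `uses: actions/dependency-review-action@v3` is the lowest-risk of the three, but the action's verdict is still a policy gate: if the Dependency Review check is required by branch protection, a mutable tag means the code deciding pass/fail can change without any commit to this repository. A short comment making that trade-off explicit would help future readers, e.g. `# unpinned: read-only token; the check is advisory rather than a required merge gate` (adjusted to whatever branch protection actually requires). The `jobs:` block continues outside the hunks, so I cannot see whether any other step in this job is affected.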
7 changes: 4 additions & 3 deletions .github/workflows/scorecards.yml
Expand Up @@ -14,8 +14,9 @@ jobs:
name: Scorecards analysis
runs-on: ubuntu-latest
permissions:
# NOTE: If you add security critical permissions, start pinning used actions
security-events: write # for uploading to code-scanning dashboard
id-token: write # for signing results
id-token: write # for publishing results in scorecard public dataset
actions: read
contents: read

Expand All @@ -24,7 +25,7 @@ jobs:
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

- name: "Run analysis"
uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
uses: ossf/scorecard-action@v2 # unpinned since this is not security critical
with:
results_file: results.sarif
# sarif format required by upload-sarif action
Expand All @@ -34,6 +35,6 @@ jobs:
publish_results: true

- name: "Upload to code-scanning dashboard"
uses: github/codeql-action/upload-sarif@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8
uses: github/codeql-action/upload-sarif@v2 # unpinned since this is not security critical
with:
sarif_file: results.sarif
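Review bot: `id-token: write` and `security-events: write` are both retained on this job (the lines `id-token: write # for publishing results in scorecard public dataset` and the `security-events: write` above it), which sits uneasily with `# unpinned since this is not security critical` on `ossf/scorecard-action@v2` and `github/codeql-action/upload-sarif@v2`: an OIDC token minted under `id-token: write` asserts this repository's identity to any relying party that trusts it, and the code running from a mutable tag is what requests it. Scorecard's own Pinned-Dependencies check also penalizes unpinned action references, so this change is likely to lower the score that this very workflow publishes. If unpinning is deliberate, I would record the reasoning in the NOTE comment, e.g. `# NOTE: id-token/security-events write are accepted as non-critical here; see PR #2479`, or keep the SHA pins and let an automated updater refresh them.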
