From b35dd881b4dc65f9e1db0d515c4f94e935beac31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kim=20Harjam=C3=A4ki?= Date: Tue, 7 Jul 2026 18:46:33 +0300 Subject: [PATCH] ci: pin third-party actions to commit SHAs and add least-privilege permissions (REQ-1.4.10) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Pin actions/checkout, setup-python, codeql-action init/autobuild/analyze, upload-pages-artifact, deploy-pages, amannn/action-semantic-pull-request, and actions/stale to immutable commit SHAs across ci.yml, codeql.yml, pages.yml, pr-lint.yml, stale.yml - Tags resolved live via gh api (2026-07-07) since files were already bumped past the phase-31-01 baseline (checkout v7, setup-python v6, codeql-action v4, upload-pages-artifact v5, deploy-pages v5, action-semantic-pull-request v6, stale v10) - codeql.yml, pr-lint.yml, and stale.yml already carry permissions: blocks (added ahead of this plan); not modified here — only uses: lines changed - contract-registry-live.yml already SHA-pinned; left untouched --- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 8 ++++---- .github/workflows/pages.yml | 8 ++++---- .github/workflows/pr-lint.yml | 2 +- .github/workflows/stale.yml | 2 +- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8ddaee8..c2c5cd9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,10 +24,10 @@ jobs: python-version: ['3.12'] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ matrix.python-version }} cache: pip diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 157cc00..5824f1a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -19,12 +19,12 @@ jobs: language: [ 'javascript', 'python' ] steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4 diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index c562f18..f904732 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -14,13 +14,13 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@v7 - - uses: actions/setup-python@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: 3.x - run: pip install mkdocs-material - run: mkdocs build - - uses: actions/upload-pages-artifact@v5 + - uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5 with: path: ./site deploy: @@ -36,4 +36,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5 diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index ebc13b5..c515ec8 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml @@ -13,6 +13,6 @@ jobs: permissions: pull-requests: read steps: - - uses: amannn/action-semantic-pull-request@v6 + - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 84a62fa..67a151a 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -11,7 +11,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v10 + - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10 with: days-before-stale: 60 days-before-close: 7