Remediate OpenSSF Scorecard pinned-dependencies

marcransome · Mar 10, 2024 · 5727ed8 · 5727ed8
1 parent 384ebf8
commit 5727ed8
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 11 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -19,11 +19,11 @@ jobs:
       security-events: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Install dependencies
       run: brew install popt
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         languages: cpp
         queries: security-and-quality
@@ -33,4 +33,4 @@ jobs:
         cmake -S . -B build
         cmake --build build
     - name: Perform CodeQL analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -10,9 +10,9 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Dependency review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
         with:
           comment-summary-in-pr: true
           fail-on-severity: low

diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml
@@ -16,18 +16,18 @@ jobs:
   markdown-links:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Check links in modified Markdown files
       if: github.event_name == 'pull_request'
-      uses: gaurav-nelson/github-action-markdown-link-check@v1
+      uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
       with:
         base-branch: main
         check-modified-files-only: yes
         use-verbose-mode: yes
         config-file: .github/markdown/markdown-links.json
     - name: Check links in all Markdown files
       if: github.event_name != 'pull_request'
-      uses: gaurav-nelson/github-action-markdown-link-check@v1
+      uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
       with:
         use-verbose-mode: yes
         config-file: .github/markdown/markdown-links.json
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
@@ -17,8 +17,8 @@ jobs:
       security-events: write # Needed to upload the results to code scanning dashboard
       id-token: write # Needed to publish results to OpenSSF API and get a badge (see publish_results below)
     steps:
-      - name: Checkout code
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
       - name: Run analysis
@@ -37,4 +37,3 @@ jobs:
         uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
         with:
           sarif_file: results.sarif
-