chore: add new GH policy requirements #248
Conversation
Luisfc68
requested review from
gsoares85,
Dominikkq,
rafaiovlabs and
MaximStanciu8
|
| @@ -22,16 +25,16 @@ jobs: | |||
| # Steps represent a sequence of tasks that will be executed as part of the job | |||
| steps: | |||
| # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | |||
| - uses: actions/checkout@v3 | |||
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |||
There was a problem hiding this comment.
suggestion:
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: 'Checkout Repository' | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
There was a problem hiding this comment.
suggestion:
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0
| - name: 'Checkout Repository' | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: 'Dependency Review' | ||
| uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 |
There was a problem hiding this comment.
suggestion:
actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
| persist-credentials: false | ||
|
|
||
| - name: "Run analysis" | ||
| uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 |
There was a problem hiding this comment.
I suggest to use the updated version 2.4.0
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
more details: https://github.com/ossf/scorecard-action/releases
|
|
||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 |
There was a problem hiding this comment.
suggestion:
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0
| publish_results: true | ||
|
|
||
| - name: "Upload artifact" | ||
| uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 |
There was a problem hiding this comment.
I suggest to use the last updated stable version 2.4.0
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
more details: https://github.com/actions/upload-artifact/releases
| retention-days: 5 | ||
|
|
||
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 |
There was a problem hiding this comment.
I suggest to use the last updated stable version 3.26.9
uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
| jobs: | ||
| analyze: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| security-events: write | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
There was a problem hiding this comment.
suggestion:
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0
| id: slither | ||
| with: | ||
| sarif: results.sarif | ||
| fail-on: none | ||
| target: . | ||
|
|
||
| - name: Upload SARIF file | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| uses: github/codeql-action/upload-sarif@85b07cf1e13dd512be7c27c37a33c5864c252fcc # v2 |
There was a problem hiding this comment.
I suggest to use the last updated stable version 3.26.9
uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
What
Why
In order to be compliant with the organization's GH policy
Task
https://rsklabs.atlassian.net/browse/GBI-2134
Important
The BBP for this repo is not live yet, I think we should wait until it is to merge this PR