From 4f4f75444e895fc3a4e7a3c79bc82f5889405e81 Mon Sep 17 00:00:00 2001
From: Gabriela Gutierrez
Date: Tue, 26 Sep 2023 14:35:08 +0000
Subject: [PATCH 1/2] CI: Bump and ref actions by commit SHA in ci.yml

Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved to a malicious commit or a malicious commit being pushed to the branch. It's important to make sure the SHA's are from the original repositories and not forks.
For reference:
https://github.com/actions/checkout/releases/tag/v4.1.0
https://github.com/actions/checkout/commit/8ade135a41bc03ea155e62e844d188df1ea18608
https://github.com/actions/upload-artifact/releases/tag/v3.1.3
https://github.com/actions/upload-artifact/commit/a8a3f3ad30e3422c9c7b888a15615d19a852ae32
Signed-off-by: Gabriela Gutierrez
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 79ceb1411..b5582a749 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
 build_system: [autotools, cmake]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0
 ########################
 # Install Dependencies #
@@ -135,7 +135,7 @@ jobs:
 run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d small -p test -n small
 # Attempt to upload the test logs as artifacts if any step has failed
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 #v3.1.3
 if: ${{ failure() }}
 with:
 name: ${{ matrix.os }} ${{ matrix.build_system }} Test Logs
From 64909e884dca9e79b2eab211f36b87558d683fc7 Mon Sep 17 00:00:00 2001
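Review bot: The version comment on the added `uses:` line is written `#v4.1.0` with no space after the hash; yamllint's `comments` rule flags that, and `# v4.1.0` is the form the SHA-pin updaters (Dependabot, Renovate) show in their docs for keeping the tag comment in sync when they bump the hash, so the unconventional form risks a stale comment after the next update. Suggest `- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0`, with the same spacing on the upload-artifact pin in the second hunk of ci.yml and on the three pins in windows-ci.yml. This hunk also moves checkout from v3 to v4.1.0 in the same commit as the pinning, a major-version change rather than a pure re-reference, which is worth a sentence in the message so a runtime regression is not misattributed to the pin. Because a SHA pin never moves on its own, the repository should pair this with an updater configuration (for example a `github-actions` entry in `.github/dependabot.yml`) so the pinned commits do not silently age past upstream security fixes, and the SHA-to-release correspondence claimed in the message should be confirmed against the upstream repositories before merge, which cannot be done from the diff alone.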
From: Gabriela Gutierrez
Date: Tue, 26 Sep 2023 15:55:13 +0000
Subject: [PATCH 2/2] CI: Bump and ref actions by commit SHA in windows-ci.yml

Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved to a malicious commit or a malicious commit being pushed to the branch. It's important to make sure the SHA's are from the original repositories and not forks.
For reference:
https://github.com/msys2/setup-msys2/releases/tag/v2.20.1
https://github.com/msys2/setup-msys2/commit/27b3aa77f672cb6b3054121cfd80c3d22ceebb1d
https://github.com/actions/checkout/releases/tag/v4.1.0
https://github.com/actions/checkout/commit/8ade135a41bc03ea155e62e844d188df1ea18608
https://github.com/actions/upload-artifact/releases/tag/v3.1.3
https://github.com/actions/upload-artifact/commit/a8a3f3ad30e3422c9c7b888a15615d19a852ae32
Signed-off-by: Gabriela Gutierrez
---
 .github/workflows/windows-ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/windows-ci.yml b/.github/workflows/windows-ci.yml
index cb690ddfe..85562da7e 100644
--- a/.github/workflows/windows-ci.yml
+++ b/.github/workflows/windows-ci.yml
@@ -40,7 +40,7 @@ jobs:
 # Rely on the msys2 GitHub Action to set up the msys2 environment.
 - name: Setup MSYS2
- uses: msys2/setup-msys2@v2
+ uses: msys2/setup-msys2@27b3aa77f672cb6b3054121cfd80c3d22ceebb1d #v2.20.1
 with:
 msystem: ${{ matrix.msys2_env }}
 update: true
@@ -56,7 +56,7 @@ jobs:
 # text file and will not match the output from xzgrep.
 run: git config --global core.autocrlf false
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0
 ########################
@@ -118,7 +118,7 @@ jobs:
 ###############
 # Upload the test logs as artifacts if any step has failed.
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 #v3.1.3
 if: ${{ failure() }}
 with:
 name: ${{ matrix.msys2_env }} ${{ matrix.build_system }} Test Logs