authorStepSecurity Bot <bot@stepsecurity.io>2022-11-25 10:26:10 +0000
committerHiroshi SHIBATA <hsbt@ruby-lang.org>2022-11-25 20:12:23 +0900
commite15cd01149afe4924460f81cb6e27dd96de06657 (patch)
treed95d0bc97f0ec1300a85892b5a01d29a66b2673f /.github
parent8a50db7dfa9383326854ddfa47c7003722567d61 (diff)
[StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Notes
Notes: Merged: https://github.com/ruby/ruby/pull/6810
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/baseruby.yml8
-rw-r--r--.github/workflows/bundled_gems.yml4
-rw-r--r--.github/workflows/check_dependencies.yml6
-rw-r--r--.github/workflows/check_misc.yml6
-rw-r--r--.github/workflows/cirrus-notify.yml4
-rw-r--r--.github/workflows/codeql-analysis.yml10
-rw-r--r--.github/workflows/compilers.yml6
-rw-r--r--.github/workflows/macos.yml6
-rw-r--r--.github/workflows/mingw.yml8
-rw-r--r--.github/workflows/mjit-bindgen.yml8
-rw-r--r--.github/workflows/mjit.yml6
-rw-r--r--.github/workflows/spec_guards.yml6
-rw-r--r--.github/workflows/ubuntu.yml6
-rw-r--r--.github/workflows/wasm.yml2
-rw-r--r--.github/workflows/windows.yml14
-rw-r--r--.github/workflows/yjit-ubuntu.yml8
16 files changed, 54 insertions, 54 deletions
diff --git a/.github/workflows/baseruby.yml b/.github/workflows/baseruby.yml
index 8152cad768..590670e488 100644
--- a/.github/workflows/baseruby.yml
+++ b/.github/workflows/baseruby.yml
@@ -40,12 +40,12 @@ jobs:
- ruby-3.1
steps:
- - uses: actions/checkout@v3
- - uses: actions/cache@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: .downloaded-cache
key: downloaded-cache
- - uses: ruby/setup-ruby@v1
+ - uses: ruby/setup-ruby@de6f5b9c340068d049670c6b6ae8dc94cff4667a # v1.125.0
with:
ruby-version: ${{ matrix.ruby }}
bundler: none
@@ -57,7 +57,7 @@ jobs:
- run: make incs
- run: make all
- run: make test
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/bundled_gems.yml b/.github/workflows/bundled_gems.yml
index 471f32b25f..f9a7a822cd 100644
--- a/.github/workflows/bundled_gems.yml
+++ b/.github/workflows/bundled_gems.yml
@@ -29,9 +29,9 @@ jobs:
echo "GNUMAKEFLAGS=-j$((1 + $(nproc --all)))" >> $GITHUB_ENV
echo "TODAY=$(date +%F)" >> $GITHUB_ENV
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: .downloaded-cache
key: downloaded-cache-${{ github.sha }}
diff --git a/.github/workflows/check_dependencies.yml b/.github/workflows/check_dependencies.yml
index 16e2829f73..797b1a04a3 100644
--- a/.github/workflows/check_dependencies.yml
+++ b/.github/workflows/check_dependencies.yml
@@ -45,8 +45,8 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- - uses: actions/checkout@v3
- - uses: actions/cache@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: .downloaded-cache
key: downloaded-cache
@@ -56,7 +56,7 @@ jobs:
- run: make all golf
- run: ruby tool/update-deps --fix
- run: git diff --no-ext-diff --ignore-submodules --exit-code
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/check_misc.yml b/.github/workflows/check_misc.yml
index e897015d56..3bc990a3ef 100644
--- a/.github/workflows/check_misc.yml
+++ b/.github/workflows/check_misc.yml
@@ -9,7 +9,7 @@ jobs:
checks:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
- name: Check if C-sources are US-ASCII
run: |
! grep -r -n '[^ -~]' *.[chy] include internal win32/*.[ch]
@@ -23,7 +23,7 @@ jobs:
done | grep -F .
working-directory: include
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: .downloaded-cache
key: downloaded-cache-${{ github.sha }}
@@ -98,7 +98,7 @@ jobs:
GIT_COMMITTER_NAME: git
if: ${{ github.repository == 'ruby/ruby' && !startsWith(github.event_name, 'pull') && steps.diff.outcome == 'failure' }}
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/cirrus-notify.yml b/.github/workflows/cirrus-notify.yml
index fff717f1d6..45aefa78cd 100644
--- a/.github/workflows/cirrus-notify.yml
+++ b/.github/workflows/cirrus-notify.yml
@@ -13,7 +13,7 @@ jobs:
&& github.event.check_suite.head_branch == 'master'
runs-on: ubuntu-latest
steps:
- - uses: octokit/request-action@v2.x
+ - uses: octokit/request-action@4579f9e1e690974421f9f6928a30fb448e967c60 # v2.x
id: get_failed_check_run
with:
route: GET /repos/${{ github.repository }}/check-suites/${{ github.event.check_suite.id }}/check-runs?status=completed
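Review bot: The trailing comment on the new `octokit/request-action` pin names the floating tag `v2.x` rather than the release the SHA resolves to, so the pin cannot be audited against a specific version and tooling that refreshes pinned actions from the comment has nothing concrete to bump; the same applies to `msys2/setup-msys2@… # v2` in the first windows.yml hunk. Every other hunk in this commit names an exact tag (`# v3.1.0`, `# v3.0.11`, `# v1.125.0`), which is the form to use here: `- uses: octokit/request-action@4579f9e1e690974421f9f6928a30fb448e967c60 # <exact release tag this SHA corresponds to>`. Separately, the diffstat (limited to `.github`) shows no Dependabot or similar update configuration being added; if none exists already, these SHA pins will drift as the actions publish fixes, so an update mechanism for the `github-actions` ecosystem is worth adding in a follow-up.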
@@ -28,7 +28,7 @@ jobs:
env:
CHECK_RUNS: ${{ steps.get_failed_check_run.outputs.data }}
run: echo "$CHECK_RUNS"
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 42f1494b1d..114f4220a9 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -43,9 +43,9 @@ jobs:
sudo apt-get install --no-install-recommends -q -y build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev bison autoconf ruby
- name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: .downloaded-cache
key: downloaded-cache
@@ -54,7 +54,7 @@ jobs:
run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb
- name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2.1.33
with:
config-file: ./.github/codeql/codeql-config.yml
@@ -62,7 +62,7 @@ jobs:
run: echo "GNUMAKEFLAGS=-j$((1 + $(nproc --all)))" >> $GITHUB_ENV
- name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2.1.33
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2.1.33
diff --git a/.github/workflows/compilers.yml b/.github/workflows/compilers.yml
index 60fcc94c5e..af56ebb6f1 100644
--- a/.github/workflows/compilers.yml
+++ b/.github/workflows/compilers.yml
@@ -231,10 +231,10 @@ jobs:
- name: setenv
run: |
echo "GNUMAKEFLAGS=-sj$((1 + $(nproc --all)))" >> $GITHUB_ENV
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@@ -268,7 +268,7 @@ jobs:
- run: make test-annocheck
if: ${{ matrix.entry.check && endsWith(matrix.entry.name, 'annocheck') }}
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 6865c218b1..f8809f7cc9 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -41,10 +41,10 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@@ -86,7 +86,7 @@ jobs:
PRECHECK_BUNDLED_GEMS: "no"
if: ${{ matrix.test_task == 'check' && matrix.skipped_tests != '' }}
continue-on-error: ${{ matrix.continue-on-skipped_tests || false }}
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/mingw.yml b/.github/workflows/mingw.yml
index 6f7af8ccf8..e1af98c250 100644
--- a/.github/workflows/mingw.yml
+++ b/.github/workflows/mingw.yml
@@ -57,15 +57,15 @@ jobs:
git config --global core.eol lf
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
- name: Set up Ruby & MSYS2
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@de6f5b9c340068d049670c6b6ae8dc94cff4667a # v1.125.0
with:
ruby-version: ${{ matrix.base_ruby }}
- name: set env
@@ -151,7 +151,7 @@ jobs:
make ${{ StartsWith(matrix.test_task, 'spec/') && matrix.test_task || 'test-spec' }}
if: ${{matrix.test_task == 'check' || matrix.test_task == 'test-spec' || StartsWith(matrix.test_task, 'spec/')}}
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/mjit-bindgen.yml b/.github/workflows/mjit-bindgen.yml
index 7c1575634d..fa8af3de6f 100644
--- a/.github/workflows/mjit-bindgen.yml
+++ b/.github/workflows/mjit-bindgen.yml
@@ -48,17 +48,17 @@ jobs:
bison autoconf
sudo apt-get install -q -y pkg-config || :
- name: Set up Ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@de6f5b9c340068d049670c6b6ae8dc94cff4667a # v1.125.0
with:
ruby-version: '3.1'
- name: git config
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@@ -77,7 +77,7 @@ jobs:
- run: make ${{ matrix.task }}
- run: git diff --exit-code
working-directory: src
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/mjit.yml b/.github/workflows/mjit.yml
index c468e01811..f8fc6647b3 100644
--- a/.github/workflows/mjit.yml
+++ b/.github/workflows/mjit.yml
@@ -46,10 +46,10 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@@ -84,7 +84,7 @@ jobs:
ulimit -c unlimited
make -s test-spec RUN_OPTS="$RUN_OPTS"
timeout-minutes: 60
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/spec_guards.yml b/.github/workflows/spec_guards.yml
index 1991e016a3..41c7d5badf 100644
--- a/.github/workflows/spec_guards.yml
+++ b/.github/workflows/spec_guards.yml
@@ -28,8 +28,8 @@ jobs:
- ruby-3.1
steps:
- - uses: actions/checkout@v3
- - uses: ruby/setup-ruby@v1
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ - uses: ruby/setup-ruby@de6f5b9c340068d049670c6b6ae8dc94cff4667a # v1.125.0
with:
ruby-version: ${{ matrix.ruby }}
bundler: none
@@ -38,7 +38,7 @@ jobs:
working-directory: spec/ruby
env:
CHECK_LEAKS: true
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 508d2c7733..0e3580bebf 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -72,10 +72,10 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@@ -120,7 +120,7 @@ jobs:
TESTS: ${{ matrix.skipped_tests }}
if: ${{ matrix.test_task == 'check' && matrix.skipped_tests != '' }}
continue-on-error: ${{ matrix.continue-on-skipped_tests || false }}
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/wasm.yml b/.github/workflows/wasm.yml
index 6999ea5882..28c043b787 100644
--- a/.github/workflows/wasm.yml
+++ b/.github/workflows/wasm.yml
@@ -51,7 +51,7 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- name: Install libraries
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 7f96d3464b..0eb6fc0212 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -39,7 +39,7 @@ jobs:
steps:
- run: md build
working-directory:
- - uses: msys2/setup-msys2@v2
+ - uses: msys2/setup-msys2@d40200dc2db4c351366b048a9565ad82919e1c24 # v2
id: setup-msys2
with:
update: true
@@ -50,14 +50,14 @@ jobs:
shell: msys2 {0}
run: echo PATCH=$(cygpath -wa $(command -v patch)) >> $GITHUB_ENV
if: ${{ steps.setup-msys2.outcome == 'success' }}
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: C:\vcpkg\downloads
key: ${{ runner.os }}-vcpkg-download-${{ env.OS_VER }}-${{ github.sha }}
restore-keys: |
${{ runner.os }}-vcpkg-download-${{ env.OS_VER }}-
${{ runner.os }}-vcpkg-download-
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: C:\vcpkg\installed
key: ${{ runner.os }}-vcpkg-installed-${{ matrix.os }}-${{ github.sha }}
@@ -67,7 +67,7 @@ jobs:
- name: Install libraries with vcpkg
run: |
vcpkg --triplet x64-windows install libffi libyaml openssl readline zlib
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: C:\Users\runneradmin\AppData\Local\Temp\chocolatey
key: ${{ runner.os }}-chocolatey-${{ env.OS_VER }}-${{ github.sha }}
@@ -86,10 +86,10 @@ jobs:
git config --global core.eol lf
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@@ -138,7 +138,7 @@ jobs:
env:
RUBY_TESTOPTS: -j${{env.TEST_JOBS}} --job-status=normal
timeout-minutes: 60
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{
diff --git a/.github/workflows/yjit-ubuntu.yml b/.github/workflows/yjit-ubuntu.yml
index c38743ff02..eeb2b65630 100644
--- a/.github/workflows/yjit-ubuntu.yml
+++ b/.github/workflows/yjit-ubuntu.yml
@@ -27,7 +27,7 @@ jobs:
# GitHub Action's image seems to already contain a Rust 1.58.0.
runs-on: ubuntu-20.04
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
# For now we can't run cargo test --offline because it complains about the
# capstone dependency, even though the dependency is optional
#- run: cargo test --offline
@@ -90,10 +90,10 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- - uses: actions/cache@v3
+ - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@@ -135,7 +135,7 @@ jobs:
BASE_REPO: ${{ github.event.pull_request.base.repo.full_name }}
BASE_SHA: ${{ github.event.pull_request.base.sha }}
if: ${{ matrix.test_task == 'yjit-bench' && startsWith(github.event_name, 'pull') }}
- - uses: ruby/action-slack@v3.0.0
+ - uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{