From a48d5e2b37e68e2fd10c87ba2ea1adccc45f6206 Mon Sep 17 00:00:00 2001 From: Simon Smallchua <40650011+simonsmallchua@users.noreply.github.com> Date: Wed, 27 May 2026 20:28:17 +1000 Subject: [PATCH] Pin actions to SHAs, harden checkout --- .github/actions/fly-setup/action.yml | 4 +- .github/workflows/auto-release.yml | 10 ++-- .github/workflows/changelog-check.yml | 5 +- .github/workflows/cleanup-orphaned-apps.yml | 2 +- .github/workflows/fly-deploy.yml | 42 +++++++++---- .github/workflows/release-cli.yml | 11 ++-- .github/workflows/review-apps.yml | 48 ++++++++++----- .github/workflows/test-grafana-annotation.yml | 2 +- .github/workflows/test.yml | 60 +++++++++++-------- .github/workflows/webflow-extension.yml | 6 +- CHANGELOG.md | 6 +- 11 files changed, 126 insertions(+), 70 deletions(-) diff --git a/.github/actions/fly-setup/action.yml b/.github/actions/fly-setup/action.yml index e5223c26d..d5ac83eab 100644 --- a/.github/actions/fly-setup/action.yml +++ b/.github/actions/fly-setup/action.yml @@ -35,12 +35,12 @@ runs: using: composite steps: - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: "1.26.2" - name: Load secrets from 1Password - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index eabc9dea3..9447aae07 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml @@ -31,7 +31,7 @@ jobs: pull-requests: read steps: - name: Load secrets from 1Password - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: 
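Review bot: The composite pins `go-version: "1.26.2"` while every job in test.yml later in this patch sets `go-version: "1.26.3"`, so images built through fly-setup are compiled with a toolchain the test jobs never exercised; the commit pins the action but leaves that drift untouched. Consider `go-version-file: go.mod` here, as release-cli.yml already does, so a single file governs the toolchain everywhere. Separately, `export-env: true` places every secret this composite loads into the environment of all later steps in the calling job, not only the steps that need them; the action can expose them as step outputs instead, which scopes each secret to the steps that reference it. The composite's `inputs:` block is above this hunk, so I can't tell whether the Go version is already parameterised.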
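Review bot: Nothing in this patch keeps the new SHAs current: the diffstat touches no `.github/dependabot.yml` or Renovate config, so once pinned these actions stop receiving fixes until someone re-pins by hand. Add a `package-ecosystem: github-actions` entry to Dependabot (or the Renovate equivalent); both tools rely on the trailing `# v2` comment to know which tag a SHA stands for, so that comment has to stay accurate on every pin. The tag annotations were presumably produced by hand, so it is worth confirming that each SHA is the commit the named release tag actually points at, since the comment is the only record of that mapping.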
@@ -39,14 +39,14 @@ jobs: PAT_TOKEN: op://Good Native/hover-github/PAT_TOKEN - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 token: ${{ env.PAT_TOKEN }} - name: Check for no-release label id: skip - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const sha = context.sha; @@ -97,7 +97,7 @@ jobs: if: steps.check.outputs.should_release == 'true' && steps.skip.outputs.should_skip != 'true' - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "20" @@ -198,7 +198,7 @@ jobs: if: steps.check.outputs.should_release == 'true' && steps.skip.outputs.should_skip != 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: NEW_VERSION: ${{ steps.check.outputs.next_version }} RUNNER_TEMP: ${{ runner.temp }} diff --git a/.github/workflows/changelog-check.yml b/.github/workflows/changelog-check.yml index dd84a364a..729eb7e24 100644 --- a/.github/workflows/changelog-check.yml +++ b/.github/workflows/changelog-check.yml @@ -25,8 +25,9 @@ jobs: pull-requests: write steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: + persist-credentials: false fetch-depth: 0 - name: Check for changelog updates @@ -93,7 +94,7 @@ jobs: echo "✅ Changelog has new content under [Unreleased]" - name: Comment on PR with version info - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: RELEASE_TYPE: ${{ steps.check.outputs.release_type }} CURRENT_VERSION: ${{ steps.check.outputs.current_version }} diff --git a/.github/workflows/cleanup-orphaned-apps.yml b/.github/workflows/cleanup-orphaned-apps.yml index adf2a2cfb..296169fbc 100644 
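Review bot: This checkout is the only one in the patch left with credentials persisting, and it persists a PAT (`token: ${{ env.PAT_TOKEN }}`) rather than the job token, so the PAT is written into `.git/config` and is readable by every later step in the job, including the pinned setup-node and github-script steps. If a later step pushes with that PAT (the push step is outside this hunk, so I can't confirm), say so in place so the next hardening pass doesn't flip it, e.g. `# persist-credentials intentionally left on: the release step below pushes with PAT_TOKEN`. Otherwise add `persist-credentials: false` here as well and hand the PAT only to the step that pushes. The PAT is also in the job environment via `export-env: true` from the step above, so the checkout is not its only exposure.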
--- a/.github/workflows/cleanup-orphaned-apps.yml +++ b/.github/workflows/cleanup-orphaned-apps.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Load secrets from 1Password - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: diff --git a/.github/workflows/fly-deploy.yml b/.github/workflows/fly-deploy.yml index 21727487e..0ced3c455 100644 --- a/.github/workflows/fly-deploy.yml +++ b/.github/workflows/fly-deploy.yml @@ -51,7 +51,9 @@ jobs: outputs: image: ${{ steps.image.outputs.image }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -86,7 +88,9 @@ jobs: outputs: image: ${{ steps.image.outputs.image }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -120,7 +124,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [build-shared] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -163,7 +169,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [build-analysis] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} 
@@ -204,7 +212,9 @@ jobs: # the consumer-before-producer invariant. needs: [build-shared, release-analysis] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -254,7 +264,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [build-analysis, release-analysis] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -271,7 +283,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [build-shared, release-worker] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -294,7 +308,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [reconcile-worker-pool] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -302,7 +318,7 @@ jobs: - name: Load fly-autoscaler tokens from 1Password # Loaded inline (not in the shared fly-setup composite) so review-app # CI doesn't need these 1Password fields to exist. - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: 
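Review bot: The inline fly-autoscaler load keeps `export-env: true`, so the autoscaler tokens become job-wide environment variables alongside whatever fly-setup already exported, rather than being scoped to the step that configures the autoscaler. The comment says these are loaded inline precisely to keep them out of the shared composite; exposing them as step outputs instead (the action supports that when `export-env` is off, read back as `${{ steps.<id>.outputs.<NAME> }}`) would match that intent and limit what the other pinned actions in the job can read. The step that consumes the tokens is below the hunk, so I can't see how they are passed on today.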
@@ -341,7 +357,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [reconcile-analysis-pool] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -349,7 +367,7 @@ jobs: - name: Load fly-autoscaler tokens from 1Password # Loaded inline (not in the shared fly-setup composite) so review-app # CI doesn't need these 1Password fields to exist. - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: @@ -403,7 +421,7 @@ jobs: steps: - name: Load Grafana annotation secrets continue-on-error: true - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml index 3190dbef8..629bbd3e2 100644 --- a/.github/workflows/release-cli.yml +++ b/.github/workflows/release-cli.yml @@ -13,11 +13,12 @@ jobs: name: Build and Release CLI runs-on: blacksmith-4vcpu-ubuntu-2404 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 0 - - uses: actions/setup-go@v5 + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod @@ -31,7 +32,7 @@ jobs: git tag -f "$SEMVER_TAG" HEAD echo "SEMVER_TAG=$SEMVER_TAG" >> $GITHUB_ENV - - uses: goreleaser/goreleaser-action@v6 + - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6 with: version: "~> v2" args: release --clean --skip=validate 
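Review bot: release-cli.yml is pinned to `actions/checkout` v4 and `actions/setup-go` v5 (and `actions/setup-node` v4 in the next hunk) while every other workflow in this patch pins v6 of the same actions, so these SHAs freeze the release workflow on older majors the rest of the repository has already left. Pinning is the right moment to align them, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6` and the setup-go v6 SHA that test.yml uses, so one SHA per action is tracked across the repo. Below, `git tag -f "$SEMVER_TAG" HEAD` followed by `release --clean --skip=validate` means goreleaser publishes from a locally forced tag with its git-state validation off; that predates this commit, but a one-line comment on the `args:` line explaining why validation is skipped would keep it from reading as an accident.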
@@ -52,14 +53,14 @@ jobs: dist/hover_*.tar.gz dist/hover_*.zip dist/checksums.txt - name: Load secrets from 1Password - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} NPM_TOKEN: op://Good Native/npm/npm_access_token - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 20 registry-url: https://registry.npmjs.org diff --git a/.github/workflows/review-apps.yml b/.github/workflows/review-apps.yml index 8169b4d0f..8d2ad74bb 100644 --- a/.github/workflows/review-apps.yml +++ b/.github/workflows/review-apps.yml @@ -61,7 +61,9 @@ jobs: ${{ steps.naming.outputs.autoscaler_analysis_app }} api_url: ${{ steps.naming.outputs.api_url }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -72,7 +74,7 @@ jobs: - name: Load Stripe test keys # Review apps deliberately use Stripe TEST keys so PR work can't move # real money. These overlay any prod values that might leak in. - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: @@ -85,7 +87,7 @@ jobs: op://Good Native/hover-stripe/_TEST_STRIPE_PUBLISHABLE_KEY - name: Setup Supabase CLI - uses: supabase/setup-cli@v1 + uses: supabase/setup-cli@ab058987d8d6c725971f6cf9d0b5c98467e30bd1 # v1 with: version: "2.67.1" 
@@ -468,7 +470,9 @@ jobs: outputs: image: ${{ steps.image.outputs.image }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -504,7 +508,9 @@ jobs: outputs: image: ${{ steps.image.outputs.image }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -538,7 +544,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [provision, build-shared] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -563,7 +571,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [provision, build-analysis] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -585,7 +595,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [provision, release-analysis] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} 
@@ -605,7 +617,9 @@ jobs: # consumer-before-producer invariant. needs: [provision, build-shared, release-analysis] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -630,7 +644,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [provision, release-worker] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -653,7 +669,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [provision, reconcile-worker-pool] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -674,7 +692,9 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [provision, reconcile-analysis-pool] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: ./.github/actions/fly-setup with: op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -701,7 +721,7 @@ jobs: pull-requests: write steps: - name: Comment PR with app URL - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: API_URL: ${{ needs.provision.outputs.api_url }} with: 
@@ -731,7 +751,7 @@ jobs: - uses: superfly/flyctl-actions/setup-flyctl@63da3ecc5e2793b98a3f2519b3d75d4f4c11cec2 # pinned - name: Load secrets from 1Password - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: diff --git a/.github/workflows/test-grafana-annotation.yml b/.github/workflows/test-grafana-annotation.yml index b74ac0370..07408e092 100644 --- a/.github/workflows/test-grafana-annotation.yml +++ b/.github/workflows/test-grafana-annotation.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Load Grafana annotation secrets continue-on-error: true - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3c083337a..79816d800 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -37,10 +37,12 @@ jobs: GOFLAGS: "-mod=mod" GOPROXY: "https://proxy.golang.org,direct" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: "1.26.3" cache: true @@ -52,7 +54,7 @@ jobs: echo "gocache=$(go env GOCACHE)" >> $GITHUB_OUTPUT - name: Cache Go modules - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: | ${{ steps.go-env.outputs.gomodcache }} @@ -68,7 +70,7 @@ jobs: run: go list -deps -test ./... - name: golangci-lint - uses: golangci/golangci-lint-action@v8 + uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8 with: version: v2.9.0 args: --config .golangci.yml --modules-download-mode=mod 
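Review bot: The new 1Password pin carries a `# v2` tag comment, but the flyctl pin two lines above it in the same step list still reads only `# pinned`, which records no version and so cannot be checked against a release or kept in sync by a dependency bot's tag-comment convention. For consistency with the rest of this patch, annotate it with the tag the SHA was taken from, e.g. `uses: superfly/flyctl-actions/setup-flyctl@63da3ecc5e2793b98a3f2519b3d75d4f4c11cec2 # <tag>`, substituting the exact tag that commit corresponds to, which I can't verify from here.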
@@ -77,10 +79,12 @@ jobs: name: Format Check runs-on: blacksmith-4vcpu-ubuntu-2404 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: "1.26.3" cache: true @@ -99,7 +103,7 @@ jobs: echo "✅ All Go files are properly formatted" - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "20" @@ -122,10 +126,12 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [lint, format] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: "1.26.3" cache: true @@ -137,13 +143,13 @@ jobs: go test -v -race -short -shuffle=on -covermode=atomic -coverprofile=coverage-unit.out -coverpkg=./... ./... - name: Upload unit test coverage - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: coverage-unit path: coverage-unit.out - name: Load secrets from 1Password - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: @@ -152,7 +158,7 @@ jobs: - name: Upload unit test coverage to Codecov if: env.CODECOV_TOKEN != '' - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: token: ${{ env.CODECOV_TOKEN }} files: ./coverage-unit.out 
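Review bot: The `Load secrets from 1Password` step in unit-tests runs unconditionally with `OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}`, yet the Codecov upload right after it is guarded by `if: env.CODECOV_TOKEN != ''`, which only matters if the token can be absent, as it is for pull requests from forks where repository secrets are withheld. In that case the load step itself is the likely point of failure, since it needs a service-account token to resolve the `op://` references, and the guard on the upload never gets a chance to help (I can't see this workflow's `on:` triggers, so this is moot if fork PRs are excluded). test-grafana-annotation.yml in this same patch handles the equivalent situation with `continue-on-error: true` on the load step; mirroring that here, or gating the step on the secret being present, would make the downstream guard meaningful.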
@@ -165,10 +171,12 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 needs: [lint, format] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: "1.26.3" cache: true @@ -201,21 +209,21 @@ jobs: - name: Upload integration test coverage if: always() - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: coverage-integration path: coverage-integration.out - name: Upload test results if: always() - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: test-results path: junit.xml - name: Load secrets from 1Password if: always() - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: @@ -224,7 +232,7 @@ jobs: - name: Upload integration test coverage to Codecov if: always() && env.CODECOV_TOKEN != '' - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: token: ${{ env.CODECOV_TOKEN }} files: ./coverage-integration.out @@ -234,7 +242,7 @@ jobs: - name: Upload test results to Codecov if: always() && env.CODECOV_TOKEN != '' - uses: codecov/test-results-action@v1 + uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1 with: token: ${{ env.CODECOV_TOKEN }} files: ./junit.xml 
@@ -247,16 +255,18 @@ jobs: always() && (needs.unit-tests.result == 'success' || needs.integration-tests.result == 'success') steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: "1.26.3" cache: true - name: Download coverage files - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: pattern: coverage-* merge-multiple: true @@ -284,7 +294,7 @@ jobs: fi - name: Load secrets from 1Password - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: export-env: true env: @@ -295,7 +305,7 @@ jobs: - name: Upload combined coverage to Codecov if: env.CODECOV_TOKEN != '' - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: token: ${{ env.CODECOV_TOKEN }} files: ./coverage.out @@ -305,7 +315,7 @@ jobs: - name: Upload static analysis to Codecov if: env.CODECOV_STATIC_TOKEN != '' - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: token: ${{ env.CODECOV_STATIC_TOKEN }} flags: static-analysis diff --git a/.github/workflows/webflow-extension.yml b/.github/workflows/webflow-extension.yml index 356d37acb..ff674fad1 100644 --- a/.github/workflows/webflow-extension.yml +++ b/.github/workflows/webflow-extension.yml 
@@ -23,10 +23,12 @@ jobs: working-directory: webflow-designer-extension-cli steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "20" diff --git a/CHANGELOG.md b/CHANGELOG.md index f0a81bd96..39b27836b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,7 +28,11 @@ On merge, CI will: ## [Unreleased] -_Add unreleased changes here._ +### Changed + +- Pin all third-party GitHub Actions to commit SHAs and set + `persist-credentials: false` on checkout steps, completing the workflow + hardening deferred from PR #392. ## Full changelog history