From 0b5b77fa1dbe60e251f141e067f7f873be582f70 Mon Sep 17 00:00:00 2001 From: Wouter Born Date: Tue, 18 Mar 2025 16:03:36 +0100 Subject: [PATCH] Pin GitHub Action versions using commit SHAs The tags can be changed by bad actors causing supply chain security issues such as CVE-2025-30066. GitHub is still working on immutable actions (https://github.com/github/roadmap/issues/592) which is a solution to this problem. --- .github/workflows/ci_cd.yml | 8 ++++---- .github/workflows/release.yml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index af6388f..3a4611d 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -25,16 +25,16 @@ jobs: steps: - name: Cancel previous runs - uses: styfle/cancel-workflow-action@0.12.1 + uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 with: access_token: ${{ github.token }} - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up JDK 17 and gradle cache id: java - uses: actions/setup-java@v4 + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4 with: distribution: 'temurin' java-version: '17' @@ -72,7 +72,7 @@ jobs: - name: Upload build outputs if: success() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 with: name: build-outputs path: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fc4ba75..3e59a00 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -32,10 +32,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up JDK 17 and gradle cache - uses: actions/setup-java@v4 + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4 with: distribution: 'temurin' java-version: '17'