Merge pull request #4 from step-security-bot/stepsecurity_remediation…
…_1704817064

[StepSecurity] ci: Harden GitHub Actions
gregorywaynepower authored Jan 9, 2024
2 parents 10bfe33 + 5e01050 commit 92c1195
Showing 17 changed files with 73 additions and 73 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/backport.yml
Expand Up @@ -13,6 +13,6 @@ jobs:
- name: Backport Bot
id: backport
if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( join( github.event.pull_request.labels.*.name ), 'backport') ) || contains( github.event.label.name, 'backport' ) )
uses: m-kuhn/[email protected]
uses: m-kuhn/backport@7f3cab83e4b3b26aefcffda21851c3dc3d389f45 # v1.2.7
with:
github_token: ${{ secrets.GH_TOKEN_BOT }}
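Review bot: The `# v1.2.7` trailer on the new `uses:` line is informational only — GitHub resolves the SHA, never the comment — so before merging a reviewer should confirm in m-kuhn/backport that 7f3cab8 is the commit the v1.2.7 tag points at. That check matters more than usual here because the step hands the action `secrets.GH_TOKEN_BOT`, which by its name looks like a dedicated bot credential rather than the job's `GITHUB_TOKEN`, so whatever code sits at that SHA runs with everything that token can do. If it is a classic PAT, consider scoping it to the minimum the backport flow needs; that cannot be verified from this hunk.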
6 changes: 3 additions & 3 deletions .github/workflows/build-docker.yml
Expand Up @@ -56,7 +56,7 @@ jobs:

steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
with:
tool-cache: true
large-packages: true
Expand All @@ -78,7 +78,7 @@ jobs:
- name: Cache
id: cache
uses: actions/[email protected]
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ~/.ccache
key: docker-build-${{ matrix.branch }}-${{ github.sha }}
Expand All @@ -87,7 +87,7 @@ jobs:
docker-build-master-
- name: checkout ${{ matrix.branch }}
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ matrix.branch }}

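Review bot: `jlumbroso/free-disk-space@54081f1… # main` pins the SHA of a branch head rather than a tagged release, so the trailing comment carries no version and automated pin-updaters (Dependabot/Renovate) have no tag to track or bump from. Prefer a commit that corresponds to a release and record that tag, e.g. `uses: jlumbroso/free-disk-space@<release-sha> # vX.Y.Z`, so the pin stays reviewable. The SHA pin itself is still an improvement over the previous `@main`. The job's remaining steps after the checkout continue outside the hunk.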
4 changes: 2 additions & 2 deletions .github/workflows/build_artifact_comment.yml
Expand Up @@ -16,7 +16,7 @@ jobs:
steps:
- name: 'Download artifact'
id: download_artifact
uses: actions/github-script@v7
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
Expand Down Expand Up @@ -63,7 +63,7 @@ jobs:
- name: 'Post artifact download link as comment on PR'
if: fromJSON(steps.download_artifact.outputs.artifact_id) > 0
uses: actions/github-script@v7
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
34 changes: 17 additions & 17 deletions .github/workflows/code_layout.yml
Expand Up @@ -16,9 +16,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Python 3.10
uses: actions/setup-python@v5
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: '3.10'
- name: Install requirements
Expand All @@ -41,7 +41,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Requirements
run: |
sudo apt install -y \
Expand All @@ -55,7 +55,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Requirements
run: |
sudo apt install -y \
Expand All @@ -68,55 +68,55 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Banned Keywords Test
run: ./tests/code_layout/test_banned_keywords.sh

class_name_check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run class naming conventions check
run: ./tests/code_layout/test_class_names.sh

def_window_title_check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Def Window Title Test
run: ./tests/code_layout/test_defwindowtitle.sh

qgsscrollarea_check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run QgsScrollArea check
run: ./tests/code_layout/test_qgsscrollarea.sh

qvariant_no_brace_init:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: No brace initialization of QVariant variables
run: ./tests/code_layout/test_qvariant_no_brace_init.sh

qt_module_wide_imports:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: No module-wide imports of Qt modules
run: ./tests/code_layout/test_qt_imports.sh

doxygen_layout_check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Requirements
run: |
sudo apt install -y \
Expand All @@ -130,7 +130,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 100
- name: Install Requirements
Expand All @@ -146,13 +146,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Requirements
run: |
sudo apt install -y \
expect \
silversearcher-ag
- uses: tj-actions/changed-files@v41
- uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f # v41.0.1
id: changed_files
with:
separator: ' '
Expand All @@ -163,7 +163,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Set up Python 3.7
uses: actions/setup-python@v5
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: 3.7
- name: Install Requirements
Expand All @@ -187,7 +187,7 @@ jobs:
python -m pip install --upgrade pip
pip install autopep8 nose2 mock termcolor
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Sip Checks
run: ./tests/code_layout/sipify/test_sipify.sh
- name: Sip Include Test
Expand All @@ -199,7 +199,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install Requirements
run: |
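Review bot: The hardening pins every action in this file but leaves the Python dependencies on the sipify job unpinned — `pip install autopep8 nose2 mock termcolor` resolves whatever PyPI serves on the day, which is the same mutable-reference problem the commit fixes for actions. Pin them, ideally with hashes from a generated lock file (`pip install --require-hashes -r tests/code_layout/requirements.txt`), or at minimum `pip install autopep8==X.Y nose2==X.Y mock==X.Y termcolor==X.Y`. Separately, `tj-actions/changed-files` with `separator: ' '` emits file names that, if this workflow runs on `pull_request`, come from the contributor; where `steps.changed_files.outputs.*` is consumed (outside the hunk), pass it through an `env:` variable rather than expanding `${{ }}` inside a `run:` script.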
6 changes: 3 additions & 3 deletions .github/workflows/flake8.yml
Expand Up @@ -14,14 +14,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup Python
uses: actions/setup-python@v5
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: 3.7
architecture: x64
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run flake8
uses: julianwachholz/[email protected]
uses: julianwachholz/flake8-action@75749239077651dfd0ecbe405899cdcb0673ee8f # v2.0.2
with:
checkName: 'Python Lint'
env:
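Review bot: `python-version: 3.7` on the newly pinned setup-python step selects a Python line that reached upstream end-of-life in June 2023, so pinning the action does not stop the lint job from running on an interpreter that no longer receives security fixes; moving to a supported version belongs in a follow-up. While there, quote the value — `python-version: '3.7'` — because the unquoted scalar only works by luck (YAML parses it as a float, and a later `3.10` would silently become `3.1`). The `env:` block of the flake8 step continues outside the hunk.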
10 changes: 5 additions & 5 deletions .github/workflows/macos-build.yml
Expand Up @@ -33,10 +33,10 @@ jobs:
if: github.repository == 'qgis/QGIS'
runs-on: macos-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Prepare build cache for pull request
uses: pat-s/[email protected]
uses: pat-s/always-upload-cache@9a0d1c3e1a8260b05500f9b67a5be8f2a1299819 # v3.0.11
if: github.event_name == 'pull_request'
with:
path: ${{ env.CCACHE_DIR }}
Expand All @@ -50,7 +50,7 @@ jobs:
- name: Prepare build cache for branch/tag
# use a fork of actions/cache@v2 to upload cache even when the build or test failed
uses: pat-s/[email protected]
uses: pat-s/always-upload-cache@9a0d1c3e1a8260b05500f9b67a5be8f2a1299819 # v3.0.11
if: github.event_name != 'pull_request'
with:
path: ${{ env.CCACHE_DIR }}
Expand All @@ -64,7 +64,7 @@ jobs:
# Qt caching
- name: Cache Qt
id: cache-qt
uses: actions/[email protected]
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ${{ env.DEPS_CACHE_DIR }}/Qt/${{ env.QT_VERSION }}
key: mac-qt-${{ env.QT_VERSION }}
Expand All @@ -87,7 +87,7 @@ jobs:
# QGIS-deps caching
- name: Cache qgis-deps
id: cache-deps
uses: actions/[email protected]
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ${{ env.DEPS_CACHE_DIR }}/QGIS/qgis-deps-${{ env.QGIS_DEPS_VERSION }}.${{ env.QGIS_DEPS_PATCH_VERSION }}
key: mac-qgis-deps-${{ env.QGIS_DEPS_VERSION }}.${{ env.QGIS_DEPS_PATCH_VERSION }}
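Review bot: The comment `# use a fork of actions/cache@v2 to upload cache even when the build or test failed` above the branch/tag cache step is now stale, since the step is pinned to `pat-s/always-upload-cache` v3.0.11; it should read `# fork of actions/cache that saves the cache even when the build or test failed (SHA-pinned, see trailer)`. That comment is also the right place to state the trade-off it implies: a cache written by a failed build is restored by later runs matching the same key prefix, which is accepted here to keep ccache warm. The same stale comment appears in the mingw64 and ogc workflows in this commit.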
12 changes: 6 additions & 6 deletions .github/workflows/mingw64.yml
Expand Up @@ -32,7 +32,7 @@ jobs:
- ${{ github.workspace }}:/w
steps:

- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# To be removed
# Workaround a bug where the initial /etc/dnf/dnf.conf file contains
Expand All @@ -50,7 +50,7 @@ jobs:
run: ./ms-windows/mingw/mingwdeps.sh

# Node.js and Yarn for server landingpage webapp
- uses: actions/setup-node@v4
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version: '17'

Expand All @@ -61,7 +61,7 @@ jobs:
run: mkdir -p /w/.ccache/QGIS

- name: Prepare build cache for pull request
uses: pat-s/[email protected]
uses: pat-s/always-upload-cache@9a0d1c3e1a8260b05500f9b67a5be8f2a1299819 # v3.0.11
if: github.event_name == 'pull_request'
with:
path: /w/.ccache/QGIS
Expand All @@ -75,7 +75,7 @@ jobs:
- name: Prepare build cache for branch/tag
# use a fork of actions/cache@v2 to upload cache even when the build or test failed
uses: pat-s/[email protected]
uses: pat-s/always-upload-cache@9a0d1c3e1a8260b05500f9b67a5be8f2a1299819 # v3.0.11
if: github.event_name != 'pull_request'
with:
path: /w/.ccache/QGIS
Expand Down Expand Up @@ -112,13 +112,13 @@ jobs:
zip -u qgis-portable-win64-debugsym.zip git_commit
- name: Upload QGIS for Windows 64bit
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: QGIS for Windows 64bit
path: qgis-portable-win64.zip

- name: Upload QGIS for Windows 64bit Debug Symbols
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: QGIS for Windows 64bit Debug Symbols
path: qgis-portable-win64-debugsym.zip
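Review bot: `node-version: '17'` under the newly pinned setup-node step selects an odd-numbered, non-LTS Node line that is end-of-life upstream, so pinning the action's SHA does not keep the server landing-page build off an unpatched runtime; switch to a supported LTS line, e.g. `node-version: '20'`, in a follow-up. The pins themselves look correct, and the SHA-pinned `actions/upload-artifact` steps now make the two artifact uploads reproducible. The container and build steps of this job continue above and below the hunks shown.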
8 changes: 4 additions & 4 deletions .github/workflows/ogc.yml
Expand Up @@ -38,10 +38,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Prepare build cache for pull request
uses: pat-s/[email protected]
uses: pat-s/always-upload-cache@9a0d1c3e1a8260b05500f9b67a5be8f2a1299819 # v3.0.11
if: github.event_name == 'pull_request'
with:
path: /home/runner/QGIS/.ccache
Expand All @@ -55,7 +55,7 @@ jobs:
- name: Prepare build cache for branch/tag
# use a fork of actions/cache@v2 to upload cache even when the build or test failed
uses: pat-s/[email protected]
uses: pat-s/always-upload-cache@9a0d1c3e1a8260b05500f9b67a5be8f2a1299819 # v3.0.11
if: github.event_name != 'pull_request'
with:
path: /home/runner/QGIS/.ccache
Expand All @@ -67,7 +67,7 @@ jobs:
- name: Build Docker Container with Build Environment
id: docker-build
uses: whoan/docker-build-with-cache-action@v8
uses: whoan/docker-build-with-cache-action@272668ad2d5539177fb43c97b5e6a7df446933c4 # v8.0.2
with:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
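Review bot: SHA-pinning `whoan/docker-build-with-cache-action` is the right control for a third-party action that receives `secrets.GITHUB_TOKEN` as `password:`, but the hunk does not show whether the job declares a `permissions:` block limiting that token to what a registry push needs. If the job relies on the workflow default, add an explicit job-level `permissions: { contents: read, packages: write }` so the pinned action cannot do more with the token than push images. The `with:` block of the docker-build step continues outside the hunk.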
2 changes: 1 addition & 1 deletion .github/workflows/pr-auto-label.yml
Expand Up @@ -15,6 +15,6 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v5
- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
6 changes: 3 additions & 3 deletions .github/workflows/pr-auto-milestone.yml
Expand Up @@ -14,7 +14,7 @@ jobs:
if: github.repository == 'qgis/QGIS'
steps:
# list the tags and milestones
- uses: octokit/[email protected]
- uses: octokit/graphql-action@a5b8ca2d995449cd9b1e8508d36039fb80bf6140 # v2.x
id: graphql_request
with:
query: |
Expand Down Expand Up @@ -110,7 +110,7 @@ jobs:
- name: Create milestone if needed
id: create_milestone
if: steps.extract_data.outputs.has_milestone_to_set == 1 && steps.extract_data.outputs.has_milestone_to_create == 1
uses: octokit/[email protected]
uses: octokit/request-action@ce564d5a5eb207c7f4cb601ac32c7a951e9b6396 # v2.x
with:
route: POST /repos/qgis/QGIS/milestones
title: ${{ steps.extract_data.outputs.milestone_title }}
Expand All @@ -132,7 +132,7 @@ jobs:
# update PR with milestone
- name: update PR milestone
if: steps.extract_data.outputs.has_milestone_to_set == 1
uses: octokit/[email protected]
uses: octokit/request-action@ce564d5a5eb207c7f4cb601ac32c7a951e9b6396 # v2.x
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
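Review bot: The `# v2.x` trailers on the octokit/graphql-action and octokit/request-action pins reproduce the floating tag the workflow used before, not the release the SHAs correspond to, so they neither tell a reviewer which version was pinned nor give Dependabot/Renovate a concrete tag to bump from. Resolve each SHA to its exact release tag upstream and record that instead, in the form `uses: octokit/request-action@ce564d5… # vX.Y.Z`. Since the request-action steps create milestones and edit the PR with `GITHUB_TOKEN`, it is also worth confirming the job's `permissions:` (outside the hunk) grant only `issues: write` and `pull-requests: write`.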