fix: pin all GitHub Actions to full commit SHAs (resolves SonarCloud S7637) (#90)
Pin all floating version tags (@v1, @v2, @v3, @v4, @master) to full commit SHAs across all workflow files to eliminate supply chain security risk. Actions pinned: - actions/checkout@v3 -> f43a0e5 (v3.6.0) in release.yml, sync-wiki.yml - actions/checkout@v4 -> 34e1148 (v4) in tests.yml - shivammathur/setup-php@v2 -> accd612 (v2) in all workflows - actions/setup-node@v4 -> 49933ea (v4) in playground-tests*.yml, wordpress-tests.yml - actions/upload-artifact@v4 -> ea165f8 (v4) in playground-tests*.yml, wordpress-tests.yml - softprops/action-gh-release@v1 -> de2c0eb (v1) in release.yml - codacy/codacy-analysis-cli-action@v4 -> 562ee3e (v4) in code-quality.yml - github/codeql-action/upload-sarif@v3 -> 603b797 (v3) in code-quality.yml - swissspidy/wp-performance-action@v2.0.3 -> b7e3ffc (v2.0.3) in playground-tests.yml - SonarSource/sonarqube-scan-action@master -> 9598b8a in sonarcloud.yml Closes #89
This commit is contained in:
GitHub
12
.github/workflows/code-quality.yml
vendored
12
.github/workflows/code-quality.yml
vendored
@@ -20,7 +20,7 @@ jobs:
|
||||
clean: 'true'
|
||||
|
||||
- name: Setup PHP
|
||||
uses: shivammathur/setup-php@v2
|
||||
uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
|
||||
with:
|
||||
php-version: '8.1'
|
||||
extensions: mbstring, intl, zip
|
||||
@@ -47,7 +47,7 @@ jobs:
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
|
||||
- name: Setup PHP
|
||||
uses: shivammathur/setup-php@v2
|
||||
uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
|
||||
with:
|
||||
php-version: '8.1'
|
||||
extensions: mbstring, intl, zip
|
||||
@@ -68,7 +68,7 @@ jobs:
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
|
||||
- name: Setup PHP
|
||||
uses: shivammathur/setup-php@v2
|
||||
uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
|
||||
with:
|
||||
php-version: '8.1'
|
||||
extensions: mbstring, intl, zip
|
||||
@@ -119,7 +119,7 @@ jobs:
|
||||
#
|
||||
# - name: SonarCloud Scan
|
||||
# if: steps.check_sonar_token.outputs.skip != 'true'
|
||||
# uses: SonarSource/sonarqube-scan-action@master
|
||||
# uses: SonarSource/sonarqube-scan-action@9598b8a83feef37de07f549027fab50ecffe6a6e # master
|
||||
# env:
|
||||
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
|
||||
@@ -152,7 +152,7 @@ jobs:
|
||||
fi
|
||||
|
||||
- name: Run Codacy Analysis CLI
|
||||
uses: codacy/codacy-analysis-cli-action@v4
|
||||
uses: codacy/codacy-analysis-cli-action@562ee3e92b8e92df8b67e0a5ff8aa8e261919c08 # v4
|
||||
with:
|
||||
project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
|
||||
verbose: true
|
||||
@@ -167,7 +167,7 @@ jobs:
|
||||
|
||||
- name: Upload SARIF results file
|
||||
if: steps.check_codacy_token.outputs.skip_upload != 'true'
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
uses: github/codeql-action/upload-sarif@603b797f8b14b413fe025cd935a91c16c4782713 # v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
continue-on-error: true
|
||||
|
||||
Reference in New Issue
Block a user