[StepSecurity] ci: Harden GitHub Actions (AcademySoftwareFoundation#1707

) Signed-off-by: StepSecurity Bot <[email protected]>
mtpgrafx · Apr 9, 2024 · 7a31cd5 · 7a31cd5
1 parent 6c12cc1
commit 7a31cd5
Show file tree

Hide file tree

Showing 12 changed files with 45 additions and 45 deletions.
diff --git a/.github/workflows/analysis_workflow.yml b/.github/workflows/analysis_workflow.yml
@@ -39,7 +39,7 @@ jobs:
       - name: Setup container
         run: sudo rm -rf /usr/local/lib64/cmake/glew
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 50
       - name: Create build directories
@@ -109,7 +109,7 @@ jobs:
       - name: Setup container
         run: sudo rm -rf /usr/local/lib64/cmake/glew
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 50
       - name: Create build directories
@@ -188,7 +188,7 @@ jobs:
       - name: Setup container
         run: sudo rm -rf /usr/local/lib64/cmake/glew
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 50
       - name: Create build directories

diff --git a/.github/workflows/bazel_build.yml b/.github/workflows/bazel_build.yml
@@ -45,10 +45,10 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-    - uses: actions/[email protected]
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Mount Bazel cache
-      uses: actions/[email protected]
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       with:
         path: "/home/runner/.cache/bazel"
         key: bazel-ubuntu-22
@@ -63,10 +63,10 @@ jobs:
     runs-on: windows-2022
 
     steps:
-    - uses: actions/[email protected]
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Mount Bazel cache
-      uses: actions/[email protected]
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       with:
         path: "/home/runner/.cache/bazel"
         key: bazel-windows-2022
@@ -81,10 +81,10 @@ jobs:
     runs-on: macos-13
 
     steps:
-    - uses: actions/[email protected]
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Mount Bazel cache
-      uses: actions/[email protected]
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       with:
         path: "/home/runner/.cache/bazel"
         key: bazel-macos-13
@@ -99,10 +99,10 @@ jobs:
     runs-on: macos-14
 
     steps:
-    - uses: actions/[email protected]
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Mount Bazel cache
-      uses: actions/[email protected]
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       with:
         path: "/home/runner/.cache/bazel"
         key: bazel-macos-14

diff --git a/.github/workflows/ci_workflow.yml b/.github/workflows/ci_workflow.yml
@@ -225,7 +225,7 @@ jobs:
       CC: ${{ matrix.cc-compiler }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Create build directories
         run: |
           mkdir _install
@@ -359,7 +359,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Create build directories
         run: |
           mkdir _install
@@ -487,7 +487,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Create build directories
         run: |
           mkdir _install

diff --git a/.github/workflows/ossfuzz_workflow.yml b/.github/workflows/ossfuzz_workflow.yml
@@ -41,20 +41,20 @@ jobs:
     steps:
     - name: Build Fuzzers
       id: build
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@32f1d4deadc82279ec9001a837f2424e185c69a2 # master
       with:
         oss-fuzz-project-name: 'openexr'
         dry-run: false
         language: c++
     - name: Run Fuzzers
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@32f1d4deadc82279ec9001a837f2424e185c69a2 # master
       with:
         oss-fuzz-project-name: 'openexr'
         fuzz-seconds: 300
         dry-run: false
         language: c++
     - name: Upload Crash
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts

diff --git a/.github/workflows/python-wheels-publish-test.yml b/.github/workflows/python-wheels-publish-test.yml
@@ -33,10 +33,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install Python 
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '3.x'
 
@@ -48,7 +48,7 @@ jobs:
         run: pipx run build --sdist . --outdir wheelhouse
 
       - name: Build wheel
-        uses: pypa/[email protected]
+        uses: pypa/cibuildwheel@8d945475ac4b1aac4ae08b2fd27db9917158b6ce # v2.17.0
         with:
           output-dir: wheelhouse
         env:
@@ -62,7 +62,7 @@ jobs:
           CIBW_ENVIRONMENT: OPENEXR_RELEASE_CANDIDATE_TAG="${{ github.ref_name }}"
 
       - name: Upload artifact
-        uses: actions/[email protected]
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: wheels-${{ matrix.os }}
           path: |
@@ -84,21 +84,21 @@ jobs:
 
     steps:
     - name: Download Linux artifacts
-      uses: actions/[email protected]
+      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
       with:
         name: wheels-ubuntu-latest
         path: dist
     - name: Download macOS artifacts
-      uses: actions/[email protected]
+      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
       with:
         name: wheels-macos-latest
         path: dist
     - name: Download Windows artifacts
-      uses: actions/[email protected]
+      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
       with:
         name: wheels-windows-latest
         path: dist
     - name: Publish distribution 📦 to TestPyPI
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # release/v1
       with:
         repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/python-wheels-publish.yml b/.github/workflows/python-wheels-publish.yml
@@ -29,10 +29,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install Python 
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '3.x'
 
@@ -42,7 +42,7 @@ jobs:
         run: pipx run build --sdist . --outdir wheelhouse
 
       - name: Build wheel
-        uses: pypa/[email protected]
+        uses: pypa/cibuildwheel@8d945475ac4b1aac4ae08b2fd27db9917158b6ce # v2.17.0
         with:
           output-dir: wheelhouse
         env:
@@ -56,7 +56,7 @@ jobs:
           CIBW_TEST_SKIP: "*arm64"
 
       - name: Upload artifact
-        uses: actions/[email protected]
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: wheels-${{ matrix.os }}
           path: |
@@ -78,19 +78,19 @@ jobs:
 
     steps:
     - name: Download Linux artifacts
-      uses: actions/[email protected]
+      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
       with:
         name: wheels-ubuntu-latest
         path: dist
     - name: Download macOS artifacts
-      uses: actions/[email protected]
+      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
       with:
         name: wheels-macos-latest
         path: dist
     - name: Download Windows artifacts
-      uses: actions/[email protected]
+      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
       with:
         name: wheels-windows-latest
         path: dist
     - name: Publish distribution 📦 to PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # release/v1
diff --git a/.github/workflows/python-wheels.yml b/.github/workflows/python-wheels.yml
@@ -42,10 +42,10 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install Python 
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '3.x'
 
@@ -55,7 +55,7 @@ jobs:
         run: pipx run build --sdist . --outdir wheelhouse
 
       - name: Build wheel
-        uses: pypa/[email protected]
+        uses: pypa/cibuildwheel@8d945475ac4b1aac4ae08b2fd27db9917158b6ce # v2.17.0
         env:
           CIBW_ARCHS_MACOS: x86_64 arm64 universal2
           # Skip python 3.6 since scikit-build-core requires 3.7+
@@ -65,7 +65,7 @@ jobs:
           CIBW_TEST_SKIP: "*-macosx*arm64"
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: wheels-${{ matrix.os }}
           path: |

diff --git a/.github/workflows/release-notice.yml b/.github/workflows/release-notice.yml
@@ -25,7 +25,7 @@ jobs:
         slack_bot_token: ${{ secrets.SLACK_BOT_TOKEN }}
         slack_channel: "#release-announcements"
         project_logo: "https://artwork.aswf.io/projects/openexr/icon/color/openexr-icon-color.png"
-      uses: jmertic/slack-release-notifier@main
+      uses: jmertic/slack-release-notifier@fbbf40c3020ca7707ae09ff9160206381c592fd7 # main
 
     - name: 'Notify Slack #openexr'
       id: slack2
@@ -34,5 +34,5 @@ jobs:
         slack_bot_token: ${{ secrets.SLACK_BOT_TOKEN }}
         slack_channel: "#openexr"
         project_logo: "https://artwork.aswf.io/projects/openexr/icon/color/openexr-icon-color.png"
-      uses: jmertic/slack-release-notifier@main
+      uses: jmertic/slack-release-notifier@fbbf40c3020ca7707ae09ff9160206381c592fd7 # main
 
diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml
@@ -49,13 +49,13 @@ jobs:
         shell: bash
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: Create archive
         run: git archive --format=tar.gz -o ${OPENEXR_TARBALL} --prefix ${OPENEXR_PREFIX} ${TAG}
 
       - name: Sign archive with Sigstore
-        uses: sigstore/[email protected]
+        uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2 # v2.1.1
         with:
           inputs: ${{ env.OPENEXR_TARBALL }}
 

diff --git a/.github/workflows/snyk-scan-cron.yml b/.github/workflows/snyk-scan-cron.yml
@@ -17,9 +17,9 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'AcademySoftwareFoundation/openexr'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: snyk/actions/setup@master
+      - uses: snyk/actions/setup@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8 # master
         id: snyk
 
       - name: Snyk version

diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
@@ -54,7 +54,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Create build directory
         run: mkdir _build
       - name: Install doxygen

diff --git a/.github/workflows/website_preview_link.yml b/.github/workflows/website_preview_link.yml
@@ -27,7 +27,7 @@ jobs:
   pull-request-links:
     runs-on: ubuntu-latest
     steps:
-      - uses: readthedocs/actions/preview@v1
+      - uses: readthedocs/actions/preview@cc0920454cf03ca8a3fbd3cbaa2ce2e509e70636 # v1.2
         with:
           project-slug: "openexr"
           message-template: "Website preview: {docs-pr-index-url}"