[StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
StepSecurity Bot
2024-10-16 05:53:03 +00:00
parent 8b41368e7b
commit bff82e1968
12 changed files with 78 additions and 78 deletions


@@ -41,7 +41,7 @@ jobs:
working-directory: src/github.com/containerd/containerd
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
path: src/github.com/containerd/containerd
@@ -72,18 +72,18 @@ jobs:
echo "SSH_PUB_KEY=$(cat ~/.ssh/id_rsa.pub)" >> $GITHUB_ENV
- name: Azure Login
uses: azure/login@v2
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
creds: ${{ secrets.AZURE_CREDS }}
- name: Create Azure Resource Group
uses: azure/CLI@v1
uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with:
inlinescript: |
az group create -n ${{ env.AZURE_RESOURCE_GROUP }} -l ${{ github.event.inputs.azure_location }} --tags creationTimestamp=$(date +%Y-%m-%dT%T%z)
- name: Create Windows Helper VM
uses: azure/CLI@v1
uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with:
inlinescript: |
PASSWORD="$(/usr/bin/tr -dc "a-zA-Z0-9@#$%^&*()_+?><~\`;" < /dev/urandom | /usr/bin/head -c 24; echo '')"
@@ -98,7 +98,7 @@ jobs:
az vm open-port --resource-group ${{ env.AZURE_RESOURCE_GROUP }} --name WinDockerHelper --port 2376 --priority 102
- name: Prepare Windows image helper
uses: azure/CLI@v1
uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with:
inlinescript: |
# Installs Windows features, opens SSH and Docker port
@@ -120,7 +120,7 @@ jobs:
--parameters 'SSHPublicKey=${{ env.SSH_PUB_KEY }}'
- name: Get Windows Helper IPs
uses: azure/CLI@v1
uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with:
inlinescript: |
VM_DETAILS=$(az vm show -d -g ${{ env.AZURE_RESOURCE_GROUP }} -n WinDockerHelper -o json)
@@ -142,7 +142,7 @@ jobs:
scp -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} azureuser@${{ env.PUBLIC_IP }}:/Users/azureuser/.docker/key.pem $HOME/.docker/key.pem
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -161,7 +161,7 @@ jobs:
- name: Cleanup resources
if: always()
uses: azure/CLI@v1
uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with:
inlinescript: |
az group delete -g ${{ env.AZURE_RESOURCE_GROUP }} --yes
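Review bot: The `# v4.2.1`-style trailing comments beside the new SHA pins on lines 17, 24, 29, 35, 43, 51, 59 and 67 are the only record of which release each commit corresponds to, and nothing in the workflow checks that a comment still matches its SHA, so a later hand edit can silently leave the two out of sync. A SHA-pinned `uses:` also stops following the upstream tag, so unless this repository already has a Dependabot or Renovate configuration for the `github-actions` ecosystem (not visible in this diff), these pins will never be bumped again and the workflow will keep running whatever was current on 2024-10-16; the usual companion to this change is a `package-ecosystem: "github-actions"` entry in `.github/dependabot.yml`, which rewrites both the SHA and the version comment together. Note that the same `azure/CLI` pin is repeated five times in this file, so any update tool must be allowed to touch every occurrence in one change. The job definitions these steps belong to start before the first hunk and the final `Cleanup resources` step may continue past the last visible line.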