[StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
StepSecurity Bot
2024-10-16 05:53:03 +00:00
parent 8b41368e7b
commit bff82e1968
12 changed files with 78 additions and 78 deletions


@@ -29,7 +29,7 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
ref: ${{ github.ref }}
path: src/github.com/containerd/containerd
@@ -57,7 +57,7 @@ jobs:
working-directory: src/github.com/containerd/containerd
- name: Save release notes
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: containerd-release-notes
path: src/github.com/containerd/containerd/release-notes.md
@@ -93,7 +93,7 @@ jobs:
releasever="${releasever#refs/tags/}"
echo "RELEASE_VER=${releasever}" >> $GITHUB_ENV
- name: Checkout containerd
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
# Intentionally use github.repository instead of containerd/containerd to
# make this action runnable on forks.
@@ -103,10 +103,10 @@ jobs:
path: src/github.com/containerd/containerd
- name: Setup buildx instance
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with:
use: true
- uses: crazy-max/ghaction-github-runtime@v3 # sets up needed vars for caching to github
- uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3.0.0
- name: Make
shell: bash
run: |
@@ -127,7 +127,7 @@ jobs:
env:
PLATFORM: ${{ matrix.dockerfile-platform }}
- name: Save Artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: release-tars-${{env.PLATFORM_CLEAN}}
path: src/github.com/containerd/containerd/releases/*.tar.gz*
@@ -144,11 +144,11 @@ jobs:
needs: [build, check]
steps:
- name: Download builds and release notes
uses: actions/download-artifact@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: builds
- name: Create Release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
with:
token: ${{ secrets.GITHUB_TOKEN }}
fail_on_unmatched_files: true
@@ -160,6 +160,6 @@ jobs:
builds/release-tars-**/*
make_latest: false
- name: Attest Artifacts
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
with:
subject-path: ./builds/release-tars-**/*.tar.gz
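Review bot: The why-comment on the crazy-max/ghaction-github-runtime step is lost in the pinned line — the old `# sets up needed vars for caching to github` was replaced by `# v3.0.0`, so a reader no longer knows what the step is for. Keep the version tag as the trailing comment (tooling such as Dependabot updates it together with the SHA) and put the explanation on its own line above the step: `# sets up needed vars for caching to github` followed by `- uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3.0.0`. A SHA pin only stays safe while something refreshes it; unless one of the other changed files adds a Dependabot `github-actions` entry or an equivalent updater, these pins will quietly stop receiving fixes, and the `# vX.Y.Z` comments should be checked against the tagged releases before merge since nothing in the workflow verifies that a comment matches its hash. The enclosing `jobs:` mapping starts before the first hunk.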