Pin non-immutable Actions to latest SHA and remediate dependency vuln…

…erability (#720) * Update vulnerable dependency Signed-off-by: Brett Logan <[email protected]> * Pin non-immutable Actions in deploy-k8s Signed-off-by: Brett Logan <[email protected]> * Pin non-immutable Actions in rc-release Signed-off-by: Brett Logan <[email protected]> * Pin non-immutable Actions in create-pre-release Signed-off-by: Brett Logan <[email protected]> * Pin non-immutable Actions in create-release Signed-off-by: Brett Logan <[email protected]> * Remove dead reusable workflow Signed-off-by: Brett Logan <[email protected]> * Add workflow permissions Signed-off-by: Brett Logan <[email protected]> --------- Signed-off-by: Brett Logan <[email protected]>
github · Dec 26, 2024 · c1bc922 · c1bc922
1 parent c1ee48c
commit c1bc922
Show file tree

Hide file tree

Showing 8 changed files with 74 additions and 99 deletions.
diff --git a/.github/actions/codeql-analysis/action.yml b/.github/actions/codeql-analysis/action.yml
diff --git a/.github/workflows/create-pre-release.yml b/.github/workflows/create-pre-release.yml
@@ -31,6 +31,10 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
   build:
     if: ${{ github.actor != 'dependabot'}}
@@ -46,15 +50,15 @@ jobs:
           cache: 'npm'
       - run: npm install
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
       - name: Log in to the Container registry
-        uses: docker/login-action@v3 
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile
@@ -73,15 +77,15 @@ jobs:
       - run: echo "${{ github.ref }}"
       - name: Tag a final release 
         id: prerelease
-        uses: actionsdesk/semver@0.6.0-rc.10
+        uses: actionsdesk/semver@82aa4310e4e21c59cd0020007a4278e733e81dcb
         with:
           bump: ${{ inputs.bump }}
           prerelease: ${{ inputs.prerelease }}
           prelabel: ${{ inputs.prelabel }}
           commitish: ${{ github.ref }}
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile

diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -9,6 +9,10 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
   build:
     if: ${{ github.actor != 'dependabot'}}
@@ -24,15 +28,15 @@ jobs:
           cache: "npm"
       - run: npm install
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
       - name: Log in to the Container registry
-        uses: docker/login-action@v3 
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile
@@ -50,12 +54,12 @@ jobs:
           curl http://localhost:3000
       - name: Tag a final release
         id: finalrelease
-        uses: actionsdesk/semver@0.6.0-rc.10
+        uses: actionsdesk/semver@82aa4310e4e21c59cd0020007a4278e733e81dcb
         with:
           bump: final
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile

diff --git a/.github/workflows/deploy-k8s.yml b/.github/workflows/deploy-k8s.yml
@@ -29,27 +29,27 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - uses: azure/login@v2
+      - uses: azure/login@a65d910e8af852a8061c627c456678983e180302
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
-      - uses: azure/aks-set-context@v4
+      - uses: azure/aks-set-context@feeca6405be94202afcb1c395616ff29b1811b9f
         with:
           resource-group: ${{env.AZURE_RESOURCE_GROUP}}
           cluster-name: ${{env.AZURE_AKS_CLUSTER}}
         id: login
       - run: |
           kubectl get deployment
       - name: app-env
-        uses: azure/k8s-create-secret@v5
+        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218
         with:
           namespace: 'default'
           secret-type: 'generic'
           arguments:  --from-literal=APP_ID=${{ secrets.APP_ID }} --from-literal=PRIVATE_KEY=${{ secrets.PRIVATE_KEY }} --from-literal=WEBHOOK_SECRET=${{ secrets.WEBHOOK_SECRET }}
           secret-name: app-env
       - name: Set imagePullSecret
-        uses: azure/k8s-create-secret@v5
+        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218
         with:
           namespace: ${{env.AZURE_AKS_NAMESPACE}}
           container-registry-url: ${{env.IMAGE_REGISTRY_URL}}

diff --git a/.github/workflows/node-ci.yml b/.github/workflows/node-ci.yml
@@ -2,6 +2,9 @@ name: Node.js CI
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

diff --git a/.github/workflows/rc-release.yml b/.github/workflows/rc-release.yml
@@ -35,7 +35,7 @@ jobs:
     - name: Tag a rc release 
       if: ${{ !github.event.pull_request.head.repo.fork }}
       id: rcrelease
-      uses: actionsdesk/semver@0.6.0-rc.10
+      uses: actionsdesk/semver@82aa4310e4e21c59cd0020007a4278e733e81dcb
       with:
         prerelease: withBuildNumber
         prelabel: rc
@@ -60,23 +60,23 @@ jobs:
       - run: echo ${{ github.actor }}
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
       - name: Build and push Docker image
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           push: true

diff --git a/package-lock.json b/package-lock.json