From a5097422a4f18adb1d10e8dde05350d4936cd50a Mon Sep 17 00:00:00 2001
From: Codacy Security Bot
Date: Tue, 24 Mar 2026 17:40:01 +0000
Subject: [PATCH] Security: pin GitHub Actions to SHA hashes
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
---
 .github/workflows/auto-merge.yml | 2 +-
 .github/workflows/codeql.yml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 5d5d5301d..b4198e6bb 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - name: Fetch Dependabot metadata
 id: dependabot-metadata
- uses: dependabot/fetch-metadata@v1
+ uses: dependabot/fetch-metadata@8348ea7f5d949b08c7f125a44b569c9626b05db3 # v1
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Approve PR
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9041ade65..6ddf5af13 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -24,18 +24,18 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
 with:
 languages: ${{ matrix.language }}
 queries: +security-and-quality
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
 with:
 category: "/language:${{ matrix.language }}"
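Review bot: The trailing comment on the new `uses:` line in auto-merge.yml records only the major line (`# v1`), so nobody reading the workflow, and no automated updater, can tell which release the hash `8348ea7f5d949b08c7f125a44b569c9626b05db3` is meant to be; the same applies to the four `# v2`/`# v3` comments in codeql.yml. Since the pin was generated by a bot, the hash is itself a new trust point: before merging, resolve it on the upstream repository and confirm it is the commit behind a signed/released tag, then write that full tag in the comment, e.g. `uses: dependabot/fetch-metadata@8348ea7f5d949b08c7f125a44b569c9626b05db3 # vX.Y.Z (tag verified upstream)` with the real tag substituted. The enclosing `jobs:` mapping starts outside the hunk.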
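Review bot: Pinning `actions/checkout` on the v3 line and `github/codeql-action` on the v2 line freezes the workflow on major versions that have had successors (checkout v4, codeql-action v3) for some time, and a SHA pin no longer follows the moving tag, so security fixes on those actions will not arrive unless something bumps the hash. Confirm that `.github/dependabot.yml` (not visible here) lists `package-ecosystem: github-actions`, or that another updater tracks these pins; otherwise the pins silently go stale, which trades one supply-chain risk for another. If those major lines are already unmaintained, bumping to the current line and pinning that SHA would be the better change. The enclosing `jobs:` mapping starts outside the hunk.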