
chore: pin workflows dependencies #2208

Merged

Conversation

step-security-bot (Contributor)

Summary

This pull request is created by Secure Repo at the request of @prisis. Please merge the Pull Request to incorporate the requested changes. Please tag @prisis on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit.

Feedback

For bug reports, feature requests, and general feedback, please create an issue in step-security/secure-repo. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
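The bot's summary recommends pinning every action to a full-length commit SHA. As an added example, not code from the faker-js repository or from StepSecurity's tooling, here is a small JavaScript check (faker's own language) that audits a workflow's `uses:` lines and reports any reference still on a mutable tag or branch. The sample workflow and its 40-character SHAs are constructed placeholders, not real commits; the function and constant names are this example's own.

```javascript
// Added example, not code from faker-js or StepSecurity: audit a GitHub
// Actions workflow for `uses:` references that are not pinned to a full
// 40-character commit SHA. Tags and branches are mutable, so `@v3` or
// `@main` can start resolving to different code without any change in the
// workflow file; a commit SHA cannot. Local (`./...`) and `docker://`
// references are reported but not judged, since SHA pinning applies only
// to actions fetched from GitHub.

const FULL_SHA = /^[0-9a-f]{40}$/;
// Matches `uses: owner/repo@ref` or `- uses: 'owner/repo@ref'`, with an
// optional trailing `# comment`. A line-based match is sufficient for this
// gate; a real YAML parser would be needed for flow-style or multi-line steps.
const USES_LINE = /^\s*-?\s*uses:\s*(['"]?)([^'"#\s]+)\1\s*(#.*)?$/;

function classifyUses(ref, comment) {
  if (ref.startsWith('./')) return { ref, status: 'local' };
  if (ref.startsWith('docker://')) return { ref, status: 'docker' };
  const at = ref.lastIndexOf('@');
  if (at === -1) return { ref, status: 'unpinned', reason: 'no @ref given' };
  const version = ref.slice(at + 1);
  if (!FULL_SHA.test(version)) {
    return { ref, status: 'unpinned', reason: `mutable ref "${version}"` };
  }
  // Convention used by StepSecurity and Renovate: keep the human-readable
  // version in a trailing comment so reviewers can still read it while
  // tooling bumps the SHA. Its absence is a warning, not a failure.
  if (!comment || !/\d/.test(comment)) {
    return { ref, status: 'pinned', warning: 'no version comment after SHA' };
  }
  return { ref, status: 'pinned' };
}

// Returns one finding per `uses:` line, in file order, with 1-based line numbers.
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split('\n').forEach((line, index) => {
    const m = USES_LINE.exec(line);
    if (m) findings.push({ line: index + 1, ...classifyUses(m[2], m[3]) });
  });
  return findings;
}

// CI gate: true only when every GitHub-hosted action is SHA-pinned.
function isFullyPinned(yamlText) {
  return auditWorkflow(yamlText).every((f) => f.status !== 'unpinned');
}

// Constructed sample workflow; the SHAs are placeholders, not real commits.
const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.6.0
      - uses: pnpm/action-setup@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: codecov/codecov-action@fedcba9876543210fedcba9876543210fedcba98
`;

for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  const extra = (f.reason ? ` (${f.reason})` : '') + (f.warning ? ` [${f.warning}]` : '');
  console.log(`line ${f.line}: ${f.status.padEnd(8)} ${f.ref}${extra}`);
}
console.log(isFullyPinned(SAMPLE_WORKFLOW) ? 'all actions pinned' : 'unpinned actions found');
```

Run against the sample, the check flags `actions/checkout@v3` and `pnpm/action-setup@main` as unpinned and warns that the codecov line has no version comment. Whether Renovate then keeps the pinned SHAs current, which is the question raised later in this thread, is a separate setting: Renovate's `helpers:pinGitHubActionDigests` preset is the one that turns on digest pinning for the github-actions manager.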
@step-security-bot step-security-bot requested a review from a team as a code owner June 12, 2023 09:00
@prisis prisis changed the title [StepSecurity] ci: Harden GitHub Actions chore: [StepSecurity] ci: Harden GitHub Actions Jun 12, 2023
@prisis prisis added c: chore PR that doesn't affect the runtime behavior s: needs decision Needs team/maintainer decision labels Jun 12, 2023
@prisis prisis changed the title chore: [StepSecurity] ci: Harden GitHub Actions chore: [StepSecurity] Pin Dependencies on the workflows Jun 12, 2023
ST-DDT (Member) left a comment

Please also add the required renovate config.

codecov bot commented Jun 12, 2023

Codecov Report

Merging #2208 (a9e1443) into next (82f1fd3) will decrease coverage by 0.01%.
The diff coverage is n/a.

Additional details and impacted files
@@            Coverage Diff             @@
##             next    #2208      +/-   ##
==========================================
- Coverage   99.60%   99.59%   -0.01%     
==========================================
  Files        2641     2641              
  Lines      245760   245760              
  Branches     1157     1155       -2     
==========================================
- Hits       244783   244766      -17     
- Misses        950      967      +17     
  Partials       27       27              

see 1 file with indirect coverage changes

varunsh-coder commented

Please also add the required renovate config.

I am not an expert in renovate config, but I believe the default config:base should cause Actions to be updated, so no change should be needed to the renovate config. I found a few examples, and this is one of them:
https://github.com/target/flottbot/blob/main/.github/renovate.json
target/flottbot#465

prisis (Member) commented Jun 12, 2023

It looks like it's there (renovatebot/renovate#12488), but somehow I'm not sure myself, so I added it to the config.

@ST-DDT ST-DDT added s: accepted Accepted feature / Confirmed bug p: 1-normal Nothing urgent and removed s: needs decision Needs team/maintainer decision labels Jul 13, 2023
ST-DDT (Member) commented Jul 13, 2023

Team Decision

We will give this a try.

@ST-DDT ST-DDT requested review from a team July 13, 2023 17:07
@ST-DDT ST-DDT changed the title chore: [StepSecurity] Pin Dependencies on the workflows chore: pin workflows dependencies Jul 13, 2023
@ST-DDT ST-DDT merged commit 348c0da into faker-js:next Jul 13, 2023
Labels
c: chore PR that doesn't affect the runtime behavior p: 1-normal Nothing urgent s: accepted Accepted feature / Confirmed bug
6 participants