Pin actions to commit SHA (#10204)

## Summary This pull request is created by [Secure Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass. Please merge the Pull Request to incorporate the requested changes. Please tag @zwass on your message if you have any questions related to the PR. You can also engage with the [StepSecurity](https://github.com/step-security) team by tagging @step-security-bot. ## Security Fixes ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ## Feedback For bug reports, feature requests, and general feedback; please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo). To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2026-05-24 01:18:42 +00:00 · 2023-02-28 17:55:38 -08:00 · 2023-02-28 17:55:38 -08:00 · 2154c13865
commit 2154c13865
parent e28288a618
7 changed files with 10 additions and 10 deletions
--- a/.github/workflows/build-and-push-fleetctl-docker.yml
+++ b/.github/workflows/build-and-push-fleetctl-docker.yml
@ -56,7 +56,7 @@ jobs:

      - name: Push To quay.io
        id: push-to-quay
-        uses: redhat-actions/push-to-registry@v2
+        uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
        with:
          image: fleetdm/fleetctl
          tags: ${{ inputs.image_tag }}
--- a/.github/workflows/deploy-fleet-website.yml
+++ b/.github/workflows/deploy-fleet-website.yml
@ -54,7 +54,7 @@ jobs:

    # Install the right version of Go for the Golang child process that we are currently using for CSR signing
    - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
      with:
        go-version: 1.19

--- a/.github/workflows/dogfood-deploy.yml
+++ b/.github/workflows/dogfood-deploy.yml
@ -49,11 +49,11 @@ jobs:
      - id: fail-on-main
        run: "false"
        if: ${{ github.ref == 'main' }}
-      - uses: aws-actions/configure-aws-credentials@v1
+      - uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
        with:
          role-to-assume: ${{env.AWS_IAM_ROLE}}
          aws-region: ${{ env.AWS_REGION }}
-      - uses: hashicorp/setup-terraform@v2
+      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
        with:
          terraform_version: 1.0.4
          terraform_wrapper: false
--- a/.github/workflows/goreleaser-fleet.yaml
+++ b/.github/workflows/goreleaser-fleet.yaml
@ -64,7 +64,7 @@ jobs:

      - name: Push To quay.io
        id: push-to-quay
-        uses: redhat-actions/push-to-registry@v2
+        uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
        with:
          image: fleetdm/fleet
          tags: ${{ steps.docker.outputs.TAG }}
--- a/.github/workflows/goreleaser-snapshot-fleet.yaml
+++ b/.github/workflows/goreleaser-snapshot-fleet.yaml
@ -65,7 +65,7 @@ jobs:

      - name: Push To quay.io
        id: push-to-quay
-        uses: redhat-actions/push-to-registry@v2
+        uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
        with:
          image: fleetdm/fleet
          tags: ${{ steps.docker.outputs.TAG }}
--- a/.github/workflows/tfvalidate.yml
+++ b/.github/workflows/tfvalidate.yml
@ -34,7 +34,7 @@ jobs:
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

      - name: Install terraform
-        uses: hashicorp/setup-terraform@v2.0.0
+        uses: hashicorp/setup-terraform@17d4c9b8043b238f6f35641cdd8433da1e6f3867 # v2.0.0
        with:
          terraform_version: 1.3.0

--- a/.github/workflows/trivy_scan.yml
+++ b/.github/workflows/trivy_scan.yml
@ -9,10 +9,10 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252 # master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
@ -24,6 +24,6 @@ jobs:
          security-checks: 'vuln'

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
        with:
          sarif_file: 'trivy-results.sarif'