This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/shiro.git
The following commit(s) were added to refs/heads/main by this push:
new 969a17ff [StepSecurity] ci: Harden GitHub Actions
new 42ba52d0 Merge pull request #706 from
step-security-bot/stepsecurity_remediation_1675147592
969a17ff is described below
commit 969a17ff98f410fcbaf934c172e98e738183293b
Author: StepSecurity Bot <[email protected]>
AuthorDate: Tue Jan 31 06:46:35 2023 +0000
[StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot <[email protected]>
---
.github/workflows/codeql.yml | 11 +++++++----
.github/workflows/maven.yml | 10 +++++-----
2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e3f74515..0326919e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -37,6 +37,9 @@ on:
schedule:
- cron: '41 11 * * 6'
+permissions:
+ contents: read
+
jobs:
analyze:
name: Analyze
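Review bot: The new top-level `permissions: contents: read` is tighter than what the CodeQL upload needs: the `Perform CodeQL Analysis` step later in this file uploads SARIF to code scanning, which requires `security-events: write` (and `actions: read` on private repositories), so the `analyze` job must widen the grant at job level or the upload step fails with a 403. A job-level `permissions:` block, if present, would sit just below this hunk and is not visible here; if it is missing, add under `analyze:` the lines `permissions:`, `  contents: read`, `  security-events: write`. The top-level block is still worth keeping as the default for any job added later.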
@@ -57,7 +60,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Cache local Maven repository
uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 #v3.2.4
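Review bot: A SHA pin only stays meaningful if something bumps it, and nothing in this commit does: the `# v3.3.0` trailer on the new checkout line is the only link between `ac593985…` and a release, and GitHub does not check it. If `.github/dependabot.yml` does not already contain a `package-ecosystem: github-actions` entry (not visible here), add one so these pins and their version comments are kept current; otherwise the workflow silently stays on v3.3.0 indefinitely. The comment style should also be uniform — the cache pin on the following context line uses `#v3.2.4` while the new lines use `# v3.3.0` — since an updater that reads the comment to learn the current version may be sensitive to the form.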
@@ -68,7 +71,7 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
# v2.2.1
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a
config file.
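Review bot: The SHA on the new `init` line cannot be checked from the diff — the `# v2.2.1` trailer is free text written by the bot — so the reviewer should confirm it before merging, e.g. `git ls-remote --tags https://github.com/github/codeql-action v2.2.1` and compare the dereferenced tag commit with `3ebbd71c…`. The same SHA is reused for the `autobuild` and `analyze` steps further down, which is correct: the three codeql-action sub-actions must run from one commit, so any future bump has to change all three together. A comment above this first pin such as `# keep init/autobuild/analyze on the same codeql-action commit` would record that constraint for the next person who bumps one of them.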
@@ -82,7 +85,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or
Java).
# If this step fails, then you should remove it and run the build manually
(see below)
- name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses:
github/codeql-action/autobuild@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # v2.2.1
# âšī¸ Command-line programs to run using the OS shell.
# đ See
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -95,6 +98,6 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses:
github/codeql-action/analyze@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # v2.2.1
with:
category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 3f874ef3..3b6cc00b 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -30,10 +30,10 @@ jobs:
steps:
- name: Checkout
- uses: actions/[email protected]
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c #
v3.3.0
- name: Set up JDK
- uses: actions/setup-java@v3
+ uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b #
v3.9.0
with:
java-version: 11
distribution: temurin
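Review bot: Unlike codeql.yml, maven.yml gets no `permissions:` block in this commit, so unless one already exists above this hunk (not visible here) the jobs run with the repository's default `GITHUB_TOKEN` grants, which on older repositories are read/write across most scopes. A build-and-test workflow needs only `contents: read`; add at the top level of the file `permissions:` and `  contents: read`, and scope anything wider to the single job that needs it. The action pins themselves are consistent with the codeql.yml change.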
@@ -75,10 +75,10 @@ jobs:
steps:
- name: Checkout
- uses: actions/[email protected]
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c #
v3.3.0
- name: Set up JDK
- uses: actions/setup-java@v3
+ uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b #
v3.9.0
with:
java-version: ${{ matrix.jdk }}
distribution: ${{ matrix.dist }}
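Review bot: The pinned checkout on the new `actions/checkout@ac593985…` line still runs with its default `persist-credentials: true`, which leaves the `GITHUB_TOKEN` in `.git/config` for the rest of the job, where Maven plugins, tests or a compromised dependency can read it. The remainder of this job is outside the hunk, but a matrix build job normally has no reason to push, so add `with:` and `  persist-credentials: false` to the checkout step (the first job's checkout above has the same issue). This removes the token from the workspace without affecting the build.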
@@ -96,7 +96,7 @@ jobs:
-Pskip_jakarta_ee_tests
- name: Archive test run logs
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
# v3.1.2
if: always()
with:
name: test-logs-${{ matrix.os }}-${{ matrix.jdk }}-${{ matrix.dist }}