[StepSecurity] ci: Harden GitHub Actions (#1698)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2025-02-05 16:56:30 -08:00 · 2025-02-05 16:56:30 -08:00 · 69fc24ac67
parent 5ac63800fd
commit 69fc24ac67
16 changed files with 53 additions and 53 deletions
--- a/.github/workflows/assign-reviewers.yml
+++ b/.github/workflows/assign-reviewers.yml
@ -12,6 +12,6 @@ jobs:
  assign-reviewers:
    runs-on: ubuntu-latest
    steps:
-      - uses: open-telemetry/assign-reviewers-action@main
+      - uses: open-telemetry/assign-reviewers-action@b101a9c17274e3d4fff0853898007e9e3a366675 # main
        with:
          config-file: .github/component_owners.yml
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -16,7 +16,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # history is needed to run git cherry-pick below
          fetch-depth: 0
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -16,16 +16,16 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up JDK for running Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          distribution: temurin
          java-version: 17

      - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
        with:
          cache-read-only: ${{ github.event_name == 'pull_request' }}
      - name: Gradle build and test
@ -43,24 +43,24 @@ jobs:
          - 20
      fail-fast: false
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - id: setup-test-java
        name: Set up JDK ${{ matrix.test-java-version }} for running tests
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          # using zulu because new releases get published quickly
          distribution: zulu
          java-version: ${{ matrix.test-java-version }}

      - name: Set up JDK for running Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          distribution: temurin
          java-version: 17

      - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
        with:
          cache-read-only: ${{ github.event_name == 'pull_request' }}
      - name: Gradle test
@ -73,16 +73,16 @@ jobs:
  integration-test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up JDK for running Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          distribution: temurin
          java-version: 17

      - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
        with:
          cache-read-only: ${{ github.event_name == 'pull_request' }}

@ -90,7 +90,7 @@ jobs:
        run: ./gradlew integrationTest

      - name: Save integration test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        if: always()
        with:
          name: integration-test-results
@ -125,16 +125,16 @@ jobs:
      - integration-test
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up JDK for running Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          distribution: temurin
          java-version: 17

      - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
        # skipping release branches because the versions in those branches are not snapshots
        # (also this skips pull requests)
        if: ${{ github.ref_name == 'main' && github.repository == 'open-telemetry/opentelemetry-java-contrib' }}
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -27,19 +27,19 @@ jobs:
      security-events: write  # for github/codeql-action/analyze to upload SARIF results
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up Java 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          distribution: temurin
          java-version: 17

      - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
        with:
          languages: java, actions
          # using "latest" helps to keep up with the latest Kotlin support
@ -53,7 +53,7 @@ jobs:
        run: ./gradlew assemble --no-build-cache --no-daemon

      - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8

  workflow-notification:
    needs:
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@ -11,6 +11,6 @@ jobs:
  gradle-wrapper-validation:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - uses: gradle/actions/wrapper-validation@v4.2.2
+      - uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
--- a/.github/workflows/issue-management-feedback-label.yml
+++ b/.github/workflows/issue-management-feedback-label.yml
@ -11,7 +11,7 @@ jobs:
      github.event.comment.user.login == github.event.issue.user.login
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Remove label
        env:
--- a/.github/workflows/issue-management-stale-action.yml
+++ b/.github/workflows/issue-management-stale-action.yml
@ -9,7 +9,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: 7
--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@ -19,7 +19,7 @@ jobs:
      # Needed for GitHub OIDC token if publish_results is true
      id-token: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

@ -33,7 +33,7 @@ jobs:
      # uploads of run results in SARIF format to the repository Actions tab.
      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
      - name: "Upload artifact"
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: SARIF file
          path: results.sarif
@ -42,6 +42,6 @@ jobs:
      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
        with:
          sarif_file: results.sarif
--- a/.github/workflows/prepare-patch-release.yml
+++ b/.github/workflows/prepare-patch-release.yml
@ -6,7 +6,7 @@ jobs:
  prepare-patch-release:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - run: |
          if [[ ! $GITHUB_REF_NAME =~ ^release/v[0-9]+\.[0-9]+\.x$ ]]; then
--- a/.github/workflows/prepare-release-branch.yml
+++ b/.github/workflows/prepare-release-branch.yml
@ -6,7 +6,7 @@ jobs:
  prereqs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Verify prerequisites
        run: |
@ -25,7 +25,7 @@ jobs:
    needs:
      - prereqs
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Create release branch
        run: |
@ -74,7 +74,7 @@ jobs:
    needs:
      - prereqs
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set environment variables
        run: |
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -6,20 +6,20 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up JDK for running Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          distribution: temurin
          java-version: 17

      - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
      - name: Gradle build
        run: ./gradlew build

-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        name: Save unit test results
        if: always()
        with:
@ -29,20 +29,20 @@ jobs:
  integration-test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up JDK for running Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          distribution: temurin
          java-version: 17

      - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
      - name: Integration test
        run: ./gradlew integrationTest

-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        name: Save integration test results
        if: always()
        with:
@ -63,7 +63,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set environment variables
        run: |
@ -92,7 +92,7 @@ jobs:

        # check out main branch to verify there won't be problems with merging the change log
        # at the end of this workflow
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: main

@ -107,19 +107,19 @@ jobs:
          fi

        # back to the release branch
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # tags are needed for the generate-release-contributors.sh script
          fetch-depth: 0

      - name: Set up JDK for running Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          distribution: temurin
          java-version: 17

      - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
      - name: Build and publish artifacts
        run: ./gradlew assemble publishToSonatype closeAndReleaseSonatypeStagingRepository
        env:
@ -190,7 +190,7 @@ jobs:
    needs:
      - release
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Copy change log section from release branch
        env:
@ -199,7 +199,7 @@ jobs:
          sed -n "0,/^## Version $VERSION /d;/^## Version /q;p" CHANGELOG.md \
            > /tmp/changelog-section.md

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: main

--- a/.github/workflows/reusable-markdown-link-check.yml
+++ b/.github/workflows/reusable-markdown-link-check.yml
@ -7,9 +7,9 @@ jobs:
  markdown-link-check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - uses: lycheeverse/lychee-action@v2
+      - uses: lycheeverse/lychee-action@f613c4a64e50d792e0b31ec34bbcbba12263c6a6 # v2.3.0
        with:
          # excluding links to pull requests and issues is done for performance
          args: >
--- a/.github/workflows/reusable-markdown-lint.yml
+++ b/.github/workflows/reusable-markdown-lint.yml
@ -7,7 +7,7 @@ jobs:
  markdown-lint-check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install markdownlint
        run: npm install -g markdownlint-cli
--- a/.github/workflows/reusable-misspell-check.yml
+++ b/.github/workflows/reusable-misspell-check.yml
@ -7,7 +7,7 @@ jobs:
  misspell-check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install misspell
        run: |
--- a/.github/workflows/reusable-shell-script-check.yml
+++ b/.github/workflows/reusable-shell-script-check.yml
@ -7,7 +7,7 @@ jobs:
  shell-script-check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install shell check
        run: wget -qO- "https://github.com/koalaman/shellcheck/releases/download/stable/shellcheck-stable.linux.x86_64.tar.xz" | tar -xJv
--- a/.github/workflows/reusable-workflow-notification.yml
+++ b/.github/workflows/reusable-workflow-notification.yml
@ -13,7 +13,7 @@ jobs:
  workflow-notification:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Open issue or add comment if issue already open
        env: