[StepSecurity] ci: Harden GitHub Actions (#1426)

Co-authored-by: nils måsén <nils@piksel.se>
2 years ago · 9a2f9c48c7
parent 0a0998f83c
commit 9a2f9c48c7
3 changed files with 8 additions and 8 deletions
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@ -19,7 +19,7 @@ jobs:
        uses: actions/setup-go@v3
        with:
          go-version: 1.18.x
-      - uses: dominikh/staticcheck-action@v1.2.0
+      - uses: dominikh/staticcheck-action@a3513ade2e5cb8075ba1c1ed1890a989cf0f2aa0 #v1.2.0
        with:
          version: "2022.1.1"
  test:
@ -63,7 +63,7 @@ jobs:
        with:
          go-version: 1.18.x
      - name: Build
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@ff11ca24a9b39f2d36796d1fbd7a4e39c182630a #v3
        with:
          version: v0.155.0
          args: --snapshot --skip-publish --debug
--- a/.github/workflows/release-dev.yaml
+++ b/.github/workflows/release-dev.yaml
@ -39,7 +39,7 @@ jobs:
    steps:
      - uses: actions/checkout@v3
      - name: Publish to Docker Hub
-        uses: jerray/publish-docker-action@master
+        uses: jerray/publish-docker-action@87d84711629b0dc9f6bb127b568413cc92a2088e #master@2022-10-14
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
@ -47,7 +47,7 @@ jobs:
          repository: containrrr/watchtower
          tags: latest-dev
      - name: Publish to GHCR
-        uses: jerray/publish-docker-action@master
+        uses: jerray/publish-docker-action@87d84711629b0dc9f6bb127b568413cc92a2088e #master@2022-10-14
        with:
          username: ${{ secrets.BOT_USERNAME }}
          password: ${{ secrets.BOT_GHCR_PAT }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -72,18 +72,18 @@ jobs:
        with:
          go-version: 1.18.x
      - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a #v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GHCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a #v2
        with:
          username: ${{ secrets.BOT_USERNAME }}
          password: ${{ secrets.BOT_GHCR_PAT }}
          registry: ghcr.io
      - name: Build
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@ff11ca24a9b39f2d36796d1fbd7a4e39c182630a #v3
        with:
          version: v0.155.0
          args: --debug
@ -193,7 +193,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Pull new module version
-      uses: andrewslotin/go-proxy-pull-action@master
+      uses: andrewslotin/go-proxy-pull-action@bfc19ec6536e1638181b2ad6a03e16c7ccfb122f #master@2022-10-14