From 5a1df7528179a42a0e013fcb9a3b23b6bab78662 Mon Sep 17 00:00:00 2001 From: Vitor George Date: Mon, 6 Apr 2026 16:09:32 +0100 Subject: [PATCH 1/2] ci: pin GitHub Actions to commit SHAs Address zizmor unpinned-uses findings by pinning all actions to immutable commit SHAs. Fixes #1973 --- .github/workflows/checks.yml | 34 +++++++++++------------ .github/workflows/conventional-commit.yml | 2 +- .github/workflows/release.yml | 14 +++++----- 3 files changed, 25 insertions(+), 25 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 8748b1bdc..c6b699125 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -23,20 +23,20 @@ jobs: steps: - name: Cancel Previous Runs - uses: styfle/cancel-workflow-action@0.9.1 + uses: styfle/cancel-workflow-action@a40b8845c0683271d9f53dfcb887a7e181d3918b # 0.9.1 with: access_token: ${{ github.token }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Use Node.js ${{ env.NODE }} - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ env.NODE }} - name: Cache node_modules - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 id: cache-node-modules with: path: node_modules @@ -51,15 +51,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Use Node.js ${{ env.NODE }} - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ env.NODE }} - name: Cache node_modules - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 id: cache-node-modules with: path: node_modules @@ -80,15 +80,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Use Node.js ${{ env.NODE }} - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ env.NODE }} - name: Cache node_modules - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 id: cache-node-modules with: path: node_modules @@ -109,15 +109,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Use Node.js ${{ env.NODE }} - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ env.NODE }} - name: Cache node_modules - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 id: cache-node-modules with: path: node_modules @@ -142,15 +142,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Use Node.js ${{ env.NODE }} - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ env.NODE }} - name: Cache node_modules - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 id: cache-node-modules with: path: node_modules @@ -166,7 +166,7 @@ jobs: run: npx playwright install --with-deps - name: Run Playwright tests run: MAPBOX_TOKEN="${{secrets.MAPBOX_TOKEN}}" yarn test:e2e - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: always() with: name: playwright-report diff --git a/.github/workflows/conventional-commit.yml b/.github/workflows/conventional-commit.yml index 5d6721454..0ada69db9 100644 --- a/.github/workflows/conventional-commit.yml +++ b/.github/workflows/conventional-commit.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Conventional Commit Validation - uses: ytanikin/pr-conventional-commits@1.4.0 + uses: ytanikin/pr-conventional-commits@6ac1cea04190fc076b0e539025501d7e7d241ac1 # 1.4.0 with: task_types: '["feat","fix", "docs", "test", "ci", "refactor", "chore", "revert"]' add_label: 'false' \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 910c64c49..ab193e665 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,7 +21,7 @@ jobs: steps: - name: Generate a token id: generate-token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1 with: app-id: ${{ secrets.APP_ID }} private-key: ${{ secrets.APP_PEM }} @@ -30,14 +30,14 @@ jobs: veda-ui veda-config next-veda-ui - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 token: ${{ steps.generate-token.outputs.token }} - name: Cache node modules id: cache-npm - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: cache-node-modules with: @@ -49,7 +49,7 @@ jobs: git config user.name "${GITHUB_ACTOR}" git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" - name: Use Node.js ${{ env.NODE }} - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ env.NODE }} registry-url: https://registry.npmjs.org/ @@ -94,7 +94,7 @@ jobs: yarn buildlib npx npm@^11.5.1 publish - name: Repository Dispatch - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3 with: token: ${{steps.generate-token.outputs.token}} repository: nasa-impact/veda-config @@ -109,7 +109,7 @@ jobs: steps: - name: Notify failure through Slack if: needs.release.outputs.no_commit != 'true' - uses: slackapi/slack-github-action@v2.0.0 + uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook @@ -122,7 +122,7 @@ jobs: text: "*VEDA UI Release failed*: Check action page to see the details: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" - name: Notify no commit through Slack if: needs.release.outputs.no_commit == 'true' - uses: slackapi/slack-github-action@v2.0.0 + uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook From 8df06df5103eccf3e81d32446072602724dab0ea Mon Sep 17 00:00:00 2001 From: Vitor George Date: Mon, 6 Apr 2026 16:09:44 +0100 Subject: [PATCH 2/2] ci: add Dependabot config for GitHub Actions Enable automatic updates for pinned GitHub Actions via Dependabot. --- .github/dependabot.yml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..91a6f0487 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,9 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + labels: + - "dependencies" + - "github-actions"