[StepSecurity] ci: Harden GitHub Actions (#488)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2026-02-04 05:56:21 +00:00 · 2024-11-14 05:19:16 -08:00
parent 186c2e4795
commit 091b5866d4
25 changed files with 135 additions and 66 deletions
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -10,12 +10,12 @@ jobs:

    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: src/pg_stat_monitor

      - name: Checkout cppcheck sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: "danmar/cppcheck"
          ref: "2.13.4"
@@ -43,13 +43,13 @@ jobs:

    steps:
      - name: Clone postgres repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: 'postgres/postgres'
          ref: 'REL_17_STABLE'

      - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: 'contrib/pg_stat_monitor'

@@ -87,9 +87,9 @@ jobs:

    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Check license headers
-        uses: apache/skywalking-eyes/header@v0.6.0
+        uses: apache/skywalking-eyes/header@cd7b195c51fd3d6ad52afceb760719ddc6b3ee91 # v0.6.0
        with:
          token: "" # Prevent comments