diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1d61e5b..4183d70 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -29,12 +29,12 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.28.1 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.28.1 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml index 5d47168..e02ba41 100644 --- a/.github/workflows/hypatia-scan.yml +++ b/.github/workflows/hypatia-scan.yml @@ -25,7 +25,7 @@ jobs: fetch-depth: 0 # Full history for better pattern analysis - name: Setup Elixir for Hypatia scanner - uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1.18.2 + uses: erlef/setup-beam@3580539ceec3dc05b0ed51e9e10b08eb7a7c2bb4 # v1.18.2 with: elixir-version: '1.19.4' otp-version: '28.3' diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index 5202e55..56e7953 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -127,7 +127,7 @@ jobs: fetch-depth: 0 - name: Setup Rust - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # stable + uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable with: toolchain: stable diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 90f9c3e..4b66265 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -18,7 +18,7 @@ jobs: find . -type f -perm /111 -name "*.sh" | head -10 || true - name: Check for secrets - uses: trufflesecurity/trufflehog@6961f2bace57ab32b23b3ba40f8f420f6bc7e004 # v3.93.3 + uses: trufflesecurity/trufflehog@c3e599b7163e8198a55467f3133db0e7b2a492cb # v3.93.7 with: path: ./ base: ${{ github.event.pull_request.base.sha || github.event.before }} diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index 7e9d3ef..4ad1f3b 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -30,7 +30,7 @@ jobs: publish_results: true - name: Upload SARIF - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3 + uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3 with: sarif_file: results.sarif diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index e1964c7..14642d9 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -27,6 +27,6 @@ jobs: results_format: sarif - name: Upload results - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.31.8 + uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.31.8 with: sarif_file: results.sarif diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index 31bd2cf..4278ef8 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -18,7 +18,7 @@ jobs: fetch-depth: 0 # Full history for scanning - name: TruffleHog Secret Scan - uses: trufflesecurity/trufflehog@6961f2bace57ab32b23b3ba40f8f420f6bc7e004 # v3 + uses: trufflesecurity/trufflehog@c3e599b7163e8198a55467f3133db0e7b2a492cb # v3 with: extra_args: --only-verified --fail