diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5cf279f8b..e3cc8e1eb 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -43,7 +43,7 @@ jobs: steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" @@ -52,7 +52,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: "Initialize CodeQL" - uses: "github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2" # v3.24.9 + uses: "github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f" # v3.28.18 with: languages: "${{ matrix.language }}" # If you wish to specify custom queries, you can do so here or in a config file. @@ -62,7 +62,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: "Autobuild" - uses: "github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2" # v3.24.9 + uses: "github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f" # v3.28.18 # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -75,6 +75,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: "Perform CodeQL Analysis" - uses: "github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2" # v3.24.9 + uses: "github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f" # v3.28.18 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/comment-issue.yml b/.github/workflows/comment-issue.yml index 7233c1882..b65bc5c8c 100644 --- a/.github/workflows/comment-issue.yml +++ b/.github/workflows/comment-issue.yml 
@@ -16,7 +16,7 @@ jobs: issues: "write" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 48d9d4737..a0808bc70 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -21,7 +21,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" @@ -33,4 +33,4 @@ jobs: EMAIL: "github-actions[bot]@users.noreply.github.com" - name: "Dependency Review" - uses: "actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a" # v4.4.0 + uses: "actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9" # v4.7.1 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index a95cc3e7a..16bf65602 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -35,7 +35,7 @@ jobs: package_json_lintable: "${{ steps.changes.outputs.package_json_lintable }}" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" @@ -60,7 +60,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" 
@@ -77,7 +77,7 @@ jobs: - name: "Derive appropriate SHAs for base and head for `nx affected` commands" id: "setSHAs" - uses: "nrwl/nx-set-shas@76907e7e5d3cd17ddb5e2b123389f054bffcdd03" # v4 + uses: "nrwl/nx-set-shas@dbe0650947e5f2c81f59190a38512cf49126fe6b" # v4 - name: "Setup resources and environment" id: "setup" @@ -111,7 +111,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" @@ -128,7 +128,7 @@ jobs: - name: "Derive appropriate SHAs for base and head for `nx affected` commands" id: "setSHAs" - uses: "nrwl/nx-set-shas@76907e7e5d3cd17ddb5e2b123389f054bffcdd03" # v4 + uses: "nrwl/nx-set-shas@dbe0650947e5f2c81f59190a38512cf49126fe6b" # v4 - name: "Setup resources and environment" id: "setup" @@ -162,7 +162,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" @@ -179,7 +179,7 @@ jobs: - name: "Derive appropriate SHAs for base and head for `nx affected` commands" id: "setSHAs" - uses: "nrwl/nx-set-shas@76907e7e5d3cd17ddb5e2b123389f054bffcdd03" # v4 + uses: "nrwl/nx-set-shas@dbe0650947e5f2c81f59190a38512cf49126fe6b" # v4 - name: "Setup resources and environment" id: "setup" @@ -213,7 +213,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" 
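Review bot: The trailing comment on the new `nrwl/nx-set-shas` pin in the `@@ -77,7 +77,7 @@` hunk of lint.yml still reads `# v4`, a moving major tag, so it does not say which release `dbe0650947e5f2c81f59190a38512cf49126fe6b` corresponds to; the other pins in this commit name an exact version. I would record the exact release, e.g. `uses: "nrwl/nx-set-shas@dbe0650947e5f2c81f59190a38512cf49126fe6b" # v4.X.Y`, with the placeholder replaced by the tag that SHA was actually checked against. That lets a later reviewer verify the pin against the upstream tag instead of trusting an unversioned comment. The same applies to the identical lines in the `-128` and `-179` hunks of lint.yml and to the nx-set-shas hunks in preview-release.yaml and test.yml.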
@@ -237,7 +237,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" @@ -262,7 +262,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" @@ -278,9 +278,9 @@ jobs: run_install: false - name: "Use Node.js 18.x" - uses: "actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8" # v4.0.2 + uses: "actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020" # v4.4.0 with: - node-version: "18.x" + node-version: "18.20.8" cache: "pnpm" - name: "Verify the integrity of provenance attestations and registry signatures for installed dependencies" @@ -312,7 +312,7 @@ jobs: # If any jobs we depend on fail, we will fail since this is a required check # NOTE: A timeout is considered a failure - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" diff --git a/.github/workflows/lock-file-maintenance.yml b/.github/workflows/lock-file-maintenance.yml index 5f585d471..b6d4d2886 100644 --- a/.github/workflows/lock-file-maintenance.yml +++ b/.github/workflows/lock-file-maintenance.yml @@ -21,7 +21,7 @@ jobs: steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" 
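Review bot: The step in the `@@ -278,9 +278,9 @@` hunk of lint.yml is still named "Use Node.js 18.x" although `node-version` is now pinned to `"18.20.8"`, so the label in the job log no longer matches what is installed; rename it to `- name: "Use Node.js 18.20.8"` or drop the version from the name. Pinning an exact patch also means this job stops picking up later 18.x patch releases on its own, so the value has to be bumped by the same process that updates the action SHAs. A comment on the line such as `# exact pin for reproducibility; bump together with the action pins` would record that. As far as I know the Node.js 18 line is past upstream end-of-life, which is worth confirming before freezing the dependency-signature check on it.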
@@ -48,7 +48,7 @@ jobs: - name: "Commit lock file" if: "success()" - uses: "stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842" # v5.0.1 + uses: "stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403" # v5.2.0 with: file_pattern: "pnpm-lock.yaml" commit_message: "chore: updated lock file [ci skip]" diff --git a/.github/workflows/preview-release.yaml b/.github/workflows/preview-release.yaml index e2f6a3d07..ea1e9e654 100644 --- a/.github/workflows/preview-release.yaml +++ b/.github/workflows/preview-release.yaml @@ -26,7 +26,7 @@ jobs: steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" @@ -43,7 +43,7 @@ jobs: - name: "Derive appropriate SHAs for base and head for `nx affected` commands" id: "setSHAs" - uses: "nrwl/nx-set-shas@76907e7e5d3cd17ddb5e2b123389f054bffcdd03" # v4 + uses: "nrwl/nx-set-shas@dbe0650947e5f2c81f59190a38512cf49126fe6b" # v4 - name: "Setup resources and environment" id: "setup" diff --git a/.github/workflows/require-allow-edits.yml b/.github/workflows/require-allow-edits.yml index d23bd5e71..4c0a6424d 100644 --- a/.github/workflows/require-allow-edits.yml +++ b/.github/workflows/require-allow-edits.yml @@ -16,7 +16,7 @@ jobs: steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 2284d225d..6c7d37795 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -33,7 +33,7 @@ jobs: steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" @@ -43,7 +43,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: "ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534" # v2.3.3 + uses: "ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186" # v2.4.1 with: results_file: "results.sarif" results_format: "sarif" @@ -65,7 +65,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: "actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808" # v4.3.3 + uses: "actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02" # v4.6.2 with: name: "SARIF file" path: "results.sarif" @@ -73,6 +73,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: "github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2" # v3.24.9 + uses: "github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f" # v3.28.18 with: sarif_file: "results.sarif" diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml index ac1ac45d6..94f213f65 100644 --- a/.github/workflows/semantic-pull-request.yml +++ b/.github/workflows/semantic-pull-request.yml @@ -23,7 +23,7 @@ jobs: name: "Semantic Pull Request" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" 
@@ -46,7 +46,7 @@ jobs: revert test - - uses: "marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31" # v2.9.0 + - uses: "marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db" # v2.9.2 # When the previous steps fail, the workflow would stop. By adding this # condition you can continue the execution with the populated error message. if: "always() && (steps.lint_pr_title.outputs.error_message != null)" @@ -65,7 +65,7 @@ jobs: # Delete a previous comment when the issue has been resolved - if: "${{ steps.lint_pr_title.outputs.error_message == null }}" - uses: "marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31" # v2.9.0 + uses: "marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db" # v2.9.2 with: header: "pr-title-lint-error" message: | diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml index 4943bd5c9..f2ee74dcc 100644 --- a/.github/workflows/semantic-release.yml +++ b/.github/workflows/semantic-release.yml @@ -29,7 +29,7 @@ jobs: steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 02cdbcaf6..9c2ef9ae5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -32,7 +32,7 @@ jobs: codecov: "${{ steps.changes.outputs.codecov }}" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" 
@@ -72,7 +72,7 @@ jobs: NODE: "${{ matrix.node_version }}" steps: - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit" @@ -89,7 +89,7 @@ jobs: - name: "Derive appropriate SHAs for base and head for `nx affected` commands" id: "setSHAs" - uses: "nrwl/nx-set-shas@76907e7e5d3cd17ddb5e2b123389f054bffcdd03" # v4 + uses: "nrwl/nx-set-shas@dbe0650947e5f2c81f59190a38512cf49126fe6b" # v4 - name: "Setup resources and environment" id: "setup" @@ -141,7 +141,7 @@ jobs: # If any jobs we depend on fail, we will fail since this is a required check # NOTE: A timeout is considered a failure - name: "Harden Runner" - uses: "step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6" # v2.8.1 + uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0 with: egress-policy: "audit"