chore(ci): harden github actions

step-security-bot · step-security-bot · commit 660f1dbbe7a9 · 2024-02-16T04:57:36.000Z
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
diff --git a/.github/workflows/checks.codeql.yml b/.github/workflows/checks.codeql.yml
@@ -111,7 +111,7 @@ jobs:
         with:
           merge-multiple: true
       - name: "Analysis: Build"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         continue-on-error: true
         env:
           CI: true
diff --git a/.github/workflows/checks.detekt.yml b/.github/workflows/checks.detekt.yml
@@ -91,7 +91,7 @@ jobs:
       - name: "Setup: Git History"
         run: git fetch --unshallow || exit 0
       - name: "Analysis: Detekt"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         continue-on-error: true
         env:
           CI: true
diff --git a/.github/workflows/checks.qodana.yml b/.github/workflows/checks.qodana.yml
@@ -91,7 +91,7 @@ jobs:
         with:
           merge-multiple: true
       - name: "Analysis: Build"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         continue-on-error: true
         with:
           cache-read-only: true
diff --git a/.github/workflows/checks.sonar.yml b/.github/workflows/checks.sonar.yml
@@ -109,7 +109,7 @@ jobs:
       - name: "Setup: Git History"
         run: git fetch --unshallow || exit 0
       - name: "Build: Verify Coverage"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         continue-on-error: true
         env:
           CI: true
@@ -124,7 +124,7 @@ jobs:
             -x nativeCompile
             -x nativeOptimizedCompile
       - name: "Analysis: Sonar"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         continue-on-error: true
         env:
           CI: true
diff --git a/.github/workflows/job.bench.yml b/.github/workflows/job.bench.yml
@@ -93,7 +93,7 @@ jobs:
       - name: "Setup: Yarn"
         run: yarn
       - name: "Run Benchmarks"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         id: gradlebench
         continue-on-error: ${{ matrix.experimental }}
         env:
diff --git a/.github/workflows/job.build.yml b/.github/workflows/job.build.yml
@@ -246,7 +246,7 @@ jobs:
           export_environment_variables: true
           cleanup_credentials: true
       - name: "🛠️ Build"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         id: gradlebuild
         continue-on-error: ${{ matrix.mode == 'labs' }}
         env:
diff --git a/.github/workflows/job.cli.yml b/.github/workflows/job.cli.yml
@@ -207,7 +207,7 @@ jobs:
         with:
           merge-multiple: true
       - name: "Build: CLI (Native/Debug)"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         env:
           CI: true
           BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
@@ -380,7 +380,7 @@ jobs:
         with:
           merge-multiple: true
       - name: "Build: CLI (Native/Release)"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         env:
           CI: true
           BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
diff --git a/.github/workflows/job.containers.yml b/.github/workflows/job.containers.yml
@@ -238,7 +238,7 @@ jobs:
       ## -- Samples -- ##
       - name: "Build/Push: '${{ matrix.project }}' (JVM)"
         continue-on-error: ${{ fromJson(matrix.labs) }}
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         with:
           arguments: |
             --no-daemon
@@ -360,7 +360,7 @@ jobs:
 
       ## -- Samples -- ##
       - name: "Build/Push: '${{ matrix.project }}' (Native)"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         continue-on-error: true
         with:
           arguments: |
diff --git a/.github/workflows/job.site.yml b/.github/workflows/job.site.yml
@@ -79,7 +79,7 @@ jobs:
         run: |
           make docs reports CI=yes JVM=21
       - name: "Build: Site"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         env:
           CI: true
         with:
diff --git a/.github/workflows/job.test.yml b/.github/workflows/job.test.yml
@@ -233,7 +233,7 @@ jobs:
         with:
           merge-multiple: true
       - name: "Testsuite"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         env:
           CI: true
           BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
@@ -277,7 +277,7 @@ jobs:
             -PbuildDocs=false
             -PbuildDocsSite=false
       - name: "Analysis: Sonar"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         continue-on-error: true
         env:
           CI: true
@@ -319,7 +319,7 @@ jobs:
             -PbuildDocs=false
             -PbuildDocsSite=false
       - name: "Analysis: Sonar"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         continue-on-error: true
         env:
           CI: true
@@ -362,7 +362,7 @@ jobs:
             -PbuildDocs=false
             -PbuildDocsSite=false
       - name: "Runtime Self-tests (JVM)"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         continue-on-error: true
         env:
           CI: true
@@ -532,7 +532,7 @@ jobs:
         with:
           merge-multiple: true
       - name: "Run Tests (Native)"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         continue-on-error: true
         env:
           CI: true
diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
@@ -113,7 +113,7 @@ jobs:
           submodules: true
           persist-credentials: false
       - name: "Setup: Buildless"
-        uses: buildless/setup@v1.0.2
+        uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0 # v1.0.2
       - name: "Setup: GraalVM (Java 21)"
         uses: graalvm/setup-graalvm@2a93b69fdf86ac5a078a98c1a707744632e1da94 # v1.1.5
         with:
@@ -131,7 +131,7 @@ jobs:
             elide-framework-v1-
             elide-framework-
       - name: "Check: Library ABI"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         id: abicheck
         continue-on-error: ${{ contains(github.event.pull_request.labels.*.name, 'ci:api-check-bypass') }}
         env:
diff --git a/.github/workflows/on.scheduled.yml b/.github/workflows/on.scheduled.yml
@@ -160,7 +160,7 @@ jobs:
           export_environment_variables: true
           cleanup_credentials: true
       - name: "🛠️ Build"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         id: gradlebuild
         continue-on-error: ${{ matrix.mode == 'labs' }}
         env:
diff --git a/.github/workflows/publish.maven.yml b/.github/workflows/publish.maven.yml
@@ -191,7 +191,7 @@ jobs:
           echo "APP_VERSION=$(cat .version)" >> $GITHUB_ENV;
           echo "Releasing version $APP_VERSION"
       - name: "Publish: Conventions"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         if: ${{ inputs.conventions }}
         with:
           arguments: |
@@ -208,7 +208,7 @@ jobs:
             -x test
             :conventions:publish
       - name: "Publish: Substrate"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         if: ${{ inputs.substrate }}
         with:
           arguments: |
@@ -225,7 +225,7 @@ jobs:
             -x test
             :substrate:publish
       - name: "Publish: Processor"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         if: ${{ inputs.processor }}
         with:
           arguments: |
@@ -242,7 +242,7 @@ jobs:
             -x test
             :tools:processor:publish
       - name: "Publish: Packages"
-        uses: gradle/actions/setup-gradle@v3.1.0
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         if: ${{ inputs.packages }}
         with:
           arguments: |
