diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml index 1307ee80..c1addaee 100644 --- a/.github/workflows/canary.yml +++ b/.github/workflows/canary.yml @@ -37,13 +37,13 @@ jobs: rc: true - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170 env: PAT: ${{ secrets.PAT }} canary: true - name: Canary TLS test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170 env: PAT: ${{ secrets.PAT }} canary-tls: true diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml index 0518582d..fb0f5b24 100644 --- a/.github/workflows/code-review.yml +++ b/.github/workflows/code-review.yml @@ -20,4 +20,4 @@ jobs: int.api.stepsecurity.io:443 - name: Code Review - uses: step-security/ai-codewise@int + uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int diff --git a/.github/workflows/recurring-int-tests.yml b/.github/workflows/recurring-int-tests.yml index 20fc63ab..32207a2b 100644 --- a/.github/workflows/recurring-int-tests.yml +++ b/.github/workflows/recurring-int-tests.yml @@ -18,7 +18,7 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170 env: PAT: ${{ secrets.PAT }} canary: true @@ -33,7 +33,7 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170 env: PAT: ${{ secrets.PAT }} canary-tls: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e27ded9e..010a4462 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -40,7 +40,7 @@ jobs: rc: true - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170 env: PAT: ${{ secrets.PAT }} canary: true diff --git a/.github/workflows/runs-on.yml b/.github/workflows/runs-on.yml index a233b749..87313c62 100644 --- a/.github/workflows/runs-on.yml +++ b/.github/workflows/runs-on.yml @@ -14,7 +14,7 @@ jobs: - image=ubuntu24-stepsecurity-x64 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc with: egress-policy: audit allowed-endpoints: > @@ -43,7 +43,7 @@ jobs: - image=ubuntu24-stepsecurity-x64 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc with: egress-policy: block allowed-endpoints: > @@ -89,7 +89,7 @@ jobs: - image=ubuntu24-stepsecurity-x64 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc with: egress-policy: audit allowed-endpoints: > @@ -137,7 +137,7 @@ jobs: - image=ubuntu24-stepsecurity-x64 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc with: egress-policy: block allowed-endpoints: >