diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index c709cf72..1160cbeb 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -18,10 +18,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Setup node - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3 with: node-version-file: '.node-version' cache: 'npm' @@ -49,15 +49,15 @@ jobs: image_tag: ${{ github.repository }}:${{ github.sha }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Build container image - uses: docker/build-push-action@v3 + uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3 with: tags: ${{ env.image_tag }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.7.1 + uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac # 0.7.1 with: image-ref: ${{ env.image_tag }} format: 'sarif' @@ -66,7 +66,7 @@ jobs: security-checks: 'vuln,secret,config' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@d958b976dc5b990f802df244f2dc5d807113327f # v2 with: sarif_file: 'trivy-results.sarif' @@ -79,7 +79,7 @@ jobs: steps: - name: Login to GitHub Package - uses: docker/login-action@v2 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2 with: registry: ${{ env.CONTAINER_REGISTRY }} username: ${{ github.actor }} 
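Review bot: The `# v3` / `# 0.7.1` comments trailing each pinned SHA in this hunk (checkout, build-push-action, trivy-action) are not checked by the runner, so nothing in the workflow ties a hash to the tag it claims; confirm each one out of band (`git ls-remote <repo> refs/tags/<tag>` against the SHA) and record the exact release tag rather than the floating major, e.g. `# v3.x.y`, so a reader can tell which release was audited. Once pinned, the hashes no longer move with the tag, so add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` (Dependabot updates SHA pins and keeps the trailing comment in sync) or these pins will silently fall behind security fixes in the actions themselves. Pinning trivy-action only fixes the wrapper's own code; if the action fetches the Trivy binary or vulnerability database at run time, those remain unpinned and this change does not cover them. The `with:` block of the Trivy step continues past the hunk, so whether the scan gates the build (`exit-code: '1'`) cannot be seen here.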
@@ -87,12 +87,12 @@ jobs: - name: Extract metadata (tags, labels) id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4 with: images: ${{ env.CONTAINER_REGISTRY }}/${{ github.repository }} - name: Build and push container image - uses: docker/build-push-action@v3 + uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3 with: push: true tags: ${{ steps.meta.outputs.tags }}