From c57c42b4462946f3e37c8a04e841b80e6c4669e7 Mon Sep 17 00:00:00 2001 From: OssSecurityBot Date: Fri, 10 Jul 2026 10:29:47 -0400 Subject: [PATCH] Pin GitHub Actions to full-length commit SHAs --- .github/dependabot.yml | 11 +++++++++++ .github/workflows/api-extractor.yaml | 4 ++-- .github/workflows/api-publish.yaml | 6 +++--- .github/workflows/bump-version-pr.yaml | 6 +++--- .github/workflows/feature-request.yml | 2 +- 5 files changed, 20 insertions(+), 9 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..2c48305b7 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + groups: + github-actions: + patterns: ["*"] + schedule: + interval: "weekly" + cooldown: + default-days: 7 diff --git a/.github/workflows/api-extractor.yaml b/.github/workflows/api-extractor.yaml index 0262aa93d..8293fe17b 100644 --- a/.github/workflows/api-extractor.yaml +++ b/.github/workflows/api-extractor.yaml @@ -20,10 +20,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup node - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version-file: .nvmrc diff --git a/.github/workflows/api-publish.yaml b/.github/workflows/api-publish.yaml index baba66fcf..c12df5dab 100644 --- a/.github/workflows/api-publish.yaml +++ b/.github/workflows/api-publish.yaml @@ -12,17 +12,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup node - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version-file: .nvmrc - name: Install dependencies run: npm ci - - uses: JS-DevTools/npm-publish@v1 + - uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1.4.3 name: Publish package with: package: ./api/package.json diff --git a/.github/workflows/bump-version-pr.yaml b/.github/workflows/bump-version-pr.yaml index 4ab48dcbf..62c4a90de 100644 --- a/.github/workflows/bump-version-pr.yaml +++ b/.github/workflows/bump-version-pr.yaml @@ -10,14 +10,14 @@ jobs: bump: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Bump version id: bump - uses: alexweininger/bump-prerelease-version@v0.1.1 + uses: alexweininger/bump-prerelease-version@91183ecfa908d49e9e7c1c62e9c781a49aa7c307 # v0.1.1 - name: Create pull request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4 with: title: ${{ env.MESSAGE }} body: Automatically created by ${{ env.RUN_LINK }} diff --git a/.github/workflows/feature-request.yml b/.github/workflows/feature-request.yml index fb386f2a7..94c5bd426 100644 --- a/.github/workflows/feature-request.yml +++ b/.github/workflows/feature-request.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Checkout Actions if: github.event_name != 'issues' || contains(github.event.issue.labels.*.name, 'feature-request') - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: "microsoft/vscode-github-triage-actions" path: ./actions