diff .github/workflows/anchore.yml @ 7148:cc49ac11850f

Pin actions by using hashes, removing tags like @v2 or @master. Now that actions are being scanned by dependabot, this is easier to keep up with. This also clears multiple security issues flagged by ossf-scorecard.
author John Rouillard <rouilj@ieee.org>
date Thu, 16 Feb 2023 20:12:55 -0500
parents 7f4d20ebae4a
children fcf7e210a0f9
--- a/.github/workflows/anchore.yml	Wed Feb 15 18:50:53 2023 -0500
+++ b/.github/workflows/anchore.yml	Thu Feb 16 20:12:55 2023 -0500
@@ -36,18 +36,20 @@
     runs-on: ubuntu-latest
     steps:
     - name: Checkout the code
-      uses: actions/checkout@v3
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+  # v3.3.0
     - name: Build the Docker image
       run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
     - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
-      uses: anchore/scan-action@v3
+      uses: anchore/scan-action@dafbc97d7259af88b61bd260f2fde565d0668a72 # v3.3.4
       id: scan
       with:
         image: "localbuild/testimage:latest"
         fail-build: true
     - name: Upload Anchore Scan Report
       if: always()
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5
+  # v2.2.4
       with:
         sarif_file: ${{ steps.scan.outputs.sarif }}
     - name: Inspect action SARIF report
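Review bot: the version annotation is inconsistent across the three pinned steps in this hunk: `anchore/scan-action@dafbc97d... # v3.3.4` carries the tag as a trailing comment on the `uses:` line, while for `actions/checkout` and `github/codeql-action/upload-sarif` the `# v3.3.0` / `# v2.2.4` comment lands on its own line (`+  # v3.3.0`, `+  # v2.2.4`), which reads as a wrapped line in the rendered view. If these are really separate lines in the file, put the comment on the same line as the SHA for all three, e.g. `uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0`; that is the form dependabot recognises and keeps in sync when it bumps the hash, and it keeps the human-readable version next to the pin it describes. Unrelated to this change but visible in the context: the `docker pull python:3-alpine` in the build step still uses a floating tag, so the image under scan is not pinned the way the actions now are.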

Roundup Issue Tracker: http://roundup-tracker.org/