Fix tidy errors, pin actions

.github/workflows/megalinter.yml

@@ -9,6 +9,7 @@ on:
       - main
   workflow_dispatch:
 
+
 permissions:
   contents: write
   issues: write
@@ -41,15 +42,15 @@ jobs:
       # MegaLinter
       - name: MegaLinter
         id: ml
-        uses: oxsecurity/megalinter/flavors/[email protected]
+        uses: oxsecurity/megalinter/flavors/javascript@bacb5f8674e3730b904ca4d20c8bd477bc51b1a7 # pin@v7.13.0
         env:
           VALIDATE_ALL_CODEBASE: true
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       # Upload MegaLinter artifacts
       - name: Archive production artifacts
         if: always()
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # pin@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3
         with:
           name: MegaLinter reports
           path: |
@@ -60,7 +61,7 @@ jobs:
       - name: Create Pull Request with applied fixes
         id: cpr
         if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
-        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # pin@v5
+        uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # pin@v5
         with:
           token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
           commit-message: "[MegaLinter] Apply linters automatic fixes"
@@ -87,12 +88,12 @@ jobs:
 
       - name: Check to see if the SARIF a was generated
         id: sarif_file_exists
-        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # pin@v2
+        uses: andstor/file-existence-action@20b4d2e596410855db8f9ca21e96fbe18e12930b # pin@v2
         with:
           files: "megalinter-reports/megalinter-report.sarif"
 
       - name: Upload MegaLinter scan results to GitHub Security tab
         if: steps.sarif_file_exists.outputs.files_exists == 'true'
-        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # pin@v2
+        uses: github/codeql-action/upload-sarif@3e0e84636c6f5df46a2cb232ae1dd1384713150d # pin@v2
         with:
           sarif_file: "megalinter-reports/megalinter-report.sarif"

.github/workflows/pa11y.yml

@@ -1,16 +1,19 @@
+---
 name: Pa11y Testing
 
-on: [pull_request]
+# yamllint disable-line rule:truthy
+on: [ pull_request ]
 
 jobs:
   build:
     runs-on: ubuntu-latest
-    
+
     steps:
-      - uses: actions/checkout@v3
-
+      - name: Checkout repository
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+
       - name: Use Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # pin@v3
         with:
           node-version: '17.x'
 

.github/workflows/scorecard.yml

@@ -1,18 +1,22 @@
+---
 # This workflow uses actions that are not certified by GitHub. They are provided
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 
 name: Scorecard supply-chain security
+
+# yamllint disable-line rule:truthy
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-  branch_protection_rule:
-  # To guarantee Maintained check is occasionally updated. See
+  branch_protection_rule: # To guarantee Maintained check is occasionally updated. See
+
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
     - cron: '43 7 * * 3'
   push:
-    branches: [ "main" ]
+    branches:
+      - "main"
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -32,12 +36,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # pin@v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -59,14 +63,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # [email protected]
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # pin@v3
         with:
           sarif_file: results.sarif

.github/workflows/test.yml

@@ -2,18 +2,19 @@
 name: Build and Test
 
 # yamllint disable-line rule:truthy
-on: 
+on:
   pull_request:
 
+
 jobs:
   build:
     runs-on: ubuntu-latest
-    
+
     steps:
-      - uses: actions/checkout@v3
-      
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+
       - name: Use Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # pin@v3
         with:
           node-version: '17.x'
 
@@ -23,5 +24,5 @@ jobs:
       - name: Build site
         run: npm run build
 
-          #      - name: Run tests
-          #        run: npm run test
+#      - name: Run tests
+#        run: npm run test

.grype.yaml

@@ -1,153 +1,12 @@
-# enable/disable checking for application updates on startup
-# same as GRYPE_CHECK_FOR_APP_UPDATE env var
-# check-for-app-update: true
-
-# allows users to specify which image source should be used to generate the sbom
-# valid values are: registry, docker, podman
-# same as GRYPE_DEFAULT_IMAGE_PULL_SOURCE env var
-# default-image-pull-source: ""
-
-# same as --name; set the name of the target being analyzed
-# name: ""
-
-# upon scanning, if a severity is found at or above the given severity then the return code will be 1
-# default is unset which will skip this validation (options: negligible, low, medium, high, critical)
-# same as --fail-on ; GRYPE_FAIL_ON_SEVERITY env var
+---
 fail-on-severity: "high"
 
-# the output format of the vulnerability report (options: table, json, cyclonedx)
-# same as -o ; GRYPE_OUTPUT env var
-# output: "table"
-
-# suppress all output (except for the vulnerability list)
-# same as -q ; GRYPE_QUIET env var
-# quiet: false
-
-# write output report to a file (default is to write to stdout)
-# same as --file; GRYPE_FILE env var
-# file: ""
-
-# a list of globs to exclude from scanning, for example:
-# exclude:
-#   - '/etc/**'
-#   - './out/**/*.json'
-# same as --exclude ; GRYPE_EXCLUDE env var
 exclude:
   - './node_modules/**'
   - './.git/**'
   - './.github/**'
   - './_site/**'
 
-# os and/or architecture to use when referencing container images (e.g. "windows/armv6" or "arm64")
-# same as --platform; GRYPE_PLATFORM env var
-# platform: ""
-
-# If using SBOM input, automatically generate CPEs when packages have none
-# add-cpes-if-none: false
-
-# Explicitly specify a linux distribution to use as <distro>:<version> like alpine:3.10
-# distro:
-
-# external-sources:
-#   enable: false
-#   maven:
-#     search-upstream-by-sha1: true
-#     base-url: https://search.maven.org/solrsearch/select
-
-# db:
-  # check for database updates on execution
-  # same as GRYPE_DB_AUTO_UPDATE env var
-  # auto-update: true
-
-  # location to write the vulnerability database cache
-  # same as GRYPE_DB_CACHE_DIR env var
-  # cache-dir: "$XDG_CACHE_HOME/grype/db"
-
-  # URL of the vulnerability database
-  # same as GRYPE_DB_UPDATE_URL env var
-  # update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
-
-  # it ensures db build is no older than the max-allowed-built-age
-  # set to false to disable check
-  # validate-age: true
-
-  # Max allowed age for vulnerability database,
-  # age being the time since it was built
-  # Default max age is 120h (or five days)
-  # max-allowed-built-age: "120h"
-
-# search:
-  # the search space to look for packages (options: all-layers, squashed)
-  # same as -s ; GRYPE_SEARCH_SCOPE env var
-  # scope: "squashed"
-
-  # search within archives that do contain a file index to search against (zip)
-  # note: for now this only applies to the java package cataloger
-  # same as GRYPE_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
-  # indexed-archives: true
-
-  # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
-  # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
-  # note: for now this only applies to the java package cataloger
-  # same as GRYPE_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
-  # unindexed-archives: false
-
-# options when pulling directly from a registry via the "registry:" scheme
-# registry:
-  # skip TLS verification when communicating with the registry
-  # same as GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var
-  # insecure-skip-tls-verify: false
-  # use http instead of https when connecting to the registry
-  # same as GRYPE_REGISTRY_INSECURE_USE_HTTP env var
-  # insecure-use-http: false
-
-  # credentials for specific registries
-  # auth:
-    # - # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.)
-      # same as GRYPE_REGISTRY_AUTH_AUTHORITY env var
-      # authority: ""
-      # same as GRYPE_REGISTRY_AUTH_USERNAME env var
-      # username: ""
-      # same as GRYPE_REGISTRY_AUTH_PASSWORD env var
-      # password: ""
-      # note: token and username/password are mutually exclusive
-      # same as GRYPE_REGISTRY_AUTH_TOKEN env var
-      # token: ""
-    # - ... # note, more credentials can be provided via config file only
-
-# log:
-  # use structured logging
-  # same as GRYPE_LOG_STRUCTURED env var
-  # structured: false
-
-  # the log level; note: detailed logging suppress the ETUI
-  # same as GRYPE_LOG_LEVEL env var
-  # Uses logrus logging levels: https://github.com/sirupsen/logrus#level-logging
-  # level: "error"
-
-  # location to write the log file (default is not to have a log file)
-  # same as GRYPE_LOG_FILE env var
-  # file: ""
-
-# match:
-  # sets the matchers below to use cpes when trying to find 
-  # vulnerability matches. The stock matcher is the default
-  # when no primary matcher can be identified 
-  # java:
-  #   using-cpes: true
-  # python:
-  #   using-cpes: true
-  # javascript:
-  #   using-cpes: true
-  # ruby:
-  #   using-cpes: true
-  # dotnet:
-  #   using-cpes: true
-  # golang:
-  #   using-cpes: true
-  # stock:
-  #   using-cpes: true
-
 ignore:
 
   # Ignored by default; disputed and unwarranted CVE that causes Megalinter to fail

.markdown-link-check.json

@@ -4,7 +4,7 @@
   "aliveStatusCodes": [200, 203],
   "ignorePatterns": [
     {
-      "pattern": "^https?://github.com/ccsq-cqp/"
+      "pattern": "^https?://github.com/"
     }
   ]
 }