-
-
Notifications
You must be signed in to change notification settings - Fork 44
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Feature: lock actions against hash instead of tag
- Loading branch information
1 parent
7542378
commit b54ba9a
Showing
8 changed files
with
28 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| Vega Strike Git Hub Actions Guidance | ||
| ==================================== | ||
|
|
||
| VS will allow many actions that are beneficial to the project. | ||
| We also apply the OSSF Score Card to our projects. | ||
|
|
||
| To help with reliability of the GH Actions they should be tagged | ||
| against the associated release SHA Hash instead of Git Tag. | ||
|
|
||
| References | ||
| ---------- | ||
| - https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -155,7 +155,7 @@ jobs: | |
| run: .\script\test.ps1 -Generator ${{ matrix.cmake-generator }} -EnablePIE ${{ matrix.enable-pie }} -BuildType ${{ matrix.build-type }} | ||
|
|
||
| - name: Upload test results | ||
| uses: actions/[email protected] | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
| if: failure() | ||
| with: | ||
| name: test_results_xml | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -16,12 +16,11 @@ jobs: | |
| # Steps represent a sequence of tasks that will be executed as part of the job | ||
| steps: | ||
| # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | ||
| - uses: actions/[email protected] | ||
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 | ||
|
|
||
| - name: Fortify on Demand Scan | ||
| # You may pin to the exact commit or the version. | ||
| # uses: fortify/gha-setup-fod-uploader@636f3c3a14aec1747eec5242a02c6349e4f3cce6 | ||
| uses: fortify/[email protected] | ||
| uses: fortify/gha-setup-fod-uploader@16e5036c084b26cee63cb0c38cfc2101cc9fd13d #v1.1.3 | ||
| with: | ||
| # FoDUploader version to use | ||
| version: latest | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -329,7 +329,7 @@ jobs: | |
|
|
||
| steps: | ||
| - name: Check out repository | ||
| uses: actions/[email protected] | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 | ||
| with: | ||
| fetch-depth: 2 | ||
| submodules: false | ||
|
|
@@ -365,7 +365,7 @@ jobs: | |
| # run: ctest -V | ||
|
|
||
| - name: Upload test results | ||
| uses: actions/[email protected] | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
| if: failure() | ||
| with: | ||
| name: test_results_xml | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -160,7 +160,7 @@ jobs: | |
|
|
||
| steps: | ||
| - name: Check out repository | ||
| uses: actions/[email protected] | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 | ||
| with: | ||
| fetch-depth: 2 | ||
| submodules: false | ||
|
|
@@ -183,7 +183,7 @@ jobs: | |
| IS_RELEASE: 1 | ||
| run: script/cibuild $FLAGS | ||
| - name: Upload the artifacts | ||
| uses: skx/github-action-publish-binaries@master | ||
| uses: skx/github-action-publish-binaries@44887b225ceca96efd8a912d39c09ad70312af31 # master | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| ARTIFACT_EXT: ${{ matrix.ARTIFACT_EXT }} | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -66,7 +66,7 @@ jobs: | |
| run: brew install openal-soft | ||
|
|
||
| - name: Check out repository | ||
| uses: actions/[email protected] | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 | ||
| with: | ||
| fetch-depth: 2 | ||
| submodules: false | ||
|
|
@@ -92,7 +92,7 @@ jobs: | |
| run: ctest -V | ||
|
|
||
| - name: Upload test results | ||
| uses: actions/[email protected] | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
| if: failure() | ||
| with: | ||
| name: test_results_xml | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -23,7 +23,7 @@ jobs: | |
|
|
||
| steps: | ||
| - name: "Check out code" | ||
| uses: actions/[email protected] | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
|
|
@@ -34,7 +34,7 @@ jobs: | |
| gh release download -R octo-org/codeql-bundle --pattern 'codeql-bundle.tar.gz' | ||
| - name: "Run analysis" | ||
| uses: ossf/[email protected] | ||
| uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 #v2.3.1 | ||
| with: | ||
| results_file: results.sarif | ||
| results_format: sarif | ||
|
|
@@ -49,15 +49,15 @@ jobs: | |
|
|
||
| # Upload the results as artifacts (optional). | ||
| - name: "Upload artifact" | ||
| uses: actions/[email protected] | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
| with: | ||
| name: SARIF file | ||
| path: results.sarif | ||
| retention-days: 5 | ||
|
|
||
| # Upload the results to GitHub's code scanning dashboard. | ||
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| uses: github/codeql-action/upload-sarif@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3 | ||
| with: | ||
| sarif_file: results.sarif | ||
| tools: codeql-bundle.tar.gz | ||