From d53693fb58c2e51c88e026d87f28cb0bf6b9d720 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Fri, 28 Nov 2025 10:44:11 -0800 Subject: [PATCH] Fix GitHub Actions not pinned by hash (#178917) Use explicit pinned dependencies per: - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @guidezpl. Please merge the Pull Request to incorporate the requested changes. Signed-off-by: StepSecurity Bot Co-authored-by: Pierre-Louis Co-authored-by: Zachary Anderson --- .github/workflows/content-aware-hash.yml | 2 +- .github/workflows/files-changed.yml | 4 ++-- .github/workflows/merge-changelog.yml | 2 +- .github/workflows/tool-test-general.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/content-aware-hash.yml b/.github/workflows/content-aware-hash.yml index 50e089b7b5d..4c9fb3efed2 100644 --- a/.github/workflows/content-aware-hash.yml +++ b/.github/workflows/content-aware-hash.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Generate Hash run: | diff --git a/.github/workflows/files-changed.yml b/.github/workflows/files-changed.yml index 582ddc036aa..ca858fdc48a 100644 --- a/.github/workflows/files-changed.yml +++ b/.github/workflows/files-changed.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Fetch base commit and origin/master # Fetch what to compare the commit against @@ -35,7 +35,7 @@ jobs: ./bin/dart run dev/tools/bin/get_files_changed.dart --since="${{ github.event.pull_request.base.sha }}" > changed_files.json - name: Upload artifact - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: changed-files path: changed_files.json diff --git a/.github/workflows/merge-changelog.yml b/.github/workflows/merge-changelog.yml index bad3b822ecf..0e40867a860 100644 --- a/.github/workflows/merge-changelog.yml +++ b/.github/workflows/merge-changelog.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Setup Repository - uses: actions/checkout@v6 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: repository: ${{ github.repository }} ref: master diff --git a/.github/workflows/tool-test-general.yml b/.github/workflows/tool-test-general.yml index d036140ff93..d326db08ebe 100644 --- a/.github/workflows/tool-test-general.yml +++ b/.github/workflows/tool-test-general.yml @@ -22,7 +22,7 @@ jobs: steps: # Note: we must check out the tree for the composite action to be available - - uses: actions/checkout@v6 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - uses: ./.github/actions/composite-flutter-setup - name: Tool Test