Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit da39a99

Browse filesBrowse files
hartworkhartwork
committed
Pin GitHub Actions to specific commits for security
1 parent 1ef61cf commit da39a99
Copy full SHA for da39a99

File tree

Expand file treeCollapse file tree

8 files changed

+29
-29
lines changed
Filter options
Expand file treeCollapse file tree

8 files changed

+29
-29
lines changed

‎.github/workflows/build.yml

Copy file name to clipboardExpand all lines: .github/workflows/build.yml
+16-16Lines changed: 16 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ jobs:
3737
outputs:
3838
run_tests: ${{ steps.check.outputs.run_tests }}
3939
steps:
40-
- uses: actions/checkout@v3
40+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
4141
- name: Check for source changes
4242
id: check
4343
run: |
@@ -68,14 +68,14 @@ jobs:
6868
needs: check_source
6969
if: needs.check_source.outputs.run_tests == 'true'
7070
steps:
71-
- uses: actions/checkout@v3
72-
- uses: actions/setup-python@v3
71+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
72+
- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
7373
- name: Install Dependencies
7474
run: sudo ./.github/workflows/posix-deps-apt.sh
7575
- name: Add ccache to PATH
7676
run: echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
7777
- name: Configure ccache action
78-
uses: hendrikmuhs/ccache-action@v1.2
78+
uses: hendrikmuhs/ccache-action@ca3acd2731eef11f1572ccb126356c2f9298d35e # v1.2.9
7979
- name: Check Autoconf version 2.69 and aclocal 1.16.3
8080
run: |
8181
grep "Generated by GNU Autoconf 2.69" configure
@@ -126,7 +126,7 @@ jobs:
126126
env:
127127
IncludeUwp: 'true'
128128
steps:
129-
- uses: actions/checkout@v3
129+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
130130
- name: Build CPython
131131
run: .\PCbuild\build.bat -e -d -p Win32
132132
- name: Display build info
@@ -143,7 +143,7 @@ jobs:
143143
env:
144144
IncludeUwp: 'true'
145145
steps:
146-
- uses: actions/checkout@v3
146+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
147147
- name: Register MSVC problem matcher
148148
run: echo "::add-matcher::.github/problem-matchers/msvc.json"
149149
- name: Build CPython
@@ -165,7 +165,7 @@ jobs:
165165
HOMEBREW_NO_INSTALL_CLEANUP: 1
166166
PYTHONSTRICTEXTENSIONBUILD: 1
167167
steps:
168-
- uses: actions/checkout@v3
168+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
169169
- name: Install Homebrew dependencies
170170
run: brew install pkg-config openssl@1.1 xz gdbm tcl-tk
171171
- name: Configure CPython
@@ -194,7 +194,7 @@ jobs:
194194
OPENSSL_VER: 1.1.1t
195195
PYTHONSTRICTEXTENSIONBUILD: 1
196196
steps:
197-
- uses: actions/checkout@v3
197+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
198198
- name: Register gcc problem matcher
199199
run: echo "::add-matcher::.github/problem-matchers/gcc.json"
200200
- name: Install Dependencies
@@ -206,7 +206,7 @@ jobs:
206206
echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >> $GITHUB_ENV
207207
- name: 'Restore OpenSSL build'
208208
id: cache-openssl
209-
uses: actions/cache@v3
209+
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
210210
with:
211211
path: ./multissl/openssl/${{ env.OPENSSL_VER }}
212212
key: ${{ runner.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
@@ -217,7 +217,7 @@ jobs:
217217
run: |
218218
echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
219219
- name: Configure ccache action
220-
uses: hendrikmuhs/ccache-action@v1.2
220+
uses: hendrikmuhs/ccache-action@ca3acd2731eef11f1572ccb126356c2f9298d35e # v1.2.9
221221
- name: Setup directory envs for out-of-tree builds
222222
run: |
223223
echo "CPYTHON_RO_SRCDIR=$(realpath -m ${GITHUB_WORKSPACE}/../cpython-ro-srcdir)" >> $GITHUB_ENV
@@ -258,7 +258,7 @@ jobs:
258258
OPENSSL_DIR: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}
259259
LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}/lib
260260
steps:
261-
- uses: actions/checkout@v3
261+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
262262
- name: Register gcc problem matcher
263263
run: echo "::add-matcher::.github/problem-matchers/gcc.json"
264264
- name: Install Dependencies
@@ -270,7 +270,7 @@ jobs:
270270
echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >> $GITHUB_ENV
271271
- name: 'Restore OpenSSL build'
272272
id: cache-openssl
273-
uses: actions/cache@v3
273+
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
274274
with:
275275
path: ./multissl/openssl/${{ env.OPENSSL_VER }}
276276
key: ${{ runner.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
@@ -281,7 +281,7 @@ jobs:
281281
run: |
282282
echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
283283
- name: Configure ccache action
284-
uses: hendrikmuhs/ccache-action@v1.2
284+
uses: hendrikmuhs/ccache-action@ca3acd2731eef11f1572ccb126356c2f9298d35e # v1.2.9
285285
- name: Configure CPython
286286
run: ./configure --with-pydebug --with-openssl=$OPENSSL_DIR
287287
- name: Build CPython
@@ -303,7 +303,7 @@ jobs:
303303
PYTHONSTRICTEXTENSIONBUILD: 1
304304
ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
305305
steps:
306-
- uses: actions/checkout@v3
306+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
307307
- name: Register gcc problem matcher
308308
run: echo "::add-matcher::.github/problem-matchers/gcc.json"
309309
- name: Install Dependencies
@@ -315,7 +315,7 @@ jobs:
315315
echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >> $GITHUB_ENV
316316
- name: 'Restore OpenSSL build'
317317
id: cache-openssl
318-
uses: actions/cache@v3
318+
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
319319
with:
320320
path: ./multissl/openssl/${{ env.OPENSSL_VER }}
321321
key: ${{ runner.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
@@ -326,7 +326,7 @@ jobs:
326326
run: |
327327
echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
328328
- name: Configure ccache action
329-
uses: hendrikmuhs/ccache-action@v1.2
329+
uses: hendrikmuhs/ccache-action@ca3acd2731eef11f1572ccb126356c2f9298d35e # v1.2.9
330330
- name: Configure CPython
331331
run: ./configure --with-address-sanitizer --without-pymalloc
332332
- name: Build CPython

‎.github/workflows/build_msi.yml

Copy file name to clipboardExpand all lines: .github/workflows/build_msi.yml
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,6 @@ jobs:
3131
matrix:
3232
type: [x86, x64, arm64]
3333
steps:
34-
- uses: actions/checkout@v3
34+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
3535
- name: Build CPython installer
3636
run: .\Tools\msi\build.bat -${{ matrix.type }}

‎.github/workflows/doc.yml

Copy file name to clipboardExpand all lines: .github/workflows/doc.yml
+5-5Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -38,11 +38,11 @@ jobs:
3838
runs-on: ubuntu-latest
3939
timeout-minutes: 60
4040
steps:
41-
- uses: actions/checkout@v3
41+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
4242
- name: Register Sphinx problem matcher
4343
run: echo "::add-matcher::.github/problem-matchers/sphinx.json"
4444
- name: 'Set up Python'
45-
uses: actions/setup-python@v4
45+
uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
4646
with:
4747
python-version: '3'
4848
cache: 'pip'
@@ -57,7 +57,7 @@ jobs:
5757
# Add pull request annotations for Sphinx nitpicks (missing references)
5858
- name: 'Get list of changed files'
5959
id: changed_files
60-
uses: Ana06/get-changed-files@v2.2.0
60+
uses: Ana06/get-changed-files@e0c398b7065a8d84700c471b6afc4116d1ba4e96 # v2.2.0
6161
with:
6262
filter: "Doc/**"
6363
- name: 'Build changed files in nit-picky mode'
@@ -83,10 +83,10 @@ jobs:
8383
runs-on: ubuntu-latest
8484
timeout-minutes: 60
8585
steps:
86-
- uses: actions/checkout@v3
86+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
8787
- name: Register Sphinx problem matcher
8888
run: echo "::add-matcher::.github/problem-matchers/sphinx.json"
89-
- uses: actions/cache@v3
89+
- uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
9090
with:
9191
path: ~/.cache/pip
9292
key: ubuntu-doc-${{ hashFiles('Doc/requirements.txt') }}

‎.github/workflows/new-bugs-announce-notifier.yml

Copy file name to clipboardExpand all lines: .github/workflows/new-bugs-announce-notifier.yml
+2-2Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,12 +13,12 @@ jobs:
1313
runs-on: ubuntu-latest
1414
timeout-minutes: 10
1515
steps:
16-
- uses: actions/setup-node@v3
16+
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
1717
with:
1818
node-version: 14
1919
- run: npm install mailgun.js form-data
2020
- name: Send notification
21-
uses: actions/github-script@v6
21+
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
2222
env:
2323
MAILGUN_API_KEY: ${{ secrets.MAILGUN_PYTHON_ORG_MAILGUN_KEY }}
2424
with:

‎.github/workflows/project-updater.yml

Copy file name to clipboardExpand all lines: .github/workflows/project-updater.yml
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ jobs:
2323
- { project: 32, label: sprint }
2424

2525
steps:
26-
- uses: actions/add-to-project@v0.1.0
26+
- uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v0.5.0
2727
with:
2828
project-url: https://github.com/orgs/python/projects/${{ matrix.project }}
2929
github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}

‎.github/workflows/require-pr-label.yml

Copy file name to clipboardExpand all lines: .github/workflows/require-pr-label.yml
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ jobs:
1111
timeout-minutes: 10
1212

1313
steps:
14-
- uses: mheap/github-action-required-labels@v4
14+
- uses: mheap/github-action-required-labels@422e4c352ef83db91089e6acfbf09d8725e08abc # v4
1515
with:
1616
mode: exactly
1717
count: 0

‎.github/workflows/stale.yml

Copy file name to clipboardExpand all lines: .github/workflows/stale.yml
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ jobs:
1616

1717
steps:
1818
- name: "Check PRs"
19-
uses: actions/stale@v8
19+
uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
2020
with:
2121
repo-token: ${{ secrets.GITHUB_TOKEN }}
2222
stale-pr-message: 'This PR is stale because it has been open for 30 days with no activity.'

‎.github/workflows/verify-ensurepip-wheels.yml

Copy file name to clipboardExpand all lines: .github/workflows/verify-ensurepip-wheels.yml
+2-2Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -25,8 +25,8 @@ jobs:
2525
runs-on: ubuntu-latest
2626
timeout-minutes: 10
2727
steps:
28-
- uses: actions/checkout@v3
29-
- uses: actions/setup-python@v4
28+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
29+
- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
3030
with:
3131
python-version: '3'
3232
- name: Compare checksum of bundled wheels to the ones published on PyPI

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.