From 51bec6fd2238ab5a594b17d4d59948931c55f3bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Go=C5=82e=CC=A8biowski-Owczarek?=
Date: Sat, 3 Feb 2024 02:08:00 +0100
Subject: [PATCH] Build: Improve security of the GitHub Actions setup

Changes:
1. Reference concrete hashes of actions with versions in comments
2. Update actions to recent versions
3. Set up automatic dependabot montly PRs updating actions

Fortunately, hashes with versions in comments is syntax recognized by dependabot automatic updates; we're using it with success in jQuery Core.
---
 .github/dependabot.yml        | 6 ++++++
 .github/workflows/node.js.yml | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..6fff16c7
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: monthly
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
index 9c2402ea..04f9f296 100644
--- a/.github/workflows/node.js.yml
+++ b/.github/workflows/node.js.yml
@@ -12,10 +12,10 @@ jobs:
         NODE_VERSION: [10.x, 18.x]
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Cache
-      uses: actions/cache@v2
+      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
         path: ~/.npm
         key: ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-npm-lock-${{ hashFiles('**/package-lock.json') }}
@@ -23,7 +23,7 @@ jobs:
           ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-npm-lock-
     - name: Use Node.js ${{ matrix.NODE_VERSION }}
-      uses: actions/setup-node@v2.1.2
+      uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
       with:
         node-version: ${{ matrix.NODE_VERSION }}
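Review bot: The new dependabot config only tracks the `github-actions` ecosystem, so the npm dependencies the workflow caches against (the `hashFiles('**/package-lock.json')` key in node.js.yml suggests a lockfile exists) stay unmonitored even though they are the larger part of this repo's supply chain. If that is deliberate, a comment saying so would save the next reader the question; otherwise a second `updates` entry for `npm` on the same monthly cadence closes the gap. Note also that dependabot only moves the SHA and the version together when the `# vX.Y.Z` comment sits on the same line immediately after the hash, so that convention should be kept when the pins are edited by hand.
```yaml
updates:
  # … unchanged: github-actions entry …
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: monthly
```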
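Review bot: The pinned checkout step still runs with the action's default `persist-credentials: true`, which leaves the job's GITHUB_TOKEN in `.git/config` for every later step, including whatever npm lifecycle scripts execute; for a test-only job add `with:` and `persist-credentials: false` under the new `uses: actions/checkout@b4ffde65…` line. A SHA pin is only as good as the mapping behind it, and the diff cannot show that `b4ffde65…` really is `v4.1.1` or `704facf5…` really is `v3.3.2`, so each hash should be checked against the upstream tag before merge, because dependabot will treat the comment as the version baseline from now on. The hunk also does not show whether the workflow sets a top-level `permissions: contents: read`; if it does not, that is the other half of this hardening. The job definition starts above the hunk and continues below it.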
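Review bot: With setup-node now at v4, the separate `actions/cache` step earlier in the job duplicates what the action offers itself: adding `cache: npm` under `node-version: ${{ matrix.NODE_VERSION }}` caches `~/.npm` keyed on the lockfile and lets the `actions/cache` pin, one more third-party action to audit and keep bumped, be dropped. The cache key would change, so the first run after the switch starts cold; otherwise behaviour should match. Moving from v2.1.2 to v4 also changes the action's own runtime on the runner to Node 20, which to my knowledge does not limit which versions it can install, so the `10.x` matrix entry should still resolve, but a CI run is the only real confirmation. The step list continues past the end of the hunk.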