
ci: Apply CodeQL workflow fixes #1319

Draft. Wants to merge 4 commits into base: main

Conversation

DaveSkender (Owner)

@DaveSkender DaveSkender commented Jan 15, 2025

Done when:

  • add least privilege permissions for actions
  • pin SHA for action steps

@DaveSkender DaveSkender self-assigned this Jan 15, 2025
@Copilot Copilot bot review requested due to automatic review settings January 15, 2025 14:57


Copilot reviewed 5 out of 9 changed files in this pull request and generated no comments.

Files not reviewed (4)
  • .github/workflows/test-performance.yml: Evaluated as low risk
  • .github/workflows/test-website-a11y.yml: Evaluated as low risk
  • .github/workflows/test-website-links.yml: Evaluated as low risk
  • .github/workflows/deploy-website.yml: Evaluated as low risk
Fixed alerts (2): .github/workflows/deploy-website.yml
@@ -60,7 +63,7 @@

- name: Publish to Cloudflare Pages
id: deploy
uses: cloudflare/wrangler-action@v3
uses: cloudflare/wrangler-action@v3.1.0
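Review bot: the new ref `v3.1.0` on the `uses: cloudflare/wrangler-action@v3.1.0` line is still a mutable tag, so this hunk does not yet satisfy the PR's "pin SHA for action steps" criterion and CodeQL keeps reporting the step as non-immutable. Pin the step to the full 40-character commit SHA the tag resolves to (for example, looked up with `git ls-remote --tags`) and keep the version as a trailing comment, `uses: cloudflare/wrangler-action@<commit-sha> # v3.1.0`, so the version stays readable and Dependabot can still bump both the SHA and the comment.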

Check warning (Code scanning / CodeQL, Medium): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'Deploy website' step (Uses Step: deploy) uses 'cloudflare/wrangler-action' with ref 'v3.1.0', not a pinned commit hash.
@@ -16,7 +16,7 @@
runs-on: ubuntu-latest

steps:
- uses: amannn/action-semantic-pull-request@v5
- uses: amannn/action-semantic-pull-request@v5.1.0
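Review bot: `amannn/action-semantic-pull-request@v5.1.0` narrows the tag from `v5` to a patch release but does not pin it, which is why CodeQL still flags the `lint_pr_title` step; a tag can be moved to a different commit by the action's owner at any time. Replace the ref with the commit SHA for that release, `- uses: amannn/action-semantic-pull-request@<commit-sha> # v5.1.0`, to make the step immutable.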

Check warning (Code scanning / CodeQL, Medium): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'Pull request' step (Uses Step: lint_pr_title) uses 'amannn/action-semantic-pull-request' with ref 'v5.1.0', not a pinned commit hash.
@@ -29,7 +29,7 @@
bot
dependencies

- uses: marocchino/sticky-pull-request-comment@v2
- uses: marocchino/sticky-pull-request-comment@v2.1.0
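Review bot: same issue on `- uses: marocchino/sticky-pull-request-comment@v2.1.0`: the patch-level tag is still a floating ref, so the step remains unpinned and the CodeQL alert for this workflow will stay open. Use the release's commit SHA with the tag as a comment; this action also posts comments on pull requests, so it runs with whatever token permissions the workflow grants, which makes the "least privilege permissions" criterion from the PR description worth applying to this workflow at the same time.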

Check warning (Code scanning / CodeQL, Medium): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'Pull request' step (Uses Step) uses 'marocchino/sticky-pull-request-comment' with ref 'v2.1.0', not a pinned commit hash.
Fixed alerts (2): .github/workflows/test-website-a11y.yml
Fixed alerts (3): .github/workflows/test-website-links.yml
@@ -28,7 +31,7 @@
uses: actions/checkout@v4

- name: Setup Ruby
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@v1.207.0
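Review bot: `uses: ruby/setup-ruby@v1.207.0` is still a tag rather than a commit SHA, so the Setup Ruby step in the deploy workflow is not pinned and CodeQL continues to report it. Pin it as `uses: ruby/setup-ruby@<commit-sha> # v1.207.0`. The unchanged `uses: actions/checkout@v4` context line is not reported by CodeQL because it is a first-party action, but the PR's "pin SHA for action steps" checklist item covers it as well, so consider pinning it in the same pass for consistency.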

Check warning (Code scanning / CodeQL, Medium): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'Deploy website' step (Uses Step) uses 'ruby/setup-ruby' with ref 'v1.207.0', not a pinned commit hash.
@@ -19,7 +19,7 @@
timeout-minutes: 10

steps:
- uses: dessant/lock-threads@v5
- uses: dessant/lock-threads@v5.0.1
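Review bot: `- uses: dessant/lock-threads@v5.0.1` is still a tag reference, so the lock-threads step remains mutable and the CodeQL alert stays. Pin it to the release's commit SHA with `# v5.0.1` as a trailing comment. This workflow already sets `timeout-minutes: 10`; pairing that with an explicit `permissions:` block limited to what locking threads needs (issues and pull requests write) would close out both items in the PR description for this file.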

Check warning (Code scanning / CodeQL, Medium): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'Lock closed threads' step (Uses Step) uses 'dessant/lock-threads' with ref 'v5.0.1', not a pinned commit hash.
@@ -27,7 +30,7 @@
uses: actions/checkout@v4

- name: Setup Ruby
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@v1.207.0
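Review bot: this is the second copy of the `uses: ruby/setup-ruby@v1.207.0` change in the PR (the a11y workflow), and it has the same problem as the first: a tag is not a pinned commit hash. When the SHA is looked up for the deploy workflow, use the identical `<commit-sha> # v1.207.0` here so all Setup Ruby steps resolve to the same action commit and a later Dependabot bump updates them together.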

Check warning (Code scanning / CodeQL, Medium, test): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'Website a11y' step (Uses Step) uses 'ruby/setup-ruby' with ref 'v1.207.0', not a pinned commit hash.
@@ -27,7 +30,7 @@
uses: actions/checkout@v4

- name: Setup Ruby
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@v1.207.0
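Review bot: third copy of the same Setup Ruby change (the website links workflow); `ruby/setup-ruby@v1.207.0` is still a tag, so CodeQL's unpinned-tag alert persists here too. Pin to the same commit SHA as the other two workflows with `# v1.207.0` as the comment. Since the three website workflows share this identical checkout-plus-Ruby preamble, a single update path (Dependabot's `github-actions` ecosystem or a shared composite action) would keep the pins from drifting apart.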

Check warning (Code scanning / CodeQL, Medium, test): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'Website URLs' step (Uses Step) uses 'ruby/setup-ruby' with ref 'v1.207.0', not a pinned commit hash.
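The PR's two "Done when" criteria (least-privilege permissions and SHA-pinned steps) are the same properties CodeQL's unpinned-tag query is checking in the annotations above. As an added example, not code from this repository or from CodeQL, the script below audits workflow YAML text for both: it flags third-party `uses:` refs that are not a full 40-hex commit SHA and reports whether a top-level `permissions:` block is declared. The `FIRST_PARTY_OWNERS` set, the sample workflow text and the 40-hex SHA inside it are constructed assumptions for the example, not real values from the project.

```python
"""Audit GitHub Actions workflow text for two supply-chain hygiene rules:

1. third-party actions are pinned to a full commit SHA, not a mutable tag;
2. the workflow declares a top-level ``permissions:`` block (least privilege).

Added example; not code from the Stock.Indicators repository or from CodeQL.
"""
import re

# Assumption for this example: actions under these owners are treated as
# first-party and not reported, mirroring CodeQL reporting only "3rd party" actions.
FIRST_PARTY_OWNERS = {"actions", "github"}

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:")


def parse_uses(line):
    """Return (action, ref) for a `uses:` line, or None when the line is not a
    `uses:` or references something without a git ref (local path, docker image)."""
    match = USES_RE.match(line)
    if not match:
        return None
    target = match.group(1)
    if target.startswith("./") or target.startswith("docker://"):
        return None
    action, sep, ref = target.partition("@")
    return action, (ref if sep else "")


def is_third_party(action):
    """Owner is the first path component of `owner/repo[/path]`."""
    owner = action.split("/", 1)[0]
    return owner not in FIRST_PARTY_OWNERS


def is_pinned(ref):
    """Only a full 40-hex commit SHA is immutable; tags and branches can move."""
    return bool(FULL_SHA_RE.match(ref))


def find_unpinned_actions(workflow_text):
    """Return [(line_no, action, ref)] for third-party actions not pinned to a SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        action, ref = parsed
        if is_third_party(action) and not is_pinned(ref):
            findings.append((line_no, action, ref))
    return findings


def has_top_level_permissions(workflow_text):
    """True when a `permissions:` key appears at column 0 (workflow scope)."""
    return any(TOP_LEVEL_PERMISSIONS_RE.match(l) for l in workflow_text.splitlines())


def audit_workflow(workflow_text):
    return {
        "unpinned": find_unpinned_actions(workflow_text),
        "has_permissions": has_top_level_permissions(workflow_text),
    }


# Constructed sample modeled on the hunks in the PR; the 40-hex value is a
# made-up placeholder, not a real commit of that action.
SAMPLE_WORKFLOW = """\
name: Website URLs
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1.207.0
      - uses: amannn/action-semantic-pull-request@0123456789abcdef0123456789abcdef01234567 # v5.1.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# The same workflow after applying both fixes: a top-level least-privilege
# permissions block and a SHA-pinned Setup Ruby step (placeholder SHA again).
HARDENED_WORKFLOW = "permissions:\n  contents: read\n" + SAMPLE_WORKFLOW.replace(
    "ruby/setup-ruby@v1.207.0",
    "ruby/setup-ruby@0123456789abcdef0123456789abcdef01234567 # v1.207.0",
)

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(text))
```

Running it reports the `ruby/setup-ruby@v1.207.0` line of the sample as unpinned and no permissions block, and a clean result for the hardened copy; `actions/checkout@v4` is skipped only because of the first-party assumption, so drop that set if the goal is to pin every step as the PR checklist states.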
@DaveSkender DaveSkender marked this pull request as draft January 15, 2025 15:15
Labels: none yet. Projects: Status: In Review.