From 006eb89fae79d139921a306fbe876971660d1bf7 Mon Sep 17 00:00:00 2001
From: Frank Elsinga
Date: Fri, 10 Oct 2025 15:55:05 +0200
Subject: [PATCH] chore(sec): pin github deps to shas (#1444)
## Launch Checklist
Our CI uses a few actions. For these actions, we currently just use the mutable GitHub tag. Since we use Dependabot to update the versions, we should use SHAs. This makes sure that we are not affected by a certain class of supply chain vulnerability where attackers re-publish bad tags. Using SHAs matches GitHub recommendations and is a part of the OpenSSFs Scorecard.
- [x] Confirm **your changes do not include backports from Mapbox projects** (unless with compliant license) - if you are not sure about this, please ask!
- [ ] Add an entry to `CHANGELOG.md` under the `## main` section. ^--- not sure if you want this. Other maintenance actions don't show up as well.
---
 .github/workflows/auto-merge-dependabot.yml | 2 +-
 .github/workflows/ci.yml | 34 ++++++++++----------
 .github/workflows/codeql-analysis.yml | 8 ++---
 .github/workflows/create-bump-version-pr.yml | 6 ++--
 .github/workflows/deploy.yml | 10 +++--
 .github/workflows/release.yml | 18 +++++------
 6 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
index 67b39b07..ff05c001 100644
--- a/.github/workflows/auto-merge-dependabot.yml
+++ b/.github/workflows/auto-merge-dependabot.yml
@@ -11,7 +11,7 @@ jobs:
 steps:
 - name: Dependabot metadata
 id: metadata
- uses: dependabot/fetch-metadata@v2.4.0
+ uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
 - name: Approve Dependabot PRs
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ff6756eb..adb987cd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
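Review bot: The `# v2.4.0` comment on the new `uses:` line is the only thing linking `08eff52bf64351f401fb50d4972fa95b9f2c2d1b` to a release, and nothing in the diff shows that this commit is actually what `v2.4.0` points at; the same holds for every pin in this patch. Since a comment that disagrees with the commit would silently defeat the purpose of the change, each SHA should be checked against the tag it claims to be, for example with `git ls-remote --tags https://github.com/dependabot/fetch-metadata v2.4.0` (for an annotated tag compare the peeled `^{}` line). Dependabot will only keep these pins current if its configuration includes the `github-actions` package ecosystem; that configuration is not part of this diff, so I cannot confirm it from here.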
@@ -21,9 +21,9 @@ jobs:
 os: [ ubuntu-latest, windows-latest, macos-latest ]
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with: { persist-credentials: false }
- - uses: actions/setup-node@v5
+ - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with:
 node-version-file: '.nvmrc'
 - run: npm ci
@@ -41,22 +41,22 @@ jobs:
 if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with: { persist-credentials: false }
- - uses: actions/setup-node@v5
+ - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with:
 node-version-file: '.nvmrc'
 - run: npm ci
 - run: npm run build
 - name: artifacts/maputnik
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: maputnik
 path: dist
 # Build and upload desktop CLI artifacts
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
 with:
 go-version: ^1.23.x
 cache-dependency-path: desktop/go.sum
@@ -66,19 +66,19 @@ jobs:
 run: npm run build-desktop
 - name: Artifacts/linux
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: maputnik-linux
 path: ./desktop/bin/linux/
 - name: Artifacts/darwin
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: maputnik-darwin
 path: ./desktop/bin/darwin/
 - name: Artifacts/windows
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: maputnik-windows
 path: ./desktop/bin/windows/
@@ -90,12 +90,12 @@ jobs:
 contents: read
 steps:
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with: { persist-credentials: false }
 - run: npm ci
 - run: npm run test-unit-ci
 - name: Upload coverage reports to Codecov
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
 with:
 files: ${{ github.workspace }}/coverage/coverage-final.json
 verbose: true
@@ -108,17 +108,17 @@ jobs:
 contents: read
 steps:
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with: { persist-credentials: false }
 - run: npm ci
 - name: Cypress run
- uses: cypress-io/github-action@v6
+ uses: cypress-io/github-action@b8ba51a856ba5f4c15cf39007636d4ab04f23e3c # v6.10.2
 with:
 build: npm run build
 start: npm run start
 browser: chrome
 - name: Upload coverage reports to Codecov
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
 with:
 files: ${{ github.workspace }}/.nyc_output/out.json
 verbose: true
@@ -129,17 +129,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with: { persist-credentials: false }
 - run: npm ci
 - name: Cypress run
- uses: cypress-io/github-action@v6
+ uses: cypress-io/github-action@b8ba51a856ba5f4c15cf39007636d4ab04f23e3c # v6.10.2
 with:
 build: docker build -t maputnik .
 start: docker run --rm --network host maputnik --port=8888
 browser: chrome
 - name: Upload coverage reports to Codecov
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
 with:
 files: ${{ github.workspace }}/.nyc_output/out.json
 verbose: true
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1af2ef9e..41a39cad 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -38,11 +38,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v4
+ uses: github/codeql-action/autobuild@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
diff --git a/.github/workflows/create-bump-version-pr.yml b/.github/workflows/create-bump-version-pr.yml
index 95e3523f..c2269e5a 100644
--- a/.github/workflows/create-bump-version-pr.yml
+++ b/.github/workflows/create-bump-version-pr.yml
@@ -16,13 +16,13 @@ jobs:
 run:
 shell: bash
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 0
 ref: main
 - name: Use Node.js from nvmrc
- uses: actions/setup-node@v5
+ uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with:
 node-version-file: ".nvmrc"
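Review bot: The re-pinned `actions/checkout` step in the `@@ -38` hunk still runs with checkout's default `persist-credentials`, whereas the checkouts this patch touches in ci.yml, in deploy.yml's pages job and in release.yml's first job all pass `with: { persist-credentials: false }`. The default leaves the workflow token in `.git/config` for the remainder of the job, which a CodeQL scan has no visible need for; consider adding `with: { persist-credentials: false }` under this step as well, unless a later step in the job (outside the hunk) depends on the token. The checkout in deploy.yml's container job (hunk `@@ -45`) has the same omission.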
@@ -32,7 +32,7 @@ jobs:
 ./build/bump-version-changelog.js ${{ inputs.version }}
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
 with:
 commit-message: Bump version to ${{ inputs.version }}
 branch: bump-version-to-${{ inputs.version }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1259ac88..d41cc091 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -12,11 +12,11 @@ jobs:
 contents: write
 if: ${{ github.event_name == 'push' }}
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with: { persist-credentials: false }
 - name: Use Node.js from nvmrc
- uses: actions/setup-node@v5
+ uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with:
 node-version-file: '.nvmrc'
@@ -27,7 +27,7 @@ jobs:
 run: npm run build
 - name: Upload to GitHub Pages
- uses: peaceiris/actions-gh-pages@v4
+ uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: dist
@@ -45,11 +45,11 @@ jobs:
 steps:
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - run: docker build -t ghcr.io/maplibre/maputnik:main .
 - run: docker push ghcr.io/maplibre/maputnik:main
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5b69f683..1704940c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,20 +15,20 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 0
 ref: main
 persist-credentials: false
 - name: Use Node.js from nvmrc
- uses: actions/setup-node@v5
+ uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with:
 node-version-file: ".nvmrc"
 - name: Check if version has been updated
 id: check
- uses: EndBug/version-check@v2
+ uses: EndBug/version-check@d17247dd94ca7b39d0b0691399be8d7c510622c9 # latest
 outputs:
 publish: ${{ steps.check.outputs.changed }}
@@ -42,19 +42,19 @@ jobs:
 run:
 shell: bash
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 0
 ref: main
 - name: Use Node.js from nvmrc
- uses: actions/setup-node@v5
+ uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with:
 node-version-file: ".nvmrc"
 registry-url: "https://registry.npmjs.org"
 - name: Set up Go for desktop build
- uses: actions/setup-go@v6
+ uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
 with:
 go-version: ^1.23.x
 cache-dependency-path: desktop/go.sum
@@ -62,7 +62,7 @@ jobs:
 - name: Get version
 id: package-version
- uses: martinbeentjes/npm-get-version-action@v1.3.1
+ uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1
 - name: Install
 run: npm ci
@@ -73,7 +73,7 @@ jobs:
 - name: Tag commit and push
 id: tag_version
- uses: mathieudutour/github-tag-action@v6.2
+ uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 custom_tag: ${{ steps.package-version.outputs.current-version }}
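Review bot: The `# latest` comment on the new `EndBug/version-check` line in the `@@ -15` hunk does not identify a release, unlike the `# vX.Y.Z` comments on every other pin in this patch, so a reviewer cannot tell which tag `d17247dd94ca7b39d0b0691399be8d7c510622c9` was resolved from or whether it is a tagged commit at all. Dependabot relies on that trailing version comment when deciding how to update a SHA-pinned action, so this pin is likely to be left behind while the others move. Replace the comment with the tag the SHA was taken from, e.g. `# <resolved-tag>`, and if the SHA is only a branch head, pin a tagged release commit instead.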
@@ -91,7 +91,7 @@ jobs:
 - name: Create GitHub Release
 id: create_regular_release
- uses: ncipollo/release-action@v1
+ uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with: