Status: Closed
Labels: enhancement (Feature requests. Not bugs or questions.), tech debt
Description
If you are reporting any crash or any potential security issue, do not
open an issue in this repo. Please report the issue via emailing
envoy-security@googlegroups.com where the issue will be triaged appropriately.
Title: Reduce attack surface by pinning github workflow dependencies by hash
Description:
scorecard reports:
!! frozen-deps - .github/workflows/codeql-daily.yml has non-pinned dependency 'actions/checkout@v2' (job "CodeQL-Build")
!! frozen-deps - .github/workflows/codeql-daily.yml has non-pinned dependency 'github/codeql-action/init@v1' (job "CodeQL-Build")
!! frozen-deps - .github/workflows/codeql-daily.yml has non-pinned dependency 'github/codeql-action/analyze@v1' (job "CodeQL-Build")
!! frozen-deps - .github/workflows/codeql-push.yml has non-pinned dependency 'actions/checkout@v2' (job "CodeQL-Build")
!! frozen-deps - .github/workflows/codeql-push.yml has non-pinned dependency 'github/codeql-action/init@v1' (job "CodeQL-Build")
!! frozen-deps - .github/workflows/codeql-push.yml has non-pinned dependency 'github/codeql-action/analyze@v1' (job "CodeQL-Build")
Fix:
Pin all dependencies by hash. Examples can be found here.
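The following is an added illustration, not part of this issue and not Envoy's or scorecard's own code (scorecard's frozen-deps check is implemented in Go; this is a simplified reimplementation of the same idea). It shows a constructed workflow with mutable tag references like those the report flags next to the same workflow pinned to full commit SHAs, and a small checker that emits scorecard-style findings. The 40-hex SHAs in the pinned version are placeholders, not the real commits for those action versions; the real values must be resolved from each action's repository before applying this pattern.

```python
import re

# Constructed workflow resembling the ones named in the scorecard report
# (not the actual contents of Envoy's .github/workflows files).
UNPINNED_WORKFLOW = """\
name: CodeQL
on:
  schedule:
    - cron: '0 0 * * *'
jobs:
  CodeQL-Build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: github/codeql-action/init@v1
      - uses: github/codeql-action/analyze@v1
"""

# The same workflow with each action pinned to an immutable commit SHA.
# The SHAs are PLACEHOLDERS (constructed), not real commits; the trailing
# comment records the human-readable version the SHA is meant to track.
PINNED_WORKFLOW = """\
name: CodeQL
on:
  schedule:
    - cron: '0 0 * * *'
jobs:
  CodeQL-Build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000001  # v2
      - uses: github/codeql-action/init@0000000000000000000000000000000000000002  # v1
      - uses: github/codeql-action/analyze@0000000000000000000000000000000000000003  # v1
"""

# Matches `uses: owner/repo[/path]@ref`, with or without a leading list dash,
# and stops the ref at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-character lowercase hex git commit SHA.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text):
    """Return (line_no, ref) for every `uses:` reference that is not pinned
    to a full commit SHA. Local actions (./path) and docker:// images are
    skipped: they are not git refs, so this SHA check does not apply."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            # No ref at all resolves to the default branch: mutable.
            findings.append((line_no, ref))
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            # Tags and branch names can be moved; only a commit SHA is immutable.
            findings.append((line_no, ref))
    return findings


def scorecard_style_report(path, workflow_text):
    """Format findings in the same shape as the scorecard output quoted above."""
    return [
        f"!! frozen-deps - {path} has non-pinned dependency '{ref}'"
        for _, ref in find_unpinned(workflow_text)
    ]


if __name__ == "__main__":
    for line in scorecard_style_report(".github/workflows/codeql-daily.yml", UNPINNED_WORKFLOW):
        print(line)
    print("pinned workflow findings:", find_unpinned(PINNED_WORKFLOW))
```

A SHA pin only removes the tag-retargeting risk; the comment after the SHA is what lets a reviewer (or Dependabot's GitHub Actions updater) see which version the hash is supposed to correspond to, so keep the two in sync when bumping.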