diff --git a/.github/workflows/actions-freshness.yml b/.github/workflows/actions-freshness.yml
index 18a495f..1acab39 100644
--- a/.github/workflows/actions-freshness.yml
+++ b/.github/workflows/actions-freshness.yml
@@ -22,12 +22,12 @@ jobs:
 issues: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Setup Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: '20'
@@ -42,7 +42,7 @@ jobs:
 - name: Upload freshness report artifact
 if: always()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: actions-freshness-report
 path: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a853306..29f102a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -26,17 +26,17 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a
+ uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2
 with:
 languages: ${{ matrix.language }}
 config-file: ./.github/codeql/codeql-config.yml
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a
+ uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2
 with:
 category: /language:${{ matrix.language }}
diff --git a/.github/workflows/poutine.yml b/.github/workflows/poutine.yml
index cc21a5d..49c7126 100644
--- a/.github/workflows/poutine.yml
+++ b/.github/workflows/poutine.yml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
@@ -38,14 +38,14 @@ jobs:
 mv results.cleaned.sarif results.sarif
 - name: Upload poutine SARIF
- uses: github/codeql-action/upload-sarif@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a
+ uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2
 with:
 sarif_file: results.sarif
 category: /tool:poutine
 - name: Upload poutine artifact
 if: always()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: poutine-sarif
 path: results.sarif
diff --git a/.github/workflows/qa-matrix.yml b/.github/workflows/qa-matrix.yml
index 8e569d1..04b70de 100644
--- a/.github/workflows/qa-matrix.yml
+++ b/.github/workflows/qa-matrix.yml
@@ -23,15 +23,16 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Setup Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- package-manager-cache: false
+ cache: npm
+ cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci
@@ -83,7 +84,7 @@ jobs:
 - name: Upload UI screenshot
 if: always() && steps.capture_ui_screenshot.outcome == 'success'
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: ui-screenshot-${{ runner.os }}
 path: dist/qa/screenshots/*.png
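Review bot: None of the refreshed `uses:` pins in the qa-matrix.yml hunk at @@ -23 (nor any other pin line in this commit) carries a trailing version comment, so a reader of the diff cannot tell which release tag `de0fac2e…`, `6044e13b…` or `b7c566a7…` corresponds to and has to resolve each SHA by hand to confirm it is a tagged upstream release rather than an arbitrary commit. The usual form is `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # <release tag>` with the tag filled in from the upstream release the SHA was taken from; Dependabot and Renovate read that comment to keep SHA pins current, which is what the new docs line calls refreshing "on a recurring basis". The new `cache: npm` / `cache-dependency-path: package-lock.json` pair looks sound for `npm ci`, which checks each installed package against the lockfile integrity hashes, so a restored cache does not bypass that verification; the same pair is added in sbom.yml and sonarcloud.yml. The enclosing job starts before this hunk.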
@@ -92,7 +93,7 @@ jobs:
 - name: Upload Playwright E2E artifacts
 if: runner.os == 'Linux' && always()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: playwright-e2e-linux
 path: |
@@ -103,7 +104,7 @@ jobs:
 - name: Upload stress benchmark artifacts
 if: runner.os == 'Linux' && always()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: stress-benchmarks-linux
 path: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3438f5f..bdbd3b5 100755
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,12 +15,12 @@ jobs:
 contents: read
 steps:
 - name: Check out Git repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Install Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
 package-manager-cache: false
@@ -40,7 +40,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload Windows Artifacts
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: windows-artifacts
 path: |
@@ -56,12 +56,12 @@ jobs:
 contents: read
 steps:
 - name: Check out Git repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Install Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
 package-manager-cache: false
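Review bot: The `actions/setup-node` steps in release.yml (hunks @@ -15 and @@ -56 here, and @@ -126 on the following line) keep `package-manager-cache: false` as context under the refreshed `6044e13b…` pin, while this same commit replaces that input with `cache: npm` / `cache-dependency-path: package-lock.json` in qa-matrix.yml, sbom.yml and sonarcloud.yml and its docs line describes `package-manager-cache` as an unsupported input that produces warnings. The sbom.yml hunk makes that substitution on the very same setup-node SHA, so release.yml will presumably keep emitting the warning after this commit. Either apply the same two-line substitution to the three release jobs, or, if release builds are meant to avoid the dependency cache, leave the step as is and record the intent with a comment such as `# release builds intentionally skip the dependency cache`. Unrelated to this change, the `index` line shows release.yml at mode 100755; a workflow file does not need the executable bit. Each enclosing job starts before and ends after its hunk.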
@@ -110,7 +110,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload Linux Artifacts
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: linux-artifacts
 path: |
@@ -126,12 +126,12 @@ jobs:
 contents: read
 steps:
 - name: Check out Git repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Install Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
 package-manager-cache: false
@@ -151,7 +151,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload macOS Artifacts
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: macos-artifacts
 path: |
@@ -168,7 +168,7 @@ jobs:
 contents: write
 steps:
 - name: Check out Git repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -198,19 +198,19 @@ jobs:
 continue-on-error: true
 - name: Download Windows artifacts
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
 with:
 name: windows-artifacts
 path: artifacts/windows
 - name: Download Linux artifacts
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
 with:
 name: linux-artifacts
 path: artifacts/linux
 - name: Download macOS artifacts
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
 with:
 name: macos-artifacts
 path: artifacts/macos
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index f3f4bce..9632063 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -27,7 +27,8 @@ jobs:
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- package-manager-cache: false
+ cache: npm
+ cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci --ignore-scripts
diff --git a/.github/workflows/secrets-gate.yml b/.github/workflows/secrets-gate.yml
index c26b7c1..2ad96bc 100644
--- a/.github/workflows/secrets-gate.yml
+++ b/.github/workflows/secrets-gate.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -60,7 +60,7 @@ jobs:
 - name: Upload gitleaks report
 if: always()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: gitleaks-report
 path: gitleaks-report.json
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index b26e41d..b697d44 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -17,15 +17,16 @@ jobs:
 contents: read
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 persist-credentials: false
- - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- package-manager-cache: false
+ cache: npm
+ cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci
diff --git a/docs/plan/cicd_security.md b/docs/plan/cicd_security.md
index e19c254..d70ad36 100644
--- a/docs/plan/cicd_security.md
+++ b/docs/plan/cicd_security.md
@@ -65,6 +65,8 @@ This document defines the CI/CD security and quality baseline for `ai-code-fusio
 - CI workflows now declare job-level `permissions` explicitly, even when matching workflow defaults.
 - Dependency Review keeps PR summary behavior while disabling OpenSSF scorecard output to reduce third-party token-permission noise unrelated to repository workflow scopes.
+- `actions/setup-node` usage is normalized to supported cache inputs (`cache`, `cache-dependency-path`) to avoid unsupported-input warnings.
+- Core GitHub Action pins are refreshed to current maintained release SHAs on a recurring basis.
 ## Example Workflow Pattern