Pin actions by SHA and set permissions for workflow

- Pinned dependencies https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies - Restricting permissions for github actions https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-03-03 17:47:01 +01:00 · 2022-03-11 22:48:15 +00:00 · 2022-03-11 22:48:15 +00:00 · 8f8c22b829
commit 8f8c22b829
parent dab6dd4a0e
1 changed files with 7 additions and 4 deletions
--- a/.github/workflows/on-tag.yml
+++ b/.github/workflows/on-tag.yml
@ -11,6 +11,9 @@ on:
      - v[0-9]+.[0-9]+.[0-9]+
      - v[0-9]+.[0-9]+.[0-9]+-*
 permissions:
  contents: read
 jobs:
  build:
    strategy:
@ -35,24 +38,24 @@ jobs:
        run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
      - name: Checkout project
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
      - name: Init repo for Dockerization
        run: docker/init.sh "$TAG"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1
        id: qemu
      - name: Setup Docker buildx action
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1
        id: buildx
      - name: Available platforms
        run: echo ${{ steps.buildx.outputs.platforms }}
      - name: Cache Docker layers
-        uses: actions/cache@v2
+        uses: actions/cache@661fd3eb7f2f20d8c7c84bc2b0509efd7a826628 # v2
        id: cache
        with:
          path: /tmp/.buildx-cache