
Commit eaacc5c

authored
Merge branch 'main' into lmendoza/PD-3931
2 parents 16a3d4e + 6ce128d commit eaacc5c

18 files changed

Lines changed: 444 additions & 50 deletions

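--- a/.github/workflows/bld_docker.yml
+++ b/.github/workflows/bld_docker.yml
@@ -120,14 +120,19 @@ jobs:
 
 runs-on: ubuntu-latest
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+with:
+egress-policy: audit
+
 - name: git-checkout-ref-action
 id: ref
 uses: ORCID/git-checkout-ref-action@main
 with:
 default_branch: ${{ github.event.repository.default_branch }}
 ref: ${{ inputs.ref }}
 
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 ref: ${{ steps.ref.outputs.ref }}
 # checkout some history so we can scan commits for bump messages
@@ -141,10 +146,10 @@ jobs:
 version_tag: ${{ inputs.version_tag }}
 bump: ${{ inputs.bump }}
 
-- uses: docker/setup-buildx-action@v3
+- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
 - name: Login to private registry
-uses: docker/login-action@v3
+uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ${{ secrets.DOCKER_REG_PRIVATE }}
 username: ${{ secrets.DOCKER_USER }}
@@ -160,7 +165,7 @@ jobs:
 run: |
 echo ${{ steps.dynamic_defaults.outputs.default_file }}
 
-- uses: docker/build-push-action@v6
+- uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 push: ${{ inputs.push }}
 tags: ${{ secrets.DOCKER_REG_PRIVATE }}/${{ matrix.docker_name}}:${{ steps.version.outputs.version_tag_numeric }}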
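Review bot: `uses: ORCID/git-checkout-ref-action@main` in the first hunk is still a mutable branch reference while every other action in this job is now pinned to a full commit SHA, so the pinning is incomplete for a job that later logs in to the private registry; the same context line is left unpinned in bld_mvn.yml and rel_tag.yml. Pinning it the same way, `uses: ORCID/git-checkout-ref-action@<commit-sha> # <tag>`, would close that gap. The new harden-runner step's `egress-policy: audit` only records outbound calls and blocks none, so a comment such as `# audit only: review the reported endpoints before switching to egress-policy: block` would make the intended follow-up explicit; this applies to every workflow in this commit. The enclosing job starts before the hunk.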

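--- a/.github/workflows/bld_mvn.yml
+++ b/.github/workflows/bld_mvn.yml
@@ -53,14 +53,19 @@ jobs:
 bld_mvn:
 runs-on: ubuntu-latest
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+with:
+egress-policy: audit
+
 - name: git-checkout-ref-action
 id: ref
 uses: ORCID/git-checkout-ref-action@main
 with:
 default_branch: ${{ github.event.repository.default_branch }}
 ref: ${{ inputs.ref }}
 
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 ref: ${{ steps.ref.outputs.ref }}
 # checkout some history so we can scan commits for bump messages
@@ -75,7 +80,7 @@ jobs:
 bump: ${{ inputs.bump }}
 
 - name: Set up Open JDK 11
-uses: actions/setup-java@v4
+uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
 with:
 distribution: 'temurin'
 java-version: '11'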

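--- a/.github/workflows/bld_yarn.yml
+++ b/.github/workflows/bld_yarn.yml
@@ -14,8 +14,13 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-node@v4
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+with:
+egress-policy: audit
+
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 'v20.x'
 cache: 'yarn'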

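--- a/.github/workflows/deploy-ui-docs-pr.yml
+++ b/.github/workflows/deploy-ui-docs-pr.yml
@@ -17,14 +17,19 @@ on:
 jobs:
 build-and-deploy-preview:
 runs-on: ubuntu-latest
-
+
 permissions:
 contents: write
 pull-requests: write # To comment on PR with preview URL
-
+
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+with:
+egress-policy: audit
+
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 
@@ -50,7 +55,7 @@ jobs:
 echo "Extracted ticket ID: $TICKET_ID"
 
 - name: Setup Node.js
-uses: actions/setup-node@v4
+uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: '20'
 cache: 'yarn'
@@ -89,7 +94,7 @@ jobs:
 echo "✅ SPA support configured: 404.html created for PR preview"
 
 - name: Deploy to GitHub Pages (PR Preview)
-uses: peaceiris/actions-gh-pages@v3
+uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ${{ steps.set-output.outputs.directory }}
@@ -98,7 +103,7 @@ jobs:
 cname: false
 
 - name: Comment on PR with preview URL
-uses: actions/github-script@v7
+uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 if: github.event_name == 'pull_request'
 with:
 script: |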

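--- a/.github/workflows/deploy-ui-docs.yml
+++ b/.github/workflows/deploy-ui-docs.yml
@@ -17,18 +17,23 @@ on:
 jobs:
 build-and-deploy:
 runs-on: ubuntu-latest
-
+
 permissions:
 contents: write
-
+
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+with:
+egress-policy: audit
+
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 
 - name: Setup Node.js
-uses: actions/setup-node@v4
+uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: '20'
 cache: 'yarn'
@@ -63,7 +68,7 @@ jobs:
 echo "✅ SPA support configured: 404.html created for root deployment"
 
 - name: Deploy to GitHub Pages
-uses: peaceiris/actions-gh-pages@v3
+uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
 if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}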

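--- a/.github/workflows/format_i18n.yml
+++ b/.github/workflows/format_i18n.yml
@@ -8,12 +8,17 @@ jobs:
 format_i18n:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+with:
+egress-policy: audit
+
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 # token with write permissions to protected branches
 # standard github token does not allow this
 token: ${{ secrets.RELEASE_TOKEN }}
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 'v20.x'
 cache: 'yarn'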

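--- a/.github/workflows/format_prettier.yml
+++ b/.github/workflows/format_prettier.yml
@@ -8,13 +8,18 @@ jobs:
 format_prettier:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+with:
+egress-policy: audit
+
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 # token with write permissions to protected branches
 # standard github token does not allow this
 token: ${{ secrets.RELEASE_TOKEN }}
 
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 'v20.x'
 cache: 'yarn'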

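--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -16,8 +16,13 @@ jobs:
 pre-commit:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-python@v5
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+with:
+egress-policy: audit
+
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: '3.10'
 - uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99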
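Review bot: The `- uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99` context line at the end of the hunk is now the only SHA-pinned action in this job without the trailing `# vX.Y.Z` comment the new lines carry, which makes the pin harder to audit by eye and for dependency-update tooling to bump. Adding the tag that SHA resolves to, `- uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99 # <tag this SHA corresponds to>`, keeps the job consistent with the pinning style introduced here. Any further keys of that step lie outside the hunk.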

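--- a/.github/workflows/pull-translations.yml
+++ b/.github/workflows/pull-translations.yml
@@ -20,8 +20,13 @@ jobs:
 TX_TOKEN: ${{ secrets.TRANSIFEX_TOKEN }}
 GH_PAT: ${{ secrets.GH_PAT }}
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+with:
+egress-policy: audit
+
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 # Use GH_PAT so pushes trigger downstream workflows (not GITHUB_TOKEN)
@@ -198,7 +203,7 @@ jobs:
 - name: Open PR to main if differences (PAT)
 if: steps.diff.outputs.differs == 'true' && env.GH_PAT != ''
 id: openpr
-uses: actions/github-script@v7
+uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
 github-token: ${{ env.GH_PAT }}
 script: |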

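--- a/.github/workflows/rel_tag.yml
+++ b/.github/workflows/rel_tag.yml
@@ -56,6 +56,11 @@ jobs:
 rel_tag:
 runs-on: ubuntu-latest
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+with:
+egress-policy: audit
+
 - name: git-checkout-ref-action
 id: ref
 uses: ORCID/git-checkout-ref-action@main
@@ -64,7 +69,7 @@ jobs:
 ref: ${{ inputs.ref }}
 
 
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 # token with write permissions to protected branches
 # standard github token does not allow this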
