diff --git a/.github/workflows/blocked-issue.yml b/.github/workflows/blocked-issue.yml
index aa565ce8..80e9b2a6 100644
--- a/.github/workflows/blocked-issue.yml
+++ b/.github/workflows/blocked-issue.yml
@@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Add blocked label if issue is blocked run: | body=$BODY
diff --git a/.github/workflows/branch-hotfix.yml b/.github/workflows/branch-hotfix.yml
index fe9511b5..9f7af424 100644
--- a/.github/workflows/branch-hotfix.yml
+++ b/.github/workflows/branch-hotfix.yml
@@ -30,7 +30,7 @@ jobs: needs: [get-version] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: ${{ github.head_ref }} - name: Increment Version
@@ -38,7 +38,7 @@ jobs: run: | echo "patch_version=$(($(cat semver.json | jq -r '.patch')+1))" > $GITHUB_OUTPUT - name: Store New Version - uses: Afterlife-Guide/SemVer.Action@1.2.1.19 + uses: Afterlife-Guide/SemVer.Action@a62c1899c671a07f16d200cfc7edaf6b6eaf081b # 1.2.1.19 with: path: semver.json major-version: ${{ needs.get-version.outputs.major }}
@@ -46,7 +46,7 @@ jobs: patch-version: ${{ steps.increment_version.outputs.patch_version }} build-version: ${{ github.run_number }} - name: Update changelog - uses: thomaseizinger/keep-a-changelog-new-release@3.1.0 + uses: thomaseizinger/keep-a-changelog-new-release@f62c3c390716df5af712ba5d94f4f4a8efc1306d # 3.1.0 with: tag: ${{ needs.get-version.outputs.major }}.${{ needs.get-version.outputs.minor }}.${{ steps.increment_version.outputs.patch_version }}.${{ github.run_number }} - name: Commit Changes
diff --git a/.github/workflows/branch-master.yml b/.github/workflows/branch-master.yml
index 5c93e259..14d6596e 100644
--- a/.github/workflows/branch-master.yml
+++ b/.github/workflows/branch-master.yml
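Review bot: The trailing comment on the new `uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4` line records only the floating major tag, so a reader auditing the pin cannot tell which release the SHA was taken from without resolving it against the upstream repository, and `v4` itself keeps moving. Recording the exact release tag the SHA resolves to instead, e.g. `# v4.x.y` (placeholder for the real tag), makes the pin self-describing and is the form Dependabot's github-actions updater keeps in step with the SHA when it bumps it, if that is enabled for this repository. The same major-only comments appear on the `actions/*`, `cake-build/cake-action`, `crazy-max/ghaction-github-labeler`, `linear-b/gitstream-github-action` and `EnricoMi/publish-unit-test-result-action/linux` pins in the other hunks on this page, whereas the `SemVer.Action`, `keep-a-changelog-new-release`, `doxygen-github-pages-action` and `github-action-markdown-cli` pins already carry an exact version. Each SHA should be checked against the tag's commit in the upstream repository before merge, since the hunks give no way to confirm that here.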
@@ -39,7 +39,7 @@ jobs: needs: [publish-to-nuget] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Create Pull Request env: GH_TOKEN: ${{ secrets.CREATE_PR_TOKEN }}
diff --git a/.github/workflows/completed-feature-workflow.yml b/.github/workflows/completed-feature-workflow.yml
index 2db7aea1..2d3f94fe 100644
--- a/.github/workflows/completed-feature-workflow.yml
+++ b/.github/workflows/completed-feature-workflow.yml
@@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Extract Issue Number shell: bash run: echo "##[set-output name=issue;]$(echo ${{ github.event.pull_request.head.ref }} | sed 's|[^0-9]||g')"
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index 54381efd..34210597 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -19,10 +19,10 @@ jobs: # If you do not check out your code, Copilot will do this for you. steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: ref: ${{ inputs.checkout-ref }} - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4 with: dotnet-version: 8.0.x
diff --git a/.github/workflows/draft-new-release.yml b/.github/workflows/draft-new-release.yml
index c8f07d72..b1ef682a 100644
--- a/.github/workflows/draft-new-release.yml
+++ b/.github/workflows/draft-new-release.yml
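Review bot: The `Extract Issue Number` step directly below the newly pinned checkout in completed-feature-workflow.yml still expands `${{ github.event.pull_request.head.ref }}` inside its `run:` script, so the branch name is spliced into the shell command text before bash runs it; if this workflow is triggered by pull requests from forks, that value is chosen by the PR author, which is the expression-injection pattern GitHub's workflow-hardening guidance tells you to avoid. The trigger is outside the hunk, so whether the ref is untrusted cannot be confirmed here, and the line predates this commit, but a supply-chain hardening change is the natural place to close it. The safe shape is the one in-progress-feature-workflow.yml already uses with `${GITHUB_REF#refs/heads/}`: pass the value through the environment, `env:` with `HEAD_REF: ${{ github.event.pull_request.head.ref }}`, then `run: echo "issue=$(echo "$HEAD_REF" | sed 's|[^0-9]||g')" >> "$GITHUB_OUTPUT"`. That rewrite also retires the `##[set-output name=issue;]` workflow command, which GitHub has deprecated in favour of writing to `$GITHUB_OUTPUT` as branch-hotfix.yml already does; in-progress-feature-workflow.yml carries the same legacy command.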
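Review bot: copilot-setup-steps.yml pins `actions/checkout` to the v4 commit `08eba0b27e820071cde6df949e0beb9ba4906955` and `actions/setup-dotnet` to the v4 commit `67a3573c9a986a3f9c594539f4ab511d57bb3ce9`, while step-build.yml, step-mutation-testing.yml and step-publish-package.yml pin the same two actions at v5 (`08c6903cd8c0fde910a37f88322edcfb5dd907a8` and `d4c94342e560b34958eacfc5d055d21461ed1c5d`); blocked-issue.yml and static-analysis.yml also remain on the v4 checkout. Carrying two pinned majors of one action doubles the set of SHAs that has to be reviewed and bumped whenever an advisory lands and makes a stray or stale pin harder to notice in a grep. Unless this job needs v4 behaviour, aligning it with the rest of the repository, `uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5` and `uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5`, keeps a single update stream per action. Nothing in the hunk shows a dependency on v4, so this is a consistency point rather than a defect.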
@@ -19,12 +19,12 @@ jobs: name: "Draft a new release" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Create release branch run: git checkout -b release/${{ github.event.inputs.major_version }}.${{ github.event.inputs.minor_version }}.${{ github.event.inputs.patch_version }}.${{ github.run_number }} - name: Update Version Number - uses: Afterlife-Guide/SemVer.Action@1.2.1.19 + uses: Afterlife-Guide/SemVer.Action@a62c1899c671a07f16d200cfc7edaf6b6eaf081b # 1.2.1.19 with: path: semver.json major-version: ${{ github.event.inputs.major_version }}
@@ -33,7 +33,7 @@ jobs: build-version: ${{ github.run_number }} - name: Update changelog - uses: thomaseizinger/keep-a-changelog-new-release@3.1.0 + uses: thomaseizinger/keep-a-changelog-new-release@f62c3c390716df5af712ba5d94f4f4a8efc1306d # 3.1.0 with: tag: ${{ github.event.inputs.major_version }}.${{ github.event.inputs.minor_version }}.${{ github.event.inputs.patch_version }}.${{ github.run_number }}
diff --git a/.github/workflows/gitstream.yml b/.github/workflows/gitstream.yml
index 5356846a..938b6388 100644
--- a/.github/workflows/gitstream.yml
+++ b/.github/workflows/gitstream.yml
@@ -35,7 +35,7 @@ jobs: name: gitStream workflow automation steps: - name: Evaluate Rules - uses: linear-b/gitstream-github-action@v2 + uses: linear-b/gitstream-github-action@3614828f9c5629e95e9ac40e3bb5deb44fcd0a18 # v2 id: rules-engine with: full_repository: ${{ github.event.inputs.full_repository }}
diff --git a/.github/workflows/in-progress-feature-workflow.yml b/.github/workflows/in-progress-feature-workflow.yml
index b3d80d45..1edf3e39 100644
--- a/.github/workflows/in-progress-feature-workflow.yml
+++ b/.github/workflows/in-progress-feature-workflow.yml
@@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Extract Issue Number shell: bash run: echo "##[set-output name=issue;]$(echo ${GITHUB_REF#refs/heads/} | sed 's|[^0-9]||g')"
diff --git a/.github/workflows/label-configurer.yml b/.github/workflows/label-configurer.yml
index 6558c187..2e8fd1ba 100644
--- a/.github/workflows/label-configurer.yml
+++ b/.github/workflows/label-configurer.yml
@@ -11,9 +11,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Run Labeler - uses: crazy-max/ghaction-github-labeler@v5 + uses: crazy-max/ghaction-github-labeler@24d110aa46a59976b8a7f35518cb7f14f434c916 # v5 with: github-token: ${{ secrets.GITHUB_TOKEN }} exclude: |
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 4a1ca834..a8ce6a70 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest environment: github-pages steps: - - uses: DenverCoder1/doxygen-github-pages-action@v2.0.0 + - uses: DenverCoder1/doxygen-github-pages-action@a30f9538f8ef1305aeceb563018f452c7a62d200 # v2.0.0 with: github_token: ${{ secrets.PUBLISH_DOCS_TOKEN }} branch: gh-pages
diff --git a/.github/workflows/stale-issues-prs.yml b/.github/workflows/stale-issues-prs.yml
index 2a75f20e..54bb9f65 100644
--- a/.github/workflows/stale-issues-prs.yml
+++ b/.github/workflows/stale-issues-prs.yml
@@ -11,7 +11,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v10 + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10 with: days-before-issue-stale: 30 days-before-issue-close: 14
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 1d2857c2..fbefee8b 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -28,22 +28,22 @@ jobs: runs-on: ubuntu-latest steps: - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4 with: java-version: 17 distribution: 'zulu' - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: fetch-depth: 0 # This disables shallow clones. This allows SonarQube to access the history of the project to perform analysis. - name: Cache SonarQube Cloud packages - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar restore-keys: ${{ runner.os }}-sonar - name: Cache SonarQube Cloud scanner id: cache-sonar-scanner - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: .sonar/scanner key: ${{ runner.os }}-sonar-scanner
diff --git a/.github/workflows/step-build.yml b/.github/workflows/step-build.yml
index 4e94a4c6..4d6c05bd 100644
--- a/.github/workflows/step-build.yml
+++ b/.github/workflows/step-build.yml
@@ -18,43 +18,43 @@ jobs: run: | echo "Branch: ${{ inputs.checkout-ref }}" - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: ${{ inputs.checkout-ref }} - name: Setup .NET Core - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5 with: dotnet-version: 8.0.x - name: Restore - uses: cake-build/cake-action@v3 + uses: cake-build/cake-action@82c155d0304bc759d2d5b2cf24d5238b79dcb469 # v3 with: target: Restore - name: Build - uses: cake-build/cake-action@v3 + uses: cake-build/cake-action@82c155d0304bc759d2d5b2cf24d5238b79dcb469 # v3 with: target: Build arguments: | versionNumber: ${{inputs.version}} - name: Run tests - uses: cake-build/cake-action@v3 + uses: cake-build/cake-action@82c155d0304bc759d2d5b2cf24d5238b79dcb469 # v3 env: TestPath: /home/runner/work/Html2Markdown/Html2Markdown/test/Html2Markdown.Test/Files/ with: target: Test - name: Publish Unit Test Results if: ${{ github.actor != 'dependabot[bot]' }} - uses: EnricoMi/publish-unit-test-result-action/linux@v2 + uses: EnricoMi/publish-unit-test-result-action/linux@6e8f8c55b476f977d1c58cfbd7e337cbf86d917f # v2 with: files: "**/TestResults/*.xml" - name: Build NuGet Package - uses: cake-build/cake-action@v3 + uses: cake-build/cake-action@82c155d0304bc759d2d5b2cf24d5238b79dcb469 # v3 with: target: Pack arguments: | versionNumber: ${{inputs.version}} - name: Upload Package if: ${{ github.actor != 'dependabot[bot]' }} - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 with: name: Html2Markdown path: ./src/Html2Markdown/bin/Release/*.nupkg
\ No newline at end of file
diff --git a/.github/workflows/step-check-markdown.yml b/.github/workflows/step-check-markdown.yml
index 121f6134..e74ba09e 100644
--- a/.github/workflows/step-check-markdown.yml
+++ b/.github/workflows/step-check-markdown.yml
@@ -6,7 +6,7 @@ jobs: runs-on: ubuntu-latest steps: - name: markdownlint-cli - uses: nosborn/github-action-markdown-cli@v3.3.0 + uses: nosborn/github-action-markdown-cli@f5d8cad27b5690b173425c45f762f8662ecf47e8 # v3.3.0 with: files: . config_file: .markdownlint.json
diff --git a/.github/workflows/step-mutation-testing.yml b/.github/workflows/step-mutation-testing.yml
index 2a92284f..1f13293e 100644
--- a/.github/workflows/step-mutation-testing.yml
+++ b/.github/workflows/step-mutation-testing.yml
@@ -15,11 +15,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 - name: Setup .NET Core - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5 with: dotnet-version: ${{ env.MAJOR_DOTNET_VERSION }}.0.x - name: Install Stryker
@@ -29,7 +29,7 @@ jobs: run: | dotnet stryker --since:${{ inputs.comparison }} - name: Upload Report - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 with: name: Mutation-Report path: ./StrykerOutput/*/reports/mutation-report.html
\ No newline at end of file
diff --git a/.github/workflows/step-publish-package.yml b/.github/workflows/step-publish-package.yml
index 89630f25..b12e8aeb 100644
--- a/.github/workflows/step-publish-package.yml
+++ b/.github/workflows/step-publish-package.yml
@@ -24,12 +24,12 @@ jobs: environment: ${{ inputs.deploy-env }} steps: - name: Download Package - uses: actions/download-artifact@v6 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 with: name: ${{ inputs.package-name }} path: ./src/Html2Markdown/bin/Release - name: Setup .NET Core - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5 with: dotnet-version: 8.0.x - name: Push package to NuGet
diff --git a/.github/workflows/step-tag-release.yml b/.github/workflows/step-tag-release.yml
index 6aa0f938..2095e0b0 100644
--- a/.github/workflows/step-tag-release.yml
+++ b/.github/workflows/step-tag-release.yml
@@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Create tag run: | git config --global user.name "GitHub Action Bot"
diff --git a/.github/workflows/step-version.yml b/.github/workflows/step-version.yml
index f65224fa..89bd53ed 100644
--- a/.github/workflows/step-version.yml
+++ b/.github/workflows/step-version.yml
@@ -39,10 +39,10 @@ jobs: build: ${{ steps.set-version.outputs.build }} steps: - name: Get Code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Get Version id: get-version - uses: Afterlife-Guide/SemVer.Action@1.2.1.19 + uses: Afterlife-Guide/SemVer.Action@a62c1899c671a07f16d200cfc7edaf6b6eaf081b # 1.2.1.19 with: path: 'semver.json' - id: set-version
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6075d5d4..a2979bf6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Security + +- Pinned all third-party GitHub Actions to full commit SHA1 hashes for improved security (#643) + ### Changed - Migrated from HtmlAgilityPack to AngleSharp for HTML parsing (#580)