Security: Pin all actions to commit SHAs and upgrade checkout/setup-python

jmrplens · jmrplens · commit 562e8491c28b · 2026-01-05T20:29:15.000+01:00
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
@@ -13,11 +13,11 @@ jobs:
   ci:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2
       with:
         fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
     - name: Set up Python 3.13
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.3.0
       with:
         python-version: "3.13"
     - name: Install dependencies
@@ -47,23 +47,22 @@ jobs:
         python generate_graphs.py
 
     - name: Snyk Security Scan
-      uses: snyk/actions/python@9adf32b1121593767fc3c057af55b55db032dc04
+      uses: snyk/actions/python@9adf32b1121593767fc3c057af55b55db032dc04 # master
       env:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       continue-on-error: true
       with:
         args: --sarif-file-output=snyk.sarif
 
     - name: Upload Snyk scan results to GitHub Code Scanning
-      uses: github/codeql-action/upload-sarif@6bb031afdd747485962ca697cffec0a92e622a33
+      uses: github/codeql-action/upload-sarif@45c373516f557556c15d420e3f5e0aa3d64366bc # v3.28.5
       continue-on-error: true
       with:
         sarif_file: snyk.sarif
 
     - name: SonarQube Scan
-      uses: SonarSource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203
+      uses: SonarSource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1
       env:
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         GITHUB_TOKEN: ${{ secrets.TOKEN_GH }}
-      continue-on-error: true
-
+      continue-on-error: true
