
Commit 82600b4

[StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot <[email protected]>
1 parent f2e1fb0 commit 82600b4

23 files changed

+114
-104
lines changed

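--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,3 +16,13 @@ updates:
 applies-to: version-updates
 patterns:
 - "*"
+
+- package-ecosystem: pip
+directory: /htmlreport
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /
+schedule:
+interval: daily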
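Review bot: The two added `pip` entries (for `/htmlreport` and `/`) check daily with no `cooldown`, so a release is proposed on the day it is published, which is when a compromised or yanked package is least likely to have been caught. Consider adding `cooldown:` with `default-days: 7` under each entry. They also omit the `groups` block that the preceding entry appears to use (its `applies-to`/`patterns` tail is visible as context), so each outdated package would get its own pull request; whether that is intended cannot be told from the hunk.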

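--- a/.github/workflows/CI-cygwin.yml
+++ b/.github/workflows/CI-cygwin.yml
@@ -37,12 +37,12 @@ jobs:
 runs-on: ${{ matrix.os }}
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: Set up Cygwin
-uses: cygwin/cygwin-install-action@master
+uses: cygwin/cygwin-install-action@b9bf9147075ee9811ac11beee9351eeb93e2f2fb # master
 with:
 platform: ${{ matrix.platform }}
 packages: ${{ matrix.packages }}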
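Review bot: The pin on `cygwin/cygwin-install-action` carries the comment `# master`, which records a branch rather than a release, so nothing on the line tells a reader how old the pinned commit is or what it should be bumped to. If the action publishes tagged releases, pin the commit of a tag and name that tag in the comment; otherwise record the date, e.g. `# master @ <YYYY-MM-DD>` (placeholder). The same applies to the two `google/oss-fuzz/infra/cifuzz/actions/*` pins commented `# master` in `.github/workflows/cifuzz.yml`.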

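--- a/.github/workflows/CI-mingw.yml
+++ b/.github/workflows/CI-mingw.yml
@@ -33,12 +33,12 @@ jobs:
 timeout-minutes: 19 # max + 3*std of the last 7K runs
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: Set up MSYS2
-uses: msys2/setup-msys2@v2
+uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2.29.0
 with:
 release: false # use pre-installed
 # TODO: install mingw-w64-x86_64-make and use mingw32.make instead - currently fails with "Windows Subsystem for Linux has no installed distributions."
@@ -49,7 +49,7 @@ jobs:
 mingw-w64-x86_64-gcc
 
 - name: ccache
-uses: hendrikmuhs/[email protected]
+uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
 with:
 key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}
 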
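Review bot: Replacing floating refs such as `msys2/setup-msys2@v2` and `actions/checkout@v6` with full commit SHAs stops these steps from picking up upstream fixes on their own, so the pins are only as current as whatever bumps them. The `github-actions` part of `.github/dependabot.yml` is outside the visible hunk; confirm it exists and covers the workflow directory, otherwise the SHAs in this and the other workflow files will age silently. The trailing `# v2.29.0`-style comments are not checked by the runner, so each SHA should be compared against the upstream tag once during review.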

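--- a/.github/workflows/CI-unixish-docker.yml
+++ b/.github/workflows/CI-unixish-docker.yml
@@ -38,7 +38,7 @@ jobs:
 image: ${{ matrix.image }}
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
@@ -56,7 +56,7 @@ jobs:
 # needs to be called after the package installation since
 # - it doesn't call "apt-get update"
 - name: ccache
-uses: hendrikmuhs/[email protected]
+uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
 with:
 key: ${{ github.workflow }}-${{ matrix.image }}
 
@@ -91,7 +91,7 @@ jobs:
 image: ${{ matrix.image }}
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
@@ -104,7 +104,7 @@ jobs:
 # needs to be called after the package installation since
 # - it doesn't call "apt-get update"
 - name: ccache
-uses: hendrikmuhs/[email protected]
+uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
 with:
 key: ${{ github.workflow }}-${{ matrix.image }}
 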

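--- a/.github/workflows/CI-unixish.yml
+++ b/.github/workflows/CI-unixish.yml
@@ -30,12 +30,12 @@ jobs:
 CCACHE_SLOPPINESS: pch_defines,time_macros
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: ccache
-uses: hendrikmuhs/[email protected]
+uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
 with:
 key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}
 
@@ -85,19 +85,19 @@ jobs:
 CCACHE_SLOPPINESS: pch_defines,time_macros
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: ccache
-uses: hendrikmuhs/[email protected]
+uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
 with:
 key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}
 
 # TODO: move latest compiler to separate step
 # TODO: bail out on warnings with latest GCC
 - name: Set up GCC
-uses: egor-tensin/setup-gcc@v1
+uses: egor-tensin/setup-gcc@eaa888eb19115a521fa72b65cd94fe1f25bbcaac # v1.3
 if: false # matrix.os == 'ubuntu-22.04'
 with:
 version: 13
@@ -201,12 +201,12 @@ jobs:
 runs-on: ${{ matrix.os }}
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: ccache
-uses: hendrikmuhs/[email protected]
+uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
 with:
 key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}
 
@@ -235,12 +235,12 @@ jobs:
 runs-on: ${{ matrix.os }}
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: ccache
-uses: hendrikmuhs/[email protected]
+uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
 with:
 key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}
 
@@ -269,7 +269,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
@@ -297,12 +297,12 @@ jobs:
 CCACHE_SLOPPINESS: pch_defines,time_macros
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: ccache
-uses: hendrikmuhs/[email protected]
+uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
 with:
 key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}
 
@@ -359,12 +359,12 @@ jobs:
 runs-on: ${{ matrix.os }}
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: ccache
-uses: hendrikmuhs/[email protected]
+uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
 with:
 key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}
 
@@ -597,12 +597,12 @@ jobs:
 runs-on: ubuntu-22.04 # run on the latest image only
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: ccache
-uses: hendrikmuhs/[email protected]
+uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
 with:
 key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}
 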
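Review bot: In the second hunk the `Set up GCC` step is now pinned to a commit of `egor-tensin/setup-gcc` (commented `# v1.3`) but is guarded by `if: false`, so the pinned action never runs and a wrong or stale SHA there would go unnoticed. Either drop the dead step or mark it, e.g. `# disabled; pin is not exercised by CI`, so that later automated bumps of this line are not mistaken for tested changes.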

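--- a/.github/workflows/CI-windows.yml
+++ b/.github/workflows/CI-windows.yml
@@ -33,17 +33,17 @@ jobs:
 runs-on: ${{ matrix.os }}
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: Set up Visual Studio environment
-uses: ilammy/msvc-dev-cmd@v1
+uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
 with:
 arch: x64
 
 - name: Install Qt ${{ matrix.qt_ver }}
-uses: jurplel/install-qt-action@v4
+uses: jurplel/install-qt-action@d325aaf2a8baeeda41ad0b5d39f84a6af9bcf005 # v4.3.0
 with:
 version: ${{ matrix.qt_ver }}
 modules: 'qtcharts'
@@ -87,25 +87,25 @@ jobs:
 PCRE_VERSION: 8.45
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: Set up Python
 if: matrix.config == 'release'
-uses: actions/setup-python@v6
+uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: '3.14'
 check-latest: true
 
 - name: Set up Visual Studio environment
-uses: ilammy/msvc-dev-cmd@v1
+uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
 with:
 arch: x64
 
 - name: Cache PCRE
 id: cache-pcre
-uses: actions/cache@v4
+uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 externals\pcre.h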

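--- a/.github/workflows/asan.yml
+++ b/.github/workflows/asan.yml
@@ -28,17 +28,17 @@ jobs:
 CCACHE_SLOPPINESS: pch_defines,time_macros
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - name: ccache
-uses: hendrikmuhs/[email protected]
+uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
 with:
 key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}
 
 - name: Set up Python
-uses: actions/setup-python@v6
+uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: '3.14'
 check-latest: true
@@ -57,7 +57,7 @@ jobs:
 sudo ./llvm.sh 21
 
 - name: Install Qt ${{ env.QT_VERSION }}
-uses: jurplel/install-qt-action@v4
+uses: jurplel/install-qt-action@d325aaf2a8baeeda41ad0b5d39f84a6af9bcf005 # v4.3.0
 with:
 version: ${{ env.QT_VERSION }}
 modules: 'qtcharts'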
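Review bot: The context of the second hunk runs `sudo ./llvm.sh 21`, and this commit pins the actions around it but leaves that script as it was. If `llvm.sh` is downloaded at run time (the fetch is above the hunk and not visible here), it is an unpinned input executed as root, which is the same class of risk the SHA pins address. A checksum gate before execution would close it, e.g. `echo "<expected-sha256>  llvm.sh" | sha256sum -c -` (placeholder hash), with the expected value recorded in the workflow.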

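--- a/.github/workflows/buildman.yml
+++ b/.github/workflows/buildman.yml
@@ -19,34 +19,34 @@ jobs:
 convert_via_pandoc:
 runs-on: ubuntu-24.04
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
 - run: |
 mkdir output
 
-- uses: docker://pandoc/latex:3.6.3
+- uses: docker://pandoc/latex:3.6.3@sha256:48831aabd0a24e180a34c0bc5dd09792af43dbd7c2a2d394fbc6b10f9c48fe50
 with:
 args: --output=output/manual.html man/manual.md
 
-- uses: docker://pandoc/latex:3.6.3
+- uses: docker://pandoc/latex:3.6.3@sha256:48831aabd0a24e180a34c0bc5dd09792af43dbd7c2a2d394fbc6b10f9c48fe50
 with:
 args: --output=output/manual.pdf man/manual.md
 
-- uses: docker://pandoc/latex:3.6.3
+- uses: docker://pandoc/latex:3.6.3@sha256:48831aabd0a24e180a34c0bc5dd09792af43dbd7c2a2d394fbc6b10f9c48fe50
 with:
 args: --output=output/manual-premium.pdf man/manual-premium.md
 
-- uses: actions/upload-artifact@v5
+- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 with:
 name: output
 path: output
 
 manpage:
 runs-on: ubuntu-22.04
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
@@ -59,7 +59,7 @@ jobs:
 run: |
 make man
 
-- uses: actions/upload-artifact@v5
+- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 with:
 name: cppcheck.1
 path: cppcheck.1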
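Review bot: In the three `docker://pandoc/latex:3.6.3@sha256:…` steps the digest decides which image is pulled and the `3.6.3` tag becomes documentation only, so the two can drift apart if someone later edits one without the other. Add a comment above the first use, e.g. `# digest of pandoc/latex:3.6.3; change tag and digest together`. It is also worth confirming that the repository's update tooling bumps `docker://` references in `uses:`; if it does not, this digest stays frozen until someone updates it by hand.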

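--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -14,20 +14,20 @@ jobs:
 steps:
 - name: Build Fuzzers
 id: build
-uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@a0ac9cb62cbbbec7fe9a795ce5eab043f4564f77 # master
 with:
 oss-fuzz-project-name: 'cppcheck'
 dry-run: false
 language: c++
 - name: Run Fuzzers
-uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@a0ac9cb62cbbbec7fe9a795ce5eab043f4564f77 # master
 with:
 oss-fuzz-project-name: 'cppcheck'
 fuzz-seconds: 300
 dry-run: false
 language: c++
 - name: Upload Crash
-uses: actions/upload-artifact@v5
+uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 if: failure() && steps.build.outcome == 'success'
 with:
 name: artifacts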
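Review bot: The SHA pins on `build_fuzzers` and `run_fuzzers` fix the action definition but possibly not everything it executes. These appear to be container actions, and if their Dockerfiles build on a base image referenced by a mutable tag (worth confirming in the pinned oss-fuzz commit), the fuzzing environment can still change under the pin. A short comment on the steps, e.g. `# action pinned; base image is resolved upstream at run time`, would keep the pin from being read as full immutability.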

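--- a/.github/workflows/clang-tidy.yml
+++ b/.github/workflows/clang-tidy.yml
@@ -27,7 +27,7 @@ jobs:
 QT_VERSION: 6.10.0
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 
@@ -47,7 +47,7 @@ jobs:
 sudo apt-get install -y clang-tidy-21
 
 - name: Install Qt ${{ env.QT_VERSION }}
-uses: jurplel/install-qt-action@v4
+uses: jurplel/install-qt-action@d325aaf2a8baeeda41ad0b5d39f84a6af9bcf005 # v4.3.0
 with:
 version: ${{ env.QT_VERSION }}
 modules: 'qtcharts'
@@ -86,7 +86,7 @@ jobs:
 run: |
 cmake --build cmake.output --target run-clang-tidy-csa 2> /dev/null
 
-- uses: actions/upload-artifact@v5
+- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 if: success() || failure()
 with:
 name: Compilation Database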
