Skip to content

Improve CI security and maintanability #8034

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Harvester57 wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Improve CI security and maintanability #8034

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
59fc1db
Create dependabot.yml
Harvester57 Dec 8, 2025
f2b78a1
actions: bump the actions-dependencies group with 5 updates
dependabot[bot] Dec 8, 2025
f2e1fb0
Merge pull request #1 from Harvester57/dependabot/github_actions/acti…
Harvester57 Dec 8, 2025
9a911ef
actions: bump actions/cache in the actions-dependencies group
dependabot[bot] Dec 12, 2025
2d5dde9
Merge pull request #3 from Harvester57/dependabot/github_actions/acti…
Harvester57 Dec 13, 2025
e7f0ee6
Merge branch 'danmar:main' into main
Harvester57 Dec 13, 2025
e11ded1
[StepSecurity] ci: Harden GitHub Actions
step-security-bot Dec 13, 2025
0363a4a
Update Cygwin install action to version 6
Harvester57 Dec 13, 2025
549302b
Merge pull request #4 from step-security-bot/chore/GHA-131157-stepsec…
Harvester57 Dec 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
commit-message:
prefix: "actions"
schedule:
interval: "daily"
groups:
actions-dependencies:
applies-to: version-updates
patterns:
- "*"
4 changes: 2 additions & 2 deletions .github/workflows/CI-cygwin.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,12 +37,12 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: Set up Cygwin
uses: cygwin/cygwin-install-action@master
uses: cygwin/cygwin-install-action@f2009323764960f80959895c7bc3bb30210afe4d # v6
with:
platform: ${{ matrix.platform }}
packages: ${{ matrix.packages }}
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/CI-mingw.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,12 +33,12 @@ jobs:
timeout-minutes: 19 # max + 3*std of the last 7K runs

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: Set up MSYS2
uses: msys2/setup-msys2@v2
uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2.29.0
with:
release: false # use pre-installed
# TODO: install mingw-w64-x86_64-make and use mingw32.make instead - currently fails with "Windows Subsystem for Linux has no installed distributions."
Expand All @@ -49,7 +49,7 @@ jobs:
mingw-w64-x86_64-gcc

- name: ccache
uses: hendrikmuhs/[email protected]
uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
with:
key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}

Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/CI-unixish-docker.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ jobs:
image: ${{ matrix.image }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

Expand All @@ -56,7 +56,7 @@ jobs:
# needs to be called after the package installation since
# - it doesn't call "apt-get update"
- name: ccache
uses: hendrikmuhs/[email protected]
uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
with:
key: ${{ github.workflow }}-${{ matrix.image }}

Expand Down Expand Up @@ -91,7 +91,7 @@ jobs:
image: ${{ matrix.image }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

Expand All @@ -104,7 +104,7 @@ jobs:
# needs to be called after the package installation since
# - it doesn't call "apt-get update"
- name: ccache
uses: hendrikmuhs/[email protected]
uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
with:
key: ${{ github.workflow }}-${{ matrix.image }}

Expand Down
32 changes: 16 additions & 16 deletions .github/workflows/CI-unixish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,12 +30,12 @@ jobs:
CCACHE_SLOPPINESS: pch_defines,time_macros

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: ccache
uses: hendrikmuhs/[email protected]
uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
with:
key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}

Expand Down Expand Up @@ -85,19 +85,19 @@ jobs:
CCACHE_SLOPPINESS: pch_defines,time_macros

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: ccache
uses: hendrikmuhs/[email protected]
uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
with:
key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}

# TODO: move latest compiler to separate step
# TODO: bail out on warnings with latest GCC
- name: Set up GCC
uses: egor-tensin/setup-gcc@v1
uses: egor-tensin/setup-gcc@eaa888eb19115a521fa72b65cd94fe1f25bbcaac # v1.3
if: false # matrix.os == 'ubuntu-22.04'
with:
version: 13
Expand Down Expand Up @@ -201,12 +201,12 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: ccache
uses: hendrikmuhs/[email protected]
uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
with:
key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}

Expand Down Expand Up @@ -235,12 +235,12 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: ccache
uses: hendrikmuhs/[email protected]
uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
with:
key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}

Expand Down Expand Up @@ -269,7 +269,7 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

Expand Down Expand Up @@ -297,12 +297,12 @@ jobs:
CCACHE_SLOPPINESS: pch_defines,time_macros

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: ccache
uses: hendrikmuhs/[email protected]
uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
with:
key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}

Expand Down Expand Up @@ -359,12 +359,12 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: ccache
uses: hendrikmuhs/[email protected]
uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
with:
key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}

Expand Down Expand Up @@ -597,12 +597,12 @@ jobs:
runs-on: ubuntu-22.04 # run on the latest image only

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: ccache
uses: hendrikmuhs/[email protected]
uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
with:
key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}

Expand Down
14 changes: 7 additions & 7 deletions .github/workflows/CI-windows.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,17 +33,17 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: Set up Visual Studio environment
uses: ilammy/msvc-dev-cmd@v1
uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
with:
arch: x64

- name: Install Qt ${{ matrix.qt_ver }}
uses: jurplel/install-qt-action@v4
uses: jurplel/install-qt-action@d325aaf2a8baeeda41ad0b5d39f84a6af9bcf005 # v4.3.0
with:
version: ${{ matrix.qt_ver }}
modules: 'qtcharts'
Expand Down Expand Up @@ -87,25 +87,25 @@ jobs:
PCRE_VERSION: 8.45

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: Set up Python
if: matrix.config == 'release'
uses: actions/setup-python@v5
uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
with:
python-version: '3.14'
check-latest: true

- name: Set up Visual Studio environment
uses: ilammy/msvc-dev-cmd@v1
uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
with:
arch: x64

- name: Cache PCRE
id: cache-pcre
uses: actions/cache@v4
uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
with:
path: |
externals\pcre.h
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/asan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,17 +28,17 @@ jobs:
CCACHE_SLOPPINESS: pch_defines,time_macros

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- name: ccache
uses: hendrikmuhs/[email protected]
uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2.20
with:
key: ${{ github.workflow }}-${{ github.job }}-${{ matrix.os }}

- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
with:
python-version: '3.14'
check-latest: true
Expand All @@ -57,7 +57,7 @@ jobs:
sudo ./llvm.sh 21

- name: Install Qt ${{ env.QT_VERSION }}
uses: jurplel/install-qt-action@v4
uses: jurplel/install-qt-action@d325aaf2a8baeeda41ad0b5d39f84a6af9bcf005 # v4.3.0
with:
version: ${{ env.QT_VERSION }}
modules: 'qtcharts'
Expand Down
14 changes: 7 additions & 7 deletions .github/workflows/buildman.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,34 +19,34 @@ jobs:
convert_via_pandoc:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

- run: |
mkdir output

- uses: docker://pandoc/latex:3.6.3
- uses: docker://pandoc/latex:3.6.3@sha256:48831aabd0a24e180a34c0bc5dd09792af43dbd7c2a2d394fbc6b10f9c48fe50
with:
args: --output=output/manual.html man/manual.md

- uses: docker://pandoc/latex:3.6.3
- uses: docker://pandoc/latex:3.6.3@sha256:48831aabd0a24e180a34c0bc5dd09792af43dbd7c2a2d394fbc6b10f9c48fe50
with:
args: --output=output/manual.pdf man/manual.md

- uses: docker://pandoc/latex:3.6.3
- uses: docker://pandoc/latex:3.6.3@sha256:48831aabd0a24e180a34c0bc5dd09792af43dbd7c2a2d394fbc6b10f9c48fe50
with:
args: --output=output/manual-premium.pdf man/manual-premium.md

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: output
path: output

manpage:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

Expand All @@ -59,7 +59,7 @@ jobs:
run: |
make man

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: cppcheck.1
path: cppcheck.1
6 changes: 3 additions & 3 deletions .github/workflows/cifuzz.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,20 +14,20 @@ jobs:
steps:
- name: Build Fuzzers
id: build
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@6f5791d8b0ca004e5d35f8d75407347c7848f3b0 # master
with:
oss-fuzz-project-name: 'cppcheck'
dry-run: false
language: c++
- name: Run Fuzzers
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@6f5791d8b0ca004e5d35f8d75407347c7848f3b0 # master
with:
oss-fuzz-project-name: 'cppcheck'
fuzz-seconds: 300
dry-run: false
language: c++
- name: Upload Crash
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
if: failure() && steps.build.outcome == 'success'
with:
name: artifacts
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/clang-tidy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
QT_VERSION: 6.10.0

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false

Expand All @@ -47,7 +47,7 @@ jobs:
sudo apt-get install -y clang-tidy-21

- name: Install Qt ${{ env.QT_VERSION }}
uses: jurplel/install-qt-action@v4
uses: jurplel/install-qt-action@d325aaf2a8baeeda41ad0b5d39f84a6af9bcf005 # v4.3.0
with:
version: ${{ env.QT_VERSION }}
modules: 'qtcharts'
Expand Down Expand Up @@ -86,7 +86,7 @@ jobs:
run: |
cmake --build cmake.output --target run-clang-tidy-csa 2> /dev/null

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
if: success() || failure()
with:
name: Compilation Database
Expand Down
Loading