Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pin non-immutable Actions to latest SHA and remediate dependency vulnerability #720

Merged
merged 7 commits into from
Dec 26, 2024

Conversation

lindluni
Copy link
Contributor

@lindluni lindluni commented Dec 26, 2024

This PR resolves all CodeQL and Dependabot alerts by:

  • Using npm audit fix to patch only the vulnerable deps
  • Pinning the SHA's of all immutable Actions (this will also allow us to leverage Dependabot for more frequent updates)
  • Add workflow permissions to files
  • Delete a dead reusable workflow

Signed-off-by: Brett Logan <lindluni@github.com>
Signed-off-by: Brett Logan <lindluni@github.com>
Signed-off-by: Brett Logan <lindluni@github.com>
Signed-off-by: Brett Logan <lindluni@github.com>
Signed-off-by: Brett Logan <lindluni@github.com>
@Copilot Copilot bot review requested due to automatic review settings December 26, 2024 14:57

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

Files not reviewed (1)
  • package.json: Language not supported

Tip: Turn on automatic Copilot reviews for this repository to get quick feedback on every pull request. Learn more

@lindluni lindluni changed the title Pin non-immutable Actions to latest SHA Pin non-immutable Actions to latest SHA and remediate dependency vulnerability Dec 26, 2024
Signed-off-by: Brett Logan <lindluni@github.com>
Signed-off-by: Brett Logan <lindluni@github.com>
@lindluni lindluni requested a review from decyjphr December 26, 2024 15:06
@lindluni
Copy link
Contributor Author

@decyjphr, this PR will fix all security-findings flagging issues.

@lindluni lindluni requested a review from Copilot December 26, 2024 15:08

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 6 out of 8 changed files in this pull request and generated no comments.

Files not reviewed (2)
  • .github/actions/codeql-analysis/action.yml: Language not supported
  • package.json: Language not supported

Tip: Turn on automatic Copilot reviews for this repository to get quick feedback on every pull request. Learn more

Copy link
Collaborator

@decyjphr decyjphr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @lindluni

@decyjphr decyjphr merged commit c1bc922 into main-enterprise Dec 26, 2024
5 checks passed
@decyjphr decyjphr deleted the lindluni-actions-fixes branch December 26, 2024 16:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants