From 0ea7952a7112764d52a3fcabd1ab8956061745bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=90=D0=BB=D0=B5=D0=BA=D1=81=D0=B5=D0=B9=20=D0=97=D0=BE?= =?UTF-8?q?=D1=80=D0=B8=D0=BD?= Date: Tue, 14 Jul 2026 21:27:51 +0400 Subject: [PATCH] =?UTF-8?q?security:=20SHA-=D0=BF=D0=B8=D0=BD=D0=BD=D0=B8?= =?UTF-8?q?=D0=BD=D0=B3=20=D0=B2=D1=81=D0=B5=D1=85=20=D1=8D=D0=BA=D1=88?= =?UTF-8?q?=D0=B5=D0=BD=D0=BE=D0=B2=20=D0=B8=20permissions=20CodeQL?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Все 43 вызова сторонних экшенов закреплены на коммит-SHA с комментарием исходной версии (типоискатель переведён с плавающего master на релиз); CodeQL-workflow получил явные минимальные permissions. Требования чеков Pinned-Dependencies и Token-Permissions OpenSSF Scorecard. --- .github/workflows/attest-release.yml | 6 +++--- .github/workflows/auto-merge.yml | 2 +- .github/workflows/benchmark.yml | 6 +++--- .github/workflows/codeql.yml | 11 ++++++++--- .github/workflows/dependency-review.yml | 4 ++-- .github/workflows/deploy-pages.yml | 10 +++++----- .github/workflows/greetings.yml | 2 +- .github/workflows/labeler.yml | 2 +- .github/workflows/links.yml | 4 ++-- .github/workflows/lint-docs.yml | 6 +++--- .github/workflows/lock.yml | 2 +- .github/workflows/pr-title.yml | 2 +- .github/workflows/publish-wiki.yml | 2 +- .github/workflows/quality.yml | 18 +++++++++--------- .github/workflows/release-drafter.yml | 2 +- .github/workflows/scorecard.yml | 6 +++--- .github/workflows/stale.yml | 2 +- .github/workflows/typos.yml | 4 ++-- 18 files changed, 48 insertions(+), 43 deletions(-) diff --git a/.github/workflows/attest-release.yml b/.github/workflows/attest-release.yml index fc7c480..89278a3 100644 --- a/.github/workflows/attest-release.yml +++ b/.github/workflows/attest-release.yml @@ -27,10 +27,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2 with: php-version: '8.1' tools: composer:v2 @@ -42,6 +42,6 @@ jobs: ls -la dist/ - name: Generate build provenance attestation - uses: actions/attest@v4 + uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4 with: subject-path: '${{ github.workspace }}/dist/cloudcastle-clock.zip' diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index c781cf7..fb196e2 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Fetch dependabot metadata id: meta - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2 with: github-token: ${{ secrets.GITHUB_TOKEN }} - name: Enable auto-merge for minor and patch updates diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index d2ed627..e5830aa 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -24,9 +24,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2 with: php-version: '8.3' coverage: none @@ -37,7 +37,7 @@ jobs: - name: Markdown + JSON report run: composer benchmark-report - name: Upload benchmark report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: benchmark-report path: var/benchmark/ diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0700bcf..78cae6f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -12,6 +12,11 @@ on: schedule: - cron: '30 1 * * 0' +permissions: + contents: read + security-events: write + actions: read + concurrency: group: codeql-${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -33,15 +38,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4 with: languages: ${{ matrix.language }} build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4 with: category: /language:${{ matrix.language }} diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f338b15..74758b0 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -10,8 +10,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Dependency review - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4 with: fail-on-severity: high diff --git a/.github/workflows/deploy-pages.yml b/.github/workflows/deploy-pages.yml index 065f50d..f4fadb2 100644 --- a/.github/workflows/deploy-pages.yml +++ b/.github/workflows/deploy-pages.yml @@ -31,10 +31,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2 with: php-version: '8.3' extensions: dom, mbstring @@ -55,10 +55,10 @@ jobs: run: php tools/coverage-badge.php var/coverage/clover.xml docs/coverage.json - name: Setup Pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Upload Pages artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: path: docs @@ -72,4 +72,4 @@ jobs: steps: - name: Deploy id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml index fa11426..aa72667 100644 --- a/.github/workflows/greetings.yml +++ b/.github/workflows/greetings.yml @@ -10,7 +10,7 @@ jobs: greeting: runs-on: ubuntu-latest steps: - - uses: actions/first-interaction@v1 + - uses: actions/first-interaction@2ec0f0fd78838633cd1c1342e4536d49ef72be54 # v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} issue-message: "Спасибо за первое обращение! Мы посмотрим в ближайшее время. Полезное — в CONTRIBUTING.md и Wiki." diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 8e00a7f..9d4f21a 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -10,4 +10,4 @@ jobs: labeler: runs-on: ubuntu-latest steps: - - uses: actions/labeler@v5 + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5 diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml index f3afd06..a21cc4e 100644 --- a/.github/workflows/links.yml +++ b/.github/workflows/links.yml @@ -13,9 +13,9 @@ jobs: name: Broken links runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Check links in docs - uses: lycheeverse/lychee-action@v2 + uses: lycheeverse/lychee-action@e7477775783ea5526144ba13e8db5eec57747ce8 # v2 with: args: --verbose --no-progress --exclude-mail './**/*.md' fail: true diff --git a/.github/workflows/lint-docs.yml b/.github/workflows/lint-docs.yml index 5e3a2c2..bb551ca 100644 --- a/.github/workflows/lint-docs.yml +++ b/.github/workflows/lint-docs.yml @@ -16,15 +16,15 @@ jobs: name: Markdown runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: DavidAnson/markdownlint-cli2-action@v16 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + - uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8 # v16 with: globs: '**/*.md' yamllint: name: YAML runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Install yamllint run: pipx install yamllint - name: Run yamllint diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index c6c9527..4892eb0 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -16,7 +16,7 @@ jobs: lock: runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@v5 + - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5 with: issue-inactive-days: 90 pr-inactive-days: 90 diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 1304c3f..0373fd2 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -11,6 +11,6 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5 + - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/publish-wiki.yml b/.github/workflows/publish-wiki.yml index 0735733..fea707a 100644 --- a/.github/workflows/publish-wiki.yml +++ b/.github/workflows/publish-wiki.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Publish to GitHub Wiki env: diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index dcb5448..65f5436 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -38,10 +38,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2 with: php-version: ${{ matrix.php-version }} extensions: zip @@ -56,7 +56,7 @@ jobs: run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT" - name: Cache dependencies - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 with: path: ${{ steps.composer-cache.outputs.dir }} key: ${{ runner.os }}-php-${{ matrix.php-version }}-composer-${{ hashFiles('composer.lock') }} @@ -106,7 +106,7 @@ jobs: run: composer benchmark-report - name: Upload benchmark artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: benchmark-reports-php-${{ matrix.php-version }} path: var/benchmark/ @@ -118,7 +118,7 @@ jobs: composer test:coverage - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4 with: files: var/coverage/clover.xml flags: php-${{ matrix.php-version }} @@ -134,7 +134,7 @@ jobs: - name: Upload Infection report on failure if: failure() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: infection-php-${{ matrix.php-version }} path: var/infection/ @@ -152,7 +152,7 @@ jobs: - name: Upload comparison if: hashFiles('var/benchmark/comparison.json') != '' continue-on-error: true - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: comparison-php-${{ matrix.php-version }} path: var/benchmark/comparison.json @@ -164,10 +164,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2 with: php-version: '8.3' extensions: dom, mbstring diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index cd44ab1..a8cb0f7 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -18,6 +18,6 @@ jobs: pull-requests: read runs-on: ubuntu-latest steps: - - uses: release-drafter/release-drafter@v7 + - uses: release-drafter/release-drafter@4d75298e00d9e34c483e5ff8c68d0ea1c1940c1e # v7 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 9a79705..6d1fa89 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -18,16 +18,16 @@ jobs: id-token: write steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: persist-credentials: false - name: Run analysis - uses: ossf/scorecard-action@v2.4.0 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif publish_results: true - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3 with: sarif_file: results.sarif diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 61da95c..b339a87 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v10 + - uses: actions/stale@1e223db275d687790206a7acac4d1a11bd6fe629 # v10 with: days-before-stale: 60 days-before-close: 14 diff --git a/.github/workflows/typos.yml b/.github/workflows/typos.yml index 9490b7e..d612b81 100644 --- a/.github/workflows/typos.yml +++ b/.github/workflows/typos.yml @@ -11,6 +11,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Check spelling - uses: crate-ci/typos@master + uses: crate-ci/typos@bee27e3a4fd1ea2111cf90ab89cd076c870fce14 # v1.48.0