From a3464e6d7f2774450b9d93091c07616ae847c5db Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 11 Sep 2024 02:11:52 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/dependabot.yml        | 10 ++++++++++
 .github/workflows/codeql.yml  |  8 ++++----
 .github/workflows/main.yml    |  4 ++--
 .github/workflows/msbuild.yml |  4 ++--
 .github/workflows/msvc.yml    |  8 ++++----
 .github/workflows/test.yml    |  6 +++---
 .github/workflows/vcpkg.yml   |  6 +++---
 7 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 10b18ae4..c57412a1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,3 +6,13 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "[nuget] "
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /MakeSpriteFont
+    schedule:
+      interval: daily
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 359e383c..a1dfdb9b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -44,16 +44,16 @@ jobs:
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - if: matrix.language == 'c-cpp'
       name: 'Install Ninja'
       run: choco install ninja
-    - uses: ilammy/msvc-dev-cmd@v1
+    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
       with:
         languages: ${{ matrix.language }}
         build-mode: manual
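Review bot: The new `nuget` entry for `/MakeSpriteFont` may collide with the existing nuget entry whose `directory` sits above this hunk: Dependabot rejects a configuration that lists the same package-ecosystem/directory pair twice, so confirm the existing entry points elsewhere (or drop the new one) before merging. The new entry also omits the `commit-message: prefix: "[nuget] "` the existing entry carries, so its pull requests will be titled differently; copy the prefix over for consistency. The `github-actions` entry is what keeps the SHA pins introduced elsewhere in this commit current — without it they silently go stale — and it is `daily` while the existing entry is `weekly`, a noise trade-off worth recording in a comment such as `# daily: keep action SHA pins fresh`.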
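Review bot: The `# v4.1.7`, `# v1.13.0` and `# v3.26.6` comments on the pinned `uses:` lines are not checked by the runner, so before merging a bot-generated pin verify that each SHA really resolves to that tag in the upstream repository (for example with `git ls-remote --tags`); an attacker-chosen SHA with a plausible comment would otherwise pass review. Pinning the actions also does nothing for `run: choco install ninja` in the same hunk, which fetches whatever the Chocolatey community feed serves at run time with no version pin; consider `choco install ninja --version=<x.y.z>` and record the chosen version next to the action pins. Of the three pins here `ilammy/msvc-dev-cmd` matters most, as it is an individually maintained third-party action that runs before the CodeQL build.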
@@ -74,6 +74,6 @@ jobs:
       run: msbuild MakeSpriteFont.csproj /p:Configuration=Debug /p:Platform=AnyCPU
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
       with:
         category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 6dfc3f9d..ff7ad3b3 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -74,12 +74,12 @@ jobs:
           arch: amd64_arm64
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: 'Install Ninja'
       run: choco install ninja
-    - uses: ilammy/msvc-dev-cmd@v1
+    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
       with:
         arch: ${{ matrix.arch }}
diff --git a/.github/workflows/msbuild.yml b/.github/workflows/msbuild.yml
index 0a2c9fef..ccc51301 100644
--- a/.github/workflows/msbuild.yml
+++ b/.github/workflows/msbuild.yml
@@ -32,10 +32,10 @@ jobs:
         platform: [x86, x64, ARM64]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: Add MSBuild to PATH
-      uses: microsoft/setup-msbuild@v2
+      uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0
     - if: matrix.platform != 'ARM64'
       name: Build
diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml
index 027249c2..79501461 100644
--- a/.github/workflows/msvc.yml
+++ b/.github/workflows/msvc.yml
@@ -37,9 +37,9 @@ jobs:
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-    - uses: ilammy/msvc-dev-cmd@v1
+    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
       with:
         arch: amd64
@@ -55,7 +55,7 @@ jobs:
         CompileShadersOutput: ${{ github.workspace }}/out/Shaders/Compiled
     - name: Initialize MSVC Code Analysis
-      uses: microsoft/msvc-code-analysis-action@v0.1.1
+      uses: microsoft/msvc-code-analysis-action@24c285ab36952c9e9182f4b78dfafbac38a7e5ee # v0.1.1
       id: run-analysis
       with:
         cmakeBuildDirectory: ./out
@@ -64,6 +64,6 @@ jobs:
     # Upload SARIF file to GitHub Code Scanning Alerts
     - name: Upload SARIF to GitHub
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
       with:
         sarif_file: ${{ steps.run-analysis.outputs.sarif }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 86fbf518..7d25e3e8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -75,10 +75,10 @@ jobs:
           arch: amd64_arm64
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: Clone test repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         repository: walbourn/directxtktest
         path: Tests
@@ -87,7 +87,7 @@ jobs:
     - name: 'Install Ninja'
       run: choco install ninja
-    - uses: ilammy/msvc-dev-cmd@v1
+    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
       with:
         arch: ${{ matrix.arch }}
diff --git a/.github/workflows/vcpkg.yml b/.github/workflows/vcpkg.yml
index a3c27fe9..6838ed04 100644
--- a/.github/workflows/vcpkg.yml
+++ b/.github/workflows/vcpkg.yml
@@ -41,12 +41,12 @@ jobs:
           arch: amd64_arm64
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: 'Install Ninja'
       run: choco install ninja
-    - uses: ilammy/msvc-dev-cmd@v1
+    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
       with:
         arch: ${{ matrix.arch }}
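Review bot: `github/codeql-action/upload-sarif` needs `security-events: write` on the job it runs in, and the job's `permissions` block is outside this hunk, so confirm it grants exactly that and nothing broader; the SHA pin reduces the action's supply-chain exposure but not the token scope it executes with. If the repository still relies on the permissive default `GITHUB_TOKEN`, every step in this job — including the third-party `msvc-code-analysis-action` pinned above — runs with write access to the repository, so a top-level `permissions: read-all` plus a per-job `security-events: write` is the usual least-privilege shape here.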
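Review bot: Pinning `actions/checkout` to a SHA does not pin what the `Clone test repository` step fetches: with `repository: walbourn/directxtktest` and no `ref:`, the job checks out that repository's default branch at run time, so the test sources — presumably built and executed on the runner later in this workflow — float independently of this repository's history. If reproducible CI is the goal, add `ref: <commit-or-tag>` under `with:` and bump it deliberately; if the two repositories are meant to track each other by design, a comment such as `# intentionally unpinned: tests track directxtktest's default branch` would stop the next reviewer from flagging it.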
@@ -77,7 +77,7 @@ jobs:
           echo "::error Unknown architecture/build-type triplet mapping"
         }
-    - uses: lukka/run-vcpkg@v11
+    - uses: lukka/run-vcpkg@7d259227a1fb6471a0253dd5ab7419835228f7d7 # v11
       with:
         runVcpkgInstall: true
         vcpkgJsonGlob: '**/build/vcpkg.json'
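Review bot: The `# v11` comment on the `lukka/run-vcpkg` pin names a floating major tag rather than a release, unlike the `# v4.1.7`-style comments elsewhere in this commit, so a reader cannot tell which release `7d259227…` corresponds to without visiting the upstream repository; record the exact release tag the SHA was taken from. Pinning the action also does not pin what it installs: with `runVcpkgInstall: true` the step presumably resolves and builds ports at run time, so confirm the manifest matched by `vcpkgJsonGlob: '**/build/vcpkg.json'` (outside this hunk) sets a `builtin-baseline`, otherwise port versions float between runs. Separately, the unchanged context line `echo "::error Unknown architecture/build-type triplet mapping"` looks like a malformed workflow command — the message must be separated from the command by `::` (`::error::Unknown …`) to surface as an error annotation; as written it presumably only prints.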