feat(sec): harden GHA ref by using its SHA ID to prevent accidental usage of compromised actions (#38782)

Signed-off-by: hainenber <dotronghai96@gmail.com>
2026-04-19 16:14:52 +00:00 · 2026-03-21 21:27:30 +07:00
parent 7004369c68
commit 83823911b5
40 changed files with 126 additions and 126 deletions
--- a/.github/workflows/superset-frontend.yml
+++ b/.github/workflows/superset-frontend.yml
@@ -23,7 +23,7 @@ jobs:
      should-run: ${{ steps.check.outputs.frontend }}
    steps:
      - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -58,7 +58,7 @@ jobs:

      - name: Upload Docker Image Artifact
        if: steps.check.outputs.frontend
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: docker-image
          path: docker-image.tar.zst
@@ -73,7 +73,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

@@ -91,7 +91,7 @@ jobs:
          "npm run test -- --coverage --shard=${{ matrix.shard }}/8 --coverageReporters=json"

      - name: Upload Coverage Artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: coverage-artifacts-${{ matrix.shard }}
          path: superset-frontend/coverage
@@ -104,14 +104,14 @@ jobs:
      id-token: write
    steps:
      - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          fetch-depth: 0
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}

      - name: Download Coverage Artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          pattern: coverage-artifacts-*
          path: coverage/
@@ -128,7 +128,7 @@ jobs:
        run: npx nyc merge coverage/ merged-output/coverage-summary.json

      - name: Upload Code Coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
        with:
          flags: javascript
          use_oidc: true
@@ -143,7 +143,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

@@ -167,7 +167,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

@@ -186,7 +186,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image