diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index e8052ad8..e229f253 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -166,7 +166,7 @@ jobs: # generate-builder.sh extracts the version from the ref to download the builder # binary from a GitHub release and rejects non-tag refs. See CI-001 exception # and slsa-framework/slsa-github-generator#150. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0 with: base64-subjects: "${{ needs.combine-hashes.outputs.digests }}" upload-assets: true diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f2ccbac0..f8db4ea0 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: publish_results: true - name: Upload SARIF to GitHub Security tab - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 with: sarif_file: results.sarif