diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8821b0d..30979b3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -69,7 +69,7 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@v4.36.2
 with:
 # Scan both the Python backend and the Next.js frontend.
 # `security-extended` adds queries beyond the default
@@ -79,7 +79,7 @@ jobs:
 languages: python, javascript, typescript
 queries: security-extended
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@v4.36.2
 with:
 # The frontend is a TS/JSX project under frontend/src;
 # without this filter CodeQL still walks the whole tree but
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 13bb476..67ef46e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -37,12 +37,12 @@ jobs:
 - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@v4.36.2
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@v4.36.2
 with:
 category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 98f7f36..4474036 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -15,7 +15,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/lychee.yml b/.github/workflows/lychee.yml
index 7e96c22..d00319f 100644
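Review bot: The new `uses: github/codeql-action/init@v4.36.2` pins a mutable release tag rather than a commit SHA, which is the convention this repository already follows elsewhere (`actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3` in codeql.yml, and the SHA-pinned harden-runner and upload-sarif steps), so a tag that is moved or retargeted upstream would still change what runs in CI, and Scorecard's Pinned-Dependencies check will keep flagging it. The same applies to `analyze@v4.36.2` in the next hunk, to both codeql-action lines in codeql.yml, and to `lycheeverse/lychee-action@v2.8.0` in lychee.yml; `actions/checkout@v6` in this hunk is unchanged context and was already unpinned. Suggested form for each: `uses: github/codeql-action/init@<commit-sha-of-v4.36.2> # v4.36.2`, with the SHA copied from the upstream tagged release rather than typed from memory. The job these steps belong to starts above the hunk.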
--- a/.github/workflows/lychee.yml
+++ b/.github/workflows/lychee.yml
@@ -26,7 +26,7 @@ jobs:
 with:
 fetch-depth: 0
 - name: lychee
- uses: lycheeverse/lychee-action@v2.4.0
+ uses: lycheeverse/lychee-action@v2.8.0
 with:
 args: --verbose --no-progress --exclude-mail --exclude-loopback
 env:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 65093db..2fb4c2e 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -22,7 +22,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
@@ -40,7 +40,7 @@ jobs:
 - name: Upload to code-scanning
 if: always()
- uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.27.5
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3.27.5
 with:
 sarif_file: results.sarif
 category: scorecard
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 265f806..8f37878 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -18,7 +18,7 @@ jobs:
 timeout-minutes: 15
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
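Review bot: In the scorecard.yml upload-sarif hunk the pinned commit changes from `dd903d2e4f5405488e5ef1422510ee31c8b32357` to `8aad20d150bbac5944a9f9d289da16a4b0d87c1e` while the trailing `# v3.27.5` comment is left as it was, so either the comment no longer describes the pinned commit or the new SHA is not the one intended; that comment is what reviewers and the repository's update tooling use to check a SHA pin, so it should name the release the new SHA actually belongs to, e.g. `# <release-tag-of-8aad20d1>` after verifying against the upstream tag. The rest of this commit moves the other codeql-action steps to v4.36.2, so keeping this step on a v3-labelled ref looks inconsistent and is worth confirming as intentional. The job containing this step starts above the hunk.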