Skip to content

chore(deps): bump actions/dependency-review-action from 4.3.1 to 4.3.2 #1648

chore(deps): bump actions/dependency-review-action from 4.3.1 to 4.3.2

chore(deps): bump actions/dependency-review-action from 4.3.1 to 4.3.2 #1648

name: Lockdown untrusted workflows
# PROCESS
#
# 1. Scans for any external GitHub Action being used without version pinning (@<commit-sha> vs @v3)
# 2. Scans for insecure practices for inline bash scripts (shellcheck)
# 3. Fail CI and prevent PRs to be merged if any malpractice is found
# USAGE
#
# Always triggered on new PR, PR changes and PR merge.
on:
push:
paths:
- ".github/workflows/**"
pull_request:
paths:
- ".github/workflows/**"
permissions:
contents: read
jobs:
enforce_pinned_workflows:
name: Harden Security
runs-on: ubuntu-latest
permissions:
contents: read # checkout code and subsequently GitHub action workflows
steps:
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Ensure 3rd party workflows have SHA pinned
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@19ebcb0babbd282ae1822a0b9c28f3f1f25cea45 # v3.0.4
with:
allowlist: slsa-framework/slsa-github-generator