Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pin non-immutable Actions to latest SHA and remediate dependency vulnerability #720

Merged
merged 7 commits into from
Dec 26, 2024
Merged

Pin non-immutable Actions to latest SHA and remediate dependency vulnerability #720

merged 7 commits into from
Dec 26, 2024
+74 −99

Conversation

lindluni
Copy link
Contributor

@lindluni lindluni commented Dec 26, 2024
edited
Loading

This PR resolves all CodeQL and Dependabot alerts by:

  • Using npm audit fix to patch only the vulnerable deps
  • Pinning the SHA's of all immutable Actions (this will also allow us to leverage Dependabot for more frequent updates)
  • Add workflow permissions to files
  • Delete a dead reusable workflow

@Copilot Copilot bot review requested due to automatic review settings December 26, 2024 14:57
Copilot
Copilot AI reviewed Dec 26, 2024
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

Files not reviewed (1)
  • package.json: Language not supported

Tip: Turn on automatic Copilot reviews for this repository to get quick feedback on every pull request. Learn more
@lindluni lindluni changed the title Pin non-immutable Actions to latest SHA Pin non-immutable Actions to latest SHA and remediate dependency vulnerability Dec 26, 2024
@lindluni lindluni requested a review from decyjphr December 26, 2024 15:06
@lindluni
Copy link
Contributor Author

@decyjphr, this PR will fix all security-findings flagging issues.

@lindluni lindluni requested a review from Copilot December 26, 2024 15:08
Copilot
Copilot AI reviewed Dec 26, 2024
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 6 out of 8 changed files in this pull request and generated no comments.

Files not reviewed (2)
  • .github/actions/codeql-analysis/action.yml: Language not supported
  • package.json: Language not supported

Tip: Turn on automatic Copilot reviews for this repository to get quick feedback on every pull request. Learn more
decyjphr
decyjphr approved these changes Dec 26, 2024
View reviewed changes
Copy link
Collaborator

@decyjphr decyjphr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @lindluni

@decyjphr decyjphr merged commit c1bc922 into main-enterprise Dec 26, 2024
5 checks passed
@decyjphr decyjphr deleted the lindluni-actions-fixes branch December 26, 2024 16:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot Copilot left review comments

@decyjphr decyjphr decyjphr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lindluni @decyjphr