ci security

.github/dependabot.yml

@@ -10,9 +10,13 @@ updates:
         update-types:
           - version-update:semver-patch
           - version-update:semver-minor
+    cooldown:
+      default-days: 7
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
     reviewers:
       - "python-discord/devops"
+    cooldown:
+      default-days: 7

.github/workflows/build-deploy.yaml

@@ -17,7 +17,9 @@ jobs:
     steps:
 
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       # The current version (v3) of Docker's build-push action uses
       # buildx, which comes with BuildKit features that help us speed
@@ -26,10 +28,10 @@ jobs:
       #
       # See https://github.com/docker/build-push-action
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Login to Github Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -38,7 +40,7 @@ jobs:
       # Build the container, including an inline cache manifest to
       # allow us to use the registry as a cache source.
       - name: Build and push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           context: .
           file: ./Dockerfile
@@ -59,29 +61,30 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           repository: python-discord/infra
           path: infra
+          persist-credentials: false
 
-      - uses: azure/setup-kubectl@v5.1.0
+      - uses: azure/setup-kubectl@829323503d1be3d00ca8346e5391ca0b07a9ab0d # v5.1.0
 
       - name: Authenticate with Kubernetes
-        uses: azure/k8s-set-context@v5
+        uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5
         with:
           method: kubeconfig
           kubeconfig: ${{ secrets.KUBECONFIG }}
 
       - name: Deploy to Kubernetes
-        uses: Azure/k8s-deploy@v6
+        uses: Azure/k8s-deploy@c7ebd0d5f39477a23f1b5dea0f52e6db04adf28e # v6
         with:
           namespace: web
           manifests: |
             infra/kubernetes/namespaces/web/site/deployment.yaml
           images: 'ghcr.io/python-discord/site:${{ inputs.sha-tag }}'
 
       - name: Purge Cloudflare Edge Cache
-        uses: jakejarvis/cloudflare-purge-action@master
+        uses: jakejarvis/cloudflare-purge-action@eee6dba0236093358f25bb1581bd615dc8b3d8e3 # master
         env:
           CLOUDFLARE_ZONE: 989c984a358bfcd1e9b9d188cc86c1df
           CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_CACHE_TOKEN }}

.github/workflows/fixup-commit-blocker.yaml

@@ -10,4 +10,4 @@ concurrency:
 jobs:
   block-fixup-commits:
     if: github.ref != 'refs/heads/main'
-    uses: python-discord/.github/.github/workflows/block-fixup-commits.yaml@main
+    uses: python-discord/.github/.github/workflows/block-fixup-commits.yaml@d89f1b58aa1b844ad73eec63daaabc7e7d3e9d1b # main

.github/workflows/lint-test.yaml

@@ -9,10 +9,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
@@ -50,7 +52,7 @@ jobs:
       # This step will publish the coverage reports coveralls.io and
       # link the report to the commit
       - name: Publish Coverage Report
-        uses: coverallsapp/github-action@v2.3.7
+        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           file: ./coverage.lcov
@@ -76,7 +78,7 @@ jobs:
       - name: Upload a Build Artifact
         if: always() && steps.prepare-artifact.outcome == 'success'
         continue-on-error: true
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           path: pull_request_payload.json
           archive: false

.github/workflows/sentry-release.yaml

@@ -8,10 +8,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@v3
+        uses: getsentry/action-release@5657c9e888b4e2cc85f4d29143ea4131fde4a73a # v3
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_ORG: python-discord

.github/workflows/static-preview.yaml

@@ -14,13 +14,15 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Login to Github Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -29,7 +31,7 @@ jobs:
       # Build the container, including an inline cache manifest to
       # allow us to use the registry as a cache source.
       - name: Build Docker Image (Main)
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         if: github.ref == 'refs/heads/main'
         with:
           context: .
@@ -48,12 +50,14 @@ jobs:
         run: |
           mkdir docker_build \
           && docker run --entrypoint /bin/echo --name site \
-          ghcr.io/python-discord/static-site:${{ inputs.sha-tag }} \
+          ghcr.io/python-discord/static-site:${INPUTS_SHA_TAG} \
           && docker cp site:/app docker_build/
+        env:
+          INPUTS_SHA_TAG: ${{ inputs.sha-tag }}
 
       # Build directly to a local folder
       - name: Build Docker Image (PR)
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         if: github.ref != 'refs/heads/main'
         with:
           context: .
@@ -65,7 +69,7 @@ jobs:
             STATIC_BUILD=TRUE
 
       - name: Upload Build
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: static-build
           path: docker_build/app/build/

.github/workflows/status-embed.yaml

@@ -24,7 +24,7 @@ jobs:
         id: pr_info
         if: github.event.workflow_run.event == 'pull_request'
         run: |
-          curl -s -H "Authorization: token $GITHUB_TOKEN" ${{ github.event.workflow_run.artifacts_url }} > artifacts.json
+          curl -s -H "Authorization: token $GITHUB_TOKEN" ${GITHUB_EVENT_WORKFLOW_RUN_ARTIFACTS_URL} > artifacts.json
           DOWNLOAD_URL=$(cat artifacts.json | jq -r '.artifacts[] | select(.name == "pull-request-payload") | .archive_download_url')
           [ -z "$DOWNLOAD_URL" ] && exit 1
           curl -sSL -H "Authorization: token $GITHUB_TOKEN" -o pull_request_payload.zip $DOWNLOAD_URL || exit 2
@@ -36,13 +36,14 @@ jobs:
           echo "pr_source=$(jq -r '.head.label // empty' pull_request_payload.json)" >> $GITHUB_OUTPUT
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_EVENT_WORKFLOW_RUN_ARTIFACTS_URL: ${{ github.event.workflow_run.artifacts_url }}
 
       # Send an informational status embed to Discord instead of the
       # standard embeds that Discord sends. This embed will contain
       # more information and we can fine tune when we actually want
       # to send an embed.
       - name: GitHub Actions Status Embed for Discord
-        uses: SebastiaanZ/github-status-embed-for-discord@v0.3.0
+        uses: SebastiaanZ/github-status-embed-for-discord@67f67a60934c0254efd1ed741b5ce04250ebd508 # v0.3.0
         with:
           # Our GitHub Actions webhook
           webhook_id: '784184528997842985'