From a6245c8ebd5629c736fbd106d8364f4b99f5edef Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Fri, 29 May 2026 18:35:59 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/auto-merge-pr.yml | 2 +-
 .github/workflows/dependabot-auto-merge.yml | 4 ++--
 .github/workflows/release-drafter.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 .github/workflows/update-docker-image.yml | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/auto-merge-pr.yml b/.github/workflows/auto-merge-pr.yml
index e2af567..9a1c820 100644
--- a/.github/workflows/auto-merge-pr.yml
+++ b/.github/workflows/auto-merge-pr.yml
@@ -15,6 +15,6 @@ jobs:
 GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }}
 run: gh pr merge --auto --merge "$PR_URL"
 - name: Auto approve dependabot PRs
- uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 #v4
+ uses: step-security/auto-approve-action@0c28339628c8e79ab2f6813291e7e6cd584b4d30 # v4.0.0
 with:
 github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 5583406..0bb7020 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -11,7 +11,7 @@ jobs:
 steps:
 - name: Dependabot metadata
 id: metadata
- uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 #v1.6.0
+ uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0
 with:
 github-token: "${{ secrets.PERSONAL_ACCESS_TOKEN }}"
 - name: Enable auto-merge for Dependabot PRs
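Review bot: The new `uses: step-security/auto-approve-action@0c28339628c8e79ab2f6813291e7e6cd584b4d30 # v4.0.0` line hands `secrets.PERSONAL_ACCESS_TOKEN` to an action from a different owner, and the `# v4.0.0` suffix is only a comment; the SHA is what runs, so confirm that commit is the one tagged v4.0.0 in the step-security repository before merging. The same substitution appears in the `@@ -20,6 +20,6 @@` hunk of dependabot-auto-merge.yml, where it is also a v3 to v4.0.0 jump, so check the fork's README for renamed or removed inputs. Approving with a PAT instead of `${{ github.token }}` is pre-existing, but a compromised upstream action now runs with that PAT's full scope, which deserves a note beside the secret such as `# NOTE(review): PAT scope is what a compromised action gets — confirm it is limited to this repo`. The file still ends without a trailing newline (`\ No newline at end of file`); adding one avoids a spurious diff on the next edit.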
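Review bot: The new `step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0` line moves this step from v1.6.0 to v3.1.0 in one change, and the hunk still passes `secrets.PERSONAL_ACCESS_TOKEN` as `github-token`. Fetching Dependabot metadata appears to need only read access to the pull request, so the default `${{ github.token }}` would likely suffice; giving a third-party action a PAT widens what a compromised release of it could do, while the later steps in this job already use the PAT where write access is actually required. The `steps.metadata.outputs.*` values consumed after this step are outside the hunk; confirm the fork exposes the same output names that v1.6.0 did.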
@@ -20,6 +20,6 @@ jobs:
 GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN}}
 run: gh pr merge --auto --squash "$PR_URL"
 - name: Auto approve dependabot PRs
- uses: hmarr/auto-approve-action@a2e6f2a0ccf5c63ef8754de360464edbf47e66ee #v3
+ uses: step-security/auto-approve-action@0c28339628c8e79ab2f6813291e7e6cd584b4d30 # v4.0.0
 with:
 github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 2d58a34..e95c182 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -17,6 +17,6 @@ jobs:
 steps:
 - name: Create Release
 id: draf_release
- uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 #v5
+ uses: step-security/release-drafter@bdf74d4b694b4525e34d030721a58ae1d5d5921c # v7.2.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bd3ee8a..a256589 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -44,7 +44,7 @@ jobs:
 git push origin "${tag}"
 
 - name: Create Release
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 #v1
+ uses: step-security/action-gh-release@277bfa82abcfdb73e5bbb19e213fd76532ee2be5 # v3.0.0
 with:
 tag_name: ${{ github.event.inputs.tag }}
 generate_release_notes: true
diff --git a/.github/workflows/update-docker-image.yml b/.github/workflows/update-docker-image.yml
index 93a6c8f..e0b4512 100644
--- a/.github/workflows/update-docker-image.yml
+++ b/.github/workflows/update-docker-image.yml
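Review bot: The new `step-security/release-drafter@bdf74d4b694b4525e34d030721a58ae1d5d5921c # v7.2.0` line replaces release-drafter v5 across two major versions, and the drafter's behaviour is driven by its config file (by default `.github/release-drafter.yml`), which is not part of this diff; any template or category keys whose meaning changed between v5 and v7 would only show up at run time as a failed or empty draft. Run the workflow once on a throwaway branch and compare the generated draft with the last one v5 produced before relying on it. Keeping `secrets.GITHUB_TOKEN` here is correct; the job's `permissions:` block is outside the hunk and should grant only what the drafter needs. This file also still ends without a trailing newline.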
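Review bot: The new `step-security/action-gh-release@277bfa82abcfdb73e5bbb19e213fd76532ee2be5 # v3.0.0` line replaces softprops v1 across two major versions; the hunk's `tag_name` and `generate_release_notes` inputs still exist in current releases, but defaults around drafts, prereleases and asset handling may have changed along the way, so compare the step against the fork's README rather than assuming parity. `tag_name: ${{ github.event.inputs.tag }}` forwards a `workflow_dispatch` input unvalidated; as an action input that is not a shell-injection risk, but the `git push origin "${tag}"` context line shows the same value reaching a shell step earlier in the job (outside the hunk), so confirm it is passed through `env:` rather than interpolated with `${{ }}` directly into `run:`. A one-line comment above the step, `# tag comes from a manual dispatch input; validated in the earlier shell step`, would make that contract visible.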
@@ -64,7 +64,7 @@ jobs:
 - name: Create Pull Request
 id: cretae_pull_request
 if: env.CURRENT_TAG != env.RELEASE_TAG
- uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c
+ uses: step-security/create-pull-request@50c103da2b9ca12cd5bc013fc6931051a5aa872b # v8.1.1
 with:
 token: ${{ secrets.AUTOMATION_TOKEN }}
 commit-message: Update checkmarx-ast-cli to ${{ env.RELEASE_TAG }}
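Review bot: The replaced `peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c` line carried no version comment, so the major version this workflow was on cannot be recovered from the diff and the move to `# v8.1.1` may cross several majors; `token` and `commit-message` still exist as inputs, but the rest of this step's `with:` keys continue past the hunk and should be checked against the fork's README for renamed inputs or changed defaults. `secrets.AUTOMATION_TOKEN` is a PAT, which this action legitimately needs if the opened PR must trigger other workflows, and that reason belongs next to the secret: `# PAT rather than GITHUB_TOKEN so the opened PR triggers CI — keep it scoped to this repo`. The `id: cretae_pull_request` typo in the context lines is pre-existing; rename it only together with every `steps.cretae_pull_request` reference.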