taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 09:10:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: pin dependencies to SHA digests for OpenSSF scorecard (#104)

Browse Source 
Pin scorecard-action and codeql-action to commit SHA in scorecard.yml.
Pin base images to digest in Dockerfile.redos and Dockerfile.astra.
Replace curl|bash with direct binary download for actionlint.
Remove unused pip install cargo-audit-sarif.
This commit is contained in:
DevITWay | Pavel Volkov
2026-04-06 02:28:02 +03:00
committed by GitHub
parent b949ef49b8
commit 69b7f1fb4e
4 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/scorecard.yml vendored
View File

@@ -24,7 +24,7 @@ jobs:
persist-credentials: false
- name: Run OpenSSF Scorecard
uses: ossf/scorecard-action@v2.4.3
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
@@ -32,7 +32,7 @@ jobs:
repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}
- name: Upload Scorecard results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4 # tag required by scorecard webapp verification
uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
with:
sarif_file: results.sarif
category: scorecard