Merge pull request #305 from AikidoSec/aikido-security-concerns

Lock 3rd party gh actions + .aikido file

Author: willem-delbare

.aikido

@@ -0,0 +1,6 @@
+exclude:
+  paths:
+    - benchmarks/
+    - end2end/
+    - docs/
+    - sample-apps/

.github/workflows/benchmark.yml

@@ -47,7 +47,7 @@ jobs:
         working-directory: ./sample-apps/flask-mysql
         run: nohup make runBenchmark & nohup make runZenDisabled &
       - name: Install K6
-        uses: grafana/setup-k6-action@v1
+        uses: grafana/setup-k6-action@ffe7d7290dfa715e48c2ccc924d068444c94bde2 # v1
       - name: Run flask-mysql k6 Benchmark
         run: |
           k6 run -q ./benchmarks/flask-mysql-benchmarks.js

.github/workflows/publish.yml

@@ -56,7 +56,7 @@ jobs:
     - name: Download binaries & build
       run: make build
     - name: Publish package distributions to PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # release/v1
     - name: Store the distribution packages
       uses: actions/upload-artifact@v3
       with:

.github/workflows/unit-test.yml

@@ -32,7 +32,7 @@ jobs:
         make cov
 
     - name: Upload coverage report to Codecov
-      uses: codecov/codecov-action@v4
+      uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
       with:
         fail_ci_if_error: true
         files: ./coverage.xml