From 8d1745b5872d28181d6a0dd4ddc0b054faf4c0ad Mon Sep 17 00:00:00 2001 From: Bryan Kendall Date: Wed, 24 Jun 2026 15:08:20 -0700 Subject: [PATCH] tighten security posture of workflows --- .github/workflows/agent-evals.yaml | 6 ++- .github/workflows/functions.yaml | 8 ++-- .github/workflows/node-test.yml | 69 +++++++++++++++++++----------- 3 files changed, 52 insertions(+), 31 deletions(-) diff --git a/.github/workflows/agent-evals.yaml b/.github/workflows/agent-evals.yaml index 1f64ba9157c..3877a3328a8 100644 --- a/.github/workflows/agent-evals.yaml +++ b/.github/workflows/agent-evals.yaml @@ -26,8 +26,10 @@ jobs: env: GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ matrix.node-version }} cache: npm diff --git a/.github/workflows/functions.yaml b/.github/workflows/functions.yaml index 3e9cc8bddd5..fad3fb334a2 100644 --- a/.github/workflows/functions.yaml +++ b/.github/workflows/functions.yaml @@ -23,12 +23,14 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: "24" - - uses: google-github-actions/auth@v0 + - uses: google-github-actions/auth@09cecabe1f169596b81c2ef22b40faff87acc460 # v0 with: credentials_json: "${{ secrets.CF3_INTEGRATION_TEST_GOOGLE_CREDENTIALS }}" create_credentials_file: true diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml index e771335e042..06bd01ba042 100644 --- a/.github/workflows/node-test.yml +++ b/.github/workflows/node-test.yml 
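Review bot: The version comments beside the new SHA pins name only a major line (`# v4`, `# v3`), so a reader cannot confirm that `34e114876b0b11c390a56381ad16ebd13914f8d5` really is a v4 release without leaving the file, and Dependabot/Renovate use that trailing comment to map the SHA back to a tag when proposing updates. Record the exact release the SHA was taken from, e.g. `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch>` (filled in from the upstream release), and do the same for the setup-node, cache, codecov and auth pins in functions.yaml and node-test.yml. The setup-node pin here freezes a v3 commit; a SHA no longer follows the moving major tag, so the job stays on that line until someone bumps it, and v4 of that action already exists, which is worth confirming is intended.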
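Review bot: The deploy job still authenticates to Google Cloud with a long-lived service-account key (`credentials_json: "${{ secrets.CF3_INTEGRATION_TEST_GOOGLE_CREDENTIALS }}"`) and `create_credentials_file: true` writes that key to the runner's disk for every later step, which the new `persist-credentials: false` does nothing about. If the tightening effort continues, the larger win is the `workload_identity_provider` / `service_account` inputs of google-github-actions/auth in place of `credentials_json`, which mint a short-lived token per run; since the auth pin stays on the `v0` line, that change would likely arrive with a major bump anyway. This hunk also pins checkout to a v3 commit while the other two workflows pin v4; aligning on one commit lets a single Dependabot update cover all of them.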
@@ -29,10 +29,11 @@ jobs: node-version: - "24" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-node@v3 + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ matrix.node-version }} cache: npm @@ -52,8 +53,10 @@ jobs: - "22" - "24" steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ matrix.node-version }} cache: npm @@ -67,7 +70,7 @@ jobs: working-directory: firebase-vscode - run: npm run test:unit working-directory: firebase-vscode - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@0fb7174895f61a3b6b78fc075e0cd60383518dac # v5 if: matrix.node-version == '24' # vscode_integration: @@ -135,8 +138,10 @@ jobs: node-version: - "24" steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ matrix.node-version }} cache: npm 
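Review bot: `GITHUB_TOKEN` is still handed to every step even with `persist-credentials: false` on each checkout, and none of the node-test.yml hunks show a `permissions:` block for these jobs (the job headers sit outside the hunks, so one may already exist upstream). If it does not, a top-level `permissions:` / `  contents: read` in node-test.yml, widened per job only where a step needs more, is what completes the least-privilege posture this commit is after; the checkout setting only stops the token from being written into `.git/config`. The `@@ -29` hunk keeps `fetch-depth: 0` next to the new setting, which is fine, since history depth does not change what the token can do.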
@@ -157,15 +162,17 @@ jobs: - "22" - "24" steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ matrix.node-version }} cache: npm cache-dependency-path: npm-shrinkwrap.json - name: Cache ESLint - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: .eslintcache key: eslint-${{ runner.os }}-node${{ matrix.node-version }}-${{ hashFiles('**/*.ts', '**/*.js') }} @@ -176,7 +183,7 @@ jobs: - run: npm ci - run: npm test -- -- --forbid-only - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@0fb7174895f61a3b6b78fc075e0cd60383518dac # v5 if: matrix.node-version == '24' with: files: ./.coverage/lcov.info @@ -218,24 +225,26 @@ jobs: - node-version: "22" script: "npm run test:storage-emulator-integration" steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ matrix.node-version }} cache: npm cache-dependency-path: npm-shrinkwrap.json - name: Setup Java JDK - uses: actions/setup-java@v3.3.0 + uses: actions/setup-java@860f60056505705214d223b91ed7a30f173f6142 # v3.3.0 with: java-version: 21 distribution: temurin - name: Setup Chrome - uses: browser-actions/setup-chrome@v1.7.2 + uses: browser-actions/setup-chrome@facf10a55b9caf92e0cc749b4f82bf8220989148 # v1.7.2 with: install-dependencies: true install-chromedriver: true - name: Cache firebase emulators - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: ${{ env.FIREBASE_EMULATORS_PATH }} key: ${{ runner.os }}-firebase-emulators-${{ hashFiles('emulator-cache/**') }} 
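Review bot: The same file now pins `actions/cache` at two different majors: `0057852bfaa89a56745cba8c7296529d2fc39830 # v4` for the ESLint cache in this hunk and `6f8efc29b200d32929f49075959781ed54ec270c # v3` for the emulator cache in the `@@ -218` hunk (and again in `@@ -288` on the next line). With tags replaced by SHAs the two lines no longer move together, so each needs its own Dependabot update and the v3 one is already behind; pin both to the v4 commit, `uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4`, unless the emulator cache depends on the v3 key format. The `@@ -218` hunk likewise pins setup-java at the `v3.3.0` patch and setup-chrome at `v1.7.2`; pinning an old patch is safe but the comments should carry those exact tags so a later bump is obvious.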
@@ -288,20 +297,22 @@ jobs: script: "npm run test:functions-discover" steps: - name: Setup Java JDK - uses: actions/setup-java@v3.3.0 + uses: actions/setup-java@860f60056505705214d223b91ed7a30f173f6142 # v3.3.0 with: java-version: 21 distribution: temurin - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ matrix.node-version }} cache: npm cache-dependency-path: npm-shrinkwrap.json - name: Cache firebase emulators - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: ${{ env.FIREBASE_EMULATORS_PATH }} key: ${{ runner.os }}-firebase-emulators-${{ hashFiles('emulator-cache/**') }} @@ -325,9 +336,11 @@ jobs: - "24" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ matrix.node-version }} - run: npm i -g npm@11.9 @@ -344,9 +357,11 @@ jobs: - "24" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ matrix.node-version }} - run: npm i -g npm@11.9 
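Review bot: With every action now pinned by commit, the remaining floating network fetch in the `@@ -325` and `@@ -344` hunks is the context line `- run: npm i -g npm@11.9`, which resolves to whatever 11.9.x patch the registry serves when the job runs; it is existing code, but it sits in the jobs this commit is hardening and `npm ci` against the shrinkwrap is otherwise the only install. Pin it to the exact three-part version the team has validated, `- run: npm i -g npm@11.9.<patch>`, so the build tool gets the same reproducibility the actions now have. The `@@ -288` hunk runs setup-java before checkout, the reverse of the other jobs; harmless, and not worth changing in this commit.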
@@ -363,9 +378,11 @@ jobs: - "24" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ matrix.node-version }} cache: npm