[StepSecurity] ci: Harden GitHub Actions (#235)

step-security-bot · bjohansebas · web-flow · commit 5f13b148d2a1 · 2025-05-17T12:17:51.000-05:00
* [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;

* ping supertest in ci

Signed-off-by: Sebastian Beltran &lt;bjohansebas@gmail.com&gt;

---------

Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
Signed-off-by: Sebastian Beltran &lt;bjohansebas@gmail.com&gt;
Co-authored-by: Sebastian Beltran &lt;bjohansebas@gmail.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -24,9 +24,9 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 'lts/*'
 
@@ -113,31 +113,34 @@ jobs:
 
         - name: Node.js 8.x
           node-version: "8"
-          npm-i: mocha@7.2.0 nyc@14.1.1
+          npm-i: mocha@7.2.0 nyc@14.1.1 supertest@6.1.6
 
         - name: Node.js 9.x
           node-version: "9"
-          npm-i: mocha@7.2.0 nyc@14.1.1
+          npm-i: mocha@7.2.0 nyc@14.1.1 supertest@6.1.6
 
         - name: Node.js 10.x
           node-version: "10"
-          npm-i: mocha@8.4.0
+          npm-i: mocha@8.4.0 supertest@6.1.6
 
         - name: Node.js 11.x
           node-version: "11"
-          npm-i: mocha@8.4.0
+          npm-i: mocha@8.4.0 supertest@6.1.6
 
         - name: Node.js 12.x
           node-version: "12"
+          npm-i: "supertest@6.1.6"
 
         - name: Node.js 13.x
           node-version: "13"
+          npm-i: "supertest@6.1.6"
 
         - name: Node.js 14.x
           node-version: "14"
 
         - name: Node.js 15.x
           node-version: "15"
+          npm-i: "supertest@6.1.6"
 
         - name: Node.js 16.x
           node-version: "16"
@@ -164,7 +167,7 @@ jobs:
           node-version: "23"
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Install Node.js ${{ matrix.node-version }}
       shell: bash -eo pipefail -l {0}
@@ -229,7 +232,7 @@ jobs:
 
     - name: Upload code coverage
       if: steps.list_env.outputs.nyc != ''
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: coverage-node-${{ matrix.node-version }}
         path: ./coverage/lcov.info
@@ -242,14 +245,14 @@ jobs:
       contents: read
       checks: write
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Install lcov
       shell: bash
       run: sudo apt-get -y install lcov
 
     - name: Collect coverage reports
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         path: ./coverage
         pattern: coverage-node-*
@@ -259,7 +262,7 @@ jobs:
       run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info
 
     - name: Upload coverage report
-      uses: coverallsapp/github-action@v2
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         file: ./lcov.info
