Pin third-party action to commit SHA and move secrets to step env (#14937)

2026-05-28 04:02:46 -04:00 · 2026-04-08 22:17:39 -04:00 · 2026-04-08 22:17:39 -04:00 · e97fe246aa
commit e97fe246aa
parent 0be39e5032
3 changed files with 10 additions and 5 deletions
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@ -18,7 +18,7 @@ jobs:
        make lcov

    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@v4
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
      with:
        token: ${{ secrets.CODECOV_TOKEN }}
        file: ./src/redis.info
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@ -14,9 +14,11 @@ jobs:
    - uses: actions/checkout@main
    - name: Download and extract the Coverity Build Tool
      run: |
-          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=redis-unstable" -O cov-analysis-linux64.tar.gz
+          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=${COVERITY_SCAN_TOKEN}&project=redis-unstable" -O cov-analysis-linux64.tar.gz
          mkdir cov-analysis-linux64
          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+      env:
+        COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
    - name: Install Redis dependencies
      run: sudo apt install -y gcc tcl8.6 tclx procps libssl-dev
    - name: Build with cov-build
@ -26,7 +28,10 @@ jobs:
          tar czvf cov-int.tgz cov-int
          curl \
            --form project=redis-unstable \
-            --form email=${{ secrets.COVERITY_SCAN_EMAIL }} \
-            --form token=${{ secrets.COVERITY_SCAN_TOKEN }} \
+            --form email="${COVERITY_SCAN_EMAIL}" \
+            --form token="${COVERITY_SCAN_TOKEN}" \
            --form file=@cov-int.tgz \
            https://scan.coverity.com/builds
+      env:
+        COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
+        COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@ -1224,7 +1224,7 @@ jobs:
      if: true && !contains(github.event.inputs.skiptests, 'cluster')
      run: ./runtest-cluster --log-req-res --dont-clean --force-resp3 ${{github.event.inputs.cluster_test_args}}
    - name: Install Python dependencies
-      uses: py-actions/py-dependency-install@v4
+      uses: py-actions/py-dependency-install@30aa0023464ed4b5b116bd9fbdab87acf01a484e # v4.1.0
      with:
        path: "./utils/req-res-validator/requirements.txt"
    - name: validator