fix: pin 5 unpinned action(s),extract 1 unsafe expression(s) to env vars

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard). Changes: .github/workflows/azure-static-web-apps-ashy-river-0debb7803.yml | 4 ++-- .github/workflows/daily-repo-status.lock.yml | 3 ++- .github/workflows/links.yml | 4 ++-- .github/workflows/lock.yml | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-)
2 weeks ago · 99034cac30
parent ca4ac35584
commit 99034cac30
4 changed files with 7 additions and 6 deletions
--- a/.github/workflows/azure-static-web-apps-ashy-river-0debb7803.yml
+++ b/.github/workflows/azure-static-web-apps-ashy-river-0debb7803.yml
@ -13,7 +13,7 @@ jobs:
          submodules: true
      - name: Build And Deploy
        id: builddeploy
-        uses: Azure/static-web-apps-deploy@v1
+        uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_ASHY_RIVER_0DEBB7803 }}
          repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)
@ -32,7 +32,7 @@ jobs:
    steps:
      - name: Close Pull Request
        id: closepullrequest
-        uses: Azure/static-web-apps-deploy@v1
+        uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_ASHY_RIVER_0DEBB7803 }}
          action: "close"
--- a/.github/workflows/daily-repo-status.lock.yml
+++ b/.github/workflows/daily-repo-status.lock.yml
@ -108,12 +108,13 @@ jobs:
        env:
          REPO_NAME: ${{ github.repository }}
          SERVER_URL: ${{ github.server_url }}
+          GITHUB_TOKEN: ${{ github.token }}
        run: |
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"
          # Re-authenticate git with GitHub token
          SERVER_URL_STRIPPED="${SERVER_URL#https://}"
-          git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
+          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
          echo "Git configured with standard GitHub Actions identity"
      - name: Checkout PR branch
        id: checkout-pr
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@ -16,13 +16,13 @@ jobs:

      - name: Link Checker
        id: lychee
-        uses: lycheeverse/lychee-action@v2
+        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
        with:
          fail: false

      - name: Create Issue From File
        if: steps.lychee.outputs.exit_code != 0
-        uses: peter-evans/create-issue-from-file@v5
+        uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5
        with:
          title: Link Checker Report
          content-filepath: ./lychee/out.md
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@ -8,6 +8,6 @@ jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
-    - uses: OSDKDev/lock-issues@v1.1
+    - uses: OSDKDev/lock-issues@2372e7b39b61a49bb1980dbd3544837d7d40f01d # v1.1
      with:
        repo-token: "${{ secrets.GITHUB_TOKEN }}"