Additional GitHub action fixes (ratify-project#335)

Signed-off-by: David Tesar <[email protected]>
ZAFT-Armored-Keeper-of-Unity · Oct 4, 2022 · 529dffc · 529dffc
1 parent 05be298
commit 529dffc
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 9 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,12 +12,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=3.0.2
       with:
           fetch-depth: 0
 
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # tag=3.3.0
       with:
         go-version: 1.18
 
@@ -33,9 +33,10 @@ jobs:
       run: |
         curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
         chmod +x $RUNNER_TEMP/sbom-tool
-        $RUNNER_TEMP/sbom-tool generate -b ./buildOutput -bc . -pn ratify -pv ${{env.GITHUB_REF_NAME}}-${{env.GITHUB_SHA}} -ps Microsoft -nsb https://microsoft.com -V Verbose
+        $RUNNER_TEMP/sbom-tool generate -b . -bc . -pn ratify -pv $GITHUB_REF_NAME -ps Microsoft -nsb https://microsoft.com -V Verbose
 
     - name: Upload a Build Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
       with:
-        path: buildOutput
+        name: SBOM SPDX files
+        path: _manifest/spdx_2.2/**
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -22,26 +22,26 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v3
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=3.0.2
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/[email protected]
+        uses: ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18 # tag=v2.0.4
         with:
           results_file: results.sarif
           results_format: sarif
           repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
           publish_results: true
 
       - name: "Upload artifact"
-        uses: actions/[email protected]
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v2.0.4
+        uses: github/codeql-action/upload-sarif@4c8f13758e748234abaa6a831d6f53981844a524 # tag=v2.1.26
         with:
           sarif_file: results.sarif