From b36891847293afb822b2fe971c6067bf7ea631e6 Mon Sep 17 00:00:00 2001
From: Reto Schneider <code@reto-schneider.ch>
Date: Fri, 15 Nov 2024 15:07:42 +0100
Subject: [PATCH 1/2] ci: Pin GitHub actions versions

One step to improve our OpenSSF score card result.
---
 .github/workflows/build.yaml                 | 4 ++--
 .github/workflows/build_and_test.yaml        | 2 +-
 .github/workflows/clang-static-analyzer.yaml | 4 ++--
 .github/workflows/codeql-analysis.yml        | 6 +++---
 .github/workflows/compliance.yaml            | 2 +-
 .github/workflows/coverage.yaml              | 4 ++--
 .github/workflows/documentation.yaml         | 4 ++--
 .github/workflows/macos.yaml                 | 2 +-
 .github/workflows/multiarch.yaml             | 4 ++--
 .github/workflows/scorecard.yml              | 2 +-
 .github/workflows/sonarcloud-scan.yaml       | 4 ++--
 11 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 176b82dcd..caeaab79e 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -14,7 +14,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
@@ -42,7 +42,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index 033e925ac..13cf76be7 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -17,7 +17,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
diff --git a/.github/workflows/clang-static-analyzer.yaml b/.github/workflows/clang-static-analyzer.yaml
index b128cb0fb..a4d390a7c 100644
--- a/.github/workflows/clang-static-analyzer.yaml
+++ b/.github/workflows/clang-static-analyzer.yaml
@@ -8,7 +8,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
@@ -22,7 +22,7 @@ jobs:
       run: tools/ci/run_ci.sh --run-build --scan-build scan-build-14
 
     - name: Upload scan build reports
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: Clang Static Analyzer Reports
         path: build-wakaama/clang-static-analyzer
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 5062c1dc3..8b81ba3bb 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,7 +14,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
@@ -25,7 +25,7 @@ jobs:
         sudo apt-get install cmake libcunit1-dev ninja-build unzip wget
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
       with:
         languages: cpp
 
@@ -33,4 +33,4 @@ jobs:
       run: tools/ci/run_ci.sh --run-build
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml
index 77ffd8b05..55a5dc6d3 100644
--- a/.github/workflows/compliance.yaml
+++ b/.github/workflows/compliance.yaml
@@ -9,7 +9,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
 
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index 567660da3..ceb41115d 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -8,7 +8,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
@@ -26,7 +26,7 @@ jobs:
           --test-coverage html
 
     - name: Upload HTML coverage report
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: Coverage Report (HTML)
         path: build-wakaama/coverage
diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
index 326544d57..887e16789 100644
--- a/.github/workflows/documentation.yaml
+++ b/.github/workflows/documentation.yaml
@@ -10,7 +10,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Install dependencies from APT repository
       run:  |
@@ -21,7 +21,7 @@ jobs:
       run: tools/ci/run_ci.sh --run-doxygen
 
     - name: Upload Doxygen documentation
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: Doxygen documentation (HTML)
         path: build-wakaama/doxygen
diff --git a/.github/workflows/macos.yaml b/.github/workflows/macos.yaml
index 3033e274b..b7b3609be 100644
--- a/.github/workflows/macos.yaml
+++ b/.github/workflows/macos.yaml
@@ -12,7 +12,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
diff --git a/.github/workflows/multiarch.yaml b/.github/workflows/multiarch.yaml
index 71fa53fcc..061b7799a 100644
--- a/.github/workflows/multiarch.yaml
+++ b/.github/workflows/multiarch.yaml
@@ -11,12 +11,12 @@ jobs:
         arch: ["armv6", "armv7", "aarch64", "s390x", "ppc64le"]
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
     - name: Build and test
-      uses: uraimo/run-on-arch-action@v2.8.1
+      uses: uraimo/run-on-arch-action@5397f9e30a9b62422f302092631c99ae1effcd9e # v2.8.1
       id: runcmd
       with:
         arch: ${{ matrix.arch }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index bdbe751e7..5dca7ae71 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -52,7 +52,7 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
         with:
           sarif_file: results.sarif
 
diff --git a/.github/workflows/sonarcloud-scan.yaml b/.github/workflows/sonarcloud-scan.yaml
index 367c670b2..19c89c955 100644
--- a/.github/workflows/sonarcloud-scan.yaml
+++ b/.github/workflows/sonarcloud-scan.yaml
@@ -8,7 +8,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
@@ -19,7 +19,7 @@ jobs:
         sudo apt-get install cmake gcovr libcunit1-dev ninja-build unzip wget
 
     - name:  Install sonar-scanner and build-wrapper
-      uses: sonarsource/sonarcloud-github-c-cpp@v2
+      uses: sonarsource/sonarcloud-github-c-cpp@e4882e1621ad2fb48dddfa48287411bed34789b1 # v2.0.2
 
     - name: Collect test coverage data
       run: |

From 6e49116c09116de9fccaa023adfd3387364d1f26 Mon Sep 17 00:00:00 2001
From: Reto Schneider <code@reto-schneider.ch>
Date: Fri, 15 Nov 2024 15:13:56 +0100
Subject: [PATCH 2/2] ci: Remove pip upgrade

OpenSSF scorecard does not want us to upgrade to unspecified versions.

Removing the update seems like the simplest solution, as the version
contained in the ubuntu-20.04 base image is recent enough.
---
 .github/workflows/build_and_test.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index 13cf76be7..581a432c4 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -56,7 +56,6 @@ jobs:
 
     - name: Install dependencies
       run: |
-          python -m pip install --upgrade pip
           pip install -r tests/integration/requirements.txt
 
     - name: Execute integration tests