From c8780d2dde1ce6bcdf53dc24b4283134aa32a8bf Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 29 Jan 2026 07:57:45 +0000
Subject: [PATCH 1/3] Initial plan

From c7c1b704af53f6a9710c9223edbe2586466b3a4c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 29 Jan 2026 08:01:24 +0000
Subject: [PATCH 2/3] Pin all GitHub Actions dependencies by commit hash for improved security

Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 10 +++++-----
 .github/workflows/copilot-setup-steps.yml | 4 ++--
 .github/workflows/dependabot-auto-approve-merge.yml | 2 +-
 .github/workflows/manual-release.yml | 6 +++---
 .github/workflows/maven_pull_request.yml | 4 ++--
 .github/workflows/maven_push.yml | 6 +++---
 .github/workflows/stale.yml | 2 +-
 7 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0e6e8f51..c683cdf1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -52,9 +52,9 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- - uses: actions/setup-java@v5
+ - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: 'temurin'
 java-version: '25'
@@ -62,7 +62,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 # Uses custom configuration file to exclude test directories from analysis.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@ab28d5ce09b08e4700b2296d39d684a7ac71d1e7 # v4
 with:
 languages: ${{ matrix.language }}
 config-file: ./.github/codeql-config.yml
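Review bot: The trailing `# v6` / `# v5` comments on the new `uses:` lines record only the major version, so a reviewer cannot tell which release `8e8c483d…` or `be666c2f…` was resolved from, and cannot check the pin without running `git ls-remote` themselves. Record the exact tag the SHA was peeled from, for example `uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.x.y` with whatever `git ls-remote --tags https://github.com/actions/checkout` reports for that commit; Dependabot's `github-actions` updater keeps such a comment in sync when it bumps a SHA pin, whereas a major-only comment makes a stale or mismatched pin hard to spot in review. The same applies to every pin in this series. The enclosing `steps:` list continues outside the hunk.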
@@ -77,7 +77,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v4
+ uses: github/codeql-action/autobuild@ab28d5ce09b08e4700b2296d39d684a7ac71d1e7 # v4
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -90,6 +90,6 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@ab28d5ce09b08e4700b2296d39d684a7ac71d1e7 # v4
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index d023e7bd..6d69ca14 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -30,10 +30,10 @@ jobs:
 # If you do not check out your code, Copilot will do this for you.
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 - name: Set up JDK 25
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: "25"
 distribution: "temurin"
diff --git a/.github/workflows/dependabot-auto-approve-merge.yml b/.github/workflows/dependabot-auto-approve-merge.yml
index f33d44e2..4596966b 100644
--- a/.github/workflows/dependabot-auto-approve-merge.yml
+++ b/.github/workflows/dependabot-auto-approve-merge.yml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - name: Get Dependabot metadata
 id: metadata
- uses: dependabot/fetch-metadata@v2
+ uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2
 with:
 github-token: ${{ github.token }}
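Review bot: Once every action is SHA-pinned, the only thing that will move these pins forward is Dependabot's `github-actions` ecosystem, and the auto-approve/auto-merge job this `fetch-metadata` step feeds (its gating conditions are outside the hunk) is what would land those bumps without a human looking. Two things to confirm: that `.github/dependabot.yml` actually lists `package-ecosystem: github-actions` for this repository, since otherwise the SHAs silently go stale and the pinning buys nothing after a few months; and whether a SHA bump of a third-party action should be auto-merged at all, given that an action update is a supply-chain change — a common gate is to auto-merge only `steps.metadata.outputs.update-type` patch/minor for package dependencies and leave action bumps for review. `github-token: ${{ github.token }}` is the default token, which is the right choice for reading PR metadata here.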
diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml
index 195a3e5b..7d7597f9 100644
--- a/.github/workflows/manual-release.yml
+++ b/.github/workflows/manual-release.yml
@@ -104,14 +104,14 @@ jobs:
 run: |
 echo "Manual draft release for tag: ${{ steps.release.outputs.tag_name }}"
- - uses: actions/create-github-app-token@v2
+ - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
 id: app-token
 with:
 app-id: ${{ secrets.APP_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Checkout target commitish with full history (needed to commit & tag)
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 ref: ${{ steps.release.outputs.target_commitish }}
 token: ${{ steps.app-token.outputs.token }}
@@ -141,7 +141,7 @@ jobs:
 echo "Tag $TAG_NAME does not exist. Proceeding with release."
 - name: Set up JDK 25
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: "25"
 distribution: "temurin"
diff --git a/.github/workflows/maven_pull_request.yml b/.github/workflows/maven_pull_request.yml
index c13d27bd..eff25f8a 100644
--- a/.github/workflows/maven_pull_request.yml
+++ b/.github/workflows/maven_pull_request.yml
@@ -11,9 +11,9 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 - name: Set up JDK 25
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: "25"
 distribution: "temurin"
diff --git a/.github/workflows/maven_push.yml b/.github/workflows/maven_push.yml
index 3105af05..29da0bb1 100644
--- a/.github/workflows/maven_push.yml
+++ b/.github/workflows/maven_push.yml
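Review bot: The token minted by `actions/create-github-app-token` is, by default, scoped to every permission the GitHub App holds on the repository, and the very next step hands it to `actions/checkout` via `token:` where checkout's default `persist-credentials: true` leaves it in `.git/config` for the rest of the job — that is presumably intended, since the step name says the checkout is there to commit and tag, but the blast radius of anything later in the job is the whole App. If the pinned v2 release supports the `permission-*` inputs, narrow the token to what the release needs, e.g. add `permission-contents: write` under `with:` and grant nothing for issues or pull requests; the commit-and-tag steps are outside the hunk, so confirm that is the full set before landing it. Pinning the action that receives `private-key: ${{ secrets.APP_PRIVATE_KEY }}` is the most valuable pin in this series, but the token-scope point stands independently of pinning.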
@@ -11,11 +11,11 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 fetch-depth: 0
 - name: Set up JDK 25
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: "25"
 distribution: "temurin"
@@ -35,4 +35,4 @@ jobs:
 # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
 - name: Update dependency graph
- uses: advanced-security/maven-dependency-submission-action@v5
+ uses: advanced-security/maven-dependency-submission-action@3a183dc11227df3dd6351cfffb472965b9265da1 # v5
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 0052fb97..d1f40daf 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -18,7 +18,7 @@ jobs:
 pull-requests: write
 steps:
- - uses: actions/stale@v10
+ - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 stale-issue-message: 'Stale issue message'

From 8b778291b33306a6ccd8f1a9b32e0fa507ed3132 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 29 Jan 2026 12:24:00 +0000
Subject: [PATCH 3/3] Fix: Use actual commit hashes instead of tag objects for annotated tags

For github/codeql-action@v4 and advanced-security/maven-dependency-submission-action@v5, the previous commit used the annotated tag object hash instead of the actual commit hash. This corrects them to use the dereferenced commit hashes (tag^{}).

Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 6 +++---
 .github/workflows/maven_push.yml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c683cdf1..7f627f00 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -62,7 +62,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 # Uses custom configuration file to exclude test directories from analysis.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@ab28d5ce09b08e4700b2296d39d684a7ac71d1e7 # v4
+ uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4
 with:
 languages: ${{ matrix.language }}
 config-file: ./.github/codeql-config.yml
@@ -77,7 +77,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@ab28d5ce09b08e4700b2296d39d684a7ac71d1e7 # v4
+ uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -90,6 +90,6 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@ab28d5ce09b08e4700b2296d39d684a7ac71d1e7 # v4
+ uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/maven_push.yml b/.github/workflows/maven_push.yml
index 29da0bb1..cfcce14e 100644
--- a/.github/workflows/maven_push.yml
+++ b/.github/workflows/maven_push.yml
@@ -35,4 +35,4 @@ jobs:
 # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
 - name: Update dependency graph
- uses: advanced-security/maven-dependency-submission-action@3a183dc11227df3dd6351cfffb472965b9265da1 # v5
+ uses: advanced-security/maven-dependency-submission-action@b275d12641ac2d2108b2cbb7598b154ad2f2cee8 # v5
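Review bot: Only the two actions whose tags turned out to be annotated are re-derived here; the five other pins from the previous commit (`actions/checkout`, `actions/setup-java`, `dependabot/fetch-metadata`, `actions/create-github-app-token`, `actions/stale`) are presumably lightweight tags, but nothing in the series shows they were checked the same way. Verify each one against the peeled ref, e.g. `git ls-remote --tags https://github.com/actions/checkout 'v6' 'v6^{}'`, and confirm the pinned SHA equals the `^{}` line rather than the tag object; doing that once by hand is fine, but the durable fix is a pinning linter in the pull-request workflow so a `uses:` SHA that is not a commit object, or that disagrees with its `# vN` comment, fails CI instead of surfacing at the next scheduled run. The `# v4` after `b20883b0…` and `# v5` after `b275d126…` still name only the major version, so record the exact release each SHA was peeled from, which also lets a reviewer repeat the check without guessing which tag to peel.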