From baecb700252a0e253b9acabfb8dfe3fd7e3368ff Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 30 Oct 2023 08:38:05 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
 .github/workflows/gradle.yml | 6 +++---
 .github/workflows/publish-github.yml | 4 ++--
 .github/workflows/publish-maven.yml | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index 2dfca6f33b..11a08c1efd 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -19,7 +19,7 @@ jobs:
 name: Rhino Java ${{ matrix.java }}
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 # Need all history or spotless check will fail
 fetch-depth: 0
@@ -27,7 +27,7 @@ jobs:
 # We don't actually want all the history for this part
 run: git submodule update --init --single-branch
 - name: Set up Java
- uses: actions/setup-java@v3
+ uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
 with:
 java-version: ${{ matrix.java }}
 distribution: 'adopt'
@@ -44,7 +44,7 @@ jobs:
 --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED
 --add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED"
 - name: Upload results
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: reports
 path: buildGradle/reports
diff --git a/.github/workflows/publish-github.yml b/.github/workflows/publish-github.yml
index 8f8b2b853e..b73781b5ee 100644
--- a/.github/workflows/publish-github.yml
+++ b/.github/workflows/publish-github.yml
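Review bot: The three pins in .github/workflows/gradle.yml (and the matching ones in publish-github.yml and publish-maven.yml) freeze each action at one commit, but nothing visible in this patch keeps them moving afterwards, so a later security fix in `actions/checkout` or `actions/setup-java` will no longer arrive on its own as it did with the floating `@v3` tag. If the repository has no updater yet, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` would raise update PRs and keep the trailing `# v3.6.0`-style comments in step with the SHA. That comment is only a label and is not checked by the runner, so it is worth confirming once that each 40-character SHA is the commit the named tag points to in the upstream repository. The steps shown start and end outside the hunks.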
@@ -16,9 +16,9 @@ jobs:
 packages: write
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Set up JDK
- uses: actions/setup-java@v3
+ uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
 with:
 java-version: '8'
 distribution: 'adopt'
diff --git a/.github/workflows/publish-maven.yml b/.github/workflows/publish-maven.yml
index b7b8e3e25f..35f8557b11 100644
--- a/.github/workflows/publish-maven.yml
+++ b/.github/workflows/publish-maven.yml
@@ -12,9 +12,9 @@ jobs:
 packages: write
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Set up JDK
- uses: actions/setup-java@v3
+ uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
 with:
 java-version: '8'
 distribution: 'adopt'
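Review bot: The `Checkout` step in publish-github.yml has no `with:` block, so `actions/checkout` keeps its default of persisting the job token in the local git config, and this job is granted `packages: write` (first context line of the hunk). Every later step, including the build and whatever plugins it loads, can then read that token from the workspace. Unless a later step pushes with git (not visible here), add `with:` followed by `persist-credentials: false` under the checkout step; the same applies to the identical hunk in publish-maven.yml. The job definitions start and end outside both hunks.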