From 346f7bc0fd371464d16b6a3b87952da09008afe0 Mon Sep 17 00:00:00 2001
From: Gabriela Gutierrez
Date: Wed, 7 Jun 2023 17:03:30 -0300
Subject: [PATCH] Ref actions by commit SHA in sbom_generator.yml
It's important to make sure the SHA's are from the original repositories and not forks.
For reference:
https://github.com/actions/checkout/releases/tag/v3.5.2
https://github.com/actions/checkout/commit/8e5e7e5ab8b370d6c329ec480221332ada57f0ab
https://github.com/advanced-security/sbom-generator-action/releases/tag/v0.0.1
https://github.com/advanced-security/sbom-generator-action/commit/375dee8e6144d9fd0ec1f5667b4f6fb4faacefed
https://github.com/actions/upload-artifact/releases/tag/v3.1.2
https://github.com/actions/upload-artifact/commit/0b7f8abb1508181956e8e162db84b466c27e18ce
Signed-off-by: Gabriela Gutierrez
---
.github/workflows/sbom_generator.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/sbom_generator.yml b/.github/workflows/sbom_generator.yml
index 58c1345..c8a0a4d 100644
--- a/.github/workflows/sbom_generator.yml
+++ b/.github/workflows/sbom_generator.yml
@@ -13,13 +13,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- - uses: advanced-security/sbom-generator-action@v0.0.1
+ - uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
id: sbom
env:
GITHUB_TOKEN: ${{ github.token }}
- - uses: actions/upload-artifact@v3.1.2
+ - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
path: ${{steps.sbom.outputs.fileName }}
name: "SBOM"
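Review bot: Pinning the three `uses:` lines to full commit SHAs stops the floating `actions/checkout@v3` tag from picking up new v3.x releases, so unless something else keeps the SHAs current (a `.github/dependabot.yml` is not visible from this hunk), the workflow will silently stay on v3.5.2 / v0.0.1 / v3.1.2 indefinitely. If Dependabot is in use, a `package-ecosystem: "github-actions"` entry lets it bump the SHA and the trailing version comment together, which only works if the new lines keep exactly the `@<sha> # <tag>` form introduced here. Separately, the unchanged context line `path: ${{steps.sbom.outputs.fileName }}` has expression spacing that differs from `${{ github.token }}` two lines above; harmless, but worth normalizing to `path: ${{ steps.sbom.outputs.fileName }}` the next time this file is touched.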