Ref actions by commit SHA in sbom_generator.yml

It's important to make sure the SHA's are from the original repositories and not forks. For reference: https://github.com/actions/checkout/releases/tag/v3.5.2 8e5e7e5ab8 https://github.com/advanced-security/sbom-generator-action/releases/tag/v0.0.1 375dee8e61 https://github.com/actions/upload-artifact/releases/tag/v3.1.2 0b7f8abb15 Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2 years ago · 346f7bc0fd
parent f6afa2b95f
commit 346f7bc0fd
1 changed files with 3 additions and 3 deletions
--- a/.github/workflows/sbom_generator.yml
+++ b/.github/workflows/sbom_generator.yml
@ -13,13 +13,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      - uses: advanced-security/sbom-generator-action@v0.0.1
+      - uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
        id: sbom
        env: 
          GITHUB_TOKEN: ${{ github.token }}
-      - uses: actions/upload-artifact@v3.1.2
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with: 
          path: ${{steps.sbom.outputs.fileName }}
          name: "SBOM"