[StepSecurity] ci: Harden GitHub Actions #688

step-security-bot

Summary

This pull request is created by StepSecurity at the request of @RalphHightower. Please merge the Pull Request to incorporate the requested changes. Please tag @RalphHightower on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

Feedback

For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

@RalphHightower RalphHightower left a comment

Approved

@RalphHightower RalphHightower merged commit 08d0794 into RalphHightower:main Jan 13, 2025
1 of 3 checks passed
@RalphHightower

Run bundle exec jekyll build --trace --incremental --baseurl "/blog"
  bundle exec jekyll build --trace --incremental --baseurl "/blog"
  shell: /usr/bin/bash -e {0}
  env:
    GITHUB_PAGES: true
    JEKYLL_ENV: production
    JEKYLL_GITHUB_TOKEN: 
    LOG_LEVEL: debug
  
To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
Configuration file: /home/runner/work/blog/blog/_config.yml
            Source: /home/runner/work/blog/blog
       Destination: /home/runner/work/blog/blog/_site
 Incremental build: enabled
      Generating... 
  AI Related Posts: Creating cache [.ai_related_posts_cache.sqlite3]
bundler: failed to load command: jekyll (/home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/bin/jekyll)
/home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/sqlite-vss-0.1.2-x86_64-linux/lib/sqlite_vss.rb:15:in `load_extension': libblas.so.3: cannot open shared object file: No such file or directory (RuntimeError)
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/sqlite-vss-0.1.2-x86_64-linux/lib/sqlite_vss.rb:15:in `load_vss'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/sqlite-vss-0.1.2-x86_64-linux/lib/sqlite_vss.rb:19:in `load'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll_ai_related_posts-0.1.4/lib/jekyll_ai_related_posts/generator.rb:194:in `setup_database'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll_ai_related_posts-0.1.4/lib/jekyll_ai_related_posts/generator.rb:19:in `generate'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:193:in `block in generate'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:191:in `each'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:191:in `generate'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:79:in `process'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:28:in `process_site'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/commands/build.rb:65:in `build'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/commands/build.rb:36:in `process'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:91:in `block in process_with_graceful_fail'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:91:in `each'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:91:in `process_with_graceful_fail'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/commands/build.rb:18:in `block (2 levels) in init_with_program'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `block in execute'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `each'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `execute'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/program.rb:44:in `go'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary.rb:21:in `program'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/exe/jekyll:15:in `<top (required)>'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/bin/jekyll:25:in `load'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/bin/jekyll:25:in `<top (required)>'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli/exec.rb:58:in `load'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli/exec.rb:58:in `kernel_load'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli/exec.rb:23:in `run'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli.rb:455:in `exec'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/command.rb:28:in `run'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/invocation.rb:127:in `invoke_command'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor.rb:527:in `dispatch'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli.rb:35:in `dispatch'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/base.rb:584:in `start'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli.rb:29:in `start'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/gems/3.3.0/gems/bundler-2.5.22/exe/bundle:28:in `block in <top (required)>'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/friendly_errors.rb:117:in `with_friendly_errors'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/gems/3.3.0/gems/bundler-2.5.22/exe/bundle:20:in `<top (required)>'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/bin/bundle:25:in `load'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/bin/bundle:25:in `<main>'
Error: Process completed with exit code 1.

@RalphHightower RalphHightower added the labels "action – failure" (Failure during an Action) and "ossf" (OpenSSF is a community of software developers and security engineers) on Jan 13, 2025