From f77e1f8a92e5cac2823e148ccc1a85f05e5c225d Mon Sep 17 00:00:00 2001
From: Ajesh Sen Thapa
Date: Thu, 27 Jun 2024 18:10:25 +0545
Subject: [PATCH] fix: security updates on commitlint action and workflows

- Updated immutable tag for commitlint actions
- Updated immutable hash for action workflows
---
.github/workflows/release-please.yml | 16 ++++++----------
action.yml | 9 +++++----
2 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index b129445..dad1b3f 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -1,23 +1,19 @@
on:
push:
- branches:
- - main
- workflow_dispatch:
-
-permissions:
- id-token: write # for PYPI release
+ branches: ['main']
name: release-please
jobs:
release-please:
runs-on: ubuntu-latest
+ permissions:
+ id-token: write # for PYPI release
+
steps:
- name: Release
id: release
- uses: google-github-actions/release-please-action@v4
- with:
- token: ${{ secrets.BOT_TOKEN }}
+ uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1
- uses: actions/checkout@v3
if: ${{ steps.release.outputs.release_created }}
@@ -40,4 +36,4 @@ jobs:
- name: Publish package
if: ${{ steps.release.outputs.release_created }}
- uses: pypa/gh-action-pypi-publish@v1.8.14
+ uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0
diff --git a/action.yml b/action.yml
index c69c42b..a84f8e6 100644
--- a/action.yml
+++ b/action.yml
@@ -23,12 +23,12 @@ runs:
using: 'composite'
steps:
- name: Install Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@v5.1.0
with:
python-version: '3.8'
- name: Install Commitlint
- run: python -m pip install -e ${{ github.action_path }}
+ run: python -m pip install --disable-pip-version-check -e ${{ github.action_path }}
shell: bash
# checkout to the source code
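Review bot: The new job-level `permissions:` block lists only `id-token: write`, which sets every other `GITHUB_TOKEN` scope — including `contents` and `pull-requests` — to `none`, while the same hunk drops the `token: ${{ secrets.BOT_TOKEN }}` input, so release-please-action now runs on that restricted default token and is expected to fail when it tries to open the release PR or create the release; add `contents: write` and `pull-requests: write` under the new `permissions:` block. Dropping the PAT also changes behaviour in a way the commit message does not mention: events created with `GITHUB_TOKEN` do not trigger other workflows, which is harmless here only because publishing happens in the same job. The `actions/checkout@v3` step at the end of the hunk is still on a mutable major tag, which the commit's own goal of immutable pins leaves unaddressed; pin it to a full commit SHA with a `# vX.Y.Z` comment as done for the other `uses:` lines in this file.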
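Review bot: `actions/setup-python@v5.1.0` is still a tag, and the same holds for the two `actions/checkout@v4.1.7` lines in the later hunks of this file; a tag can be moved or re-created upstream, so it does not give the immutability the commit message claims, unlike the full SHAs now used in `.github/workflows/release-please.yml`. Pin these the same way, `uses: actions/setup-python@<commit SHA of the v5.1.0 tag> # v5.1.0`, keeping the version comment so dependency-update tooling can still track releases. When reviewing such a pin, compare the SHA against the tag on the upstream release page rather than trusting the comment. The `--disable-pip-version-check` addition is fine; it only suppresses pip's check for a newer pip.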
@@ -40,9 +40,10 @@ runs:
echo "count=$(echo '${{ toJson(github.event.commits) }}' | jq '. | length')" \
>> $GITHUB_OUTPUT
shell: bash
+
- name: Checkout to pushed commits
if: github.event_name == 'push'
- uses: actions/checkout@v4
+ uses: actions/checkout@v4.1.7
with:
ref: ${{ github.sha }}
fetch-depth: ${{ steps.push_commit_count.outputs.count }}
@@ -50,7 +51,7 @@ runs:
# for pull_request event
- name: Checkout to PR source branch
if: github.event_name == 'pull_request'
- uses: actions/checkout@v4
+ uses: actions/checkout@v4.1.7
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: ${{ github.event.pull_request.commits }}
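Review bot: The `echo "count=$(echo '${{ toJson(github.event.commits) }}' | jq '. | length')"` context line at the top of the hunk expands an event payload directly into the shell script; commit messages and author names in `github.event.commits` are written by whoever pushed, and a single quote in any of them ends the quoted JSON and lets the rest of that text be interpreted as shell by this step, which is the expression-injection pattern GitHub's security-hardening guide warns about. Pass the payload through the environment instead, where it is an ordinary variable and never re-parsed as script: add `env:` with `COMMITS: ${{ toJson(github.event.commits) }}` to the step and change the command to `echo "count=$(jq '. | length' <<< "$COMMITS")" >> "$GITHUB_OUTPUT"`. The step that owns this `run:` block begins above the hunk. Separately, GitHub caps the `commits` array in the push payload, so for large pushes `fetch-depth: ${{ steps.push_commit_count.outputs.count }}` may check out fewer commits than were pushed; worth a comment on that line if the limitation is accepted.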