Pin workflow and container dependencies

Author: krotname

.github/workflows/actionlint.yml

@@ -20,10 +20,10 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
       - name: Check GitHub Actions workflows
-        uses: docker://rhysd/actionlint:1.7.12
+        uses: docker://rhysd/actionlint@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667 # 1.7.12
         with:
           args: -color

.github/workflows/ci.yml

@@ -21,11 +21,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: temurin
           java-version: 21
@@ -38,11 +38,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: temurin
           java-version: 21
@@ -55,11 +55,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: temurin
           java-version: 21
@@ -74,11 +74,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: temurin
           java-version: 21
@@ -91,11 +91,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: temurin
           java-version: 21
@@ -114,19 +114,19 @@ jobs:
       - contract-and-smoke-tests
       - architecture-tests
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: temurin
           java-version: 21
           cache: maven
       - name: Build and enforce quality gates
         run: bash ./mvnw -q verify
       - name: Upload coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7
         with:
           files: target/site/jacoco/jacoco.xml
           fail_ci_if_error: false
@@ -136,11 +136,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: temurin
           java-version: 21
@@ -157,7 +157,7 @@ jobs:
           fi
       - name: Dependency review
         if: github.event_name == 'pull_request'
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
         with:
           fail-on-severity: moderate
       - name: Dependency analysis

.github/workflows/codeql.yml

@@ -19,19 +19,19 @@ jobs:
       contents: read
       security-events: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: temurin
           java-version: 21
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
         with:
           languages: java
       - name: Build with Maven Wrapper
         run: bash ./mvnw -q -DskipTests package
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4

.github/workflows/release.yml

@@ -20,11 +20,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 25
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: temurin
           java-version: 21
@@ -59,16 +59,16 @@ jobs:
           echo "jar=$jar" >> "$GITHUB_OUTPUT"
           echo "sbom_json=$sbom_json" >> "$GITHUB_OUTPUT"
       - name: Generate provenance attestations
-        uses: actions/attest@v4
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
         with:
           subject-checksums: target/checksums.txt
       - name: Generate SBOM attestation
-        uses: actions/attest@v4
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
         with:
           subject-path: ${{ steps.artifacts.outputs.jar }}
           sbom-path: ${{ steps.artifacts.outputs.sbom_json }}
       - name: Upload release artifact
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
         with:
           files: |
             target/javasoundrecorder-*-all.jar

.github/workflows/scorecard.yml

@@ -25,11 +25,11 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
       - name: Analyze
-        uses: ossf/scorecard-action@v2.4.0
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: scorecard-results.sarif
           results_format: sarif

CHANGELOG.md

@@ -28,6 +28,8 @@
 - Dependabot GitHub Actions update cadence changed to weekly.
 - SpotBugs quality gate added to Maven `verify` and CI static-analysis workflow.
 - Release workflow shell snippets hardened for actionlint/shellcheck compliance.
+- GitHub Actions pinned to immutable commit SHAs and Docker images pinned by digest.
+- Repository security settings enabled for Dependabot security updates and secret scanning.
 
 ## 1.0.0
 ### Added

Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:21-jre-jammy as runtime
+FROM eclipse-temurin:21-jre-jammy@sha256:199aebeb3adcde4910695cdebfe782ada38dadb6cc8013159b58d3724451befd as runtime
 
 WORKDIR /app
 COPY target/javasoundrecorder-*-all.jar /app/javasoundrecorder.jar

README.md

@@ -141,6 +141,7 @@ This enforces configured line/branch thresholds in `pom.xml`.
 - `.github/workflows/actionlint.yml`: static validation for GitHub Actions workflow files.
 - Maven Wrapper: reproducible local and CI builds via Maven 3.9.16.
 - GitHub Actions hardening: scoped token permissions, job timeouts, concurrency controls, and non-persistent checkout credentials.
+- GitHub Actions are pinned to immutable commit SHAs; Docker images are pinned by digest.
 - `.github/workflows/codeql.yml`: static security analysis
 - `.github/workflows/scorecard.yml`: OSSF scorecards check for supply-chain posture.
 - `.github/workflows/release.yml`: verified tag releases with checksums, CycloneDX SBOM (JSON/XML), and GitHub artifact attestations.
@@ -265,6 +266,7 @@ docker run --rm javasoundrecorder
 - `.github/workflows/actionlint.yml` — статическая проверка GitHub Actions workflow-файлов.
 - Maven Wrapper — воспроизводимая локальная и CI-сборка на Maven 3.9.16.
 - GitHub Actions hardening: ограниченные permissions, timeout для job, concurrency и checkout без сохранения credentials.
+- GitHub Actions закреплены по immutable commit SHA; Docker images закреплены по digest.
 - `.github/workflows/ci.yml` также запускает `Dependency Review` для pull request.
 - `.github/workflows/codeql.yml` — анализ безопасности.
 - `.github/workflows/scorecard.yml` — OSSF Scorecards для оценки supply-chain-подхода.

docs/DEPENDENCY_POLICY.md

@@ -31,6 +31,8 @@ The baseline favors current stable releases over milestones, betas, snapshots, o
 - Keep test style in JUnit Jupiter; update tests by behavior, not framework churn.
 - Run `./mvnw -q verify` after dependency changes.
 - Keep Dependabot enabled for Maven and GitHub Actions.
+- Pin GitHub Actions to full commit SHAs and keep the human-readable version in a trailing comment.
+- Pin Docker images by digest; refresh the digest together with the reviewed tag.
 
 ## Manual update check
 

docs/QUALITY.md

@@ -16,6 +16,7 @@
 - Security checks include dependency analysis and `CodeQL` workflow.
 - Pull request dependency policy is enforced by `dependency-review` in CI.
 - Workflows use least-privilege permissions, explicit timeouts, concurrency control, and non-persistent checkout credentials.
+- Workflow actions are pinned to immutable commit SHAs and container images are pinned by digest.
 - Current stable dependency baseline and update rules are documented in `docs/DEPENDENCY_POLICY.md`.
 - Supply-chain posture is additionally analyzed by OSSF Scorecards workflow.
 - Release automation is in `.github/workflows/release.yml` with full Maven verification, checksums, and artifact attestations.
@@ -43,6 +44,7 @@
 - Workflow quality posture is covered by actionlint for GitHub Actions YAML.
 - Modernized Maven/JUnit/SLF4J/JaCoCo/Checkstyle/SpotBugs/ArchUnit/CycloneDX baseline.
 - CI hardening is visible through scoped workflow permissions, job timeouts, and cancelled superseded runs.
+- Immutable workflow dependencies reduce tag-retargeting risk and improve OSSF Scorecards evidence.
 - Dependency manifest transparency through release artifacts containing CycloneDX SBOM in JSON and XML.
 - Release provenance and SBOM linkage are verifiable through GitHub artifact attestations.