From e8192078cb8730e2b586171cf96810547c919469 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Wed, 11 Sep 2024 11:51:11 -0700 Subject: [PATCH] [StepSecurity] Apply security best practices (#202) --- .github/dependabot.yml | 6 ++++++ .github/workflows/codeql.yml | 10 +++++----- .github/workflows/main.yml | 6 +++--- .github/workflows/msbuild.yml | 6 +++--- .github/workflows/msbuildex.yml | 6 +++--- .github/workflows/msvc.yml | 8 ++++---- .github/workflows/test.yml | 6 +++--- .github/workflows/wsl.yml | 6 +++--- 8 files changed, 30 insertions(+), 24 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..253bcb7 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1fb70ba..f160b59 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -35,10 +35,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Clone test repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: walbourn/directxmathtest path: Tests @@ -47,10 +47,10 @@ jobs: - name: 'Install Ninja' run: choco install ninja - - uses: ilammy/msvc-dev-cmd@v1 + - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: languages: c-cpp build-mode: manual 
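Review bot: The new dependabot.yml is what keeps the commit-SHA pins in the other seven files from rotting, and for SHA-pinned `uses:` lines Dependabot derives the current version from the trailing `# vX.Y.Z` comment, so that comment has to be treated as part of the pin and kept accurate whenever a SHA is changed by hand. The comment is informational only — GitHub does not verify that the SHA belongs to the tagged release — so a reviewer approving a hand-edited pin should confirm the commit against the upstream tag before merging. With eight workflows pinning the same few actions and `interval: daily`, each upstream release will produce a burst of near-identical PRs; a `groups:` entry collecting the GitHub Actions updates, or `interval: weekly`, keeps that manageable without weakening the pinning.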
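Review bot: The `run: choco install ninja` context line in the codeql.yml @@ -47 hunk is left unpinned while every `uses:` reference around it is now locked to a commit, so the build still pulls whatever Chocolatey currently serves for `ninja`; the same unpinned install appears in main.yml @@ -82 and test.yml @@ -83. Pinning it, e.g. `run: choco install ninja --version <PINNED_NINJA_VERSION>`, would make the toolchain as reproducible as the actions, with the value maintained the same way the action SHAs are. This is outside what the StepSecurity change set targets, so it may be deliberate; raising it so the remaining mutable build dependency is a conscious one.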
@@ -64,6 +64,6 @@ jobs: run: cmake --build out\build\x64-Debug - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: category: "/language:c-cpp" diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cc3a9ee..147032f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -70,10 +70,10 @@ jobs: arch: amd64_arm64 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Clone test repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: walbourn/directxmathtest path: Tests @@ -82,7 +82,7 @@ jobs: - name: 'Install Ninja' run: choco install ninja - - uses: ilammy/msvc-dev-cmd@v1 + - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 with: arch: ${{ matrix.arch }} diff --git a/.github/workflows/msbuild.yml b/.github/workflows/msbuild.yml index ee76839..dc718d6 100644 --- a/.github/workflows/msbuild.yml +++ b/.github/workflows/msbuild.yml @@ -35,17 +35,17 @@ jobs: platform: ARM64 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Clone test repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: walbourn/directxmathtest path: Tests ref: main - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v2 + uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0 - name: Build math3 working-directory: ${{ github.workspace }}/Tests/math3 diff --git a/.github/workflows/msbuildex.yml b/.github/workflows/msbuildex.yml index 3128553..acc682b 100644 --- a/.github/workflows/msbuildex.yml +++ b/.github/workflows/msbuildex.yml 
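Review bot: `ref: main` on the "Clone test repository" step in the msbuild.yml @@ -35 hunk still checks out a moving branch of `walbourn/directxmathtest` whose contents the job then builds and runs, which is the same class of mutable dependency this commit removes from the `uses:` lines; msbuildex.yml @@ -90 and wsl.yml @@ -30 carry the identical step, and the codeql.yml, main.yml, msvc.yml and test.yml hunks clone the same repository with their `ref:` line falling outside the hunk. If that repository is maintained by the same people as this one the exposure is smaller, but pinning it to a commit, `ref: <DIRECTXMATHTEST_COMMIT_SHA>  # <tag or date>`, would close the gap. The trade-off is that such a pin needs manual upkeep, since Dependabot's github-actions ecosystem, as far as I know, only tracks `uses:` references and not `with: ref:` values.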
@@ -90,17 +90,17 @@ jobs: build_type: 'x87 Release' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Clone test repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: walbourn/directxmathtest path: Tests ref: main - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v2 + uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0 - name: Build math3 working-directory: ${{ github.workspace }}/Tests/math3 diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml index 7f62ef0..107eba2 100644 --- a/.github/workflows/msvc.yml +++ b/.github/workflows/msvc.yml @@ -34,10 +34,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Clone test repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: walbourn/directxmathtest path: Tests @@ -48,7 +48,7 @@ jobs: run: cmake -B out - name: Initialize MSVC Code Analysis - uses: microsoft/msvc-code-analysis-action@v0.1.1 + uses: microsoft/msvc-code-analysis-action@24c285ab36952c9e9182f4b78dfafbac38a7e5ee # v0.1.1 id: run-analysis with: cmakeBuildDirectory: ./Tests/headertest/out @@ -57,6 +57,6 @@ jobs: # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 81ee002..ddfc7b6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -71,10 +71,10 @@ jobs: arch: amd64_arm64 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Clone test repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: walbourn/directxmathtest path: Tests @@ -83,7 +83,7 @@ jobs: - name: 'Install Ninja' run: choco install ninja - - uses: ilammy/msvc-dev-cmd@v1 + - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 with: arch: ${{ matrix.arch }} diff --git a/.github/workflows/wsl.yml b/.github/workflows/wsl.yml index 89b077e..e74ba0c 100644 --- a/.github/workflows/wsl.yml +++ b/.github/workflows/wsl.yml @@ -30,16 +30,16 @@ jobs: # x64-Debug-NI-Linux, x64-Release-NI-Linux trigger issue with GCC steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Clone test repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: walbourn/directxmathtest path: Tests ref: main - - uses: seanmiddleditch/gha-setup-ninja@v5 + - uses: seanmiddleditch/gha-setup-ninja@96bed6edff20d1dd61ecff9b75cc519d516e6401 # v5 - name: 'Configure CMake' working-directory: ${{ github.workspace }}/Tests