Fixed iac issues (#661)

checkmarx-kobi-hagmi · cx-tamar-levi · web-flow · commit 9f0bce6e01b7 · 2024-06-25T13:57:22.000+03:00
Co-authored-by: tamarleviCm &lt;110327792+tamarleviCm@users.noreply.github.com&gt;
diff --git a/.github/workflows/ast-scan.yml b/.github/workflows/ast-scan.yml
@@ -9,7 +9,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Checkmarx AST CLI Action
-        uses: checkmarx/ast-github-action@main
+        uses: checkmarx/ast-github-action@831a8d51a8a0535c0399f9c12728d8d3cc22d850 #main (currently 2.0.28)
         with:
           base_uri: ${{ secrets.BASE_URI }}
           cx_tenant: ${{ secrets.TENANT }}
diff --git a/.github/workflows/delete-packages-and-releases.yml b/.github/workflows/delete-packages-and-releases.yml
@@ -41,7 +41,7 @@ jobs:
 
       - name: Delete releases and tags
         continue-on-error: true
-        uses: dev-drprasad/delete-older-releases@v0.3.4
+        uses: dev-drprasad/delete-older-releases@dfbe6be2a006e9475dfcbe5b8d201f1824c2a9fe #v0.3.4
         env:
           GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
         with:
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -11,7 +11,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2.1.0
+        uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 #v2.1.0
         with:
           github-token: "${{ secrets.PERSONAL_ACCESS_TOKEN  }}"
       - name: Enable auto-merge for Dependabot PRs
@@ -20,6 +20,6 @@ jobs:
           GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }}
         run: gh pr merge --auto --merge "$PR_URL"
       - name: Auto approve dependabot PRs
-        uses: hmarr/auto-approve-action@v4
+        uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 #v4
         with:
           github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -92,11 +92,13 @@ jobs:
           npm ci
           npm run build
 
+
       # PUSH TAGS IF IT IS A RELEASE
       - name: Push tag if release
         if: inputs.dev == false
         run: git push && git push --tags
 
+
       # PUBLISH NPM PACKAGE
       - name: Publish npm package
         run: |
@@ -110,7 +112,7 @@ jobs:
 
       # CREATE RELEASE
       - name: Create Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a6c7483a42ee9d5daced968f6c217562cd680f7f #v2
         with:
           name: ${{env.TAG_NAME}}
           tag_name: ${{env.TAG_NAME}}
diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml
@@ -29,7 +29,7 @@ jobs:
           ./.github/scripts/update_cli.sh ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
       - name: Create Pull Request
         if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 #v6
         with:
           token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
           commit-message: Update checkmarx-ast-cli to ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
