From 3a809d7b53f5a0d40547b8917ef81fc94bad022d Mon Sep 17 00:00:00 2001
From: Christoph Wille
Date: Sat, 11 Jan 2025 11:37:37 +0100
Subject: [PATCH] Update Scorecard actions versions and apply Zizmor offline findings (#3365)
* Update scorecard.yml actions versions
* Zizmor offline analysis findings
---
.github/workflows/build-frontends.yml | 2 ++
.github/workflows/build-ilspy.yml | 1 +
.github/workflows/codeql-analysis.yml | 1 +
.github/workflows/generate-bom.yml | 1 +
.github/workflows/scorecard.yml | 7 ++++---
5 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-frontends.yml b/.github/workflows/build-frontends.yml
index d9abeabe5f..894202f2c3 100644
--- a/.github/workflows/build-frontends.yml
+++ b/.github/workflows/build-frontends.yml
@@ -17,6 +17,8 @@ jobs:
- uses: actions/checkout@v4 with: fetch-depth: 0
+ persist-credentials: false
+ - uses: actions/setup-dotnet@v4 with: dotnet-version: '8.0.x'
diff --git a/.github/workflows/build-ilspy.yml b/.github/workflows/build-ilspy.yml
index 71b7e0e1ba..a112c3a39f 100644
--- a/.github/workflows/build-ilspy.yml
+++ b/.github/workflows/build-ilspy.yml
@@ -30,6 +30,7 @@ jobs:
with: submodules: true fetch-depth: 0
+ persist-credentials: false - uses: actions/setup-dotnet@v4 with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index f7cd2250c9..1508ed57fd 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,6 +28,7 @@ jobs:
uses: actions/checkout@v4 with: fetch-depth: 0
+ persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v3
diff --git a/.github/workflows/generate-bom.yml b/.github/workflows/generate-bom.yml
index 44cf80453e..9d31c0f72f 100644
--- a/.github/workflows/generate-bom.yml
+++ b/.github/workflows/generate-bom.yml
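Review bot: `persist-credentials: false` stops the checkout step from leaving the job token in `.git/config`, which is the right response to the Zizmor finding, but it also breaks any later step in these jobs that relied on that persisted token (a `git push`, a tag, or a tool that reads the repository's git credentials); the rest of each job lies outside the hunk, so confirm no such step exists, or give it its own explicitly scoped token. The same applies to the build-ilspy.yml, codeql-analysis.yml and generate-bom.yml hunks. The `uses:` lines visible in these hunks (`actions/checkout@v4`, `actions/setup-dotnet@v4`, `github/codeql-action/init@v3`) are still floating major tags, which Scorecard's Pinned-Dependencies check flags; pin each to a full commit SHA with the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4.x.y`.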
@@ -17,6 +17,7 @@ jobs:
- uses: actions/checkout@v4 with: submodules: true
+ persist-credentials: false - name: Install CycloneDX run: dotnet tool install --global CycloneDX
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 1ba02149a4..f6f0279ad3 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,4 +1,5 @@
name: Scorecard supply-chain security
+ on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection (disabled)
@@ -23,19 +24,19 @@ jobs:
steps: - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@v4 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ uses: ossf/scorecard-action@v2.4.0 # https://github.com/marketplace/actions/ossf-scorecard-action with: results_file: results.sarif results_format: sarif publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+ uses: actions/upload-artifact@v4 with: name: SARIF file path: results.sarif
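Review bot: Dropping the SHA pins on `actions/checkout`, `ossf/scorecard-action` and `actions/upload-artifact` in favour of the floating refs `@v4`, `@v2.4.0` and `@v4` is a supply-chain regression in the one workflow that previously had this right: a git tag can be moved by whoever controls the action's repository, whereas the full commit SHA the removed lines carried cannot, and Scorecard's own Pinned-Dependencies check will now score this workflow down. Bumping the version and keeping the pin are compatible: resolve each new tag to its commit and keep the version as a trailing comment, e.g. `uses: ossf/scorecard-action@<full-commit-sha> # v2.4.0`, and likewise for checkout and upload-artifact v4. If the goal is to let Dependabot or Renovate manage updates, both tools update SHA pins when that version comment is kept.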