Implement GitHub Actions pinning automation for improved security

.github/workflows/ci-cd.yml

@@ -16,10 +16,10 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
 
     - name: Set up Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610
       with:
         node-version: 18
 
@@ -36,10 +36,10 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
 
     - name: Set up Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610
       with:
         node-version: 18
 
@@ -56,10 +56,10 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
 
     - name: Set up Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610
       with:
         node-version: 18
 

.gitignore

@@ -23,6 +23,9 @@ yarn-error.log*
 cache/
 artifacts/
 
+# Backup files
+*.backup
+
 # Project files, i.e. `.project`, `.actionScriptProperties` and `.flexProperties`
 # should NOT be excluded as they contain compiler settings and other important
 # information for Eclipse / Flash Builder.

README.md

@@ -8,6 +8,7 @@ This project contains:
 - **SEQICO.sol**: The main ICO contract allowing token purchases with ETH, USDT, and USDC
 - **SEQToken.sol**: The ERC20 token contract
 - **Deployment scripts**: Two deployment scripts with different configurations
+- **GitHub Actions Security**: Automated pinning of GitHub Actions to commit SHAs for improved security
 
 ## Features
 
@@ -62,6 +63,64 @@ The deployment scripts include configurable parameters:
 - Token pricing for ETH, USDT, and USDC
 - Total supply (500,000 SEQ tokens)
 
+## GitHub Actions Security
+
+This repository includes an automated script to pin GitHub Actions to their full-length commit SHAs for improved security. This prevents supply chain attacks where action tags could be moved to malicious commits.
+
+### Using the GitHub Actions Pinner
+
+The pinning script is located at `scripts/pin-github-actions.js` and can be used as follows:
+
+```bash
+# Run in dry-run mode to see what would be changed
+node scripts/pin-github-actions.js --dry-run --verbose
+
+# Pin all GitHub Actions to commit SHAs
+node scripts/pin-github-actions.js --verbose
+
+# Get help
+node scripts/pin-github-actions.js --help
+```
+
+### Features
+
+- **Automatic Detection**: Scans all workflow files in `.github/workflows/`
+- **Smart Filtering**: Only processes GitHub-hosted actions, skips local and already-pinned actions
+- **Safe Updates**: Validates YAML syntax after updates
+- **Dry Run Mode**: Preview changes before applying them
+- **Comprehensive Logging**: Detailed output with `--verbose` flag
+- **Error Handling**: Graceful handling of non-existent actions or API failures
+
+### Environment Variables
+
+- `GITHUB_TOKEN`: Optional GitHub personal access token to avoid rate limits
+
+### Testing
+
+Run the test suite to validate the pinning functionality:
+
+```bash
+node test/pin-github-actions.test.js
+```
+
+### Example Output
+
+```
+🔍 Scanning for GitHub Actions to pin...
+📍 Found 2 unique actions to pin:
+  - actions/checkout@v3
+  - actions/setup-node@v3
+
+🔗 Fetching latest commit SHAs...
+✓ actions/checkout@v3 → f43a0e5ff2bd294095638e18286ca9a3d1956744
+✓ actions/setup-node@v3 → 3235b876344d2a9aa001b8d1453c930bba69e610
+
+📝 Updating workflow files...
+✓ Updated ci-cd.yml (6 changes)
+
+🎯 Successfully pinned 6 actions in 1 files.
+```
+
 ## License
 
 MIT