From cac4b0e5f35d115a590dfc89a7bbee59d147dc96 Mon Sep 17 00:00:00 2001
From: Yinyin Liu <liu@innov.energy>
Date: Fri, 3 Apr 2026 19:49:03 +0200
Subject: [PATCH] improve safety

---
 .gitea/workflows/prod-deploy.yaml  | 20 ++++++++++----------
 .gitea/workflows/stage-deploy.yaml | 20 ++++++++++----------
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/.gitea/workflows/prod-deploy.yaml b/.gitea/workflows/prod-deploy.yaml
index 52c5409e6..58305b2df 100644
--- a/.gitea/workflows/prod-deploy.yaml
+++ b/.gitea/workflows/prod-deploy.yaml
@@ -9,20 +9,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - run: echo " The ${{ gitea.repository }} repository has been cloned to the runner."
-      - uses: actions/setup-dotnet@v3
+      - uses: actions/setup-dotnet@55ec9447dda3d1cf6bd587150f3262f30ee10815 # v3
         with:
           dotnet-version: '7.0.x'
       - run: dotnet publish ${{ gitea.workspace }}/csharp/App/Backend/Backend.csproj -c Release -r linux-x64 --self-contained true -p:PublishTrimmed=false
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
+      - run: npm --prefix ${{ gitea.workspace }}/typescript/frontend-marios2 audit --audit-level=moderate || true
       - run: |
-          npm --prefix ${{ gitea.workspace }}/typescript/frontend-marios2 install
+          npm --prefix ${{ gitea.workspace }}/typescript/frontend-marios2 install --ignore-scripts
           npm --prefix ${{ gitea.workspace }}/typescript/frontend-marios2 run build
 
 
       - name: stop services
-        uses: appleboy/ssh-action@v0.1.4
+        uses: appleboy/ssh-action@1d1b21ca96111b1eb4c03c21c14ebb971d2200f6 # v0.1.4
         with:
           host: 194.182.190.208
           username: ubuntu
@@ -31,7 +32,7 @@ jobs:
             sudo systemctl stop backend
             
       - name: Copy Backend
-        uses: appleboy/scp-action@v0.1.4
+        uses: appleboy/scp-action@8a92fcdb1eb4ffbf538b2fa286739760aac8a95b # v0.1.4
         with:
           host: 194.182.190.208
           username: ubuntu
@@ -42,7 +43,7 @@ jobs:
           strip_components: 1
 
       - name: Copy Frontend
-        uses: appleboy/scp-action@v0.1.4
+        uses: appleboy/scp-action@8a92fcdb1eb4ffbf538b2fa286739760aac8a95b # v0.1.4
         with:
           host: 194.182.190.208
           username: ubuntu
@@ -53,12 +54,11 @@ jobs:
           strip_components: 1
 
       - name: restart services
-        uses: appleboy/ssh-action@v0.1.4
+        uses: appleboy/ssh-action@1d1b21ca96111b1eb4c03c21c14ebb971d2200f6 # v0.1.4
         with:
           host: 194.182.190.208
           username: ubuntu
           password: ${{ secrets.PRODUCTION_SSH_PASSPHRASE }}
           script: |
             sudo systemctl restart backend
-            sudo cp -rf ~/frontend/build/* /var/www/html/monitor.innov.energy/html/
-            sudo npm install -g serve
\ No newline at end of file
+            sudo cp -rf ~/frontend/build/* /var/www/html/monitor.innov.energy/html/
\ No newline at end of file
diff --git a/.gitea/workflows/stage-deploy.yaml b/.gitea/workflows/stage-deploy.yaml
index 5b7e7c349..2826da601 100644
--- a/.gitea/workflows/stage-deploy.yaml
+++ b/.gitea/workflows/stage-deploy.yaml
@@ -9,19 +9,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - run: echo " The ${{ gitea.repository }} repository has been cloned to the runner."
-      - uses: actions/setup-dotnet@v3
+      - uses: actions/setup-dotnet@55ec9447dda3d1cf6bd587150f3262f30ee10815 # v3
         with:
           dotnet-version: '7.0.x'
       - run: dotnet publish ${{ gitea.workspace }}/csharp/App/Backend/Backend.csproj -c Release -r linux-x64 --self-contained true -p:PublishTrimmed=false
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
+      - run: npm --prefix ${{ gitea.workspace }}/typescript/frontend-marios2 audit --audit-level=moderate || true
       - run: |
-          npm --prefix ${{ gitea.workspace }}/typescript/frontend-marios2 install
+          npm --prefix ${{ gitea.workspace }}/typescript/frontend-marios2 install --ignore-scripts
           npm --prefix ${{ gitea.workspace }}/typescript/frontend-marios2 run build
           
       - name: stop services
-        uses: appleboy/ssh-action@v0.1.4
+        uses: appleboy/ssh-action@1d1b21ca96111b1eb4c03c21c14ebb971d2200f6 # v0.1.4
         with:
           host: 91.92.154.141
           username: ubuntu
@@ -30,7 +31,7 @@ jobs:
             sudo systemctl stop backend
       
       - name: Copy Backend
-        uses: appleboy/scp-action@v0.1.4
+        uses: appleboy/scp-action@8a92fcdb1eb4ffbf538b2fa286739760aac8a95b # v0.1.4
         with:
           host: 91.92.154.141
           username: ubuntu
@@ -41,7 +42,7 @@ jobs:
           strip_components: 11
       
       - name: Copy Frontend
-        uses: appleboy/scp-action@v0.1.4
+        uses: appleboy/scp-action@8a92fcdb1eb4ffbf538b2fa286739760aac8a95b # v0.1.4
         with:
           host: 91.92.154.141
           username: ubuntu
@@ -52,12 +53,11 @@ jobs:
           strip_components: 5
 
       - name: restart services
-        uses: appleboy/ssh-action@v0.1.4
+        uses: appleboy/ssh-action@1d1b21ca96111b1eb4c03c21c14ebb971d2200f6 # v0.1.4
         with:
           host: 91.92.154.141
           username: ubuntu
           password: ${{ secrets.STAGE_SSH_PASSPHRASE }}
           script: |
             sudo systemctl restart backend
-            sudo cp -rf ~/frontend/build/* /var/www/html/stage.innov.energy/html/
-            sudo npm install -g serve
\ No newline at end of file
+            sudo cp -rf ~/frontend/build/* /var/www/html/stage.innov.energy/html/
\ No newline at end of file