From 409d9e3a7e0fac93e3990a6f60b4234f5b8836dd Mon Sep 17 00:00:00 2001 From: Michal Fiedorowicz Date: Tue, 24 Dec 2024 14:42:35 +0000 Subject: [PATCH] chore: gha - pin actions to commit hashes Signed-off-by: Michal Fiedorowicz --- .github/workflows/go-test.yaml | 10 +++++----- .github/workflows/golangci-lint.yaml | 10 ++++------ .github/workflows/helm-lint.yaml | 4 ++-- .github/workflows/helm-release.yaml | 6 +++--- .github/workflows/labeler.yaml | 4 ++-- .github/workflows/reusable_semantic_release.yaml | 8 ++++---- .../reusable_semantic_release_get_next_version.yaml | 10 +++++----- .github/workflows/server-release.yaml | 10 +++++----- 8 files changed, 30 insertions(+), 32 deletions(-) diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml index 88370b81..8a165e4a 100644 --- a/.github/workflows/go-test.yaml +++ b/.github/workflows/go-test.yaml @@ -28,11 +28,11 @@ jobs: working-directory: diode-server steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5 with: - go-version: '1.23' + go-version: '1.23.x' check-latest: true - name: Run go build run: go build ./... @@ -48,14 +48,14 @@ jobs: echo 'EOF' >> $GITHUB_OUTPUT echo "coverage-total=$(cat .coverage/coverage.txt)" >> $GITHUB_OUTPUT - name: Find comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 id: existing-comment with: issue-number: ${{ github.event.pull_request.number }} comment-author: 'github-actions[bot]' body-includes: Go test coverage - name: Post comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 with: comment-id: ${{ steps.existing-comment.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} 
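Review bot: The commit message does not mention that the first hunk of go-test.yaml takes `actions/setup-go` from `@v4` to a commit labelled `# v5` and changes `go-version` from `'1.23'` to `'1.23.x'`, which is more than the pinning the subject line describes. golangci-lint.yaml makes the same setup-go change and also moves `golangci/golangci-lint-action` from v3 to a commit labelled `# v6`, dropping the `skip-pkg-cache` and `skip-build-cache` inputs. Major upgrades of the actions that install the toolchain should be reviewable as behaviour changes, so I would add a body line such as `also upgrades setup-go v4 -> v5 and golangci-lint-action v3 -> v6`, or split them into a separate commit.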
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml index 3955441d..90fa2c47 100644 --- a/.github/workflows/golangci-lint.yaml +++ b/.github/workflows/golangci-lint.yaml @@ -17,17 +17,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5 with: - go-version: '1.23' + go-version: '1.23.x' check-latest: true - name: Lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6 with: version: v1.62 working-directory: diode-server args: --config ../.github/golangci.yaml - skip-pkg-cache: true - skip-build-cache: true diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml index 44b19f05..06c7c443 100644 --- a/.github/workflows/helm-lint.yaml +++ b/.github/workflows/helm-lint.yaml @@ -26,9 +26,9 @@ jobs: working-directory: charts steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Setup Helm - uses: azure/setup-helm@v4.2.0 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4 - name: Update helm dependencies run: helm dependency update diode - name: Run helm lint diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 76515cf2..f5d8cb98 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -22,7 +22,7 @@ jobs: working-directory: charts steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 - name: Configure Git 
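Review bot: Pinning the actions by commit in golangci-lint.yaml does not pin what these steps download at run time. `check-latest: true` together with `go-version: '1.23.x'` resolves the newest matching Go release on every run, and `version: v1.62` names a minor line of golangci-lint rather than a single release (presumably the action picks the latest patch; confirm against its documentation). If reproducible CI is the goal of this change, consider an exact linter version such as `version: v1.62.<patch>` and dropping `check-latest`. The same setup-go settings appear in go-test.yaml.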
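Review bot: In helm-lint.yaml the new trailing comment `# v4` is less specific than the `v4.2.0` ref it replaces, so nothing on the line records which release the pinned commit corresponds to. A reviewer has to look the hash up to check it, and tooling that bumps pinned SHAs generally relies on that comment to know the current version. I would write the exact tag, e.g. `uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.<minor>.<patch>`. The same applies to the setup-helm line in helm-release.yaml and to the major-only comments (`# v3`, `# v4`, `# v5`, `# v6`) in the other workflow files.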
@@ -30,14 +30,14 @@ jobs: git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Setup Helm - uses: azure/setup-helm@v4.2.0 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4 - name: Update helm dependencies run: | helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add jetstack https://charts.jetstack.io helm repo add bitnami https://charts.bitnami.com/bitnami - name: Run chart-releaser - uses: helm/chart-releaser-action@v1.6.0 + uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_RELEASE_NAME_TEMPLATE: helm-chart-{{ .Name }}-{{ .Version }} diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml index e7318a59..fb5f4d4e 100644 --- a/.github/workflows/labeler.yaml +++ b/.github/workflows/labeler.yaml @@ -9,7 +9,7 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/labeler@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5 with: configuration-path: '.github/pull_request_labeler.yaml' diff --git a/.github/workflows/reusable_semantic_release.yaml b/.github/workflows/reusable_semantic_release.yaml index 40c81693..c3eeefdc 100644 --- a/.github/workflows/reusable_semantic_release.yaml +++ b/.github/workflows/reusable_semantic_release.yaml 
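Review bot: In labeler.yaml the checkout step runs in a job that holds `pull-requests: write`, and by default actions/checkout leaves the job token in the local git configuration for the following steps. The labeler step only needs to read `.github/pull_request_labeler.yaml`, so adding `persist-credentials: false` under a `with:` key on the checkout step would keep the token out of the workspace. The workflow trigger is outside the hunk; this hardening matters most if the workflow runs on `pull_request_target`.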
@@ -27,12 +27,12 @@ jobs: group: semantic-release cancel-in-progress: false steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4 with: node-version: "21.4.0" - name: Write package.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3 with: path: ${{ inputs.app_dir }}/package.json write-mode: overwrite @@ -46,7 +46,7 @@ jobs: } } - name: Write .releaserc.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3 with: path: ${{ inputs.app_dir }}/.releaserc.json write-mode: overwrite diff --git a/.github/workflows/reusable_semantic_release_get_next_version.yaml b/.github/workflows/reusable_semantic_release_get_next_version.yaml index b6b9b01f..46eb3b5c 100644 --- a/.github/workflows/reusable_semantic_release_get_next_version.yaml +++ b/.github/workflows/reusable_semantic_release_get_next_version.yaml @@ -31,12 +31,12 @@ jobs: run: working-directory: ${{ inputs.app_dir }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4 with: node-version: "lts/*" - name: Write package.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3 with: path: ${{ inputs.app_dir }}/package.json write-mode: overwrite @@ -53,7 +53,7 @@ jobs: } } - name: Write .releaserc.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3 with: path: ${{ inputs.app_dir }}/.releaserc.json write-mode: overwrite 
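Review bot: `DamianReeves/write-file-action` remains a third-party dependency of the release job in reusable_semantic_release.yaml, although the visible steps use it only to write `package.json` and `.releaserc.json`. Moving it off `@master` is the most valuable pin in this commit, but a plain `run:` step that writes each file from a quoted heredoc would remove the dependency altogether. If you do that, pass the directory through `env:` (for example `APP_DIR: ${{ inputs.app_dir }}`) and reference `"$APP_DIR"` in the script rather than interpolating the expression into the shell text. The step bodies continue outside the hunks; the same two steps appear in the second hunk of this file and in reusable_semantic_release_get_next_version.yaml.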
@@ -118,5 +118,5 @@ jobs: needs: get-next-version if: needs.get-next-version.outputs.new-release-published == 'true' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - run: echo "The new release version is ${{ needs.get-next-version.outputs.new-release-version }} commit ${{ needs.get-next-version.outputs.short-sha }}" diff --git a/.github/workflows/server-release.yaml b/.github/workflows/server-release.yaml index a368be1f..0e5b4a6c 100644 --- a/.github/workflows/server-release.yaml +++ b/.github/workflows/server-release.yaml @@ -58,16 +58,16 @@ jobs: BUILD_COMMIT: ${{ needs.get-next-version.outputs.short-sha }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3 - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -78,7 +78,7 @@ jobs: echo $BUILD_VERSION > ./diode-server/version/BUILD_VERSION.txt - name: Build image and push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6 with: context: diode-server file: diode-server/docker/Dockerfile-build
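Review bot: In the first server-release.yaml hunk the comment on the `docker/login-action` line is written `#v3` without a space, while every other pinned line in this commit uses the `# vN` form. yamllint's `comments` rule flags the missing space, and any script or bot that matches the version comment with a fixed pattern may skip this line, which is the step that receives `DOCKERHUB_TOKEN`. Suggested line: `uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3`.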