From c586117cee3a22fae2cb330b0fb8ab281f8d241d Mon Sep 17 00:00:00 2001
From: Michal Fiedorowicz <mfiedorowicz@netboxlabs.com>
Date: Tue, 24 Dec 2024 14:19:01 +0000
Subject: [PATCH 1/3] chore: set correct go toolchain version

Signed-off-by: Michal Fiedorowicz <mfiedorowicz@netboxlabs.com>
---
 diode-server/go.mod | 2 +-
 diode-server/go.sum | 8 ++------
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/diode-server/go.mod b/diode-server/go.mod
index ba08939..a1f2b3a 100644
--- a/diode-server/go.mod
+++ b/diode-server/go.mod
@@ -1,6 +1,6 @@
 module github.com/netboxlabs/diode/diode-server
 
-go 1.23
+go 1.23.4
 
 require (
 	github.com/alicebob/miniredis/v2 v2.33.0
diff --git a/diode-server/go.sum b/diode-server/go.sum
index 272ba16..9ec6564 100644
--- a/diode-server/go.sum
+++ b/diode-server/go.sum
@@ -99,10 +99,8 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
-golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
@@ -114,8 +112,6 @@ golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
-golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8=
 golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 h1:mxSlqyb8ZAHsYDCfiXN1EDdNTdvjUJSLY+OnAUtYNYA=

From 409d9e3a7e0fac93e3990a6f60b4234f5b8836dd Mon Sep 17 00:00:00 2001
From: Michal Fiedorowicz <mfiedorowicz@netboxlabs.com>
Date: Tue, 24 Dec 2024 14:42:35 +0000
Subject: [PATCH 2/3] chore: gha - pin actions to commit hashes

Signed-off-by: Michal Fiedorowicz <mfiedorowicz@netboxlabs.com>
---
 .github/workflows/go-test.yaml                         | 10 +++++-----
 .github/workflows/golangci-lint.yaml                   | 10 ++++------
 .github/workflows/helm-lint.yaml                       |  4 ++--
 .github/workflows/helm-release.yaml                    |  6 +++---
 .github/workflows/labeler.yaml                         |  4 ++--
 .github/workflows/reusable_semantic_release.yaml       |  8 ++++----
 .../reusable_semantic_release_get_next_version.yaml    | 10 +++++-----
 .github/workflows/server-release.yaml                  | 10 +++++-----
 8 files changed, 30 insertions(+), 32 deletions(-)

diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml
index 88370b8..8a165e4 100644
--- a/.github/workflows/go-test.yaml
+++ b/.github/workflows/go-test.yaml
@@ -28,11 +28,11 @@ jobs:
         working-directory: diode-server
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
         with:
-          go-version: '1.23'
+          go-version: '1.23.x'
           check-latest: true
       - name: Run go build
         run: go build ./...
@@ -48,14 +48,14 @@ jobs:
           echo 'EOF' >> $GITHUB_OUTPUT
           echo "coverage-total=$(cat .coverage/coverage.txt)" >> $GITHUB_OUTPUT
       - name: Find comment
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
         id: existing-comment
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: 'github-actions[bot]'
           body-includes: Go test coverage
       - name: Post comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
         with:
           comment-id: ${{ steps.existing-comment.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
index 3955441..90fa2c4 100644
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -17,17 +17,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
         with:
-          go-version: '1.23'
+          go-version: '1.23.x'
           check-latest: true
       - name: Lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6
         with:
           version: v1.62
           working-directory: diode-server
           args: --config ../.github/golangci.yaml
-          skip-pkg-cache: true
-          skip-build-cache: true
diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml
index 44b19f0..06c7c44 100644
--- a/.github/workflows/helm-lint.yaml
+++ b/.github/workflows/helm-lint.yaml
@@ -26,9 +26,9 @@ jobs:
         working-directory: charts
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Setup Helm
-        uses: azure/setup-helm@v4.2.0
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
       - name: Update helm dependencies
         run: helm dependency update diode
       - name: Run helm lint
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
index 76515cf..f5d8cb9 100644
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@@ -22,7 +22,7 @@ jobs:
         working-directory: charts
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
       - name: Configure Git
@@ -30,14 +30,14 @@ jobs:
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
       - name: Setup Helm
-        uses: azure/setup-helm@v4.2.0
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
       - name: Update helm dependencies
         run: |
           helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
           helm repo add jetstack https://charts.jetstack.io
           helm repo add bitnami https://charts.bitnami.com/bitnami
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.6.0
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_RELEASE_NAME_TEMPLATE: helm-chart-{{ .Name }}-{{ .Version }}
diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml
index e7318a5..fb5f4d4 100644
--- a/.github/workflows/labeler.yaml
+++ b/.github/workflows/labeler.yaml
@@ -9,7 +9,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/labeler@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
         with:
           configuration-path: '.github/pull_request_labeler.yaml'
diff --git a/.github/workflows/reusable_semantic_release.yaml b/.github/workflows/reusable_semantic_release.yaml
index 40c8169..c3eeefd 100644
--- a/.github/workflows/reusable_semantic_release.yaml
+++ b/.github/workflows/reusable_semantic_release.yaml
@@ -27,12 +27,12 @@ jobs:
       group: semantic-release
       cancel-in-progress: false
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
         with:
           node-version: "21.4.0"
       - name: Write package.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3
         with:
           path: ${{ inputs.app_dir }}/package.json
           write-mode: overwrite
@@ -46,7 +46,7 @@ jobs:
               }
             }
       - name: Write .releaserc.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3
         with:
           path: ${{ inputs.app_dir }}/.releaserc.json
           write-mode: overwrite
diff --git a/.github/workflows/reusable_semantic_release_get_next_version.yaml b/.github/workflows/reusable_semantic_release_get_next_version.yaml
index b6b9b01..46eb3b5 100644
--- a/.github/workflows/reusable_semantic_release_get_next_version.yaml
+++ b/.github/workflows/reusable_semantic_release_get_next_version.yaml
@@ -31,12 +31,12 @@ jobs:
       run:
         working-directory: ${{ inputs.app_dir }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
         with:
           node-version: "lts/*"
       - name: Write package.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3
         with:
           path: ${{ inputs.app_dir }}/package.json
           write-mode: overwrite
@@ -53,7 +53,7 @@ jobs:
               }
             }
       - name: Write .releaserc.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3
         with:
           path: ${{ inputs.app_dir }}/.releaserc.json
           write-mode: overwrite
@@ -118,5 +118,5 @@ jobs:
     needs: get-next-version
     if: needs.get-next-version.outputs.new-release-published == 'true'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - run: echo "The new release version is ${{ needs.get-next-version.outputs.new-release-version }} commit ${{ needs.get-next-version.outputs.short-sha }}"
diff --git a/.github/workflows/server-release.yaml b/.github/workflows/server-release.yaml
index a368be1..0e5b4a6 100644
--- a/.github/workflows/server-release.yaml
+++ b/.github/workflows/server-release.yaml
@@ -58,16 +58,16 @@ jobs:
       BUILD_COMMIT: ${{ needs.get-next-version.outputs.short-sha }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -78,7 +78,7 @@ jobs:
           echo $BUILD_VERSION > ./diode-server/version/BUILD_VERSION.txt
 
       - name: Build image and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
         with:
           context: diode-server
           file: diode-server/docker/Dockerfile-build

From 6d48cb1955a0c2f8302730cc8a949c8e1613d870 Mon Sep 17 00:00:00 2001
From: Michal Fiedorowicz <mfiedorowicz@netboxlabs.com>
Date: Tue, 24 Dec 2024 14:51:48 +0000
Subject: [PATCH 3/3] chore: gha - actions/checkout with a tag (immutable
 action)

Signed-off-by: Michal Fiedorowicz <mfiedorowicz@netboxlabs.com>
---
 .github/workflows/go-test.yaml                                | 2 +-
 .github/workflows/golangci-lint.yaml                          | 2 +-
 .github/workflows/helm-lint.yaml                              | 2 +-
 .github/workflows/helm-release.yaml                           | 2 +-
 .github/workflows/labeler.yaml                                | 2 +-
 .github/workflows/reusable_semantic_release.yaml              | 2 +-
 .../workflows/reusable_semantic_release_get_next_version.yaml | 4 ++--
 .github/workflows/server-release.yaml                         | 2 +-
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml
index 8a165e4..075a64f 100644
--- a/.github/workflows/go-test.yaml
+++ b/.github/workflows/go-test.yaml
@@ -28,7 +28,7 @@ jobs:
         working-directory: diode-server
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
       - name: Setup Go
         uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
         with:
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
index 90fa2c4..152ec41 100644
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
       - name: Setup Go
         uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
         with:
diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml
index 06c7c44..9c8fda0 100644
--- a/.github/workflows/helm-lint.yaml
+++ b/.github/workflows/helm-lint.yaml
@@ -26,7 +26,7 @@ jobs:
         working-directory: charts
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
       - name: Setup Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
       - name: Update helm dependencies
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
index f5d8cb9..5847ae4 100644
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@@ -22,7 +22,7 @@ jobs:
         working-directory: charts
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Configure Git
diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml
index fb5f4d4..2319266 100644
--- a/.github/workflows/labeler.yaml
+++ b/.github/workflows/labeler.yaml
@@ -9,7 +9,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
       - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
         with:
           configuration-path: '.github/pull_request_labeler.yaml'
diff --git a/.github/workflows/reusable_semantic_release.yaml b/.github/workflows/reusable_semantic_release.yaml
index c3eeefd..c413e07 100644
--- a/.github/workflows/reusable_semantic_release.yaml
+++ b/.github/workflows/reusable_semantic_release.yaml
@@ -27,7 +27,7 @@ jobs:
       group: semantic-release
       cancel-in-progress: false
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
       - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
         with:
           node-version: "21.4.0"
diff --git a/.github/workflows/reusable_semantic_release_get_next_version.yaml b/.github/workflows/reusable_semantic_release_get_next_version.yaml
index 46eb3b5..2c30a34 100644
--- a/.github/workflows/reusable_semantic_release_get_next_version.yaml
+++ b/.github/workflows/reusable_semantic_release_get_next_version.yaml
@@ -31,7 +31,7 @@ jobs:
       run:
         working-directory: ${{ inputs.app_dir }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
       - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
         with:
           node-version: "lts/*"
@@ -118,5 +118,5 @@ jobs:
     needs: get-next-version
     if: needs.get-next-version.outputs.new-release-published == 'true'
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@v4
       - run: echo "The new release version is ${{ needs.get-next-version.outputs.new-release-version }} commit ${{ needs.get-next-version.outputs.short-sha }}"
diff --git a/.github/workflows/server-release.yaml b/.github/workflows/server-release.yaml
index 0e5b4a6..db780e1 100644
--- a/.github/workflows/server-release.yaml
+++ b/.github/workflows/server-release.yaml
@@ -58,7 +58,7 @@ jobs:
       BUILD_COMMIT: ${{ needs.get-next-version.outputs.short-sha }}
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3