From e9eb3c2fb4f9b64db163e77cb866834ba78baa91 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 27 Mar 2026 23:03:23 +0100 Subject: [PATCH] ci: pin all actions by sha Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build.yml | 25 +++++++++++++------------ .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/conformance.yml | 6 +++--- .github/workflows/dockerhub-readme.yml | 4 ++-- .github/workflows/docs.yml | 10 +++++----- .github/workflows/e2e.yml | 6 +++--- .github/workflows/fossa.yml | 4 ++-- .github/workflows/label.yaml | 11 +++++++---- .github/workflows/scorecards.yml | 8 ++++---- .github/workflows/validate.yml | 2 +- 10 files changed, 44 insertions(+), 40 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0158d0603..2429a4934 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -42,19 +42,20 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: ${{ matrix.go }} + cache: false - name: Test run: | make ${{ matrix.target }} - name: Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: directory: ./ @@ -69,13 +70,13 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Docker meta id: meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6 with: images: | ${{ env.DOCKERHUB_SLUG }} @@ -101,25 +102,25 @@ jobs: org.opencontainers.image.description=The toolkit to pack, ship, store, and distribute container content - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Login to DockerHub if: github.event_name != 'pull_request' - uses: docker/login-action@v4 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Log in to GitHub Container registry if: github.event_name != 'pull_request' - uses: docker/login-action@v4 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build artifacts - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . targets: artifact-all @@ -141,14 +142,14 @@ jobs: tree -nh ./bin - name: Upload artifacts - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: registry path: ./bin/* if-no-files-found: error - name: Build image - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . files: | @@ -158,7 +159,7 @@ jobs: push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} - name: GitHub Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 if: startsWith(github.ref, 'refs/tags/') with: draft: true diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 9b5d8beb7..8426ca540 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -34,7 +34,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 2 - @@ -44,12 +44,12 @@ jobs: git checkout HEAD^2 - name: Initialize CodeQL - uses: github/codeql-action/init@v4.34.1 + uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v4.34.1 + uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4.34.1 + uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 3dcfa127d..effa40790 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Build image - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: image-local - @@ -30,7 +30,7 @@ jobs: docker run --rm -p 5000:5000 -e REGISTRY_STORAGE_DELETE_ENABLED=true -idt "registry:local" - name: Run OCI Distribution Spec conformance tests - uses: opencontainers/distribution-spec@v1.0.1 + uses: opencontainers/distribution-spec@10efb871ee08eb13678fe275e2cf89b3df86542b # v1.0.1 env: OCI_ROOT_URL: ${{ env.OCI_ROOT_URL }} OCI_NAMESPACE: oci-conformance/distribution-test @@ -44,7 +44,7 @@ jobs: run: mkdir -p out/ && mv {report.html,junit.xml} out/ - name: Upload test results - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: oci-test-results-${{ github.sha }} path: out/ diff --git a/.github/workflows/dockerhub-readme.yml b/.github/workflows/dockerhub-readme.yml index 30251b5d6..068cd5c32 100644 --- a/.github/workflows/dockerhub-readme.yml +++ b/.github/workflows/dockerhub-readme.yml @@ -24,10 +24,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Update Docker Hub README - uses: peter-evans/dockerhub-description@v5 + uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 5921790a7..b17827ea8 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -25,13 +25,13 @@ jobs: steps: - name: Setup Pages id: pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Build docs - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: docs-export provenance: false @@ -46,7 +46,7 @@ jobs: done - name: Upload Pages artifact - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 with: path: ./build/docs @@ -71,4 +71,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 # or the latest "vX.X.X" version tag for this action + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 48f840dda..2c6ded2ba 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -20,12 +20,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Build image - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . targets: image-local @@ -43,7 +43,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index d41ccfe45..a887d2b42 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -17,9 +17,9 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run FOSSA scan and upload build data - uses: fossa-contrib/fossa-action@v3 + uses: fossa-contrib/fossa-action@3d2ef181b1820d6dcd1972f86a767d18167fa19b # v3.0.1 with: fossa-api-key: cac3dc8d4f2ba86142f6c0f2199a160f diff --git a/.github/workflows/label.yaml b/.github/workflows/label.yaml index 422814d29..4efaf6122 100644 --- a/.github/workflows/label.yaml +++ b/.github/workflows/label.yaml @@ -5,15 +5,18 @@ concurrency: cancel-in-progress: true on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] does not checkout, safe to use pull_request_target + +permissions: + contents: read # to fetch code (actions/checkout) jobs: labeler: permissions: - contents: read - pull-requests: write + contents: read # same as global permission + pull-requests: write # required for writing labels runs-on: ubuntu-latest steps: - - uses: actions/labeler@v6 + - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 with: dot: true diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 692d24836..075827f14 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -22,12 +22,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # tag=v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # tag=v2.4.3 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif @@ -46,7 +46,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: SARIF file path: results.sarif @@ -54,7 +54,7 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@05b1a5d28f8763fd11e77388fe57846f1ba8e766 # tag=v2.22.12 + uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: sarif_file: results.sarif diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index b346f556a..c85510fa2 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -30,7 +30,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run run: |