ci: pin all actions by sha

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
2026-03-27 23:03:23 +01:00
parent b01c36a6ae
commit e9eb3c2fb4
10 changed files with 44 additions and 40 deletions

View File

@@ -42,19 +42,20 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: ${{ matrix.go }}
cache: false
-
name: Test
run: |
make ${{ matrix.target }}
-
name: Codecov
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
with:
directory: ./
@@ -69,13 +70,13 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
-
name: Docker meta
id: meta
uses: docker/metadata-action@v6
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
with:
images: |
${{ env.DOCKERHUB_SLUG }}
@@ -101,25 +102,25 @@ jobs:
org.opencontainers.image.description=The toolkit to pack, ship, store, and distribute container content
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-
name: Login to DockerHub
if: github.event_name != 'pull_request'
uses: docker/login-action@v4
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Log in to GitHub Container registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v4
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build artifacts
uses: docker/bake-action@v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
source: .
targets: artifact-all
@@ -141,14 +142,14 @@ jobs:
tree -nh ./bin
-
name: Upload artifacts
uses: actions/upload-artifact@v7.0.0
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: registry
path: ./bin/*
if-no-files-found: error
-
name: Build image
uses: docker/bake-action@v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
source: .
files: |
@@ -158,7 +159,7 @@ jobs:
push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
-
name: GitHub Release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
if: startsWith(github.ref, 'refs/tags/')
with:
draft: true

View File

@@ -34,7 +34,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 2
-
@@ -44,12 +44,12 @@ jobs:
git checkout HEAD^2
-
name: Initialize CodeQL
uses: github/codeql-action/init@v4.34.1
uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
languages: ${{ matrix.language }}
-
name: Autobuild
uses: github/codeql-action/autobuild@v4.34.1
uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
-
name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4.34.1
uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1

View File

@@ -17,7 +17,7 @@ jobs:
steps:
-
name: Build image
uses: docker/bake-action@v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: image-local
-
@@ -30,7 +30,7 @@ jobs:
docker run --rm -p 5000:5000 -e REGISTRY_STORAGE_DELETE_ENABLED=true -idt "registry:local"
-
name: Run OCI Distribution Spec conformance tests
uses: opencontainers/distribution-spec@v1.0.1
uses: opencontainers/distribution-spec@10efb871ee08eb13678fe275e2cf89b3df86542b # v1.0.1
env:
OCI_ROOT_URL: ${{ env.OCI_ROOT_URL }}
OCI_NAMESPACE: oci-conformance/distribution-test
@@ -44,7 +44,7 @@ jobs:
run: mkdir -p out/ && mv {report.html,junit.xml} out/
-
name: Upload test results
uses: actions/upload-artifact@v7.0.0
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: oci-test-results-${{ github.sha }}
path: out/

View File

@@ -24,10 +24,10 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Update Docker Hub README
uses: peter-evans/dockerhub-description@v5
uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

View File

@@ -25,13 +25,13 @@ jobs:
steps:
- name: Setup Pages
id: pages
uses: actions/configure-pages@v5
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Build docs
uses: docker/bake-action@v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: docs-export
provenance: false
@@ -46,7 +46,7 @@ jobs:
done
- name: Upload Pages artifact
uses: actions/upload-pages-artifact@v4
uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
with:
path: ./build/docs
@@ -71,4 +71,4 @@ jobs:
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v5 # or the latest "vX.X.X" version tag for this action
uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

View File

@@ -20,12 +20,12 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
-
name: Build image
uses: docker/bake-action@v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
source: .
targets: image-local
@@ -43,7 +43,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
-

View File

@@ -17,9 +17,9 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Run FOSSA scan and upload build data
uses: fossa-contrib/fossa-action@v3
uses: fossa-contrib/fossa-action@3d2ef181b1820d6dcd1972f86a767d18167fa19b # v3.0.1
with:
fossa-api-key: cac3dc8d4f2ba86142f6c0f2199a160f

View File

@@ -5,15 +5,18 @@ concurrency:
cancel-in-progress: true
on:
pull_request_target:
pull_request_target: # zizmor: ignore[dangerous-triggers] does not checkout, safe to use pull_request_target
permissions:
contents: read # to fetch code (actions/checkout)
jobs:
labeler:
permissions:
contents: read
pull-requests: write
contents: read # same as global permission
pull-requests: write # required for writing labels
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v6
- uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
with:
dot: true

View File

@@ -22,12 +22,12 @@ jobs:
steps:
- name: "Checkout code"
uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # tag=v6.0.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # tag=v2.4.3
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
@@ -46,7 +46,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7.0.0
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: SARIF file
path: results.sarif
@@ -54,7 +54,7 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@05b1a5d28f8763fd11e77388fe57846f1ba8e766 # tag=v2.22.12
uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
sarif_file: results.sarif

View File

@@ -30,7 +30,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Run
run: |