diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml index d53bb19d7d..e656193779 100644 --- a/.github/workflows/actionlint.yaml +++ b/.github/workflows/actionlint.yaml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout the code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/basic-ci-amd64.yaml b/.github/workflows/basic-ci-amd64.yaml index 16e840895e..01c4e0f813 100644 --- a/.github/workflows/basic-ci-amd64.yaml +++ b/.github/workflows/basic-ci-amd64.yaml @@ -35,7 +35,7 @@ jobs: KATA_HYPERVISOR: ${{ matrix.vmm }} SANDBOXER: "shim" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -51,7 +51,7 @@ jobs: run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts @@ -76,7 +76,7 @@ jobs: KATA_HYPERVISOR: ${{ matrix.vmm }} SANDBOXER: "podsandbox" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -91,7 +91,7 @@ jobs: run: bash tests/stability/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts @@ -118,7 +118,7 @@ jobs: GOPATH: ${{ github.workspace }} KATA_HYPERVISOR: ${{ matrix.vmm }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -134,7 +134,7 @@ jobs: run: bash tests/integration/nydus/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts @@ -153,7 +153,7 @@ jobs: env: CONTAINERD_VERSION: lts steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -169,7 +169,7 @@ jobs: run: bash tests/integration/runk/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts @@ -195,7 +195,7 @@ jobs: env: KATA_HYPERVISOR: ${{ matrix.vmm }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -211,7 +211,7 @@ jobs: run: bash tests/functional/tracing/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts @@ -239,7 +239,7 @@ jobs: GOPATH: ${{ github.workspace }} KATA_HYPERVISOR: ${{ matrix.vmm }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -255,7 +255,7 @@ jobs: run: bash tests/functional/vfio/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts @@ -280,7 +280,7 @@ jobs: env: KATA_HYPERVISOR: ${{ matrix.vmm }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -296,7 +296,7 @@ jobs: run: bash tests/integration/docker/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts @@ -324,7 +324,7 @@ jobs: env: KATA_HYPERVISOR: ${{ matrix.vmm }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -342,7 +342,7 @@ jobs: run: bash tests/integration/nerdctl/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts @@ -360,7 +360,7 @@ jobs: continue-on-error: true - name: Archive artifacts ${{ matrix.vmm }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: nerdctl-tests-garm-${{ matrix.vmm }} path: /tmp/artifacts @@ -369,7 +369,7 @@ jobs: run-kata-agent-apis: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -385,7 +385,7 @@ jobs: run: bash tests/functional/kata-agent-apis/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts diff --git a/.github/workflows/basic-ci-s390x.yaml b/.github/workflows/basic-ci-s390x.yaml index b8f179f01f..79042e45f7 100644 --- a/.github/workflows/basic-ci-s390x.yaml +++ b/.github/workflows/basic-ci-s390x.yaml @@ -35,7 +35,7 @@ jobs: KATA_HYPERVISOR: ${{ matrix.vmm }} SANDBOXER: "shim" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -51,7 +51,7 @@ jobs: run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-s390x${{ inputs.tarball-suffix }} path: kata-artifacts @@ -76,7 +76,7 @@ jobs: KATA_HYPERVISOR: ${{ matrix.vmm }} SANDBOXER: "podsandbox" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -92,7 +92,7 @@ jobs: run: bash tests/stability/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-s390x${{ inputs.tarball-suffix }} path: kata-artifacts @@ -116,7 +116,7 @@ jobs: env: KATA_HYPERVISOR: ${{ matrix.vmm }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -132,7 +132,7 @@ jobs: run: bash tests/integration/docker/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-s390x${{ inputs.tarball-suffix }} path: kata-artifacts diff --git a/.github/workflows/build-checks-preview-riscv64.yaml b/.github/workflows/build-checks-preview-riscv64.yaml index 7a0b9498ff..8a089ad7c6 100644 --- a/.github/workflows/build-checks-preview-riscv64.yaml +++ b/.github/workflows/build-checks-preview-riscv64.yaml @@ -72,7 +72,7 @@ jobs: sudo rm -f /tmp/kata_hybrid* # Sometime we got leftover from test_setup_hvsock_failed() - name: Checkout the code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/build-checks.yaml b/.github/workflows/build-checks.yaml index 073448b07e..903bc7e914 100644 --- a/.github/workflows/build-checks.yaml +++ b/.github/workflows/build-checks.yaml @@ -70,7 +70,7 @@ jobs: sudo rm -f /tmp/kata_hybrid* # Sometime we got leftover from test_setup_hvsock_failed() - name: Checkout the code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index b819886f6c..fb6a184af5 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -80,7 +80,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -130,7 +130,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/attest-build-provenance@v1 + - uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 if: ${{ env.PERFORM_ATTESTATION == 'yes' }} with: subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }} @@ -138,7 +138,7 @@ jobs: push-to-registry: true - name: store-artifact ${{ matrix.asset }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz @@ -147,7 +147,7 @@ jobs: - name: store-extratarballs-artifact ${{ matrix.asset }} if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz @@ -179,7 +179,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -192,7 +192,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -217,7 +217,7 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz @@ -270,7 +270,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -283,7 +283,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -309,7 +309,7 @@ jobs: MEASURED_ROOTFS: yes - name: store-artifact shim-v2 - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }} path: kata-build/kata-static-shim-v2.tar.xz @@ -323,7 +323,7 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -334,7 +334,7 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -343,7 +343,7 @@ jobs: run: | ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml - name: store-artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-static.tar.xz diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index bac43318a4..c520c37159 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -61,7 +61,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -110,7 +110,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/attest-build-provenance@v1 + - uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 if: ${{ env.PERFORM_ATTESTATION == 'yes' }} with: subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }} @@ -118,7 +118,7 @@ jobs: push-to-registry: true - name: store-artifact ${{ matrix.asset }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz @@ -127,7 +127,7 @@ jobs: - name: store-extratarballs-artifact ${{ matrix.asset }} if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz @@ -155,7 +155,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -168,7 +168,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -192,7 +192,7 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz @@ -242,7 +242,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -255,7 +255,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -279,7 +279,7 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact shim-v2 - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-arm64-shim-v2${{ inputs.tarball-suffix }} path: kata-build/kata-static-shim-v2.tar.xz @@ -293,7 +293,7 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -304,7 +304,7 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -313,7 +313,7 @@ jobs: run: | ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml - name: store-artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-static-tarball-arm64${{ inputs.tarball-suffix }} path: kata-static.tar.xz diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml index 4fecbd5abe..3857db9fb4 100644 --- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml +++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml @@ -51,7 +51,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -80,7 +80,7 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz @@ -108,7 +108,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -121,7 +121,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -145,7 +145,7 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz @@ -181,7 +181,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -194,7 +194,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -218,7 +218,7 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact shim-v2 - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-ppc64le-shim-v2${{ inputs.tarball-suffix }} path: kata-build/kata-static-shim-v2.tar.xz @@ -236,7 +236,7 @@ jobs: run: | sudo chown -R "$USER":"$USER" "$GITHUB_WORKSPACE" - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -247,7 +247,7 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -256,7 +256,7 @@ jobs: run: | ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml - name: store-artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-static-tarball-ppc64le${{ inputs.tarball-suffix }} path: kata-static.tar.xz diff --git a/.github/workflows/build-kata-static-tarball-riscv64.yaml b/.github/workflows/build-kata-static-tarball-riscv64.yaml index e3b07d0117..bf5726d00b 100644 --- a/.github/workflows/build-kata-static-tarball-riscv64.yaml +++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml @@ -49,7 +49,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -78,7 +78,7 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-riscv64-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index b92b3178cf..1b9bdf7590 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -59,7 +59,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -104,7 +104,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/attest-build-provenance@v1 + - uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 if: ${{ env.PERFORM_ATTESTATION == 'yes' }} with: subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }} @@ -112,7 +112,7 @@ jobs: push-to-registry: true - name: store-artifact ${{ matrix.asset }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz @@ -141,7 +141,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -154,7 +154,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -179,7 +179,7 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }} path: kata-build/kata-static-${{ matrix.asset }}.tar.xz @@ -193,7 +193,7 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Rebase atop of the latest target branch @@ -203,7 +203,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -227,7 +227,7 @@ jobs: HKD_PATH: "host-key-document" - name: store-artifact boot-image-se - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-s390x${{ inputs.tarball-suffix }} path: kata-build/kata-static-boot-image-se.tar.xz @@ -265,7 +265,7 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 # This is needed in order to keep the commit ids history @@ -278,7 +278,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -304,7 +304,7 @@ jobs: MEASURED_ROOTFS: no - name: store-artifact shim-v2 - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-artifacts-s390x-shim-v2${{ inputs.tarball-suffix }} path: kata-build/kata-static-shim-v2.tar.xz @@ -322,7 +322,7 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -333,7 +333,7 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} path: kata-artifacts @@ -342,7 +342,7 @@ jobs: run: | ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml - name: store-artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kata-static-tarball-s390x${{ inputs.tarball-suffix }} path: kata-static.tar.xz diff --git a/.github/workflows/cargo-deny-runner.yaml b/.github/workflows/cargo-deny-runner.yaml index 925baf2b68..a75db26650 100644 --- a/.github/workflows/cargo-deny-runner.yaml +++ b/.github/workflows/cargo-deny-runner.yaml @@ -21,7 +21,7 @@ jobs: steps: - name: Checkout Code if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }} - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Generate Action diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml index ce458389ab..7f8744bc36 100644 --- a/.github/workflows/ci-weekly.yaml +++ b/.github/workflows/ci-weekly.yaml @@ -69,7 +69,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1b5b2388bc..07e7691cc9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -185,7 +185,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -227,7 +227,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -240,7 +240,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64-${{ inputs.tag }} path: kata-artifacts diff --git a/.github/workflows/cleanup-resources.yaml b/.github/workflows/cleanup-resources.yaml index 81ed1291e4..d882a15ec6 100644 --- a/.github/workflows/cleanup-resources.yaml +++ b/.github/workflows/cleanup-resources.yaml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-22.04 environment: ci steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6de0ef4300..ff41cf39d0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -60,7 +60,7 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/darwin-tests.yaml b/.github/workflows/darwin-tests.yaml index d8f5544176..c8aded16d4 100644 --- a/.github/workflows/darwin-tests.yaml +++ b/.github/workflows/darwin-tests.yaml @@ -19,11 +19,11 @@ jobs: runs-on: macos-latest steps: - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version: 1.23.10 - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Build utils diff --git a/.github/workflows/docs-url-alive-check.yaml b/.github/workflows/docs-url-alive-check.yaml index 209dd39292..4d587a30d2 100644 --- a/.github/workflows/docs-url-alive-check.yaml +++ b/.github/workflows/docs-url-alive-check.yaml @@ -15,7 +15,7 @@ jobs: target_branch: ${{ github.base_ref }} steps: - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version: 1.23.10 env: @@ -25,7 +25,7 @@ jobs: echo "GOPATH=${{ github.workspace }}" >> "$GITHUB_ENV" echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/gatekeeper-skipper.yaml b/.github/workflows/gatekeeper-skipper.yaml index 03ec1e0d3f..04d57a6359 100644 --- a/.github/workflows/gatekeeper-skipper.yaml +++ b/.github/workflows/gatekeeper-skipper.yaml @@ -42,7 +42,7 @@ jobs: skip_test: ${{ steps.skipper.outputs.skip_test }} skip_static: ${{ steps.skipper.outputs.skip_static }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 diff --git a/.github/workflows/gatekeeper.yaml b/.github/workflows/gatekeeper.yaml index b7cdae154f..02b7f69591 100644 --- a/.github/workflows/gatekeeper.yaml +++ b/.github/workflows/gatekeeper.yaml @@ -28,7 +28,7 @@ jobs: issues: read pull-requests: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 diff --git a/.github/workflows/kata-runtime-classes-sync.yaml b/.github/workflows/kata-runtime-classes-sync.yaml index 717cf222d3..b5ba220439 100644 --- a/.github/workflows/kata-runtime-classes-sync.yaml +++ b/.github/workflows/kata-runtime-classes-sync.yaml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Ensure the split out runtime classes match the all-in-one file diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml index f1684fffc7..1ef9d55d54 100644 --- a/.github/workflows/payload-after-push.yaml +++ b/.github/workflows/payload-after-push.yaml @@ -143,7 +143,7 @@ jobs: needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml index 95a691ea1a..0acdedf85b 100644 --- a/.github/workflows/publish-kata-deploy-payload.yaml +++ b/.github/workflows/publish-kata-deploy-payload.yaml @@ -44,7 +44,7 @@ jobs: packages: write runs-on: ${{ inputs.runner }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -57,7 +57,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-kata-tarball for ${{ inputs.arch }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-${{ inputs.arch}}${{ inputs.tarball-suffix }} diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml index 4b916ec257..8c09fa6350 100644 --- a/.github/workflows/release-amd64.yaml +++ b/.github/workflows/release-amd64.yaml @@ -47,11 +47,11 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64 diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml index c3a54f8da6..af68a35496 100644 --- a/.github/workflows/release-arm64.yaml +++ b/.github/workflows/release-arm64.yaml @@ -47,11 +47,11 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-arm64 diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml index 30a59c01b3..e01dc9dbce 100644 --- a/.github/workflows/release-ppc64le.yaml +++ b/.github/workflows/release-ppc64le.yaml @@ -47,11 +47,11 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-ppc64le diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml index 78d57cd31d..0a184f108b 100644 --- a/.github/workflows/release-s390x.yaml +++ b/.github/workflows/release-s390x.yaml @@ -51,11 +51,11 @@ jobs: username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-s390x diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 4908f9a241..8f385a7f66 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -12,7 +12,7 @@ jobs: contents: write # needed for the `gh release create` command steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false @@ -84,7 +84,7 @@ jobs: packages: write # needed to push the multi-arch manifest to ghcr.io steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -120,7 +120,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -130,7 +130,7 @@ jobs: echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV" - name: Download amd64 artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64 @@ -142,7 +142,7 @@ jobs: ARCHITECTURE: amd64 - name: Download arm64 artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-arm64 @@ -154,7 +154,7 @@ jobs: ARCHITECTURE: arm64 - name: Download s390x artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-s390x @@ -166,7 +166,7 @@ jobs: ARCHITECTURE: s390x - name: Download ppc64le artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-ppc64le @@ -184,7 +184,7 @@ jobs: contents: write # needed for the `gh release` commands steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -201,7 +201,7 @@ jobs: contents: write # needed for the `gh release` commands steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -218,7 +218,7 @@ jobs: contents: write # needed for the `gh release` commands steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -236,7 +236,7 @@ jobs: packages: write # needed to push the helm chart to ghcr.io steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -268,7 +268,7 @@ jobs: contents: write # needed for the `gh release` commands steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/run-cri-containerd-tests.yaml b/.github/workflows/run-cri-containerd-tests.yaml index 3889326b39..fd331bb268 100644 --- a/.github/workflows/run-cri-containerd-tests.yaml +++ b/.github/workflows/run-cri-containerd-tests.yaml @@ -44,7 +44,7 @@ jobs: GOPATH: ${{ github.workspace }} KATA_HYPERVISOR: ${{ inputs.vmm }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -61,7 +61,7 @@ jobs: run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies - name: get-kata-tarball for ${{ inputs.arch }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-${{ inputs.arch }}${{ inputs.tarball-suffix }} path: kata-artifacts diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml index 3b7590c22e..10d24bfe7b 100644 --- a/.github/workflows/run-k8s-tests-on-aks.yaml +++ b/.github/workflows/run-k8s-tests-on-aks.yaml @@ -85,7 +85,7 @@ jobs: GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }} AUTO_GENERATE_POLICY: ${{ matrix.auto-generate-policy }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -98,7 +98,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts diff --git a/.github/workflows/run-k8s-tests-on-amd64.yaml b/.github/workflows/run-k8s-tests-on-amd64.yaml index 7c23b35b0a..4ea4b4acde 100644 --- a/.github/workflows/run-k8s-tests-on-amd64.yaml +++ b/.github/workflows/run-k8s-tests-on-amd64.yaml @@ -61,7 +61,7 @@ jobs: K8S_TEST_HOST_TYPE: all CONTAINER_RUNTIME: ${{ matrix.container_runtime }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -101,7 +101,7 @@ jobs: continue-on-error: true - name: Archive artifacts ${{ matrix.vmm }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: k8s-tests-${{ matrix.vmm }}-${{ matrix.snapshotter }}-${{ matrix.k8s }}-${{ inputs.tag }} path: /tmp/artifacts diff --git a/.github/workflows/run-k8s-tests-on-arm64.yaml b/.github/workflows/run-k8s-tests-on-arm64.yaml index f2551a6ece..fad147a69e 100644 --- a/.github/workflows/run-k8s-tests-on-arm64.yaml +++ b/.github/workflows/run-k8s-tests-on-arm64.yaml @@ -46,7 +46,7 @@ jobs: K8S_TEST_HOST_TYPE: all TARGET_ARCH: "aarch64" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -75,7 +75,7 @@ jobs: continue-on-error: true - name: Archive artifacts ${{ matrix.vmm }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }} path: /tmp/artifacts diff --git a/.github/workflows/run-k8s-tests-on-ppc64le.yaml b/.github/workflows/run-k8s-tests-on-ppc64le.yaml index 788405fb7c..a650abb0e7 100644 --- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml +++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml @@ -46,7 +46,7 @@ jobs: USING_NFD: "false" TARGET_ARCH: "ppc64le" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 diff --git a/.github/workflows/run-k8s-tests-on-zvsi.yaml b/.github/workflows/run-k8s-tests-on-zvsi.yaml index 604ee021b5..b3d9b42650 100644 --- a/.github/workflows/run-k8s-tests-on-zvsi.yaml +++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml @@ -81,7 +81,7 @@ jobs: AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 diff --git a/.github/workflows/run-kata-coco-stability-tests.yaml b/.github/workflows/run-kata-coco-stability-tests.yaml index c49c9bd708..ab68634d8c 100644 --- a/.github/workflows/run-kata-coco-stability-tests.yaml +++ b/.github/workflows/run-kata-coco-stability-tests.yaml @@ -70,7 +70,7 @@ jobs: SNAPSHOTTER: ${{ matrix.snapshotter }} USING_NFD: "false" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -83,7 +83,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml index 866a462aa9..22580f7e12 100644 --- a/.github/workflows/run-kata-coco-tests.yaml +++ b/.github/workflows/run-kata-coco-tests.yaml @@ -70,7 +70,7 @@ jobs: ITA_KEY: ${{ secrets.ITA_KEY }} AUTO_GENERATE_POLICY: "yes" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -156,7 +156,7 @@ jobs: AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} AUTO_GENERATE_POLICY: "yes" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -248,7 +248,7 @@ jobs: USING_NFD: "false" AUTO_GENERATE_POLICY: "yes" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -261,7 +261,7 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts diff --git a/.github/workflows/run-kata-deploy-tests-on-aks.yaml b/.github/workflows/run-kata-deploy-tests-on-aks.yaml index a77cab1d59..d328731422 100644 --- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml +++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml @@ -60,7 +60,7 @@ jobs: KUBERNETES: "vanilla" USING_NFD: "false" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 diff --git a/.github/workflows/run-kata-deploy-tests.yaml b/.github/workflows/run-kata-deploy-tests.yaml index 9402960953..9d05ff69cd 100644 --- a/.github/workflows/run-kata-deploy-tests.yaml +++ b/.github/workflows/run-kata-deploy-tests.yaml @@ -47,7 +47,7 @@ jobs: KUBERNETES: ${{ matrix.k8s }} USING_NFD: "false" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 diff --git a/.github/workflows/run-kata-monitor-tests.yaml b/.github/workflows/run-kata-monitor-tests.yaml index 687791ac2b..b21308b4a4 100644 --- a/.github/workflows/run-kata-monitor-tests.yaml +++ b/.github/workflows/run-kata-monitor-tests.yaml @@ -40,7 +40,7 @@ jobs: #CONTAINERD_VERSION: ${{ matrix.containerd_version }} KATA_HYPERVISOR: ${{ matrix.vmm }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -56,7 +56,7 @@ jobs: run: bash tests/functional/kata-monitor/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts diff --git a/.github/workflows/run-metrics.yaml b/.github/workflows/run-metrics.yaml index e7ba0a10f3..5f7e7841dc 100644 --- a/.github/workflows/run-metrics.yaml +++ b/.github/workflows/run-metrics.yaml @@ -47,7 +47,7 @@ jobs: USING_NFD: "false" KUBERNETES: kubeadm steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -116,7 +116,7 @@ jobs: run: bash tests/metrics/gha-run.sh make-tarball-results - name: archive metrics results ${{ matrix.vmm }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: metrics-artifacts-${{ matrix.vmm }} path: results-${{ matrix.vmm }}.tar.gz diff --git a/.github/workflows/run-runk-tests.yaml b/.github/workflows/run-runk-tests.yaml index 65489aa64f..2fdefdcca0 100644 --- a/.github/workflows/run-runk-tests.yaml +++ b/.github/workflows/run-runk-tests.yaml @@ -24,7 +24,7 @@ jobs: env: CONTAINERD_VERSION: lts steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 @@ -40,7 +40,7 @@ jobs: run: bash tests/integration/runk/gha-run.sh install-dependencies - name: get-kata-tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64${{ inputs.tarball-suffix }} path: kata-artifacts diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml index 76e0f77ebf..04c2d85a4c 100644 --- a/.github/workflows/shellcheck.yaml +++ b/.github/workflows/shellcheck.yaml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout the code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/shellcheck_required.yaml b/.github/workflows/shellcheck_required.yaml index 369a03f20c..44e84a2700 100644 --- a/.github/workflows/shellcheck_required.yaml +++ b/.github/workflows/shellcheck_required.yaml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout the code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index c539091ec2..e0327ddda1 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -11,7 +11,7 @@ jobs: stale: runs-on: ubuntu-22.04 steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 with: stale-pr-message: 'This PR has been opened without with no activity for 180 days. Comment on the issue otherwise it will be closed in 7 days' days-before-pr-stale: 180 diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml index 3186bd8d6b..52e9d7147c 100644 --- a/.github/workflows/static-checks.yaml +++ b/.github/workflows/static-checks.yaml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout the code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false @@ -69,7 +69,7 @@ jobs: component-path: src/dragonball steps: - name: Checkout the code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false @@ -107,7 +107,7 @@ jobs: GOPATH: ${{ github.workspace }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false