From a678046d130fc001397d9940f36771bd2fa054f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= <abombo@microsoft.com>
Date: Mon, 17 Mar 2025 12:23:15 -0500
Subject: [PATCH] gha: Pin third-party actions to commit hashes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.
This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.
Hopefully actionlint starts warning about this soon [4].
[1] https://www.cve.org/CVERecord?id=CVE-2025-30066
[2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
[3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
[4] https://github.com/rhysd/actionlint/pull/436
Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
---
.../cargo-deny-skeleton.yaml.in | 2 +-
.github/workflows/PR-wip-checks.yaml | 2 +-
.../workflows/build-kata-static-tarball-amd64.yaml | 14 +++++++-------
.../workflows/build-kata-static-tarball-arm64.yaml | 14 +++++++-------
.../build-kata-static-tarball-ppc64le.yaml | 8 ++++----
.../build-kata-static-tarball-riscv64.yaml | 2 +-
.../workflows/build-kata-static-tarball-s390x.yaml | 10 +++++-----
.github/workflows/ci-weekly.yaml | 8 ++++----
.github/workflows/ci.yaml | 14 +++++++-------
.github/workflows/commit-message-check.yaml | 12 ++++++------
.github/workflows/payload-after-push.yaml | 2 +-
.github/workflows/publish-kata-deploy-payload.yaml | 4 ++--
.github/workflows/release-amd64.yaml | 4 ++--
.github/workflows/release-arm64.yaml | 4 ++--
.github/workflows/release-ppc64le.yaml | 4 ++--
.github/workflows/release-s390x.yaml | 4 ++--
.github/workflows/release.yaml | 6 +++---
.github/workflows/run-k8s-tests-on-aks.yaml | 2 +-
.../workflows/run-kata-coco-stability-tests.yaml | 2 +-
.github/workflows/run-kata-coco-tests.yaml | 2 +-
.../workflows/run-kata-deploy-tests-on-aks.yaml | 2 +-
.github/workflows/shellcheck.yaml | 2 +-
.github/workflows/shellcheck_required.yaml | 2 +-
src/runtime/pkg/govmm/.github/workflows/main.yml | 2 +-
24 files changed, 64 insertions(+), 64 deletions(-)
diff --git a/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in b/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in
index e48d1f6c86..b12569f4a5 100644
--- a/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in
+++ b/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in
@@ -21,7 +21,7 @@ runs:
override: true
- name: Cache
- uses: Swatinem/rust-cache@v2
+ uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
- name: Install Cargo deny
shell: bash
diff --git a/.github/workflows/PR-wip-checks.yaml b/.github/workflows/PR-wip-checks.yaml
index 7616b978ce..7a5f5769f0 100644
--- a/.github/workflows/PR-wip-checks.yaml
+++ b/.github/workflows/PR-wip-checks.yaml
@@ -20,7 +20,7 @@ jobs:
steps:
- name: WIP Check
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
- uses: tim-actions/wip-check@1c2a1ca6c110026b3e2297bb2ef39e1747b5a755
+ uses: tim-actions/wip-check@1c2a1ca6c110026b3e2297bb2ef39e1747b5a755 # master (2021-06-10)
with:
labels: '["do-not-merge", "wip", "rfc"]'
keywords: '["WIP", "wip", "RFC", "rfc", "dnm", "DNM", "do-not-merge"]'
diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index a6093f384a..790baa7ba9 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -68,7 +68,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@@ -110,13 +110,13 @@ jobs:
echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
- - uses: oras-project/setup-oras@v1
+ - uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
version: "1.2.0"
# for pushing attestations to the registry
- - uses: docker/login-action@v3
+ - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
registry: ghcr.io
@@ -163,7 +163,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@@ -226,7 +226,7 @@ jobs:
- kernel-nvidia-gpu-confidential-headers
- pause-image
steps:
- - uses: geekyeggo/delete-artifact@v5
+ - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
with:
name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
@@ -239,7 +239,7 @@ jobs:
asset:
- agent
steps:
- - uses: geekyeggo/delete-artifact@v5
+ - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
if: ${{ inputs.stage == 'release' }}
with:
name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
@@ -250,7 +250,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml
index 2c5fda1d57..40431e3980 100644
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -48,7 +48,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@@ -89,13 +89,13 @@ jobs:
echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
- - uses: oras-project/setup-oras@v1
+ - uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
version: "1.2.0"
# for pushing attestations to the registry
- - uses: docker/login-action@v3
+ - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
registry: ghcr.io
@@ -138,7 +138,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@@ -197,7 +197,7 @@ jobs:
- busybox
- kernel-nvidia-gpu-headers
steps:
- - uses: geekyeggo/delete-artifact@v5
+ - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
with:
name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
@@ -210,7 +210,7 @@ jobs:
asset:
- agent
steps:
- - uses: geekyeggo/delete-artifact@v5
+ - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
if: ${{ inputs.stage == 'release' }}
with:
name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
@@ -221,7 +221,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
index e1ddd9d882..a457b3f746 100644
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -36,7 +36,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@@ -89,7 +89,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@@ -147,7 +147,7 @@ jobs:
asset:
- agent
steps:
- - uses: geekyeggo/delete-artifact@v5
+ - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
if: ${{ inputs.stage == 'release' }}
with:
name: kata-artifacts-ppc64le-${{ matrix.asset}}${{ inputs.tarball-suffix }}
@@ -158,7 +158,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
diff --git a/.github/workflows/build-kata-static-tarball-riscv64.yaml b/.github/workflows/build-kata-static-tarball-riscv64.yaml
index 4cc5ca0695..e09b247b64 100644
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@@ -37,7 +37,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml
index f1bbb06ba9..5c851a1768 100644
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -44,7 +44,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@@ -87,7 +87,7 @@ jobs:
echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
# for pushing attestations to the registry
- - uses: docker/login-action@v3
+ - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
registry: ghcr.io
@@ -122,7 +122,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@@ -227,7 +227,7 @@ jobs:
- coco-guest-components
- pause-image
steps:
- - uses: geekyeggo/delete-artifact@v5
+ - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
if: ${{ inputs.stage == 'release' }}
with:
name: kata-artifacts-s390x-${{ matrix.asset}}${{ inputs.tarball-suffix }}
@@ -238,7 +238,7 @@ jobs:
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml
index 38c91caaf7..ba7615318c 100644
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -54,20 +54,20 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
- name: Login to Kata Containers ghcr.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker build and push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
with:
tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
push: true
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b78f34295d..c0e80ad57b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -122,20 +122,20 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
- name: Login to Kata Containers ghcr.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker build and push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
with:
tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
push: true
@@ -175,17 +175,17 @@ jobs:
cp /opt/kata/bin/csi-kata-directvolume src/tools/csi-kata-directvolume/bin/directvolplugin
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
- name: Login to Kata Containers ghcr.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker build and push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
with:
tags: ghcr.io/kata-containers/csi-kata-directvolume:${{ inputs.pr-number }}
push: true
diff --git a/.github/workflows/commit-message-check.yaml b/.github/workflows/commit-message-check.yaml
index bb697cbf87..347434d990 100644
--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@@ -26,7 +26,7 @@ jobs:
- name: Get PR Commits
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
id: 'get-pr-commits'
- uses: tim-actions/get-pr-commits@v1.2.0
+ uses: tim-actions/get-pr-commits@c64db31d359214d244884dd68f971a110b29ab83 # v1.2.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
# Filter out revert commits
@@ -41,19 +41,19 @@ jobs:
- name: DCO Check
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
- uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20
+ uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20 # master (2020-04-28)
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
- name: Commit Body Missing Check
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
- uses: tim-actions/commit-body-check@v1.0.2
+ uses: tim-actions/commit-body-check@d2e0e8e1f0332b3281c98867c42a2fbe25ad3f15 # v1.0.2
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
- name: Check Subject Line Length
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
- uses: tim-actions/commit-message-checker-with-regex@v0.3.1
+ uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
pattern: '^.{0,75}(\n.*)*$'
@@ -62,7 +62,7 @@ jobs:
- name: Check Body Line Length
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
- uses: tim-actions/commit-message-checker-with-regex@v0.3.1
+ uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
# Notes:
@@ -93,7 +93,7 @@ jobs:
- name: Check Subsystem
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
- uses: tim-actions/commit-message-checker-with-regex@v0.3.1
+ uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
pattern: '^[\s\t]*[^:\s\t]+[\s\t]*:'
diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml
index 131a8a1623..dbbea5bace 100644
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -101,7 +101,7 @@ jobs:
uses: actions/checkout@v4
- name: Login to Kata Containers quay.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml
index b49db0186f..133bab2d5e 100644
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -53,7 +53,7 @@ jobs:
- name: Login to Kata Containers quay.io
if: ${{ inputs.registry == 'quay.io' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@@ -61,7 +61,7 @@ jobs:
- name: Login to Kata Containers ghcr.io
if: ${{ inputs.registry == 'ghcr.io' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml
index 5e519b0ae4..2c8c741764 100644
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -19,13 +19,13 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Login to Kata Containers docker.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Kata Containers quay.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml
index 65474e38ce..40e623ffb4 100644
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -19,13 +19,13 @@ jobs:
runs-on: ubuntu-22.04-arm
steps:
- name: Login to Kata Containers docker.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Kata Containers quay.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml
index 0be2dc886c..178957556e 100644
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -19,13 +19,13 @@ jobs:
runs-on: ppc64le
steps:
- name: Login to Kata Containers docker.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Kata Containers quay.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml
index 1909b3f5ef..c6902da1a5 100644
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -19,13 +19,13 @@ jobs:
runs-on: s390x
steps:
- name: Login to Kata Containers docker.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Kata Containers quay.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 86bfc3ede3..e6af868670 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -53,13 +53,13 @@ jobs:
uses: actions/checkout@v4
- name: Login to Kata Containers docker.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Kata Containers quay.io
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@@ -183,7 +183,7 @@ jobs:
uses: actions/checkout@v4
- name: Install helm
- uses: azure/setup-helm@v4.2.0
+ uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
id: install
- name: Generate and upload helm chart tarball
diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml
index b49b783dde..9b6a0cb5ff 100644
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -103,7 +103,7 @@ jobs:
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
with:
timeout_minutes: 15
max_attempts: 20
diff --git a/.github/workflows/run-kata-coco-stability-tests.yaml b/.github/workflows/run-kata-coco-stability-tests.yaml
index eb8b2bcb87..142681878d 100644
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -87,7 +87,7 @@ jobs:
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
with:
timeout_minutes: 15
max_attempts: 20
diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml
index a64baeb8c7..70eb05030f 100644
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -257,7 +257,7 @@ jobs:
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
with:
timeout_minutes: 15
max_attempts: 20
diff --git a/.github/workflows/run-kata-deploy-tests-on-aks.yaml b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
index 7183309943..9a665f02d3 100644
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -71,7 +71,7 @@ jobs:
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
with:
timeout_minutes: 15
max_attempts: 20
diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml
index f057ca9c8b..ea2b350c4d 100644
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@@ -25,6 +25,6 @@ jobs:
- uses: actions/checkout@v4
- name: Run ShellCheck
- uses: ludeeus/action-shellcheck@master
+ uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
with:
ignore_paths: "**/vendor/**"
diff --git a/.github/workflows/shellcheck_required.yaml b/.github/workflows/shellcheck_required.yaml
index 07058e7247..ac0768f84e 100644
--- a/.github/workflows/shellcheck_required.yaml
+++ b/.github/workflows/shellcheck_required.yaml
@@ -26,7 +26,7 @@ jobs:
- uses: actions/checkout@v4
- name: Run ShellCheck
- uses: ludeeus/action-shellcheck@master
+ uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
with:
severity: error
ignore_paths: "**/vendor/**"
diff --git a/src/runtime/pkg/govmm/.github/workflows/main.yml b/src/runtime/pkg/govmm/.github/workflows/main.yml
index 6c6841ca13..a259204b54 100644
--- a/src/runtime/pkg/govmm/.github/workflows/main.yml
+++ b/src/runtime/pkg/govmm/.github/workflows/main.yml
@@ -15,7 +15,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
- name: golangci-lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@4696ba8babb6127d732c3c6dde519db15edab9ea # v6.5.1
with:
version: latest
args: -c .golangci.yml -v