From 6a6fb45fd8af75fe09573289e35506c2884ccd71 Mon Sep 17 00:00:00 2001
From: Thomas Ferrandiz
Date: Wed, 25 Mar 2026 13:25:45 +0000
Subject: [PATCH] Pin GH Actions to commit sha

---
 .github/workflows/build.yml | 4 ++--
 .github/workflows/codeql.yml | 8 ++++----
 .github/workflows/image-build.yml | 22 +++++++++++-----------
 .github/workflows/image-push-master.yml | 18 +++++++++--------
 .github/workflows/image-push-release.yml | 22 +++++++++++-----------
 .github/workflows/kind-e2e.yml | 10 +++++-----
 .github/workflows/release.yml | 6 +++---
 .github/workflows/stale-issues-prs.yml | 2 +-
 .github/workflows/test.yml | 8 ++++----
 9 files changed, 50 insertions(+), 50 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1934563a0..e04728b26 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,12 +10,12 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: ${{ matrix.go-version }}
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Build
 env:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 044e90117..d795a591d 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
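Review bot: The version comment on each pinned line records only a major tag (`# v5` on the `actions/setup-go` line, `# v4` on `actions/checkout`), so a reader of the file cannot check that the SHA resolves to a released tag without querying the action repository; this holds for every pinned line in the patch except the Trivy pin in image-build.yml, which keeps the full `# v0.35.0`. Record the exact tag the SHA was resolved from, e.g. `uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.<minor>.<patch>` with the placeholder filled from the release that points at this commit. Dependabot and Renovate read that comment when they propose pin updates, so a full tag also makes their update PRs easier to review against a release.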
@@ -24,18 +24,18 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
 with:
 languages: ${{ matrix.language }}
 queries: +security-and-quality
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
 with:
 category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
index e19ebfb0b..aa16f06e8 100644
--- a/.github/workflows/image-build.yml
+++ b/.github/workflows/image-build.yml
@@ -6,14 +6,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 # note: disable sbom/provenance for now (gchr.io does not managed well yet)
 - name: Build container image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
 with:
 context: .
 push: false
@@ -25,7 +25,7 @@ jobs:
 # note: disable sbom/provenance for now (gchr.io does not managed well yet)
 - name: Build container debug image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
 with:
 context: .
 push: false
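Review bot: The three `github/codeql-action/*` pins in the codeql.yml hunk freeze the workflow on a v2 commit (`b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2`), while image-build.yml in this same patch pins `upload-sarif` to a v3 commit (`ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3`); to my knowledge the v2 line of codeql-action is no longer maintained, so pinning it now locks in a major that will not receive further fixes. Because `init`, `autobuild` and `analyze` live in the same repository, the v3 commit already used elsewhere in the patch applies to them: `uses: github/codeql-action/init@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3`, `uses: github/codeql-action/autobuild@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3`, `uses: github/codeql-action/analyze@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3`. Check the v3 release notes for input changes before switching; the `queries: +security-and-quality` and `category:` inputs can stay as they are.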
@@ -40,13 +40,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Build container image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
 with:
 context: .
 push: false
@@ -57,7 +57,7 @@ jobs:
 provenance: false
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.35.0
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 with:
 image-ref: ghcr.io/${{ github.repository }}:latest-thick
 ignore-unfixed: true
@@ -67,7 +67,7 @@ jobs:
 output: 'trivy-results.sarif'
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
 if: always()
 with:
 sarif_file: 'trivy-results.sarif'
@@ -77,10 +77,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Download OKD Builder Dockerfile
 run: curl https://raw.githubusercontent.com/okd-project/images/main/builder/Dockerfile -o images/okd-builder.Dockerfile
diff --git a/.github/workflows/image-push-master.yml b/.github/workflows/image-push-master.yml
index 8706fca90..0278b605a 100644
--- a/.github/workflows/image-push-master.yml
+++ b/.github/workflows/image-push-master.yml
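Review bot: In the last image-build.yml hunk (`@@ -77,10 +77,10 @@`) the unchanged `run: curl https://raw.githubusercontent.com/okd-project/images/main/builder/Dockerfile -o images/okd-builder.Dockerfile` line still fetches a Dockerfile from a moving branch with no integrity check, so the build input this step produces is exactly the kind of unpinned third-party content the commit sets out to remove; curl is also run without `--fail`, so an HTTP error page would be written as the Dockerfile and only surface when the build parses it. Pin the URL to a commit and verify a digest, e.g. `run: |` followed by `curl --fail --silent --show-error --location https://raw.githubusercontent.com/okd-project/images/<OKD_IMAGES_COMMIT>/builder/Dockerfile -o images/okd-builder.Dockerfile` and `echo "<EXPECTED_SHA256>  images/okd-builder.Dockerfile" | sha256sum -c -`, with both placeholders filled from the revision you vet. The step that consumes the downloaded file lies outside this hunk.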
@@ -11,14 +11,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Login to GitHub Container Registry
 if: ${{ github.repository_owner == env.image-push-owner }}
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -26,7 +26,7 @@ jobs:
 - name: Push container image for thick plugin
 if: ${{ github.repository_owner == env.image-push-owner }}
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 with:
 context: .
 push: true
@@ -43,14 +43,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Login to GitHub Container Registry
 if: ${{ github.repository_owner == env.image-push-owner }}
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -58,7 +58,7 @@ jobs:
 - name: Push thin container image
 if: ${{ github.repository_owner == env.image-push-owner }}
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 with:
 context: .
 push: true
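Review bot: The `docker/build-push-action` pins in image-push-master.yml resolve to a v5 commit (`ca052bb54ab0790a636c9b5f226502c73d547a25 # v5`, first in the `Push container image for thick plugin` hunk), while image-build.yml in the same patch pins the v6 commit `10e90e3645eae34f1e60eeb005ba3a3d33f178e8`, so the images that get pushed are built by a different action major than the one the PR build exercised; the same v5 pin recurs in the later hunks of this file, in every build-push hunk of image-push-release.yml, and in the `Build latest-amd64` hunk of kind-e2e.yml. A pinning sweep is the natural point to converge on one major, e.g. `uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6` on each of those lines, after checking the v6 release notes for input or default changes that affect the push jobs.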
@@ -72,7 +72,7 @@ jobs:
 - name: Push thin container debug image
 if: ${{ github.repository_owner == env.image-push-owner }}
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 with:
 context: .
 push: true
diff --git a/.github/workflows/image-push-release.yml b/.github/workflows/image-push-release.yml
index 5a778f093..2668e3715 100644
--- a/.github/workflows/image-push-release.yml
+++ b/.github/workflows/image-push-release.yml
@@ -11,14 +11,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Login to GitHub Container Registry
 if: ${{ github.repository_owner == env.image-push-owner }}
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -26,7 +26,7 @@ jobs:
 - name: Docker meta
 id: docker_meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
 with:
 images: ghcr.io/${{ github.repository }}
 flavor: |
@@ -34,7 +34,7 @@ jobs:
 - name: Push container image for thick plugin
 if: ${{ github.repository_owner == env.image-push-owner }}
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 with:
 context: .
 push: true
@@ -51,14 +51,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Login to GitHub Container Registry
 if: ${{ github.repository_owner == env.image-push-owner }}
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -66,7 +66,7 @@ jobs:
 - name: Docker meta
 id: docker_meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
 with:
 images: ghcr.io/${{ github.repository }}
 flavor: |
@@ -74,7 +74,7 @@ jobs:
 - name: Push thin container image
 if: ${{ github.repository_owner == env.image-push-owner }}
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 with:
 context: .
 push: true
@@ -88,7 +88,7 @@ jobs:
 - name: Push thin container debug image
 if: ${{ github.repository_owner == env.image-push-owner }}
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 with:
 context: .
 push: true
diff --git a/.github/workflows/kind-e2e.yml b/.github/workflows/kind-e2e.yml
index 5f9576b3b..677c5b2dc 100644
--- a/.github/workflows/kind-e2e.yml
+++ b/.github/workflows/kind-e2e.yml
@@ -33,13 +33,13 @@ jobs:
 github.event_name == 'pull_request' ) || (github.event_name == 'push' && github.event.commits != '[]' )
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Setup python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: 3.x
@@ -49,7 +49,7 @@ jobs:
 echo $(j2 --version)
 - name: Build latest-amd64
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 with:
 context: .
 load: true
@@ -108,7 +108,7 @@ jobs:
 - name: Upload kind logs
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: kind-logs-${{ env.JOB_NAME }}-${{ github.run_id }}
 path: /tmp/kind/logs
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1a99fa5b1..f887ae2c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,17 +8,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: 1.25.x
 - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v5
+ uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5
 with:
 version: latest
 args: release --rm-dist
diff --git a/.github/workflows/stale-issues-prs.yml b/.github/workflows/stale-issues-prs.yml
index b64645897..9b2e25a34 100644
--- a/.github/workflows/stale-issues-prs.yml
+++ b/.github/workflows/stale-issues-prs.yml
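Review bot: In the release.yml hunk, pinning `goreleaser/goreleaser-action` to `5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5` does not pin the tool that actually builds and publishes the release, because the unchanged `version: latest` input two lines below makes the action download whichever GoReleaser release is current at run time. Pin it to an explicit release, e.g. `version: "<GORELEASER_VERSION>"` (placeholder for the exact version you vet), so a new GoReleaser release cannot silently change what ships from this job. The `args: release --rm-dist` line uses a flag that, to my knowledge, has been deprecated in favour of `--clean` since GoReleaser 1.14 and removed in v2, so a version pin chosen today should be paired with `args: release --clean`.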
@@ -7,7 +7,7 @@ jobs:
 stale:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v9
+ - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
 with:
 stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 7 days.'
 stale-pr-message: 'This pull request is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 7 days.'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 00a31def5..ec3ba0ffc 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,12 +9,12 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: ${{ matrix.go-version }}
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Run Revive Action by pulling pre-built image
 uses: docker://morphy/revive-action:v2
@@ -32,7 +32,7 @@ jobs:
 run: sudo -E env "PATH=$PATH" ./hack/test-go.sh
 - name: Send coverage
- uses: shogo82148/actions-goveralls@v1
+ uses: shogo82148/actions-goveralls@25f5320d970fb565100cf1993ada29be1bb196a1 # v1
 with:
 path-to-profile: coverage.out
 flag-name: Go-${{ matrix.go }}
@@ -43,6 +43,6 @@ jobs:
 needs: test
 runs-on: ubuntu-latest
 steps:
- - uses: shogo82148/actions-goveralls@v1
+ - uses: shogo82148/actions-goveralls@25f5320d970fb565100cf1993ada29be1bb196a1 # v1
 with:
 parallel-finished: true
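Review bot: In the first test.yml hunk, the unchanged `uses: docker://morphy/revive-action:v2` line just below the new `actions/checkout` pin still pulls a third-party container by a mutable tag on every run, so the linter in this job is the one dependency in the file that the commit leaves unpinned. The `docker://` reference form accepts an image digest, e.g. `uses: docker://morphy/revive-action@sha256:<IMAGE_DIGEST>` with the placeholder filled from the image you have vetted, which gives this step the same immutability the commit SHAs give the others. The revive step's own inputs continue past the end of the hunk.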