From ccd1cc4616b0713b901c38da2c307e313e45615a Mon Sep 17 00:00:00 2001 From: yiannis Date: Thu, 28 Sep 2023 15:07:14 +0100 Subject: [PATCH 01/12] ci: Pin actions/checkout --- .github/workflows/chart.yaml | 6 +++--- .github/workflows/docs.yaml | 4 ++-- .github/workflows/nightly.yaml | 2 +- .github/workflows/pr.yaml | 12 ++++++------ .github/workflows/prepare-release.yaml | 2 +- .github/workflows/release.yaml | 10 +++++----- .github/workflows/scan.yaml | 2 +- .github/workflows/upgrade-flux.yaml | 4 ++-- 8 files changed, 21 insertions(+), 21 deletions(-) diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml index e25b408709..ead529d232 100644 --- a/.github/workflows/chart.yaml +++ b/.github/workflows/chart.yaml @@ -29,7 +29,7 @@ jobs: old-version: ${{ steps.old-version.outputs.version }} new-version: ${{ steps.new-version.outputs.version }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: fetch-depth: 0 - name: Find new version @@ -49,7 +49,7 @@ jobs: needs: helm-new-version if: github.event_name == 'pull_request' && needs.helm-new-version.outputs.old-version != needs.helm-new-version.outputs.new-version steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: fetch-depth: 0 - name: Find out if there's more changes to release @@ -81,7 +81,7 @@ jobs: needs: helm-new-version if: (github.event_name == 'push' && needs.helm-new-version.outputs.old-version != needs.helm-new-version.outputs.new-version) || github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Find new version id: new_version run: | diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 184a1cc5e9..264f52f2f1 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml 
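Review bot: The new `actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0` lines are a major-version jump (v3 to v4, which moved the action to the Node 20 runtime) folded into a commit whose subject says only "Pin"; state the bump in the subject or split it out, so a later bisect over runner or Node problems does not land on what looks like a no-op pin. The trailing `# v4.0.0` is a free-text annotation the runner never checks against the SHA, so verify it once with `git ls-remote --tags https://github.com/actions/checkout | grep 3df4ab11` and let Dependabot/Renovate (which parse that comment) keep hash and comment moving together. The same caveat applies to every pinned `uses:` line in this series.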
@@ -24,7 +24,7 @@ jobs: run: working-directory: website steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: actions/setup-node@v3 with: node-version: "16.x" @@ -77,7 +77,7 @@ jobs: run: working-directory: website steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: actions/setup-node@v3 with: node-version: "16.x" diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index 24ecef783e..d0eb55acc1 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -22,7 +22,7 @@ jobs: with: go-version: 1.20.x - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Clean run: make clean - name: build diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index c5a041b12f..66e58aecff 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -20,7 +20,7 @@ jobs: matrix: node-version: [16.X] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Node modules cache uses: actions/cache@v2 id: yarn-cache @@ -57,7 +57,7 @@ jobs: matrix: go-version: [1.20.X] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Setup Go uses: actions/setup-go@v4 with: @@ -77,7 +77,7 @@ jobs: go-version: [1.20.X] node-version: [16.X] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Setup Go uses: actions/setup-go@v4 with: @@ -113,7 +113,7 @@ jobs: - gitops - gitops-server steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: docker/setup-buildx-action@v2 - name: Set build-time flags run: | 
@@ -186,7 +186,7 @@ jobs: with: go-version: 1.20.X - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Clean run: make clean - id: gitsha @@ -216,7 +216,7 @@ jobs: js-version: ${{ steps.package-version.outputs.js-version }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: # avoid the merge commit that on.pull_request creates # fallback to github.sha if not present (e.g. on.push(main)) diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml index aa40584b08..fdb3666e08 100644 --- a/.github/workflows/prepare-release.yaml +++ b/.github/workflows/prepare-release.yaml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Unshallow run: | git fetch --prune --unshallow diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c79e154aa4..b45e57ab22 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -17,7 +17,7 @@ jobs: version: ${{ steps.release-version.outputs.version }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: ref: ${{ github.event.pull_request.head.sha }} - name: Find release version @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: ref: ${{ github.event.pull_request.head.sha }} - uses: actions/setup-node@v3 @@ -57,7 +57,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: ref: ${{ github.event.pull_request.head.sha }} - name: Unshallow 
@@ -109,7 +109,7 @@ jobs: - build-and-push-image steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: ref: ${{ github.event.pull_request.head.sha }} - name: Unshallow @@ -161,7 +161,7 @@ jobs: needs: goreleaser steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: ref: ${{ github.event.pull_request.head.sha }} # 'Unlock Release PR Merge' sets 'release' status check state to success to unlock merging the release PR. See ../../doc/incidents/issues-3907 for full context. diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 36a15f0963..ac8596f40b 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Install Go uses: actions/setup-go@v4 with: diff --git a/.github/workflows/upgrade-flux.yaml b/.github/workflows/upgrade-flux.yaml index d3f5b138d4..6466ac55b8 100644 --- a/.github/workflows/upgrade-flux.yaml +++ b/.github/workflows/upgrade-flux.yaml @@ -12,7 +12,7 @@ jobs: version: ${{ steps.version.outputs.version }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Set new version if different id: version run: | @@ -29,7 +29,7 @@ jobs: if: needs.has-new-flux.outputs.version steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Setup Go uses: actions/setup-go@v4 with: From 5e917e72eded4af697e8fb8af69ab7d410b21e5b Mon Sep 17 00:00:00 2001 
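Review bot: Pinning `actions/checkout` does not change its default of `persist-credentials: true`, which writes the job's `GITHUB_TOKEN` into `.git/config` where every later step in these `release.yaml` jobs (some of which run with `packages: write`) can read it. Unless a subsequent step in the same job pushes with git, add `persist-credentials: false` under the existing `with:` next to `ref: ${{ github.event.pull_request.head.sha }}`; the steps that follow each checkout are outside the hunk, so confirm which jobs actually need the token before applying it. OSSF Scorecard's Token-Permissions and related checks in `ossf.yaml` will not flag this for you, so it has to be done by hand.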
From: yiannis Date: Thu, 28 Sep 2023 15:23:14 +0100 Subject: [PATCH 02/12] ci: Pin actions/setup-go --- .github/workflows/nightly.yaml | 2 +- .github/workflows/pr.yaml | 6 +++--- .github/workflows/prepare-release.yaml | 2 +- .github/workflows/release.yaml | 2 +- .github/workflows/scan.yaml | 2 +- .github/workflows/upgrade-flux.yaml | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index d0eb55acc1..d10bb139a0 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -18,7 +18,7 @@ jobs: os: [ubuntu-latest, macOS-latest] steps: - name: Install Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.20.x - name: Checkout code diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 66e58aecff..f6d7b07125 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -59,7 +59,7 @@ jobs: steps: - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ matrix.go-version }} - name: Setup Flux CLI @@ -79,7 +79,7 @@ jobs: steps: - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ matrix.go-version }} - run: make check-format @@ -182,7 +182,7 @@ jobs: if: github.event_name == 'push' steps: - name: Install Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.20.X - name: Checkout code diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml index fdb3666e08..1d757728fe 100644 --- a/.github/workflows/prepare-release.yaml 
+++ b/.github/workflows/prepare-release.yaml @@ -21,7 +21,7 @@ jobs: run: | git fetch --prune --unshallow - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.20.X - name: Setup Node.js diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b45e57ab22..f2af7e6b95 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -117,7 +117,7 @@ jobs: git fetch --prune --unshallow git fetch --tags -f - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.20.X - name: Use Node.js diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index ac8596f40b..c97d35658d 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -19,7 +19,7 @@ jobs: - name: Checkout uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Install Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.20.X - name: Run FOSSA scan and upload build data diff --git a/.github/workflows/upgrade-flux.yaml b/.github/workflows/upgrade-flux.yaml index 6466ac55b8..81131df817 100644 --- a/.github/workflows/upgrade-flux.yaml +++ b/.github/workflows/upgrade-flux.yaml @@ -31,7 +31,7 @@ jobs: - name: Checkout uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.20.X - name: Upgrade flux From 5412872024db262f8f401b394ed3ebe40501558b Mon Sep 17 00:00:00 2001 From: yiannis Date: Thu, 28 Sep 2023 15:25:24 +0100 Subject: [PATCH 03/12] ci: Bump github/codeql-action/upload-sarif version to v2.21.7 --- .github/workflows/ossf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/ossf.yaml b/.github/workflows/ossf.yaml index a26f91e3b7..e423f0cba4 100644 --- a/.github/workflows/ossf.yaml +++ b/.github/workflows/ossf.yaml @@ -44,6 +44,6 @@ jobs: # required for Code scanning alerts - name: "Upload SARIF results to code scanning" - uses: github/codeql-action/upload-sarif@e4262713b504983e61c7728f5452be240d9385a7 # v2.14.3 + uses: github/codeql-action/upload-sarif@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7 with: sarif_file: results.sarif \ No newline at end of file From 11fd9681ab276f1e625360d78a360fbfadb1fe68 Mon Sep 17 00:00:00 2001 From: yiannis Date: Thu, 28 Sep 2023 15:59:52 +0100 Subject: [PATCH 04/12] ci: Pin actions/setup-node --- .github/workflows/docs.yaml | 4 ++-- .github/workflows/pr.yaml | 4 ++-- .github/workflows/prepare-release.yaml | 2 +- .github/workflows/release.yaml | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 264f52f2f1..c76e661dce 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -25,7 +25,7 @@ jobs: working-directory: website steps: - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: "16.x" - name: Test Build @@ -78,7 +78,7 @@ jobs: working-directory: website steps: - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: "16.x" - uses: weaveworks/webfactory-ssh-agent@6b2f2c5354ff41f1edbbf7a17ea9b6178c89be9f diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index f6d7b07125..a9e2144da1 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml 
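Review bot: The neighbouring `- uses: weaveworks/webfactory-ssh-agent@6b2f2c5354ff41f1edbbf7a17ea9b6178c89be9f` in `docs.yaml` is pinned by SHA but carries no `# vX.Y.Z` comment, unlike the `setup-node` line this hunk adds; without it Dependabot/Renovate cannot track the pin and a human auditor cannot tell which upstream release or fork commit the hash corresponds to. Add a trailing comment naming the tag the hash was taken from, e.g. `# <tag> (fork of webfactory/ssh-agent)`, so it is reviewed on the same footing as the rest of the series. The `docs.yaml` job continues past the hunk, so the SSH key handling itself is not visible here.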
@@ -34,7 +34,7 @@ jobs: ${{ runner.os }}-build- ${{ runner.os }}- - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: ${{ matrix.node-version }} - run: make node_modules @@ -224,7 +224,7 @@ jobs: # We want the correct sha so we can tag the npm package correctly ref: ${{ github.event.pull_request.head.sha || github.sha }} fetch-depth: 0 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: "16.X" registry-url: "https://npm.pkg.github.com" diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml index 1d757728fe..17dbba4e7a 100644 --- a/.github/workflows/prepare-release.yaml +++ b/.github/workflows/prepare-release.yaml @@ -25,7 +25,7 @@ jobs: with: go-version: 1.20.X - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: 16.X - name: Set up environment vars diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f2af7e6b95..8bae072d8c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -40,7 +40,7 @@ jobs: uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-node@v3 + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: "16.X" registry-url: "https://npm.pkg.github.com" @@ -121,7 +121,7 @@ jobs: with: go-version: 1.20.X - name: Use Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: 16.X - name: Set env var From 711ca02438bd6d54b3d8b513a6021fea8a670432 Mon Sep 17 00:00:00 2001 
From: yiannis Date: Thu, 28 Sep 2023 16:31:45 +0100 Subject: [PATCH 05/12] ci: Pin google-github-actions/auth --- .github/workflows/chart.yaml | 2 +- .github/workflows/docs.yaml | 4 ++-- .github/workflows/pr.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml index ead529d232..3b8899f76a 100644 --- a/.github/workflows/chart.yaml +++ b/.github/workflows/chart.yaml @@ -95,7 +95,7 @@ jobs: curl -O $URL/index.yaml helm repo index helm-release --merge=index.yaml --url=$URL - id: auth - uses: google-github-actions/auth@v1 + uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1 with: credentials_json: ${{ secrets.PROD_DOCS_GITOPS_UPLOAD }} - id: upload-file diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index c76e661dce..d02bebb8df 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -46,7 +46,7 @@ jobs: yarn clear npm run build - id: auth - uses: google-github-actions/auth@v1 + uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1 with: credentials_json: ${{ secrets.PROD_DOCS_GITOPS_UPLOAD }} - id: upload-file @@ -104,7 +104,7 @@ jobs: yarn clear npm run build - id: auth - uses: google-github-actions/auth@v1 + uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1 with: credentials_json: ${{ secrets.PROD_DOCS_GITOPS_UPLOAD }} - id: upload-file diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index a9e2144da1..7ee16ee1c4 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -161,7 +161,7 @@ jobs: path: /tmp - name: Authenticate to Google Cloud id: gcloud-auth - uses: google-github-actions/auth@v1 + uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1 with: service_account: ${{ secrets.service_account }} workload_identity_provider: ${{ secrets.workload_identity_provider }} 
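Review bot: With the action now pinned, the remaining difference between these three `google-github-actions/auth` steps is the credential type: `chart.yaml` and `docs.yaml` pass a long-lived service-account key via `credentials_json: ${{ secrets.PROD_DOCS_GITOPS_UPLOAD }}`, while the `pr.yaml` step already uses `workload_identity_provider` and `service_account` (keyless OIDC). This is pre-existing rather than introduced here, but the pin is a natural point to record it: a JSON key stored as a repository secret is a static credential that outlives any workflow run, and the same pinned `v1.1.1` supports WIF for all three. Consider migrating the two `credentials_json` steps to the WIF inputs (with `id-token: write` on the job) and deleting the key from the secret store afterwards.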
From 871113c0d97792dda021429187cd8ca13a8cbe84 Mon Sep 17 00:00:00 2001 From: yiannis Date: Thu, 28 Sep 2023 16:34:22 +0100 Subject: [PATCH 06/12] ci: Pin google-github-actions/upload-cloud-storage --- .github/workflows/chart.yaml | 2 +- .github/workflows/docs.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml index 3b8899f76a..15fcf12bd1 100644 --- a/.github/workflows/chart.yaml +++ b/.github/workflows/chart.yaml @@ -99,7 +99,7 @@ jobs: with: credentials_json: ${{ secrets.PROD_DOCS_GITOPS_UPLOAD }} - id: upload-file - uses: google-github-actions/upload-cloud-storage@v1 + uses: google-github-actions/upload-cloud-storage@e95a15f226403ed658d3e65f40205649f342ba2c # v1.0.3 with: path: helm-release destination: helm.gitops.weave.works diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index d02bebb8df..94ed241177 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -50,7 +50,7 @@ jobs: with: credentials_json: ${{ secrets.PROD_DOCS_GITOPS_UPLOAD }} - id: upload-file - uses: google-github-actions/upload-cloud-storage@v1 + uses: google-github-actions/upload-cloud-storage@e95a15f226403ed658d3e65f40205649f342ba2c # v1.0.3 with: path: website/build destination: staging.docs.gitops.weave.works/${{ github.head_ref }} @@ -108,7 +108,7 @@ jobs: with: credentials_json: ${{ secrets.PROD_DOCS_GITOPS_UPLOAD }} - id: upload-file - uses: google-github-actions/upload-cloud-storage@v1 + uses: google-github-actions/upload-cloud-storage@e95a15f226403ed658d3e65f40205649f342ba2c # v1.0.3 with: path: website/build destination: production.docs.gitops.weave.works From 6bde8c674fa6967e1e0c7b37cdd27f0f3c37f2f6 Mon Sep 17 00:00:00 2001 From: yiannis Date: Thu, 28 Sep 2023 16:37:50 +0100 Subject: [PATCH 07/12] ci: Pin google-github-actions/setup-gcloud --- .github/workflows/pr.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 7ee16ee1c4..5a761cd559 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -153,7 +153,7 @@ jobs: - gitops-server steps: - uses: docker/setup-buildx-action@v2 - - uses: google-github-actions/setup-gcloud@v1 + - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1 - name: Download cached docker image uses: actions/download-artifact@v3 with: From e77a0c93636b079c28b29f492ae1d2f8b42e9f0b Mon Sep 17 00:00:00 2001 From: yiannis Date: Thu, 28 Sep 2023 18:39:27 +0100 Subject: [PATCH 08/12] ci: Pin actions/upload-artifact --- .github/workflows/nightly.yaml | 2 +- .github/workflows/ossf.yaml | 2 +- .github/workflows/pr.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index d10bb139a0..f98d1e17f0 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -28,7 +28,7 @@ jobs: - name: build run: make all BINARY_NAME=gitops-${{matrix.os}}-nightly - name: Store gitops binaries - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: gitops-binaries-${{matrix.os}}-nightly path: bin diff --git a/.github/workflows/ossf.yaml b/.github/workflows/ossf.yaml index e423f0cba4..9754654072 100644 --- a/.github/workflows/ossf.yaml +++ b/.github/workflows/ossf.yaml @@ -36,7 +36,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # 3.1.3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 5a761cd559..211c76fd69 100644 
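Review bot: `docker/setup-buildx-action@v2` on the line directly above the newly pinned `setup-gcloud` is still a floating tag, and none of the twelve patches in this series touch it (it is also visible unpinned in the `pr.yaml` hunk of PATCH 01). A mutable tag on an action that installs the Docker builder used to produce the images undoes much of the supply-chain benefit the series is after, so pin it the same way, `- uses: docker/setup-buildx-action@<sha> # v2.x.y`, with the SHA resolved from the release tag.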
--- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -132,7 +132,7 @@ jobs: - name: Load docker image run: docker load --input /tmp/${{ matrix.docker-image }}.tar - name: Cache docker image - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: ${{ matrix.docker-image }} path: /tmp/${{ matrix.docker-image }}.tar From f7c898072974a341093e477e87e29a34b65e238a Mon Sep 17 00:00:00 2001 From: yiannis Date: Thu, 28 Sep 2023 21:00:45 +0100 Subject: [PATCH 09/12] ci: Pin actions/github-script --- .github/workflows/chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml index 15fcf12bd1..02544f387f 100644 --- a/.github/workflows/chart.yaml +++ b/.github/workflows/chart.yaml @@ -64,7 +64,7 @@ jobs: echo "::set-output name=unreleased-commits::The last chart was last released in $last_revision and there have been other changes in the chart since" fi - name: Let user know merging will cause a release - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: github-token: ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }} script: | From 8fa0f3c67b14a575542116ddfbb407efbc104d3b Mon Sep 17 00:00:00 2001 From: yiannis Date: Thu, 28 Sep 2023 21:02:25 +0100 Subject: [PATCH 10/12] ci: Pin actions/download-artifact --- .github/workflows/nightly.yaml | 2 +- .github/workflows/pr.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index f98d1e17f0..5e508b02cd 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml 
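Review bot: The context line `echo "::set-output name=unreleased-commits::…"` just above the pinned `actions/github-script` step in `chart.yaml` uses the deprecated `::set-output` workflow command, which GitHub has announced it will stop honouring; `nightly.yaml` has the same pattern in `::set-output name=date::`. Replace it with `echo "unreleased-commits=…" >> "$GITHUB_OUTPUT"` (and `echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"`), keeping the step `id:` and the downstream `steps.<id>.outputs.<name>` references unchanged. Separately, this step hands `secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN` to the script; if the script only comments on the pull request, the job-scoped `GITHUB_TOKEN` with `pull-requests: write` would avoid exposing a PAT, but the `script: |` body is outside the hunk so that cannot be confirmed here.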
@@ -43,7 +43,7 @@ jobs: os: [ubuntu-latest, macOS-latest] steps: - name: Download tested gitops binaries - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: gitops-binaries-${{matrix.os}}-nightly path: bin diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 211c76fd69..21dc937869 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -155,7 +155,7 @@ jobs: - uses: docker/setup-buildx-action@v2 - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1 - name: Download cached docker image - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: ${{ matrix.docker-image }} path: /tmp From c05e4b05c099adf494c82b2cbbe3b8142b08b838 Mon Sep 17 00:00:00 2001 From: yiannis Date: Thu, 28 Sep 2023 21:05:39 +0100 Subject: [PATCH 11/12] ci: Pin aws-actions/configure-aws-credentials --- .github/workflows/nightly.yaml | 2 +- .github/workflows/pr.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index 5e508b02cd..c3c7c2249b 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -51,7 +51,7 @@ jobs: id: date run: echo "::set-output name=date::$(date +'%Y-%m-%d')" - name: publish nightly binaries to s3 - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 21dc937869..7e30703ec8 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml 
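Review bot: The new `aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0` line jumps two major versions (v2 to v4) under a subject line that says only "Pin"; v4 requires the Node 20 runtime and the v3/v4 release notes list changed defaults, so run the nightly publish once and read those notes rather than treating this as a no-op pin. Both this step and the `pr.yaml` one below still authenticate with static `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` repository secrets, whereas the GCP step in `pr.yaml` already uses workload identity; the pinned v4 supports `role-to-assume` with OIDC (job permission `id-token: write`), which would remove the long-lived keys entirely.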
@@ -197,7 +197,7 @@ jobs: run: | make gitops - name: publish to s3 - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From a3573ef31bd6fe87ee728c65e78554fbf972357b Mon Sep 17 00:00:00 2001 From: yiannis Date: Thu, 28 Sep 2023 21:09:20 +0100 Subject: [PATCH 12/12] ci: Pin actions/cache --- .github/workflows/pr.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 7e30703ec8..fcd0526861 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Node modules cache - uses: actions/cache@v2 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 id: yarn-cache env: cache-name: cache-node-modules