Skip to content

Pin GitHub Actions versions #4044

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
yitsushi merged 12 commits into from
Sep 28, 2023
Merged

Pin GitHub Actions versions #4044

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
ccd1cc4
ci: Pin actions/checkout
yiannistri Sep 28, 2023
5e917e7
ci: Pin actions/setup-go
yiannistri Sep 28, 2023
5412872
ci: Bump github/codeql-action/upload-sarif version to v2.21.7
yiannistri Sep 28, 2023
11fd968
ci: Pin actions/setup-node
yiannistri Sep 28, 2023
711ca02
ci: Pin google-github-actions/auth
yiannistri Sep 28, 2023
871113c
ci: Pin google-github-actions/upload-cloud-storage
yiannistri Sep 28, 2023
6bde8c6
ci: Pin google-github-actions/setup-gcloud
yiannistri Sep 28, 2023
e77a0c9
ci: Pin actions/upload-artifact
yiannistri Sep 28, 2023
f7c8980
ci: Pin actions/github-script
yiannistri Sep 28, 2023
8fa0f3c
ci: Pin actions/download-artifact
yiannistri Sep 28, 2023
c05e4b0
ci: Pin aws-actions/configure-aws-credentials
yiannistri Sep 28, 2023
a3573ef
ci: Pin actions/cache
yiannistri Sep 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions .github/workflows/chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ jobs:
old-version: ${{ steps.old-version.outputs.version }}
new-version: ${{ steps.new-version.outputs.version }}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Find new version
Expand All @@ -49,7 +49,7 @@ jobs:
needs: helm-new-version
if: github.event_name == 'pull_request' && needs.helm-new-version.outputs.old-version != needs.helm-new-version.outputs.new-version
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Find out if there's more changes to release
Expand All @@ -64,7 +64,7 @@ jobs:
echo "::set-output name=unreleased-commits::The last chart was last released in $last_revision and there have been other changes in the chart since"
fi
- name: Let user know merging will cause a release
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
github-token: ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}
script: |
Expand All @@ -81,7 +81,7 @@ jobs:
needs: helm-new-version
if: (github.event_name == 'push' && needs.helm-new-version.outputs.old-version != needs.helm-new-version.outputs.new-version) || github.event_name == 'workflow_dispatch'
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Find new version
id: new_version
run: |
Expand All @@ -95,11 +95,11 @@ jobs:
curl -O $URL/index.yaml
helm repo index helm-release --merge=index.yaml --url=$URL
- id: auth
uses: google-github-actions/auth@v1
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
credentials_json: ${{ secrets.PROD_DOCS_GITOPS_UPLOAD }}
- id: upload-file
uses: google-github-actions/upload-cloud-storage@v1
uses: google-github-actions/upload-cloud-storage@e95a15f226403ed658d3e65f40205649f342ba2c # v1.0.3
with:
path: helm-release
destination: helm.gitops.weave.works
Expand Down
16 changes: 8 additions & 8 deletions .github/workflows/docs.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,8 @@ jobs:
run:
working-directory: website
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: "16.x"
- name: Test Build
Expand All @@ -46,11 +46,11 @@ jobs:
yarn clear
npm run build
- id: auth
uses: google-github-actions/auth@v1
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
credentials_json: ${{ secrets.PROD_DOCS_GITOPS_UPLOAD }}
- id: upload-file
uses: google-github-actions/upload-cloud-storage@v1
uses: google-github-actions/upload-cloud-storage@e95a15f226403ed658d3e65f40205649f342ba2c # v1.0.3
with:
path: website/build
destination: staging.docs.gitops.weave.works/${{ github.head_ref }}
Expand All @@ -77,8 +77,8 @@ jobs:
run:
working-directory: website
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: "16.x"
- uses: weaveworks/webfactory-ssh-agent@6b2f2c5354ff41f1edbbf7a17ea9b6178c89be9f
Expand All @@ -104,11 +104,11 @@ jobs:
yarn clear
npm run build
- id: auth
uses: google-github-actions/auth@v1
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
credentials_json: ${{ secrets.PROD_DOCS_GITOPS_UPLOAD }}
- id: upload-file
uses: google-github-actions/upload-cloud-storage@v1
uses: google-github-actions/upload-cloud-storage@e95a15f226403ed658d3e65f40205649f342ba2c # v1.0.3
with:
path: website/build
destination: production.docs.gitops.weave.works
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/nightly.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,17 +18,17 @@ jobs:
os: [ubuntu-latest, macOS-latest]
steps:
- name: Install Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.20.x
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Clean
run: make clean
- name: build
run: make all BINARY_NAME=gitops-${{matrix.os}}-nightly
- name: Store gitops binaries
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: gitops-binaries-${{matrix.os}}-nightly
path: bin
Expand All @@ -43,15 +43,15 @@ jobs:
os: [ubuntu-latest, macOS-latest]
steps:
- name: Download tested gitops binaries
uses: actions/download-artifact@v3
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: gitops-binaries-${{matrix.os}}-nightly
path: bin
- name: Get current date
id: date
run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
- name: publish nightly binaries to s3
uses: aws-actions/configure-aws-credentials@v2
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/ossf.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,14 +36,14 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # 3.1.3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: SARIF file
path: results.sarif
retention-days: 5

# required for Code scanning alerts
- name: "Upload SARIF results to code scanning"
uses: github/codeql-action/upload-sarif@e4262713b504983e61c7728f5452be240d9385a7 # v2.14.3
uses: github/codeql-action/upload-sarif@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
with:
sarif_file: results.sarif
34 changes: 17 additions & 17 deletions .github/workflows/pr.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@ jobs:
matrix:
node-version: [16.X]
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Node modules cache
uses: actions/cache@v2
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
id: yarn-cache
env:
cache-name: cache-node-modules
Expand All @@ -34,7 +34,7 @@ jobs:
${{ runner.os }}-build-
${{ runner.os }}-
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ matrix.node-version }}
- run: make node_modules
Expand All @@ -57,9 +57,9 @@ jobs:
matrix:
go-version: [1.20.X]
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Setup Flux CLI
Expand All @@ -77,9 +77,9 @@ jobs:
go-version: [1.20.X]
node-version: [16.X]
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- run: make check-format
Expand Down Expand Up @@ -113,7 +113,7 @@ jobs:
- gitops
- gitops-server
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: docker/setup-buildx-action@v2
- name: Set build-time flags
run: |
Expand All @@ -132,7 +132,7 @@ jobs:
- name: Load docker image
run: docker load --input /tmp/${{ matrix.docker-image }}.tar
- name: Cache docker image
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: ${{ matrix.docker-image }}
path: /tmp/${{ matrix.docker-image }}.tar
Expand All @@ -153,15 +153,15 @@ jobs:
- gitops-server
steps:
- uses: docker/setup-buildx-action@v2
- uses: google-github-actions/setup-gcloud@v1
- uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
- name: Download cached docker image
uses: actions/download-artifact@v3
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ matrix.docker-image }}
path: /tmp
- name: Authenticate to Google Cloud
id: gcloud-auth
uses: google-github-actions/auth@v1
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
service_account: ${{ secrets.service_account }}
workload_identity_provider: ${{ secrets.workload_identity_provider }}
Expand All @@ -182,11 +182,11 @@ jobs:
if: github.event_name == 'push'
steps:
- name: Install Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.20.X
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Clean
run: make clean
- id: gitsha
Expand All @@ -197,7 +197,7 @@ jobs:
run: |
make gitops
- name: publish to s3
uses: aws-actions/configure-aws-credentials@v2
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
Expand All @@ -216,15 +216,15 @@ jobs:
js-version: ${{ steps.package-version.outputs.js-version }}
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
# avoid the merge commit that on.pull_request creates
# fallback to github.sha if not present (e.g. on.push(main))
# https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit
# We want the correct sha so we can tag the npm package correctly
ref: ${{ github.event.pull_request.head.sha || github.sha }}
fetch-depth: 0
- uses: actions/setup-node@v3
- uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: "16.X"
registry-url: "https://npm.pkg.github.com"
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/prepare-release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,16 +16,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Unshallow
run: |
git fetch --prune --unshallow
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.20.X
- name: Setup Node.js
uses: actions/setup-node@v3
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 16.X
- name: Set up environment vars
Expand Down
16 changes: 8 additions & 8 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
version: ${{ steps.release-version.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Find release version
Expand All @@ -37,10 +37,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: actions/setup-node@v3
- uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: "16.X"
registry-url: "https://npm.pkg.github.com"
Expand All @@ -57,7 +57,7 @@ jobs:
packages: write
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Unshallow
Expand Down Expand Up @@ -109,19 +109,19 @@ jobs:
- build-and-push-image
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Unshallow
run: |
git fetch --prune --unshallow
git fetch --tags -f
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.20.X
- name: Use Node.js
uses: actions/setup-node@v3
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 16.X
- name: Set env var
Expand Down Expand Up @@ -161,7 +161,7 @@ jobs:
needs: goreleaser
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
ref: ${{ github.event.pull_request.head.sha }}
# 'Unlock Release PR Merge' sets 'release' status check state to success to unlock merging the release PR. See ../../doc/incidents/issues-3907 for full context.
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/scan.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Install Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.20.X
- name: Run FOSSA scan and upload build data
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/upgrade-flux.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ jobs:
version: ${{ steps.version.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Set new version if different
id: version
run: |
Expand All @@ -29,9 +29,9 @@ jobs:
if: needs.has-new-flux.outputs.version
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.20.X
- name: Upgrade flux
Expand Down