fix: use best practice from openssf an use pinned dependencies in gh …

…actions (#2286) Signed-off-by: Sandor Szücs <[email protected]>
zalando · May 3, 2023 · 7d04bfe · 7d04bfe
1 parent cf40cfa
commit 7d04bfe
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 26 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -37,15 +37,15 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@9a866ed4524fc3422c3af1e446dab8efa3503411
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@9a866ed4524fc3422c3af1e446dab8efa3503411
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@9a866ed4524fc3422c3af1e446dab8efa3503411
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -12,11 +12,11 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+      - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
         with:
           python-version: 3.x
-      - uses: actions/cache@v2
+      - uses: actions/cache@2b250bc32ad02700b996b496c14ac8c2840a2991
         with:
           key: ${{ github.ref }}
           path: .cache

diff --git a/.github/workflows/gh-packages.yaml b/.github/workflows/gh-packages.yaml
@@ -19,21 +19,21 @@ jobs:
       packages: write # to push packages
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
         with:
           # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
           go-version: '^1.19'
 
       - name: Login to Github Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: actions-ecosystem/action-get-latest-tag@v1
+      - uses: actions-ecosystem/action-get-latest-tag@b7c32daec3395a9616f88548363a42652b22d435
         id: get-latest-tag
 
       - name: Build Skipper Packages
@@ -42,21 +42,21 @@ jobs:
           make build.linux
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c
 
       - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e
         id: meta
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -65,7 +65,7 @@ jobs:
             type=semver,pattern=v{{major}}.{{minor}}
 
       - name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6
         with:
           context: ./packaging
           build-args: BASE_IMAGE=golang:alpine

diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
@@ -9,8 +9,8 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
         with:
           # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
           go-version: '^1.19'

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -6,16 +6,16 @@ jobs:
   gokart:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
         with:
           # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
           # Fix version to 1.19, see https://github.com/praetorian-inc/gokart/issues/88
           go-version: '~1.19'
       - run: go install github.com/praetorian-inc/gokart@latest
       - run: gokart scan -s -o gokart-scan-output.sarif
       # Upload the results to the code scanning security tab
-      - uses: github/codeql-action/upload-sarif@v2
+      - uses: github/codeql-action/upload-sarif@9a866ed4524fc3422c3af1e446dab8efa3503411
         with:
           sarif_file: gokart-scan-output.sarif
   semgrep:
@@ -24,7 +24,7 @@ jobs:
       image: returntocorp/semgrep
     steps:
       # Retrieve the source code for the repository
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
       # Fetch the semgrep rules
       - run: git clone https://github.com/dgryski/semgrep-go.git
       # Run the rule checker using the fetched rules
@@ -33,8 +33,8 @@ jobs:
   check-race:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
         with:
           # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
           go-version: '^1.19'
@@ -44,8 +44,8 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
         with:
           # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
           go-version: '^1.19'