From 7d04bfe488db59d2a9d9c46b87763bd98a48f1b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandor=20Sz=C3=BCcs?=
Date: Wed, 3 May 2023 18:31:01 +0200
Subject: [PATCH] fix: use best practice from openssf an use pinned dependencies in gh actions (#2286)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Sandor Szücs
---
 .github/workflows/codeql-analysis.yml | 8 ++++----
 .github/workflows/docs.yaml | 6 +++---
 .github/workflows/gh-packages.yaml | 18 +++++++++---------
 .github/workflows/master.yaml | 4 ++--
 .github/workflows/pr.yaml | 16 ++++++++--------
 5 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 35294ebda9..5d4f294659 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,7 +37,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
 with:
 # We must fetch at least the immediate parents so that if this is
 # a pull request then we can checkout the head.
@@ -45,7 +45,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@9a866ed4524fc3422c3af1e446dab8efa3503411
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@9a866ed4524fc3422c3af1e446dab8efa3503411
 # ℹ️ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl 
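Review bot: The new SHA pins carry no comment naming the release they correspond to, starting with `uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5` in this hunk; a reader can no longer tell which version a job runs, and update tooling such as Dependabot relies on a trailing tag comment to keep SHA pins current. The OpenSSF guidance the commit cites is normally applied as `uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # <release tag of this SHA>` on every pinned line. The same applies to every other pin in this patch: the remaining three codeql-analysis.yml hunks and the hunks in docs.yaml, gh-packages.yaml, master.yaml and pr.yaml. Since the pins freeze each action at these commits, a `github-actions` entry in the repository's Dependabot or Renovate configuration is worth adding alongside them so the pinned commits do not silently go stale.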
@@ -70,4 +70,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@9a866ed4524fc3422c3af1e446dab8efa3503411
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 154fd95606..73b4960084 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -12,11 +12,11 @@ jobs:
 deploy:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+ - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
 with:
 python-version: 3.x
- - uses: actions/cache@v2
+ - uses: actions/cache@2b250bc32ad02700b996b496c14ac8c2840a2991
 with:
 key: ${{ github.ref }}
 path: .cache
diff --git a/.github/workflows/gh-packages.yaml b/.github/workflows/gh-packages.yaml
index 47c3ae875e..3fbc90f1ca 100644
--- a/.github/workflows/gh-packages.yaml
+++ b/.github/workflows/gh-packages.yaml
@@ -19,21 +19,21 @@ jobs:
 packages: write # to push packages
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
- - uses: actions/setup-go@v2
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
 with:
 # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
 go-version: '^1.19'
 - name: Login to Github Container Registry
- uses: docker/login-action@v2
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - uses: actions-ecosystem/action-get-latest-tag@v1
+ - uses: actions-ecosystem/action-get-latest-tag@b7c32daec3395a9616f88548363a42652b22d435
 id: get-latest-tag
 - name: Build Skipper Packages 
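Review bot: The same action is now pinned to two different commits across this patch: docs.yaml here, gh-packages.yaml and pr.yaml's semgrep job get `actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab` (replacing `@v3`), while codeql-analysis.yml, master.yaml and the other pr.yaml jobs get `actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5` (replacing `@v2`). Pinning carries the old major-version split forward instead of resolving it, so presumably the `@v2`-derived jobs stay on an older release of checkout; aligning every workflow on the single newer commit, e.g. `- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab` everywhere, would leave one SHA to audit and bump. The same split exists for the setup-go pin versus the other actions' majors and is easier to reason about once each action has exactly one pinned commit in the repository.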
@@ -42,21 +42,21 @@ jobs:
 make build.linux
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c
 - name: Login to GitHub Container Registry
 if: github.event_name != 'pull_request'
- uses: docker/login-action@v2
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Docker meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e
 id: meta
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -65,7 +65,7 @@ jobs:
 type=semver,pattern=v{{major}}.{{minor}}
 - name: Build and push
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6
 with:
 context: ./packaging
 build-args: BASE_IMAGE=golang:alpine
diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index 20cfb92d6e..fa63be64f6 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -9,8 +9,8 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
 with:
 # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
 go-version: '^1.19'
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 75f4208600..0d0c988efc 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml 
@@ -6,8 +6,8 @@ jobs:
 gokart:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
 with:
 # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
 # Fix version to 1.19, see https://github.com/praetorian-inc/gokart/issues/88
@@ -15,7 +15,7 @@ jobs:
 - run: go install github.com/praetorian-inc/gokart@latest
 - run: gokart scan -s -o gokart-scan-output.sarif
 # Upload the results to the code scanning security tab
- - uses: github/codeql-action/upload-sarif@v2
+ - uses: github/codeql-action/upload-sarif@9a866ed4524fc3422c3af1e446dab8efa3503411
 with:
 sarif_file: gokart-scan-output.sarif
 semgrep:
@@ -24,7 +24,7 @@ jobs:
 image: returntocorp/semgrep
 steps:
 # Retrieve the source code for the repository
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 # Fetch the semgrep rules
 - run: git clone https://github.com/dgryski/semgrep-go.git
 # Run the rule checker using the fetched rules
@@ -33,8 +33,8 @@ jobs:
 check-race:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
 with:
 # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
 go-version: '^1.19'
@@ -44,8 +44,8 @@ jobs:
 tests:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
 with:
 # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
 go-version: '^1.19'
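Review bot: The gokart and semgrep jobs still fetch unpinned code right next to the newly pinned actions: `- run: go install github.com/praetorian-inc/gokart@latest` in the hunk at line 15, and `image: returntocorp/semgrep` (no tag or digest) plus `- run: git clone https://github.com/dgryski/semgrep-go.git` (default-branch head) in the hunk at line 24. These are the same class of dependency the commit sets out to pin, and in a pull-request workflow they execute whatever upstream currently publishes on every push, so the pinning is incomplete for those two jobs. The equivalent fixes are `go install github.com/praetorian-inc/gokart@<release-tag>`, `image: returntocorp/semgrep@sha256:<digest>`, and a `git -C semgrep-go checkout <commit>` step after the clone, with each placeholder filled from the upstream release being adopted. The `go-version: '^1.19'` caret range in the check-race and tests hunks (and in master.yaml) likewise resolves to the newest 1.x at run time; that is a reasonable choice for a toolchain, but it is a floating reference and should be recorded as deliberate.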