Skip to content

Commit beac585

Browse files
mythimythi
authored
Merge pull request #1741 from tkatila/workflow-pin-to-sha
Pin workflow actions sha's
2 parents 20b7b5a + dfa9133 commit beac585

File tree

9 files changed

+46
-61
lines changed

9 files changed

+46
-61
lines changed

.github/dependabot.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,5 +12,6 @@ updates:
1212
- package-ecosystem: "github-actions"
1313
directory: "/"
1414
schedule:
15-
# Check for updates to GitHub Actions every weekday
16-
interval: "daily"
15+
# Check for updates to GitHub Actions every week on Sunday
16+
interval: "weekly"
17+
day: "sunday"

.github/workflows/lib-build.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -45,8 +45,8 @@ jobs:
4545
- dlb-libdlb-demo
4646
builder: [buildah, docker]
4747
steps:
48-
- uses: actions/checkout@v4
49-
- uses: actions/setup-go@v5
48+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
49+
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
5050
with:
5151
go-version-file: go.mod
5252
check-latest: true

.github/workflows/lib-codeql.yaml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -18,19 +18,18 @@ jobs:
1818

1919
steps:
2020
- name: Checkout repository
21-
uses: actions/checkout@v4
22-
23-
- uses: actions/setup-go@v5
21+
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
22+
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
2423
with:
2524
go-version-file: go.mod
2625
check-latest: true
2726

2827
- name: Initialize CodeQL
29-
uses: github/codeql-action/init@v3
28+
uses: github/codeql-action/init@71ace48453080e924b22589f0c397bedde464d78 # v3
3029
with:
3130
languages: 'go'
3231

3332
- name: Perform CodeQL Analysis
34-
uses: github/codeql-action/analyze@v3
33+
uses: github/codeql-action/analyze@71ace48453080e924b22589f0c397bedde464d78 # v3
3534
with:
3635
category: "/language:go"

.github/workflows/lib-e2e.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -67,7 +67,7 @@ jobs:
6767
IMAGES: ${{ join(matrix.images, ' ') }}
6868

6969
steps:
70-
- uses: actions/checkout@v4
70+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
7171
with:
7272
fetch-depth: 0
7373
- name: Describe test environment

.github/workflows/lib-publish.yaml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -42,8 +42,8 @@ jobs:
4242
- crypto-perf
4343
- opae-nlb-demo
4444
steps:
45-
- uses: actions/checkout@v4
46-
- uses: actions/setup-go@v5
45+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
46+
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
4747
with:
4848
go-version-file: go.mod
4949
check-latest: true
@@ -54,7 +54,7 @@ jobs:
5454
run: |
5555
REG=intel/ make ${IMAGE_NAME} BUILDER=docker
5656
- name: Trivy scan for image
57-
uses: aquasecurity/trivy-action@master
57+
uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
5858
with:
5959
scan-type: image
6060
image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }}
@@ -64,7 +64,7 @@ jobs:
6464
if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
6565
run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
6666
- name: Login
67-
uses: docker/login-action@v3
67+
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
6868
with:
6969
username: ${{ secrets.DOCKERHUB_USER }}
7070
password: ${{ secrets.DOCKERHUB_PASS }}

.github/workflows/lib-scorecard.yaml

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -16,18 +16,16 @@ jobs:
1616
id-token: write
1717

1818
steps:
19-
- uses: actions/checkout@v4
19+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
2020
with:
2121
persist-credentials: false
22-
2322
- name: "Analyze project"
24-
uses: ossf/[email protected]
23+
uses: ossf/scorecard-action@e4c423540e964e15ccadc56558705ba15136265c # v2.3.3
2524
with:
2625
results_file: results.sarif
2726
results_format: sarif
2827
publish_results: true
29-
3028
- name: "Upload results to security"
31-
uses: github/codeql-action/upload-sarif@v3
29+
uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3
3230
with:
3331
sarif_file: results.sarif

.github/workflows/lib-trivy.yaml

Lines changed: 15 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -30,10 +30,9 @@ jobs:
3030
runs-on: ubuntu-22.04
3131
steps:
3232
- name: Checkout
33-
uses: actions/checkout@v4
34-
33+
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
3534
- name: Run Trivy in config mode for deployments
36-
uses: aquasecurity/trivy-action@master
35+
uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
3736
with:
3837
scan-type: config
3938
scan-ref: deployments/
@@ -49,10 +48,9 @@ jobs:
4948
runs-on: ubuntu-22.04
5049
steps:
5150
- name: Checkout
52-
uses: actions/checkout@v4
53-
51+
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
5452
- name: Run Trivy in config mode for dockerfiles
55-
uses: aquasecurity/trivy-action@master
53+
uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
5654
with:
5755
scan-type: config
5856
scan-ref: build/docker/
@@ -64,10 +62,9 @@ jobs:
6462
name: Scan licenses
6563
steps:
6664
- name: Checkout
67-
uses: actions/checkout@v4
68-
65+
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
6966
- name: Run Trivy in fs mode
70-
uses: aquasecurity/trivy-action@master
67+
uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
7168
with:
7269
scan-type: fs
7370
scan-ref: .
@@ -78,53 +75,47 @@ jobs:
7875
trivy-scan-vulns:
7976
permissions:
8077
security-events: write
81-
8278
runs-on: ubuntu-22.04
8379
name: Scan vulnerabilities
8480
steps:
8581
- name: Checkout
86-
uses: actions/checkout@v4
87-
82+
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
8883
- name: Run Trivy in fs mode
8984
continue-on-error: true
90-
uses: aquasecurity/trivy-action@master
85+
uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
9186
with:
9287
scan-type: fs
9388
scan-ref: .
9489
exit-code: 1
9590
list-all-pkgs: true
9691
format: json
9792
output: trivy-report.json
98-
9993
- name: Show report in human-readable format
100-
uses: aquasecurity/trivy-action@master
94+
uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
10195
with:
10296
scan-type: convert
10397
vuln-type: ''
10498
severity: ''
10599
image-ref: trivy-report.json
106100
format: table
107-
108101
- name: Convert report to sarif
109102
if: ${{ inputs.upload-to-github-security-tab }}
110-
uses: aquasecurity/trivy-action@master
103+
uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
111104
with:
112105
scan-type: convert
113106
vuln-type: ''
114107
severity: ''
115108
image-ref: trivy-report.json
116109
format: sarif
117110
output: trivy-report.sarif
118-
119111
- name: Upload sarif report to GitHub Security tab
120112
if: ${{ inputs.upload-to-github-security-tab }}
121-
uses: github/codeql-action/upload-sarif@v3
113+
uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3
122114
with:
123-
sarif_file: trivy-report.sarif
124-
115+
sarif_file: trivy-report.sarif
125116
- name: Convert report to csv
126117
if: ${{ inputs.export-csv }}
127-
uses: aquasecurity/trivy-action@master
118+
uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
128119
with:
129120
scan-type: convert
130121
vuln-type: ''
@@ -133,10 +124,9 @@ jobs:
133124
format: template
134125
template: "@.github/workflows/template/trivy-csv.tpl"
135126
output: trivy-report.csv
136-
137127
- name: Upload CSV report as an artifact
138128
if: ${{ inputs.export-csv }}
139-
uses: actions/upload-artifact@v4
129+
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
140130
with:
141131
name: trivy-report
142-
path: trivy-report.csv
132+
path: trivy-report.csv

.github/workflows/lib-validate.yaml

Lines changed: 9 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ jobs:
1414
run: |
1515
sudo apt-get update
1616
sudo apt-get install -y python3-venv
17-
- uses: actions/checkout@v4
17+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
1818
with:
1919
fetch-depth: 0
2020
- name: Set up doc directory
@@ -28,30 +28,28 @@ jobs:
2828
rm -rf _work/venv
2929
make vhtml
3030
mv _build/html/* $HOME/output/
31-
3231
golangci:
3332
permissions:
34-
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
33+
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
3534
name: lint
3635
runs-on: ubuntu-22.04
3736
steps:
38-
- uses: actions/checkout@v4
39-
- uses: actions/setup-go@v5
37+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
38+
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
4039
with:
4140
go-version-file: go.mod
4241
check-latest: true
4342
- name: golangci-lint
44-
uses: golangci/golangci-lint-action@v6
43+
uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6
4544
with:
4645
version: v1.57.2
4746
args: -v --timeout 5m
48-
4947
build:
5048
name: Build and check device plugins
5149
runs-on: ubuntu-22.04
5250
steps:
53-
- uses: actions/checkout@v4
54-
- uses: actions/setup-go@v5
51+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
52+
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
5553
with:
5654
go-version-file: go.mod
5755
check-latest: true
@@ -63,7 +61,6 @@ jobs:
6361
- run: make check-github-actions
6462
#- name: Codecov report
6563
# run: bash <(curl -s https://codecov.io/bash)
66-
6764
envtest:
6865
name: Test APIs using envtest
6966
runs-on: ubuntu-22.04
@@ -74,8 +71,8 @@ jobs:
7471
- 1.29.x
7572
- 1.30.x
7673
steps:
77-
- uses: actions/checkout@v4
78-
- uses: actions/setup-go@v5
74+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
75+
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
7976
with:
8077
go-version-file: go.mod
8178
check-latest: true

.github/workflows/publish.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -15,15 +15,15 @@ jobs:
1515
build:
1616

1717
permissions:
18-
contents: write # for Git to git push
18+
contents: write # for Git to git push
1919
runs-on: ubuntu-22.04
2020

2121
steps:
2222
- name: Install dependencies
2323
run: |
2424
sudo apt-get update
2525
sudo apt-get install -y python3-venv git
26-
- uses: actions/checkout@v4
26+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
2727
with:
2828
fetch-depth: 0
2929
ref: main
@@ -44,7 +44,7 @@ jobs:
4444
rm -rf _work/venv
4545
make vhtml
4646
mv _build/html/* $HOME/output/
47-
- uses: actions/checkout@v4
47+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
4848
with:
4949
fetch-depth: 0
5050
ref: release-0.28
@@ -55,7 +55,7 @@ jobs:
5555
rm -rf _work/venv
5656
make vhtml
5757
mv _build/html $HOME/output/0.28
58-
- uses: actions/checkout@v4
58+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
5959
with:
6060
fetch-depth: 0
6161
ref: release-0.29
@@ -66,7 +66,7 @@ jobs:
6666
rm -rf _work/venv
6767
make vhtml
6868
mv _build/html $HOME/output/0.29
69-
- uses: actions/checkout@v4
69+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
7070
with:
7171
fetch-depth: 0
7272
ref: release-0.30

0 commit comments

Comments
 (0)