From 104064af32d6c86e42abe4455b757644b7ddaaca Mon Sep 17 00:00:00 2001 From: Bradley Jones Date: Thu, 7 Dec 2023 14:39:44 +0000 Subject: [PATCH 1/6] ci: pin checkout github action to commit hash Signed-off-by: Bradley Jones --- .github/workflows/commit-linting.yaml | 2 +- .github/workflows/release.yaml | 4 ++-- .github/workflows/snapshot.yaml | 2 +- .github/workflows/static-analysis.yaml | 2 +- .github/workflows/unit-test.yaml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/commit-linting.yaml b/.github/workflows/commit-linting.yaml index cb9959a..5451440 100644 --- a/.github/workflows/commit-linting.yaml +++ b/.github/workflows/commit-linting.yaml @@ -6,7 +6,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.actor != 'dependabot[bot]' }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - uses: wagoid/commitlint-github-action@v5 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index efcdae3..b474407 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 # we don't want to release commits that have been pushed and tagged, but not necessarily merged onto main - name: Ensure tagged commit is on main @@ -69,7 +69,7 @@ jobs: with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 diff --git a/.github/workflows/snapshot.yaml b/.github/workflows/snapshot.yaml index 9933c0c..8092c6f 100644 --- a/.github/workflows/snapshot.yaml +++ b/.github/workflows/snapshot.yaml @@ -18,7 +18,7 @@ jobs: with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Restore bootstrap cache id: cache diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml index c48ec85..026a810 100644 --- a/.github/workflows/static-analysis.yaml +++ b/.github/workflows/static-analysis.yaml @@ -15,7 +15,7 @@ jobs: with: go-version: ${{ matrix.go-version }} - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Restore bootstrap cache id: bootstrap-cache diff --git a/.github/workflows/unit-test.yaml b/.github/workflows/unit-test.yaml index 8093897..793473c 100644 --- a/.github/workflows/unit-test.yaml +++ b/.github/workflows/unit-test.yaml @@ -16,7 +16,7 @@ jobs: with: go-version: ${{ matrix.go-version }} - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Restore bootstrap cache id: bootstrap-cache From 6f87a48ac4634dc155cfd507322a57133544cc5f Mon Sep 17 00:00:00 2001 From: Bradley Jones Date: Thu, 7 Dec 2023 14:40:24 +0000 Subject: [PATCH 2/6] ci: pin commitlint github action to commit hash Signed-off-by: Bradley Jones --- .github/workflows/commit-linting.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/commit-linting.yaml b/.github/workflows/commit-linting.yaml index 5451440..3c8a62e 100644 --- a/.github/workflows/commit-linting.yaml +++ b/.github/workflows/commit-linting.yaml @@ -9,4 +9,4 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - - uses: wagoid/commitlint-github-action@v5 + - uses: wagoid/commitlint-github-action@0d749a1a91d4770e983a7b8f83d4a3f0e7e0874e # v5.4.4 From dfae692c6c2f36d916152156689f073a03969502 Mon Sep 17 00:00:00 2001 From: Bradley Jones Date: Thu, 7 Dec 2023 14:41:42 +0000 Subject: [PATCH 3/6] ci: pin wait-for-check github action to commit hash Signed-off-by: Bradley Jones --- .github/workflows/release.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b474407..d004e6c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -26,7 +26,7 @@ jobs: git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && echo "${GITHUB_REF##*/} is a commit on main!" - name: Build snapshot artifacts - uses: fountainhead/action-wait-for-check@v1.1.0 + uses: fountainhead/action-wait-for-check@297be350cf8393728ea4d4b39435c7d7ae167c93 #v1.1.0 id: snapshot with: token: ${{ secrets.GITHUB_TOKEN }} @@ -35,7 +35,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check static analysis - uses: fountainhead/action-wait-for-check@v1.1.0 + uses: fountainhead/action-wait-for-check@297be350cf8393728ea4d4b39435c7d7ae167c93 #v1.1.0 id: static-analysis with: token: ${{ secrets.GITHUB_TOKEN }} @@ -44,7 +44,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check unit test results - uses: fountainhead/action-wait-for-check@v1.1.0 + uses: fountainhead/action-wait-for-check@297be350cf8393728ea4d4b39435c7d7ae167c93 #v1.1.0 id: tests-unit with: token: ${{ secrets.GITHUB_TOKEN }} From 58cfbf9f9fa99b0bba1f5a3fbc06255aebbe7e69 Mon Sep 17 00:00:00 2001 From: Bradley Jones Date: Thu, 7 Dec 2023 14:42:49 +0000 Subject: [PATCH 4/6] ci: pin setup-go github action to commit hash Signed-off-by: Bradley Jones --- .github/workflows/release.yaml | 2 +- .github/workflows/snapshot.yaml | 2 +- .github/workflows/static-analysis.yaml | 2 +- .github/workflows/unit-test.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d004e6c..5596286 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -65,7 +65,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5.0.0 with: go-version: ${{ env.GO_VERSION }} diff --git a/.github/workflows/snapshot.yaml b/.github/workflows/snapshot.yaml index 8092c6f..a52ca27 100644 --- a/.github/workflows/snapshot.yaml +++ b/.github/workflows/snapshot.yaml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5.0.0 with: go-version: ${{ env.GO_VERSION }} diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml index 026a810..b693a11 100644 --- a/.github/workflows/static-analysis.yaml +++ b/.github/workflows/static-analysis.yaml @@ -11,7 +11,7 @@ jobs: platform: [ubuntu-latest] runs-on: ${{ matrix.platform }} steps: - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5.0.0 with: go-version: ${{ matrix.go-version }} diff --git a/.github/workflows/unit-test.yaml b/.github/workflows/unit-test.yaml index 793473c..2d4e95a 100644 --- a/.github/workflows/unit-test.yaml +++ b/.github/workflows/unit-test.yaml @@ -12,7 +12,7 @@ jobs: platform: [ubuntu-latest] runs-on: ${{ matrix.platform }} steps: - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5.0.0 with: go-version: ${{ matrix.go-version }} From 5b0d406879c089e0eff592389e493b3b2c0faf29 Mon Sep 17 00:00:00 2001 From: Bradley Jones Date: Thu, 7 Dec 2023 14:58:59 +0000 Subject: [PATCH 5/6] ci: pin cache action to commit hash Signed-off-by: Bradley Jones --- .github/workflows/release.yaml | 2 +- .github/workflows/snapshot.yaml | 2 +- .github/workflows/static-analysis.yaml | 2 +- .github/workflows/unit-test.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5596286..0cf7d13 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -75,7 +75,7 @@ jobs: - name: Restore bootstrap cache id: cache - uses: actions/cache@v3 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2 with: path: | ~/go/pkg/mod diff --git a/.github/workflows/snapshot.yaml b/.github/workflows/snapshot.yaml index a52ca27..2509bae 100644 --- a/.github/workflows/snapshot.yaml +++ b/.github/workflows/snapshot.yaml @@ -22,7 +22,7 @@ jobs: - name: Restore bootstrap cache id: cache - uses: actions/cache@v3 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2 with: path: | ~/go/pkg/mod diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml index b693a11..f5ebba3 100644 --- a/.github/workflows/static-analysis.yaml +++ b/.github/workflows/static-analysis.yaml @@ -19,7 +19,7 @@ jobs: - name: Restore bootstrap cache id: bootstrap-cache - uses: actions/cache@v3 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2 with: path: | ~/go/pkg/mod diff --git a/.github/workflows/unit-test.yaml b/.github/workflows/unit-test.yaml index 2d4e95a..4822921 100644 --- a/.github/workflows/unit-test.yaml +++ b/.github/workflows/unit-test.yaml @@ -20,7 +20,7 @@ jobs: - name: Restore bootstrap cache id: bootstrap-cache - uses: actions/cache@v3 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2 with: path: | ~/go/pkg/mod From 92d87822c482d3a362aaa60931f1ca86043c366f Mon Sep 17 00:00:00 2001 From: Bradley Jones Date: Thu, 7 Dec 2023 15:00:07 +0000 Subject: [PATCH 6/6] ci: pin upload-artifacts action to commit hash Signed-off-by: Bradley Jones --- .github/workflows/release.yaml | 2 +- .github/workflows/snapshot.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0cf7d13..57bbb78 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -102,7 +102,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 #v3.1.3 with: name: artifacts path: dist/**/* diff --git a/.github/workflows/snapshot.yaml b/.github/workflows/snapshot.yaml index 2509bae..e503ed6 100644 --- a/.github/workflows/snapshot.yaml +++ b/.github/workflows/snapshot.yaml @@ -39,7 +39,7 @@ jobs: - name: Build snapshot artifacts run: make snapshot - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 #v3.1.3 with: name: artifacts path: snapshot/**/*