From 85e74b2bd5fb7b5fb2c9fa1a36f98b80f8dfabcc Mon Sep 17 00:00:00 2001
From: Tim Curtin <8890118+timm088@users.noreply.github.com>
Date: Tue, 18 Mar 2025 12:48:01 +1100
Subject: [PATCH 1/3] Pin setup-go action

---
 .github/actions/bootstrap/action.yaml | 2 +-
 .github/actions/rewind/action.yaml | 2 +-
 .github/workflows/pr.yaml | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/actions/bootstrap/action.yaml b/.github/actions/bootstrap/action.yaml
index dc57c0626..1acfe96e5 100644
--- a/.github/actions/bootstrap/action.yaml
+++ b/.github/actions/bootstrap/action.yaml
@@ -5,7 +5,7 @@ runs:
   using: composite
   steps:
     - name: Setup
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # pin@v5.3.0
       with:
         go-version: 1.20.x
diff --git a/.github/actions/rewind/action.yaml b/.github/actions/rewind/action.yaml
index 45d5a198c..9bf934ceb 100644
--- a/.github/actions/rewind/action.yaml
+++ b/.github/actions/rewind/action.yaml
@@ -5,7 +5,7 @@ runs:
   using: composite
   steps:
     - name: Setup
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # pin@v5.3.0
       with:
         go-version: 1.20.x
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 869fbb2c3..87d195788 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -48,7 +48,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0 # We need the full history to get the base commit in order to compute the diff in golanci-lint
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # pin@v5.3.0
         with:
           go-version: 1.20.x
       - name: Cache modules
@@ -74,7 +74,7 @@ jobs:
     timeout-minutes: 35
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # pin@v5.3.0
         with:
           go-version: 1.20.x
       - name: Cache modules
From b25d7f1cc9d94b605545e11d887eb630e79d4345 Mon Sep 17 00:00:00 2001
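Review bot: Moving actions/setup-go from v3 to the v5.3.0 commit silently turns on a behaviour this hunk does not account for: from v4 onward setup-go caches Go modules and build output itself (keyed on go.sum by default) unless `cache: false` is set, while this repository already restores and saves `~/go/pkg/mod` and `~/.cache/go-build` through `./.github/actions/cache/golang` (the pr.yaml hunks below run that local cache step right before the bootstrap/rewind composites). Two independent restores and saves of the same directories at best double cache traffic and can surface restore warnings or failures when setup-go's own key does not resolve. Add `cache: false` under `with:` next to `go-version: 1.20.x` here, and make the same change in the rewind action hunk and in both pr.yaml hunks of this patch. The `# pin@v5.3.0` comment is the only record of which tag the SHA represents and is not verified by the runner, so a pin-refresh tool (Dependabot or a pinact-style check) should be wired in to keep it honest. The composite's `runs:` block begins before this hunk.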
From: Tim Curtin <8890118+timm088@users.noreply.github.com>
Date: Tue, 18 Mar 2025 12:49:02 +1100
Subject: [PATCH 2/3] Pin cache-actions

---
 .github/actions/cache/golang/action.yml | 8 ++++----
 .github/actions/cache/golangci-lint/action.yml | 6 +++---
 .github/actions/push/action.yaml | 4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/actions/cache/golang/action.yml b/.github/actions/cache/golang/action.yml
index e97a7fee2..ef6f2cf91 100644
--- a/.github/actions/cache/golang/action.yml
+++ b/.github/actions/cache/golang/action.yml
@@ -15,7 +15,7 @@ runs:
   steps:
     - name: Restore Go mod (pkg)
       if: ${{ inputs.refresh-go-cache != 'true' }}
-      uses: actions/cache/restore@v3
+      uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4.2.2
       with:
         path: |
           ~/go/pkg/mod
@@ -26,7 +26,7 @@ runs:
     - name: Restore Go build (test)
       if: ${{ inputs.refresh-go-cache != 'true' }}
-      uses: actions/cache/restore@v3
+      uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4.2.2
       with:
         path: |
           ~/.cache/go-build
@@ -37,7 +37,7 @@ runs:
     - name: Cache Go mod (pkg)
       if: ${{ inputs.refresh-go-cache == 'true' }}
-      uses: actions/cache@v3
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4.2.2
       with:
         path: |
           ~/go/pkg/mod
@@ -48,7 +48,7 @@ runs:
     - name: Cache Go build (test)
       if: ${{ inputs.refresh-go-cache == 'true' }}
-      uses: actions/cache@v3
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4.2.2
       with:
         path: |
           ~/.cache/go-build
diff --git a/.github/actions/cache/golangci-lint/action.yml b/.github/actions/cache/golangci-lint/action.yml
index 4e741afee..fd5dd2864 100644
--- a/.github/actions/cache/golangci-lint/action.yml
+++ b/.github/actions/cache/golangci-lint/action.yml
@@ -18,7 +18,7 @@ runs:
   using: "composite"
   steps:
     - name: Cache golangci-lint
-      uses: actions/cache@v3
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4.2.2
       id: cache-golangci-lint
       with:
         path: ~/go/bin/golangci-lint
@@ -31,7 +31,7 @@ runs:
     - name: Restore golangci-lint analysis cache
       if: ${{ inputs.refresh-analysis-cache != 'true' }}
-      uses: actions/cache/restore@v3
+      uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4.2.2
       with:
         path: ~/.cache/golangci-lint
         # This technique will make the cache key unique to the commit SHA,
@@ -42,7 +42,7 @@ runs:
     - name: Cache golangci-lint analysis cache
       if: ${{ inputs.refresh-analysis-cache == 'true' }}
-      uses: actions/cache@v3
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4.2.2
       with:
         path: ~/.cache/golangci-lint
         # This technique will make the cache key unique to the commit SHA,
diff --git a/.github/actions/push/action.yaml b/.github/actions/push/action.yaml
index 3ec0c6cca..5caa1159e 100644
--- a/.github/actions/push/action.yaml
+++ b/.github/actions/push/action.yaml
@@ -34,7 +34,7 @@ runs:
         github-token: ${{ inputs.github-token }}
     - name: Restore Go mod (pkg)
-      uses: actions/cache/restore@v3
+      uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4.2.2
       with:
         path: "~/go/pkg/mod"
         key: ${{ runner.os }}-gomod-${{ hashFiles('**/go.sum') }}-${{ github.sha }}-${{ github.run_id }}
@@ -44,7 +44,7 @@ runs:
           ${{ runner.os }}-gomod-
     - name: Restore Go build (test)
-      uses: actions/cache/restore@v3
+      uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4.2.2
       with:
         path: "~/.cache/go-build"
         key: ${{ runner.os }}-gobuild-${{ hashFiles('**/go.sum') }}-${{ github.sha }}-${{ github.run_id }}
From b838d2f27543d948d89d2b2611b9576e3fe38116 Mon Sep 17 00:00:00 2001
From: Tim Curtin <8890118+timm088@users.noreply.github.com>
Date: Tue, 18 Mar 2025 12:51:28 +1100
Subject: [PATCH 3/3] Pin github-actions to verified commit

---
 .github/actions/push/action.yaml | 6 +++---
 .github/workflows/main.yaml | 2 +-
 .github/workflows/pr.yaml | 12 ++++++------
 .github/workflows/release.yaml | 2 +-
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/actions/push/action.yaml b/.github/actions/push/action.yaml
index 5caa1159e..e0a502406 100644
--- a/.github/actions/push/action.yaml
+++ b/.github/actions/push/action.yaml
@@ -20,7 +20,7 @@ runs:
   using: "composite"
   steps:
     - name: Log in to GitHub Container Registry
-      uses: docker/login-action@v2
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # pin@v3.4.0
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
@@ -28,7 +28,7 @@ runs:
     - name: Extract Docker metadata
       id: meta
-      uses: docker/metadata-action@v4
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # pin@v5.7.0
       with:
         images: ghcr.io/${{ github.repository }}/s
         github-token: ${{ inputs.github-token }}
@@ -61,7 +61,7 @@ runs:
     - name: Set up Docker Buildx
       id: buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # pin@v3.10.0
       with:
         version: latest
         endpoint: builders
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index fbaa78e4b..23aea9eff 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
       - name: Tags
         shell: bash
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 87d195788..cf79f60b6 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -13,19 +13,19 @@ jobs:
     runs-on: ubuntu-20-04-4-cores
     timeout-minutes: 1
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
       - name: Invariants
         shell: bash
         run: ./.github/scripts/invariants.sh
       - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@v3.82.7
+        uses: trufflesecurity/trufflehog@12164e38f0f1b673ab0594c7d94daf71b0be6823 # pin@3.88.17
   bootstrap:
     name: Local E2E Tests
     runs-on: ubuntu-20-04-4-cores
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
       - name: Cache modules
         uses: ./.github/actions/cache/golang
       - uses: ./.github/actions/bootstrap
@@ -35,7 +35,7 @@ jobs:
     runs-on: ubuntu-20-04-4-cores
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
       - name: Cache modules
         uses: ./.github/actions/cache/golang
       - uses: ./.github/actions/rewind
@@ -45,7 +45,7 @@ jobs:
     runs-on: ubuntu-20-04-4-cores
     timeout-minutes: 35
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
         with:
           fetch-depth: 0 # We need the full history to get the base commit in order to compute the diff in golanci-lint
       - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # pin@v5.3.0
@@ -73,7 +73,7 @@ jobs:
     runs-on: ubuntu-20-04-4-cores
     timeout-minutes: 35
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
       - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # pin@v5.3.0
         with:
           go-version: 1.20.x
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4783b03b1..69b760045 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
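Review bot: The TruffleHog pin comment `# pin@3.88.17` drops the `v` prefix that the replaced ref `trufflesecurity/trufflehog@v3.82.7` and every other pin comment in this series carry (`# pin@v4.2.2`, `# pin@v5.3.0`), so it names a tag that does not exist in the form written; change it to `# pin@v3.88.17`. The comment is the only human-readable record of which release the SHA was taken from and is what a reviewer or a pin-refresh tool will compare against the upstream tag, so keeping every pin in the same `pin@v<tag>` form lets a single grep or automated check re-verify all of them the same way. The `jobs:` mapping this hunk sits in begins before the hunk.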
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
       - name: Set Release Tag
         run: echo "TAG=$(echo ${GITHUB_REF} | sed 's/refs\/tags\///')" >> $GITHUB_ENV