Replace unpinned actions with pinned action (#705)

This is a Minder automated pull request. This pull request replaces references to actions by tag to references to actions by SHA. Verifies that any actions use pinned tags Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. For more information, see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions Co-authored-by: minder-by-stacklok[bot] <165083860+github-actions[bot]@users.noreply.github.com>
mesosphere · May 7, 2024 · 8336003 · 8336003
1 parent e76ae38
commit 8336003
Show file tree

Hide file tree

Showing 11 changed files with 39 additions and 115 deletions.
diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
@@ -6,7 +6,6 @@ on:
     types:
       - labeled
       - closed
-
 jobs:
   backport:
     name: Backport PR
@@ -20,11 +19,10 @@ jobs:
       )
     steps:
       - name: Backport Action
-        uses: sqren/[email protected]
+        uses: sqren/backport-github-action@db3bc05f94a7298d25bb14d52441a36e5b5f0327 # v9.3.1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           auto_backport_label_prefix: backport-to-
-
       - name: Backport log
         if: always()
         run: cat /home/runner/.backport/backport.log
diff --git a/.github/workflows/checks-macos.yml b/.github/workflows/checks-macos.yml
@@ -2,7 +2,6 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: build-on-macos
-
 on:
   push:
     branches:
@@ -14,34 +13,28 @@ on:
       - reopened
     branches:
       - main
-
 defaults:
   run:
     shell: bash
-
 env:
   TASK_X_ANY_VARIABLES: 1
-
 jobs:
   build-and-run:
     runs-on: macos-13
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 0
-
       - name: Install devbox
-        uses: jetify-com/[email protected]
+        uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0
         with:
           enable-cache: true
         env:
           NIX_USER_COUNT: 4
-
       - name: Build
         run: |
           GORELEASER_PLATFORMS="\"darwin_amd64\"" devbox run -- task build:release-unpublished
-
       - name: Run binary
         run: |
           ./dist/mindthegap_darwin_amd64_v1/mindthegap
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -2,7 +2,6 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: checks
-
 on:
   push:
     branches:
@@ -12,17 +11,13 @@ on:
       - opened
       - synchronize
       - reopened
-
 permissions:
   contents: read
-
 defaults:
   run:
     shell: bash
-
 env:
   TASK_X_ANY_VARIABLES: 1
-
 jobs:
   unit-test:
     runs-on: ubuntu-22.04
@@ -31,150 +26,127 @@ jobs:
       pull-requests: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
       - name: Install devbox
-        uses: jetify-com/[email protected]
+        uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0
         with:
           enable-cache: true
-
       - name: Go cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         with:
           path: |
             ~/.cache/go-build
             ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-
       - name: Run unit tests
         run: devbox run -- task test:unit
-
       - name: Publish Test Results
-        uses: EnricoMi/publish-unit-test-result-action@v2
+        uses: EnricoMi/publish-unit-test-result-action@ad4accd991d403df04fbe818c95a3c57501b784f # v2
         if: always()
         with:
           check_name: "Unit test results"
           files: |
             junit-report.xml
-
   e2e-test:
     runs-on: ubuntu-22.04
     permissions:
       checks: write
       pull-requests: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 0
-
       - name: Install devbox
-        uses: jetify-com/[email protected]
+        uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0
         with:
           enable-cache: true
-
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
         with:
           platforms: arm64
-
       - name: Run e2e tests
         run: devbox run -- task test:e2e
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           TMPDIR: ${{ runner.temp }}
-
       - name: Publish Test Results
-        uses: EnricoMi/publish-unit-test-result-action@v2
+        uses: EnricoMi/publish-unit-test-result-action@ad4accd991d403df04fbe818c95a3c57501b784f # v2
         if: always()
         with:
           check_name: "e2e test results"
           files: |
             junit-e2e.xml
-
   lint:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
       - name: Install devbox
-        uses: jetify-com/[email protected]
+        uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0
         with:
           enable-cache: true
-
       - name: Export golang and golangci-lint versions
         id: versions
         run: |
           echo "golangci-lint=$(devbox run -- golangci-lint version --format short)" >>"${GITHUB_OUTPUT}"
           echo "golang=$(devbox run -- go version | grep -o "[[:digit:]]\+.[[:digit:]]\+\(.[[:digit:]]\+\)\?")" >>"${GITHUB_OUTPUT}"
-
       - name: golangci-lint
-        uses: reviewdog/action-golangci-lint@v2
+        uses: reviewdog/action-golangci-lint@0c44ad132827d4ba66cb5975502c7cf903519828 # v2
         with:
           fail_on_error: true
           reporter: github-pr-review
           golangci_lint_version: v${{ steps.versions.outputs.golangci-lint }}
           go_version: v${{ steps.versions.outputs.golang }}
-
   lint-gha:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
       - name: actionlint
-        uses: reviewdog/action-actionlint@v1
+        uses: reviewdog/action-actionlint@6bd00ab832c9b5d4873f40a8b0c9501ac2df1b29 # v1
         with:
           fail_on_error: true
           reporter: github-pr-review
-
   pre-commit:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-
       - name: Install devbox
-        uses: jetify-com/[email protected]
+        uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0
         with:
           enable-cache: true
-
       - name: Go cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         with:
           path: |
             ~/.cache/go-build
             ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-
       - name: Set up pre-commit cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         with:
           path: ~/.cache/pre-commit
           key: pre-commit-3|${{ hashFiles('.pre-commit-config.yaml') }}
-
       - name: Run pre-commit
         run: devbox run -- task pre-commit:run
         env:
           SKIP: no-commit-to-branch,golangci-lint,actionlint-system
-
   govulncheck:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
       - name: Install devbox
-        uses: jetify-com/[email protected]
+        uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0
         with:
           enable-cache: true
-
       - id: govulncheck
         run: devbox run -- task go:vulncheck
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -2,14 +2,11 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: codeql
-
 on:
   schedule:
     - cron: '32 21 * * 2'
-
 env:
   TASK_X_ANY_VARIABLES: 1
-
 jobs:
   analyze:
     name: Analyze
@@ -21,28 +18,22 @@ jobs:
       actions: read
       contents: read
       security-events: write
-
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'go' ]
-
+        language: ['go']
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@97c34c320a23709ce7144dcb00697f21d5157ec8 # v3
         with:
           languages: ${{ matrix.language }}
-
       - name: Install devbox
-        uses: jetify-com/[email protected]
+        uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0
         with:
           enable-cache: true
-
       - name: Build
         run: devbox run -- task build:snapshot
-
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@97c34c320a23709ce7144dcb00697f21d5157ec8 # v3
diff --git a/.github/workflows/conventional-label.yaml b/.github/workflows/conventional-label.yaml
@@ -11,4 +11,4 @@ jobs:
   label:
     runs-on: ubuntu-22.04
     steps:
-      - uses: bcoe/conventional-release-labels@v1
+      - uses: bcoe/conventional-release-labels@b503ca473654e07521c051628c5f1f969e7436da # v1
diff --git a/.github/workflows/conventional-pr-title.yaml b/.github/workflows/conventional-pr-title.yaml
@@ -11,7 +11,7 @@ jobs:
   check:
     runs-on: ubuntu-22.04
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5
         with:
           types: |
             build

diff --git a/.github/workflows/dependabot-automation.yaml b/.github/workflows/dependabot-automation.yaml
@@ -2,28 +2,24 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: dependabot
-
 on:
   pull_request_target:
     types:
       - opened
-
 permissions:
   pull-requests: write
   contents: write
-
 defaults:
   run:
     shell: bash
-
 jobs:
   enable-automerge:
     runs-on: ubuntu-22.04
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]'}}
     steps:
       - name: Dependabot metadata
         id: dependabot-metadata
-        uses: dependabot/fetch-metadata@v2
+        uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2
       - name: Enable auto-merge for Dependabot PRs
         run: gh pr merge --auto --squash "$PR_URL"
         env: