From e7de507ca5ae26669e1f4b1ece0e5abd3ac66b0e Mon Sep 17 00:00:00 2001
From: "minder-by-stacklok[bot]" <165083860+github-actions[bot]@users.noreply.github.com>
Date: Tue, 7 May 2024 11:49:47 +0000
Subject: [PATCH] Replace unpinned actions with pinned action
---
.github/workflows/backport.yaml | 4 +-
.github/workflows/checks-macos.yml | 11 +---
.github/workflows/checks.yml | 66 ++++++--------------
.github/workflows/codeql-analysis.yml | 19 ++----
.github/workflows/conventional-label.yaml | 2 +-
.github/workflows/conventional-pr-title.yaml | 2 +-
.github/workflows/dependabot-automation.yaml | 6 +-
.github/workflows/devbox-update.yaml | 16 +----
.github/workflows/release-please-main.yaml | 11 +---
.github/workflows/release-tag.yaml | 11 +---
.github/workflows/stacked-prs.yml | 6 +-
11 files changed, 39 insertions(+), 115 deletions(-)
diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
index 28cc82c0..bae30388 100644
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -6,7 +6,6 @@ on: types: - labeled - closed - jobs: backport: name: Backport PR
@@ -20,11 +19,10 @@ jobs: ) steps: - name: Backport Action - uses: sqren/backport-github-action@v9.3.1 + uses: sqren/backport-github-action@db3bc05f94a7298d25bb14d52441a36e5b5f0327 # v9.3.1 with: github_token: ${{ secrets.GITHUB_TOKEN }} auto_backport_label_prefix: backport-to- - - name: Backport log if: always() run: cat /home/runner/.backport/backport.log
diff --git a/.github/workflows/checks-macos.yml b/.github/workflows/checks-macos.yml
index efe21d51..30cf76f8 100644
--- a/.github/workflows/checks-macos.yml
+++ b/.github/workflows/checks-macos.yml
@@ -2,7 +2,6 @@ # SPDX-License-Identifier: Apache-2.0 name: build-on-macos - on: push: branches:
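Review bot: This hunk does not pin anything; its only change is deleting the blank line between `- closed` and `jobs:`, and the same stripping of the blank lines between top-level keys and between steps runs through every file in the patch (codeql-analysis.yml additionally rewrites `[ 'go' ]` as `['go']`), which is why the diffstat shows 115 deletions and 39 insertions for a change that touches one `uses:` line per action. That layout churn is unrelated to the stated purpose and buries the security-relevant lines, so a reviewer verifying each SHA has to read past several hundred noise lines. It looks like the bot's YAML emitter drops blank lines on re-serialisation; the patch should be regenerated so that only the `uses:` lines differ, or the formatting change should be split into its own commit and named in the subject.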
@@ -14,34 +13,28 @@ on: - reopened branches: - main - defaults: run: shell: bash - env: TASK_X_ANY_VARIABLES: 1 - jobs: build-and-run: runs-on: macos-13 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 with: fetch-depth: 0 - - name: Install devbox - uses: jetify-com/devbox-install-action@v0.10.0 + uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0 with: enable-cache: true env: NIX_USER_COUNT: 4 - - name: Build run: | GORELEASER_PLATFORMS="\"darwin_amd64\"" devbox run -- task build:release-unpublished - - name: Run binary run: | ./dist/mindthegap_darwin_amd64_v1/mindthegap
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 5ec6c31b..d51980bf 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -2,7 +2,6 @@ # SPDX-License-Identifier: Apache-2.0 name: checks - on: push: branches:
@@ -12,17 +11,13 @@ on: - opened - synchronize - reopened - permissions: contents: read - defaults: run: shell: bash - env: TASK_X_ANY_VARIABLES: 1 - jobs: unit-test: runs-on: ubuntu-22.04
@@ -31,15 +26,13 @@ jobs: pull-requests: write steps: - name: Check out code - uses: actions/checkout@v4 - + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 - name: Install devbox - uses: jetify-com/devbox-install-action@v0.10.0 + uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0 with: enable-cache: true - - name: Go cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 with: path: | ~/.cache/go-build
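Review bot: The pin comment on the new checkout line, `# v4`, records a floating major tag, so once that tag moves a reader can no longer tell from the file which release `0ad4b8fadaa221de15dcec353f45205ec38ea70b` is, and the same applies to every `# v4`, `# v3`, `# v2`, `# v1` and `# v4.1` comment in the other hunks (checks.yml, codeql-analysis.yml, conventional-label.yaml, conventional-pr-title.yaml, dependabot-automation.yaml, devbox-update.yaml, release-please-main.yaml, release-tag.yaml, stacked-prs.yml); only `# v9.3.1` and `# v0.10.0` name an exact release. Write the exact release tag the SHA was taken from next to each hash, e.g. `uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # <exact release tag>`, so the pin can be audited against the upstream release later. Since the SHA no longer updates on its own, something has to keep hash and comment in step — presumably Dependabot's github-actions ecosystem or the same bot that produced this patch; confirm one of them is configured, otherwise these pins silently freeze.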
@@ -47,18 +40,15 @@ jobs: key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - - name: Run unit tests run: devbox run -- task test:unit - - name: Publish Test Results - uses: EnricoMi/publish-unit-test-result-action@v2 + uses: EnricoMi/publish-unit-test-result-action@ad4accd991d403df04fbe818c95a3c57501b784f # v2 if: always() with: check_name: "Unit test results" files: | junit-report.xml - e2e-test: runs-on: ubuntu-22.04 permissions: 
@@ -66,86 +56,73 @@ jobs: pull-requests: write steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 with: fetch-depth: 0 - - name: Install devbox - uses: jetify-com/devbox-install-action@v0.10.0 + uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0 with: enable-cache: true - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3 with: platforms: arm64 - - name: Run e2e tests run: devbox run -- task test:e2e env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TMPDIR: ${{ runner.temp }} - - name: Publish Test Results - uses: EnricoMi/publish-unit-test-result-action@v2 + uses: EnricoMi/publish-unit-test-result-action@ad4accd991d403df04fbe818c95a3c57501b784f # v2 if: always() with: check_name: "e2e test results" files: | junit-e2e.xml - lint: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 - + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 - name: Install devbox - uses: jetify-com/devbox-install-action@v0.10.0 + uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0 with: enable-cache: true - - name: Export golang and golangci-lint versions id: versions run: | echo "golangci-lint=$(devbox run -- golangci-lint version --format short)" >>"${GITHUB_OUTPUT}" echo "golang=$(devbox run -- go version | grep -o "[[:digit:]]\+.[[:digit:]]\+\(.[[:digit:]]\+\)\?")" >>"${GITHUB_OUTPUT}" - - name: golangci-lint - uses: reviewdog/action-golangci-lint@v2 + uses: reviewdog/action-golangci-lint@0c44ad132827d4ba66cb5975502c7cf903519828 # v2 with: fail_on_error: true reporter: github-pr-review golangci_lint_version: v${{ steps.versions.outputs.golangci-lint }} go_version: v${{ steps.versions.outputs.golang }} - lint-gha: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 - + uses: 
actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 - name: actionlint - uses: reviewdog/action-actionlint@v1 + uses: reviewdog/action-actionlint@6bd00ab832c9b5d4873f40a8b0c9501ac2df1b29 # v1 with: fail_on_error: true reporter: github-pr-review - pre-commit: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Install devbox - uses: jetify-com/devbox-install-action@v0.10.0 + uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0 with: enable-cache: true - - name: Go cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 with: path: | ~/.cache/go-build
@@ -153,28 +130,23 @@ jobs: key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - - name: Set up pre-commit cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 with: path: ~/.cache/pre-commit key: pre-commit-3|${{ hashFiles('.pre-commit-config.yaml') }} - - name: Run pre-commit run: devbox run -- task pre-commit:run env: SKIP: no-commit-to-branch,golangci-lint,actionlint-system - govulncheck: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 - + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 - name: Install devbox - uses: jetify-com/devbox-install-action@v0.10.0 + uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0 with: enable-cache: true - - id: govulncheck run: devbox run -- task go:vulncheck
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index bb571bcb..02a29272 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -2,14 +2,11 @@ # SPDX-License-Identifier: Apache-2.0 name: codeql - on: schedule: - cron: '32 21 * * 2' - env: TASK_X_ANY_VARIABLES: 1 - jobs: analyze: name: Analyze
@@ -21,28 +18,22 @@ jobs: actions: read contents: read security-events: write - strategy: fail-fast: false matrix: - language: [ 'go' ] - + language: ['go'] steps: - name: Checkout repository - uses: actions/checkout@v4 - + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@97c34c320a23709ce7144dcb00697f21d5157ec8 # v3 with: languages: ${{ matrix.language }} - - name: Install devbox - uses: jetify-com/devbox-install-action@v0.10.0 + uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0 with: enable-cache: true - - name: Build run: devbox run -- task build:snapshot - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@97c34c320a23709ce7144dcb00697f21d5157ec8 # v3
diff --git a/.github/workflows/conventional-label.yaml b/.github/workflows/conventional-label.yaml
index 669d39d2..cfaeabf7 100644
--- a/.github/workflows/conventional-label.yaml
+++ b/.github/workflows/conventional-label.yaml
@@ -11,4 +11,4 @@ jobs: label: runs-on: ubuntu-22.04 steps: - - uses: bcoe/conventional-release-labels@v1 + - uses: bcoe/conventional-release-labels@b503ca473654e07521c051628c5f1f969e7436da # v1
diff --git a/.github/workflows/conventional-pr-title.yaml b/.github/workflows/conventional-pr-title.yaml
index c8d31137..eaa655d4 100644
--- a/.github/workflows/conventional-pr-title.yaml
+++ b/.github/workflows/conventional-pr-title.yaml
@@ -11,7 +11,7 @@ jobs: check: runs-on: ubuntu-22.04 steps: - - uses: amannn/action-semantic-pull-request@v5 + - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5 with: types: | build
diff --git a/.github/workflows/dependabot-automation.yaml b/.github/workflows/dependabot-automation.yaml
index f19cd77c..3c345e45 100644
--- a/.github/workflows/dependabot-automation.yaml
+++ b/.github/workflows/dependabot-automation.yaml
@@ -2,20 +2,16 @@ # SPDX-License-Identifier: Apache-2.0 name: dependabot - on: pull_request_target: types: - opened - permissions: pull-requests: write contents: write - defaults: run: shell: bash - jobs: enable-automerge: runs-on: ubuntu-22.04
@@ -23,7 +19,7 @@ jobs: steps: - name: Dependabot metadata id: dependabot-metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2 - name: Enable auto-merge for Dependabot PRs run: gh pr merge --auto --squash "$PR_URL" env:
diff --git a/.github/workflows/devbox-update.yaml b/.github/workflows/devbox-update.yaml
index fb92087b..62f55f27 100644
--- a/.github/workflows/devbox-update.yaml
+++ b/.github/workflows/devbox-update.yaml
@@ -2,20 +2,16 @@ # SPDX-License-Identifier: Apache-2.0 name: devbox-update - on: workflow_dispatch: schedule: - cron: "0 0 * * 1" - permissions: contents: write pull-requests: write - defaults: run: shell: bash - jobs: devbox-update: if: github.ref_type == 'branch'
@@ -24,21 +20,17 @@ jobs: DESTINATION_BRANCH: scheduled-devbox-update-${{ github.ref_name }} steps: - name: Check out code - uses: actions/checkout@v4 - + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 - name: Install devbox - uses: jetify-com/devbox-install-action@v0.10.0 + uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0 with: enable-cache: true - - name: Run devbox update run: devbox update - - name: Get number of versions changed id: devbox-versions-changed run: | echo "number_changed=$(git diff --unified=0 devbox.lock | grep -c \"version\":)" >>"${GITHUB_OUTPUT}" - - name: Commit changes if: steps.devbox-versions-changed.outputs.number_changed > 0 id: commit-changes
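Review bot: `gh pr merge --auto --squash "$PR_URL"` on the line after the newly pinned `dependabot/fetch-metadata` step still runs for every Dependabot PR, and the metadata the step collects is never consulted; if Dependabot is (or becomes) the thing that maintains the SHA pins introduced by this patch, each action bump — new third-party code that runs with the write scopes of the other workflows — gets merged without anyone reading it, which hands back much of what pinning is meant to buy. Gate the merge step on the metadata outputs, e.g. `if: steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major'`, and consider also excluding action updates by checking `steps.dependabot-metadata.outputs.package-ecosystem`, so that those still get a human look while routine library patches keep auto-merging. The step's `env:` block continues outside the hunk.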
@@ -61,16 +53,14 @@ jobs: --field sha="${SHA}" echo "message=${MESSAGE}" >>"${GITHUB_OUTPUT}" - - name: Get app token to create PR with if: steps.devbox-versions-changed.outputs.number_changed > 0 - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1 id: app-token with: app-id: ${{ secrets.GHA_PR_APP_ID }} private-key: ${{ secrets.GHA_PR_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} - - name: Create PR using app token if: steps.devbox-versions-changed.outputs.number_changed > 0 env:
diff --git a/.github/workflows/release-please-main.yaml b/.github/workflows/release-please-main.yaml
index a4992a88..423f7ba7 100644
--- a/.github/workflows/release-please-main.yaml
+++ b/.github/workflows/release-please-main.yaml
@@ -2,37 +2,32 @@ # SPDX-License-Identifier: Apache-2.0 name: release-please-main - on: push: branches: - main - permissions: contents: write pull-requests: write actions: write - jobs: release-please: runs-on: ubuntu-22.04 steps: - name: Get app token to create PR with - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1 id: app-token with: app-id: ${{ secrets.GHA_PR_APP_ID }} private-key: ${{ secrets.GHA_PR_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} - - - uses: google-github-actions/release-please-action@v4.1 + - uses: google-github-actions/release-please-action@af07583d1c57eb872d7df7a2e6a2384e2ce88e30 # v4.1 id: release-please with: token: ${{ steps.app-token.outputs.token }} - - if: ${{ steps.release-please.outputs.release_created }} name: Run release workflow - uses: benc-uk/workflow-dispatch@v1 + uses: benc-uk/workflow-dispatch@25b02cc069be46d637e8fe2f1e8484008e9e9609 # v1 with: workflow: release-tag.yaml ref: ${{ steps.release-please.outputs.tag_name }}
diff --git a/.github/workflows/release-tag.yaml b/.github/workflows/release-tag.yaml
index 5ccbe5a3..6d42698f 100644
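Review bot: The pinned `create-github-app-token` step here, and the one in the release-please-main.yaml hunk that follows, pass `owner: ${{ github.repository_owner }}` with no `repositories:` input; with that combination the action mints an installation token scoped to every repository the app is installed on under that owner, not just this one. Unless cross-repository access is intended, add `repositories: ${{ github.event.repository.name }}` to both steps (or drop `owner:` so the action's default current-repository scope applies) so a leaked or misused token cannot reach sibling repositories. The step lists of both jobs continue outside their hunks.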
--- a/.github/workflows/release-tag.yaml
+++ b/.github/workflows/release-tag.yaml
@@ -2,38 +2,31 @@ # SPDX-License-Identifier: Apache-2.0 name: release - on: workflow_dispatch: push: tags: - v* - permissions: contents: write packages: write - defaults: run: shell: bash - env: TASK_X_ANY_VARIABLES: 1 - jobs: release-tag: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 with: ref: ${{ github.ref }} fetch-depth: 0 - - name: Install devbox - uses: jetify-com/devbox-install-action@v0.10.0 + uses: jetify-com/devbox-install-action@e55980d19e8a14213735f6ebcbced49a1e507856 # v0.10.0 with: enable-cache: true - - name: Release run: devbox run -- task build:release env:
diff --git a/.github/workflows/stacked-prs.yml b/.github/workflows/stacked-prs.yml
index 46574fcf..ad33c6ef 100644
--- a/.github/workflows/stacked-prs.yml
+++ b/.github/workflows/stacked-prs.yml
@@ -2,30 +2,26 @@ # SPDX-License-Identifier: Apache-2.0 name: stacked-prs - permissions: actions: write checks: write issues: write pull-requests: write statuses: write - on: pull_request_target: types: [opened, edited, reopened, synchronize] - jobs: check: runs-on: ubuntu-22.04 steps: - - uses: z0al/dependent-issues@v1 + - uses: z0al/dependent-issues@950226e7ca8fc43dc209a7febf67c655af3bdb43 # v1 env: # (Required) The token to use to make API calls to GitHub. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: # (Optional) The label to use to mark dependent issues label: stacked - # (Optional) A comma-separated list of keywords. Default # "depends on, blocked by" keywords: depends on, blocked by