workflow: pin actions with sha's

And update sha's once a week. Signed-off-by: Tuomas Katila <[email protected]>
intel · May 28, 2024 · dfa9133 · dfa9133
1 parent 11c9753
commit dfa9133
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 61 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -12,5 +12,6 @@ updates:
  - package-ecosystem: "github-actions"
  directory: "/"
  schedule:
- # Check for updates to GitHub Actions every weekday
- interval: "daily"
+ # Check for updates to GitHub Actions every week on Sunday
+ interval: "weekly"
+ day: "sunday"
diff --git a/.github/workflows/lib-build.yaml b/.github/workflows/lib-build.yaml
@@ -45,8 +45,8 @@ jobs:
  - dlb-libdlb-demo
  builder: [buildah, docker]
  steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
  with:
  go-version-file: go.mod
  check-latest: true

diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml
@@ -18,19 +18,18 @@ jobs:
 
  steps:
  - name: Checkout repository
- uses: actions/checkout@v4
-
- - uses: actions/setup-go@v5
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
  with:
  go-version-file: go.mod
  check-latest: true
 
  - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@71ace48453080e924b22589f0c397bedde464d78 # v3
  with:
  languages: 'go'
 
  - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@71ace48453080e924b22589f0c397bedde464d78 # v3
  with:
  category: "/language:go"
diff --git a/.github/workflows/lib-e2e.yaml b/.github/workflows/lib-e2e.yaml
@@ -67,7 +67,7 @@ jobs:
  IMAGES: ${{ join(matrix.images, ' ') }}
 
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  with:
  fetch-depth: 0
  - name: Describe test environment

diff --git a/.github/workflows/lib-publish.yaml b/.github/workflows/lib-publish.yaml
@@ -42,8 +42,8 @@ jobs:
  - crypto-perf
  - opae-nlb-demo
  steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
  with:
  go-version-file: go.mod
  check-latest: true
@@ -54,7 +54,7 @@ jobs:
  run: |
  REG=intel/ make ${IMAGE_NAME} BUILDER=docker
  - name: Trivy scan for image
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
  with:
  scan-type: image
  image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }}
@@ -64,7 +64,7 @@ jobs:
  if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
  run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
  - name: Login
- uses: docker/login-action@v3
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
  with:
  username: ${{ secrets.DOCKERHUB_USER }}
  password: ${{ secrets.DOCKERHUB_PASS }}

diff --git a/.github/workflows/lib-scorecard.yaml b/.github/workflows/lib-scorecard.yaml
@@ -16,18 +16,16 @@ jobs:
  id-token: write
 
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  with:
  persist-credentials: false
-
  - name: "Analyze project"
- uses: ossf/[email protected]
+ uses: ossf/scorecard-action@e4c423540e964e15ccadc56558705ba15136265c # v2.3.3
  with:
  results_file: results.sarif
  results_format: sarif
  publish_results: true
-
  - name: "Upload results to security"
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3
  with:
  sarif_file: results.sarif
diff --git a/.github/workflows/lib-trivy.yaml b/.github/workflows/lib-trivy.yaml
@@ -30,10 +30,9 @@ jobs:
  runs-on: ubuntu-22.04
  steps:
  - name: Checkout
- uses: actions/checkout@v4
-
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - name: Run Trivy in config mode for deployments
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
  with:
  scan-type: config
  scan-ref: deployments/
@@ -49,10 +48,9 @@ jobs:
  runs-on: ubuntu-22.04
  steps:
  - name: Checkout
- uses: actions/checkout@v4
-
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - name: Run Trivy in config mode for dockerfiles
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
  with:
  scan-type: config
  scan-ref: build/docker/
@@ -64,10 +62,9 @@ jobs:
  name: Scan licenses
  steps:
  - name: Checkout
- uses: actions/checkout@v4
-
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - name: Run Trivy in fs mode
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
  with:
  scan-type: fs
  scan-ref: .
@@ -78,53 +75,47 @@ jobs:
  trivy-scan-vulns:
  permissions:
  security-events: write
-
  runs-on: ubuntu-22.04
  name: Scan vulnerabilities
  steps:
  - name: Checkout
- uses: actions/checkout@v4
-
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - name: Run Trivy in fs mode
  continue-on-error: true
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
  with:
  scan-type: fs
  scan-ref: .
  exit-code: 1
  list-all-pkgs: true
  format: json
  output: trivy-report.json
-
  - name: Show report in human-readable format
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
  with:
  scan-type: convert
  vuln-type: ''
  severity: ''
  image-ref: trivy-report.json
  format: table
-
  - name: Convert report to sarif
  if: ${{ inputs.upload-to-github-security-tab }}
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
  with:
  scan-type: convert
  vuln-type: ''
  severity: ''
  image-ref: trivy-report.json
  format: sarif
  output: trivy-report.sarif
-
  - name: Upload sarif report to GitHub Security tab
  if: ${{ inputs.upload-to-github-security-tab }}
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3
  with:
- sarif_file: trivy-report.sarif
-
+ sarif_file: trivy-report.sarif
  - name: Convert report to csv
  if: ${{ inputs.export-csv }}
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
  with:
  scan-type: convert
  vuln-type: ''
@@ -133,10 +124,9 @@ jobs:
  format: template
  template: "@.github/workflows/template/trivy-csv.tpl"
  output: trivy-report.csv
-
  - name: Upload CSV report as an artifact
  if: ${{ inputs.export-csv }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
  with:
  name: trivy-report
- path: trivy-report.csv
+ path: trivy-report.csv
diff --git a/.github/workflows/lib-validate.yaml b/.github/workflows/lib-validate.yaml
@@ -14,7 +14,7 @@ jobs:
  run: |
  sudo apt-get update
  sudo apt-get install -y python3-venv
- - uses: actions/checkout@v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  with:
  fetch-depth: 0
  - name: Set up doc directory
@@ -28,30 +28,28 @@ jobs:
  rm -rf _work/venv
  make vhtml
  mv _build/html/* $HOME/output/
-
  golangci:
  permissions:
- pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+ pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
  name: lint
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
  with:
  go-version-file: go.mod
  check-latest: true
  - name: golangci-lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6
  with:
  version: v1.57.2
  args: -v --timeout 5m
-
  build:
  name: Build and check device plugins
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
  with:
  go-version-file: go.mod
  check-latest: true
@@ -63,7 +61,6 @@ jobs:
  - run: make check-github-actions
  #- name: Codecov report
  # run: bash <(curl -s https://codecov.io/bash)
-
  envtest:
  name: Test APIs using envtest
  runs-on: ubuntu-22.04
@@ -74,8 +71,8 @@ jobs:
  - 1.29.x
  - 1.30.x
  steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
  with:
  go-version-file: go.mod
  check-latest: true

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -15,15 +15,15 @@ jobs:
  build:
 
  permissions:
- contents: write  # for Git to git push
+ contents: write # for Git to git push
  runs-on: ubuntu-22.04
 
  steps:
  - name: Install dependencies
  run: |
  sudo apt-get update
  sudo apt-get install -y python3-venv git
- - uses: actions/checkout@v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  with:
  fetch-depth: 0
  ref: main
@@ -44,7 +44,7 @@ jobs:
  rm -rf _work/venv
  make vhtml
  mv _build/html/* $HOME/output/
- - uses: actions/checkout@v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  with:
  fetch-depth: 0
  ref: release-0.28
@@ -55,7 +55,7 @@ jobs:
  rm -rf _work/venv
  make vhtml
  mv _build/html $HOME/output/0.28
- - uses: actions/checkout@v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  with:
  fetch-depth: 0
  ref: release-0.29
@@ -66,7 +66,7 @@ jobs:
  rm -rf _work/venv
  make vhtml
  mv _build/html $HOME/output/0.29
- - uses: actions/checkout@v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  with:
  fetch-depth: 0
  ref: release-0.30