From 924db233207884cfe73a10b727500855ebbfec58 Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Tue, 3 Sep 2024 14:27:22 +0200
Subject: [PATCH] Pin GitHub actions dependencies
Signed-off-by: Sascha Grunert
---
 .github/workflows/cargo-upgrade.yml | 8 +--
 .github/workflows/ci.yml | 108 ++++++++++++++--------------
 .github/workflows/cross.yml | 4 +-
 .github/workflows/gh-pages.yml | 8 +--
 .github/workflows/release.yml | 10 +--
 5 files changed, 69 insertions(+), 69 deletions(-)
diff --git a/.github/workflows/cargo-upgrade.yml b/.github/workflows/cargo-upgrade.yml
index 864a76b338..f4f046595d 100644
--- a/.github/workflows/cargo-upgrade.yml
+++ b/.github/workflows/cargo-upgrade.yml
@@ -16,9 +16,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: |
 ~/.cargo/registry
@@ -26,7 +26,7 @@ jobs:
 target
 key: cargo-upgrade-${{ hashFiles('**/Cargo.lock') }}
 - name: Select latest toolchain
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
 with:
 toolchain: stable
 default: true
@@ -50,7 +50,7 @@ jobs:
 echo "create_pr=true" >> "$GITHUB_OUTPUT"
 fi
 - name: Create PR if required
- uses: peter-evans/create-pull-request@v6
+ uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0
 if: ${{ steps.create_pr.outputs.create_pr == 'true' }}
 with:
 commit-message: Update cargo dependencies
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 60bca334dd..7f2fac786d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
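Review bot: Nothing in this commit lets a reviewer or CI confirm that each 40-character SHA is the commit behind the tag named in its trailing comment, starting with `actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` in the cargo-upgrade.yml `@@ -16,9` hunk and repeated in every hunk of the patch. The comment is free text, so a mistyped or stale version label would go unnoticed, and GitHub's hardening guidance asks that a pinned SHA be checked to belong to the action's own repository rather than a fork. No updater configuration is visible in this patch; if none exists, a Dependabot or Renovate entry for the `github-actions` ecosystem would keep the SHA and the `# vX.Y.Z` comment in step instead of leaving the pins to age.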
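Review bot: Pinning `actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7` in the `@@ -26,7` hunk freezes an action whose upstream organisation looks to be archived and no longer receiving fixes (worth confirming), so the pin records the last release rather than a maintained one. The same holds for the other `actions-rs/toolchain` pins in ci.yml, gh-pages.yml and release.yml, and for `actions-rs/cargo` and `actions-rs/grcov` in ci.yml. I would add a comment such as `# TODO: actions-rs is unmaintained upstream; replace with plain rustup` above these steps, or track the replacement in an issue. ci.yml already calls `rustup component add rustfmt` directly, so rustup is presumably available on the runner.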
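Review bot: The pin for `peter-evans/create-pull-request` in the `@@ -50,7` hunk moves the step from `@v6` to a SHA commented `# v7.0.0`, which is a major-version upgrade inside a commit described only as pinning. A new major release can change inputs or defaults, and this step opens pull requests, so its behaviour should be checked against the v7 release notes before it lands. Either pin to the v6 line, `uses: peter-evans/create-pull-request@<full-sha-of-current-v6-release> # v6.x.y`, or keep v7.0.0 and mention the upgrade in the commit message. The step's `with:` block continues outside the hunk.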
@@ -18,9 +18,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: |
 ~/.cargo/registry
@@ -29,7 +29,7 @@ jobs:
 key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 - run: .github/install-deps
 - name: Select Toolchain
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
 with:
 toolchain: ${{ env['ACTION_MSRV_TOOLCHAIN'] }}
 default: true
@@ -40,17 +40,17 @@ jobs:
 dependencies:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - run: make verify-dependencies
 go-lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: ${{ env.GO_VERSION }}
- - uses: actions/checkout@v4
- - uses: golangci/golangci-lint-action@v6
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
 with:
 version: v1.60.3
 only-new-issues: true
@@ -58,8 +58,8 @@ jobs:
 get-script:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: sigstore/cosign-installer@v3
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
 - run: scripts/get
 release-static:
@@ -70,9 +70,9 @@ jobs:
 COSIGN_EXPERIMENTAL: 1
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: |
 ~/.cargo/registry
@@ -81,7 +81,7 @@ jobs:
 key: ${{ runner.os }}-cargo-release-static-${{ hashFiles('**/Cargo.lock') }}
 - run: .github/install-deps
 - name: Select Toolchain
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
 with:
 # Ubuntu 22.04 glibc static is not compatible with rustc 1.58.1 (see
 # ACTION_MSRV_TOOLCHAIN). Means we now just use the latest one, since
@@ -95,7 +95,7 @@ jobs:
 mkdir ${{ github.sha }}
 mv target/x86_64-unknown-linux-gnu/release/conmonrs ${{ github.sha }}
 - run: ./${{ github.sha }}/conmonrs -v
- - uses: sigstore/cosign-installer@v3
+ - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
 if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
 - name: Sign binary
 if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
@@ -104,15 +104,15 @@ jobs:
 cosign sign-blob -y conmonrs \
 --output-signature conmonrs.sig \
 --output-certificate conmonrs.cert
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 with:
 name: conmonrs
 path: ${{ github.sha }}/*
- - uses: google-github-actions/auth@v2
+ - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
 if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
 with:
 credentials_json: ${{ secrets.GCS_CRIO_SA }}
- - uses: google-github-actions/upload-cloud-storage@v2
+ - uses: google-github-actions/upload-cloud-storage@e485962f2bef914ac9c3bdd571f821f0ba7946c4 # v2.2.0
 if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
 with:
 path: ${{ github.sha }}
@@ -126,12 +126,12 @@ jobs:
 - build-static
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - run: .github/create-marker
- - uses: google-github-actions/auth@v2
+ - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
 with:
 credentials_json: ${{ secrets.GCS_CRIO_SA }}
- - uses: google-github-actions/upload-cloud-storage@v2
+ - uses: google-github-actions/upload-cloud-storage@e485962f2bef914ac9c3bdd571f821f0ba7946c4 # v2.2.0
 with:
 path: .
 glob: latest-*.txt
@@ -149,18 +149,18 @@ jobs:
 arch: [amd64, arm64, ppc64le, s390x]
 name: build-static-${{ matrix.arch }}
 steps:
- - uses: actions/checkout@v4
- - uses: cachix/install-nix-action@V27
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
 with:
 install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
- - uses: cachix/cachix-action@v15
+ - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
 with:
 name: conmon-rs
 authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
 pushFilter: "(conmon-rs|cargo-vendor)"
 - run: nix-build nix/default-${{ matrix.arch }}.nix
 - run: file result/bin/conmonrs | grep static | grep stripped
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 with:
 name: build-static-${{ matrix.arch }}
 path: |
@@ -168,7 +168,7 @@ jobs:
 - run: |
 mkdir ${{ github.sha }}
 cp result/bin/conmonrs ${{ github.sha }}/conmonrs.${{ matrix.arch }}
- - uses: sigstore/cosign-installer@v3
+ - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
 if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
 - name: Sign binary
 if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
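Review bot: The comment on the `cachix/install-nix-action` pin in the `@@ -149,18` hunk says `# v27` while the line it replaces referenced the tag `V27`. If an updater later matches the comment against upstream tag names, the case difference may matter, so the comment should carry whichever spelling the upstream release actually uses. Separately, the SHA covers only the action's code: the `install_url` line below it still fetches the Nix installer at run time, chosen by `env.NIX_VERSION`, and no checksum for it is visible in this hunk. A short comment saying so, for example `# installer is fetched at run time; the pin above does not cover it`, would keep readers from assuming that the pin covers the whole step.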
@@ -177,15 +177,15 @@ jobs:
 cosign sign-blob -y conmonrs.${{ matrix.arch }} \
 --output-signature conmonrs.${{ matrix.arch }}.sig \
 --output-certificate conmonrs.${{ matrix.arch }}.cert
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 with:
 name: conmonrs-${{ matrix.arch }}
 path: ${{ github.sha }}/*
- - uses: google-github-actions/auth@v2
+ - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
 if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
 with:
 credentials_json: ${{ secrets.GCS_CRIO_SA }}
- - uses: google-github-actions/upload-cloud-storage@v2
+ - uses: google-github-actions/upload-cloud-storage@e485962f2bef914ac9c3bdd571f821f0ba7946c4 # v2.2.0
 if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
 with:
 path: ${{ github.sha }}
@@ -195,9 +195,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: |
 ~/.cargo/registry
@@ -206,7 +206,7 @@ jobs:
 key: ${{ runner.os }}-cargo-doc-${{ hashFiles('**/Cargo.lock') }}
 - run: .github/install-deps
 - name: Select Toolchain
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
 with:
 toolchain: ${{ env['ACTION_MSRV_TOOLCHAIN'] }}
 default: true
@@ -219,9 +219,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: |
 ~/.cargo/registry
@@ -230,7 +230,7 @@ jobs:
 key: ${{ runner.os }}-cargo-clippy-${{ hashFiles('**/Cargo.lock') }}
 - run: .github/install-deps
 - name: Select Toolchain
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
 with:
 toolchain: ${{ env['ACTION_MSRV_NIGHTLY_TOOLCHAIN'] }}
 default: true
@@ -245,9 +245,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: |
 ~/.cargo/registry
@@ -256,7 +256,7 @@ jobs:
 key: ${{ runner.os }}-cargo-vendor-${{ hashFiles('**/Cargo.lock') }}
 - run: .github/install-deps
 - name: Select Toolchain
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
 with:
 toolchain: stable
 default: true
@@ -268,9 +268,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Select Toolchain
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
 with:
 toolchain: ${{ env['ACTION_MSRV_TOOLCHAIN'] }}
 default: true
@@ -283,10 +283,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - run: .github/install-deps
 - name: Select Toolchain
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
 with:
 toolchain: ${{ env['ACTION_MSRV_NIGHTLY_TOOLCHAIN'] }}
 override: true
@@ -294,7 +294,7 @@ jobs:
 shell: bash
 run: rustup component add rustfmt
 - name: Unit tests
- uses: actions-rs/cargo@v1
+ uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
 with:
 command: test
 args: --no-fail-fast
@@ -303,24 +303,24 @@ jobs:
 RUSTFLAGS: '-Zprofile -Ccodegen-units=1 -Cinline-threshold=0 -Clink-dead-code -Coverflow-checks=off -Zpanic_abort_tests'
 RUSTDOCFLAGS: '-Zprofile -Ccodegen-units=1 -Cinline-threshold=0 -Clink-dead-code -Coverflow-checks=off -Zpanic_abort_tests'
 - name: Coverage
- uses: actions-rs/grcov@v0.1
+ uses: actions-rs/grcov@770fa904bcbfc50da498080d1511da7388e6ddc6 # v0.1.6
 with:
 config: .github/grcov.yml
 - name: Upload Results
- uses: codecov/codecov-action@v4
+ uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
 test-integration:
 needs: release-static
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Rust and Golang Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: |
 ~/.cargo/registry
@@ -330,13 +330,13 @@ jobs:
 ~/.cache/go-build
 key: ${{ runner.os }}-cargo-test-integration-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('**/go.sum') }}
 - name: Setup Testfiles Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: |
 /tmp/conmon-test-images
 key: ${{ runner.os }}-cargo-test-files-${{ hashFiles('pkg/client/files_test.go') }}
 - run: rm -rf target/x86_64-unknown-linux-gnu/release/conmonrs
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: conmonrs
 path: target/x86_64-unknown-linux-gnu/release
@@ -357,11 +357,11 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Checkout
- uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: ${{ env.GO_VERSION }}
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: conmonrs
 path: target/x86_64-unknown-linux-musl/release
@@ -397,7 +397,7 @@ jobs:
 test $TEST_RC -ne 0 && cat journal.log
 exit $TEST_RC
 - name: Upload logs
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 with:
 name: journal.log
 path: journal.log
@@ -405,7 +405,7 @@ jobs:
 typos:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: crate-ci/typos@v1.24.3
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: crate-ci/typos@9ad6f5c0549e0eb32bd70e26d5083421d639f278 # v1.24.3
 with:
 config: .github/typos.toml
diff --git a/.github/workflows/cross.yml b/.github/workflows/cross.yml
index bf13acad2b..6de0905c46 100644
--- a/.github/workflows/cross.yml
+++ b/.github/workflows/cross.yml
@@ -22,9 +22,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: |
 ~/.cargo/registry
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 8dfd3b3df2..2355747b56 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -10,16 +10,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - run: .github/install-deps
 - name: Select Nightly Toolchain
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
 with:
 toolchain: nightly
 override: true
 components: rustfmt
 - name: Setup Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: |
 ~/.cargo/registry
@@ -29,7 +29,7 @@ jobs:
 - name: Build Documentation
 run: cargo doc --all-features --no-deps
 - name: Deploy Documentation
- uses: peaceiris/actions-gh-pages@v4
+ uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
 with:
 deploy_key: ${{ secrets.ACTIONS_DEPLOY_KEY }}
 publish_branch: gh-pages
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0be458af33..9d577f4064 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,11 +16,11 @@ jobs:
 steps:
 - name: Get branch names
 id: branch-name
- uses: tj-actions/branch-names@v8
+ uses: tj-actions/branch-names@6871f53176ad61624f978536bbf089c574dc19a2 # v8.0.1
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: |
 ~/.cargo/registry
@@ -29,7 +29,7 @@ jobs:
 key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 - run: .github/install-deps
 - name: Select Toolchain
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
 with:
 toolchain: ${{ env['ACTION_MSRV_TOOLCHAIN'] }}
 default: true
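Review bot: The release workflow's `tj-actions/branch-names` step in the release.yml `@@ -16,11` hunk is pinned but still runs third-party code in the job that publishes release assets. The only output consumed in this patch is `steps.branch-name.outputs.tag`, on the `CI_TAG` line of the `@@ -42,6` hunk. If the workflow is triggered by tag pushes (the trigger is outside the hunks), the built-in context gives the same value and the action can be dropped: `CI_TAG: ${{ github.ref_name }}`. That removes one dependency from the workflow that publishes releases.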
@@ -42,6 +42,6 @@ jobs:
 env:
 CI_TAG: ${{ steps.branch-name.outputs.tag }}
 - name: Release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
 with:
 files: "*.tar.gz"