From a4678307bdd0ec6b2c9a8cda81336f696758a10f Mon Sep 17 00:00:00 2001
From: Harshita Sao <84518563+harshitasao@users.noreply.github.com>
Date: Mon, 19 Aug 2024 14:14:03 +0530
Subject: [PATCH] fix: fixed the token-permission and pinned-dependencies issue (#6168)

Signed-off-by: harshitasao
---
 .github/workflows/build-image.yml | 17 +++++++-----
 .github/workflows/test-build-deploy.yml | 36 ++++++++++++-------------
 2 files changed, 28 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index 3eb6312a18..cd68ee75b8 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -12,26 +12,29 @@ on:
 - 'build-image/**'
 - '.github/workflows/build-image.yml'
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 name: Checkout
 with:
 fetch-depth: 0
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 - name: Save image
 run: make save-multiarch-build-image
 - name: Upload Docker Images Artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
 with:
 name: build-image
 path: |
@@ -44,13 +47,13 @@ jobs:
 if: (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')) && github.repository == 'cortexproject/cortex'
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 name: Checkout
 with:
 fetch-depth: 0
 - name: Download Docker Images Artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: build-image
@@ -58,7 +61,7 @@ jobs:
 run: make load-multiarch-build-image
 - name: Login to Quay.io
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: quay.io
 username: ${{secrets.QUAY_REGISTRY_USER}}
diff --git a/.github/workflows/test-build-deploy.yml b/.github/workflows/test-build-deploy.yml
index 1820dca087..7a9bd7d689 100644
--- a/.github/workflows/test-build-deploy.yml
+++ b/.github/workflows/test-build-deploy.yml
@@ -20,7 +20,7 @@ jobs:
 image: quay.io/cortexproject/build-image:master-779dcf4ba
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Setup Git safe.directory
 run: |
 echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -49,7 +49,7 @@ jobs:
 image: quay.io/cortexproject/build-image:master-779dcf4ba
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Setup Git safe.directory
 run: |
 echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
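Review bot: The token-permission half of this fix lands only in build-image.yml; in test-build-deploy.yml the hunk at `@@ -20,7` (and every other hunk in that file) changes SHA pins alone, and since the top of the file is outside the diff I cannot tell whether a workflow-level `permissions:` block exists — if it does not, the GITHUB_TOKEN handed to these container jobs keeps the repository's default scopes. Adding `permissions:` / `  contents: read` at the top of test-build-deploy.yml, as this commit does for build-image.yml, would make the two workflows consistent; the CodeQL job at `@@ -71,19` already carries its own job-level grant and keeps it regardless. If such a block is already present above line 20, this point is moot. The `jobs:` entry these steps belong to starts above the hunk.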
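Review bot: The steps in the `@@ -49,7` hunk are now pinned to commit SHAs, but the job still runs inside `image: quay.io/cortexproject/build-image:master-779dcf4ba`, a mutable tag that whoever can push to that Quay repository can repoint, so the pinned-dependencies goal stops at the runner while the container the code actually executes in floats. Pinning the container by digest, `image: quay.io/cortexproject/build-image@sha256:<digest-of-master-779dcf4ba>` (placeholder), gives that layer the same immutability the actions now have. The identical `image:` line is context in the hunks at `@@ -20,7`, `@@ -92,7`, `@@ -233,7` and `@@ -275,7`, so one fix applies to all of them. The job header that owns this `image:` key is above the hunk.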
@@ -71,19 +71,19 @@ jobs:
 security-events: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
 with:
 languages: go
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
 build:
@@ -92,7 +92,7 @@ jobs:
 image: quay.io/cortexproject/build-image:master-779dcf4ba
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Setup Git safe.directory
 run: |
 echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -113,7 +113,7 @@ jobs:
 touch build-image/.uptodate
 make BUILD_IN_CONTAINER=false web-build
 - name: Upload Website Artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
 with:
 name: website public
 path: website/public/
@@ -125,7 +125,7 @@ jobs:
 - name: Create Docker Images Archive
 run: tar -cvf images.tar /tmp/images
 - name: Upload Docker Images Artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
 with:
 name: Docker Images
 path: ./images.tar
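Review bot: Only `security-events: write` of the CodeQL job's `permissions:` block is visible in the `@@ -71,19` hunk — the block starts above it — and a job-level block replaces the workflow-level grant rather than adding to it, with every unlisted scope set to none. If `contents: read` is not among the lines above, the job's token loses read access the moment a workflow-level `permissions:` is introduced, and the documented minimum for the CodeQL actions is `security-events: write` together with `contents: read` (plus `actions: read` for private repositories); worth confirming those lines are there. The three codeql-action pins correctly share one SHA for `init`, `autobuild` and `analyze`, which matters because the steps must come from the same release; a short comment above the first of them, `# keep init/autobuild/analyze on the same codeql-action SHA`, would stop a future partial bump.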
@@ -146,11 +146,11 @@ jobs:
 - integration_query_fuzz
 steps:
 - name: Upgrade golang
- uses: actions/setup-go@v2
+ uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: 1.22.5
 - name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Install Docker Client
 run: sudo ./.github/workflows/scripts/install-docker.sh
 - name: Sym Link Expected Path to Workspace
@@ -158,7 +158,7 @@ jobs:
 sudo mkdir -p /go/src/github.com/cortexproject/cortex
 sudo ln -s $GITHUB_WORKSPACE/* /go/src/github.com/cortexproject/cortex
 - name: Download Docker Images Artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: Docker Images
 - name: Extract Docker Images Archive
@@ -209,11 +209,11 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Install Docker Client
 run: sudo ./.github/workflows/scripts/install-docker.sh
 - name: Download Docker Images Artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: Docker Images
 - name: Extract Docker Images Archive
@@ -233,7 +233,7 @@ jobs:
 image: quay.io/cortexproject/build-image:master-779dcf4ba
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 with:
 # web-deploy script expects repo to be cloned with ssh for some commands to work
 ssh-key: ${{ secrets.WEBSITE_DEPLOY_SSH_PRIVATE_KEY }}
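Review bot: In the `@@ -146,11` hunk the pins freeze `actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0` and `actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0` on major lines two or more releases behind the `# v4.1.7` checkout this same file uses in the CodeQL job, so the SHA now locks in an old action generation rather than just a version; the same v2.7.0 checkout is pinned in the hunks at `@@ -20,7`, `@@ -49,7`, `@@ -92,7`, `@@ -209,11`, `@@ -233,7` and `@@ -275,7`. Pinning and upgrading are separate changes, but a follow-up that moves these to the same major as the rest of the file is worth opening now. Because a SHA pin never floats, these only get updated if the repository has a Dependabot or Renovate rule for the `github-actions` ecosystem (not visible in this diff); the trailing `# vX.Y.Z` comments are what those tools read to rewrite the SHA, so keep them attached to every pinned `uses:` line. The job that owns these steps starts above the hunk.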
@@ -247,7 +247,7 @@ jobs:
 mkdir -p /go/src/github.com/cortexproject/cortex
 ln -s $GITHUB_WORKSPACE/* /go/src/github.com/cortexproject/cortex
 - name: Download Website Artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: website public
 path: website/public
@@ -275,7 +275,7 @@ jobs:
 image: quay.io/cortexproject/build-image:master-779dcf4ba
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Setup Git safe.directory
 run: |
 echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -288,7 +288,7 @@ jobs:
 mkdir -p /go/src/github.com/cortexproject/cortex
 ln -s $GITHUB_WORKSPACE/* /go/src/github.com/cortexproject/cortex
 - name: Download Docker Images Artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: Docker Images
 - name: Extract Docker Images Archive