
Hardened github workflows by pinning dependencies…
… and setting some things as read-only.

Signed-off-by: Vincent Demeester <[email protected]>
vdemeester committed Jan 2, 2024
1 parent 3d61d1d commit 57322df
Showing 4 changed files with 47 additions and 40 deletions.
38 changes: 20 additions & 18 deletions .github/workflows/build.yaml
@@ -1,30 +1,32 @@

on:
pull_request:
branches: [ main ]
push:
branches: [ main ]

permissions:
contents: read

name: build-test

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.20.x
- run: go env
- name: go build
run: go build -v ./...
- name: go test
run: go test -v ./...
- name: build catalog-cd
run: go build -o catalog-cd -v ./cmd/catalog-cd
- name: Upload catalog-cd binary
uses: actions/upload-artifact@v4
with:
name: catalog-cd-bin
path: catalog-cd
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- name: Set up Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
with:
go-version: 1.20.x
- run: go env
- name: go build
run: go build -v ./...
- name: go test
run: go test -v ./...
- name: build catalog-cd
run: go build -o catalog-cd -v ./cmd/catalog-cd
- name: Upload catalog-cd binary
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
with:
name: catalog-cd-bin
path: catalog-cd
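Review bot: The `actions/upload-artifact` pin in build.yaml replaces `@v4` with `@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3`, so the pinning also moves the action back a major version — either the trailing comment is wrong or the SHA really resolves to a v3 release, and both cases defeat the purpose of the comment that update tooling reads. The two generate-catalogs workflows in this same commit pin the same action to `c7d193f32edcb7bfad88892161225aeda64e9392 # v4`; using that line here, `uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4`, keeps all four workflows on one release with a SHA that matches its comment. Worth resolving the SHA against the upstream tags before merging, since a SHA pin is only as trustworthy as the tag it was taken from.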
17 changes: 9 additions & 8 deletions .github/workflows/generate-catalogs.yaml
Expand Up @@ -6,7 +6,8 @@ name: generate-catalogs
on:
schedule:
- cron: "0 */6 * * *" # every 6 hours
workflow_dispatch: # allow manual triggering
workflow_dispatch:
# allow manual triggering

jobs:

Expand All @@ -16,8 +17,8 @@ jobs:
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
with:
go-version: 1.20.x
cache: true
Expand All @@ -35,8 +36,8 @@ jobs:
strategy:
matrix: ${{fromJSON(needs.catalog-matrix.outputs.matrix)}}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
with:
go-version: 1.20.x
cache: true
Expand All @@ -54,7 +55,7 @@ jobs:
--ignore-versions "${{ matrix.ignoreVersions }}" \
stable
- name: Checkout "p" publish branch
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
repository: openshift-pipelines/tektoncd-catalog
ref: p
Expand All @@ -79,7 +80,7 @@ jobs:
fi
- name: Create PR
id: create-pr
uses: peter-evans/create-pull-request@v5
uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5
with:
path: p
base: p
Expand All @@ -92,7 +93,7 @@ jobs:
# committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}
# author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }}
# body: ${{ steps.pr_body.outputs.content }} # TODO(vdemeester) Write git status from the artifact
- uses: actions/upload-artifact@v4 # We could ignore this completely
- uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
with:
name: ${{ matrix.name }}-${{ matrix.type }}-stable-catalog-artifact
path: p/
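Review bot: Neither generate-catalogs.yaml nor generate-experimental-catalogs.yaml receives the workflow-level `permissions:` block that build.yaml and images.yaml get in this commit, so these two workflows still run with the repository's default token scopes; the first hunk starts at line 6, so a block above it cannot be ruled out from the page, but none is visible. These are the workflows that check out a second repository and open pull requests through `peter-evans/create-pull-request`, which is exactly where a least-privilege token matters most. Adding `permissions:` / `contents: read` at the top level and granting only the PR-creating job the scopes it needs (or keeping a dedicated token for it, if that is what the `with:` block outside the hunk already uses) would bring both files in line with the hardening applied to the other two. The split of `workflow_dispatch: # allow manual triggering` into a bare key plus a comment on the following line parses the same, but it reads as if the trigger now has a body; the original inline form was clearer.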
17 changes: 9 additions & 8 deletions .github/workflows/generate-experimental-catalogs.yaml
Expand Up @@ -6,7 +6,8 @@ name: generate-experimental-catalogs
on:
schedule:
- cron: "0 */6 * * *" # every 6 hours
workflow_dispatch: # allow manual triggering
workflow_dispatch:
# allow manual triggering

jobs:

Expand All @@ -16,8 +17,8 @@ jobs:
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
with:
go-version: 1.20.x
cache: true
Expand All @@ -35,8 +36,8 @@ jobs:
strategy:
matrix: ${{fromJSON(needs.experimental-catalog-matrix.outputs.matrix)}}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
with:
go-version: 1.20.x
cache: true
Expand All @@ -52,7 +53,7 @@ jobs:
--ignore-versions "${{ matrix.ignoreVersions }}" \
experimental
- name: Checkout "p" publish branch
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
repository: openshift-pipelines/tektoncd-catalog
ref: p
Expand All @@ -78,7 +79,7 @@ jobs:
fi
- name: Create PR
id: create-pr
uses: peter-evans/create-pull-request@v5
uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5
with:
path: p
base: p
Expand All @@ -91,7 +92,7 @@ jobs:
# committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}
# author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }}
# body: ${{ steps.pr_body.outputs.content }} # TODO(vdemeester) Write git status from the artifact
- uses: actions/upload-artifact@v4 # We could ignore this completely
- uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
with:
name: ${{ matrix.name }}-${{ matrix.type }}-experimental-catalog-artifact
path: p/experimental/
15 changes: 9 additions & 6 deletions .github/workflows/images.yaml
@@ -1,6 +1,9 @@
---
name: build-images

permissions:
contents: read

on:
pull_request:
branches:
Expand All @@ -20,7 +23,7 @@ jobs:
outputs:
images: ${{ steps.output-images.outputs.images }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- name: list images
id: output-images
run: |
Expand All @@ -36,12 +39,12 @@ jobs:
matrix:
image: ${{fromJSON(needs.list.outputs.images)}}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
fetch-depth: 2
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v41
uses: tj-actions/changed-files@56284d80811fb5963a972b438f2870f175e5b7c8 # v40
with:
files: |
images/${{ matrix.image }}/**
Expand All @@ -52,20 +55,20 @@ jobs:
echo "List all the files that have changed: ${{ steps.changed-files-specific.outputs.all_changed_files }}"
- name: Log in to the Container registry
if: steps.changed-files.outputs.any_changed == 'true' || github.event_name != 'pull_request'
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # 343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
if: steps.changed-files.outputs.any_changed == 'true' || github.event_name != 'pull_request'
id: meta
uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e
uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5
with:
images: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}
- name: Build and push Docker image
if: steps.changed-files.outputs.any_changed == 'true' || github.event_name != 'pull_request'
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
with:
context: images/${{ matrix.image }}
push: ${{ github.event_name != 'pull_request' }}
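Review bot: The workflow-level `permissions:` / `contents: read` added at the top of images.yaml withdraws every other default scope, yet the `Log in to the Container registry` step authenticates with `${{ secrets.GITHUB_TOKEN }}` and the build step pushes whenever the event is not a pull request; unless the build job declares its own `permissions:` block outside the hunk, that push now needs `packages: write` at the job level and will otherwise fail on the first non-PR run. Two pins in the same section also deserve a second look: `tj-actions/changed-files` goes from `@v41` to a SHA commented `# v40`, which is a downgrade rather than a pin of the version that was in use, and `docker/login-action` repeats its SHA in the comment (`# 343f7c4344506bcbf9b4de18042ae17996df046d`) instead of naming the release, leaving update tooling nothing to track. Writing that comment as `# <release-tag>` with the tag the SHA was cut from matches the form used on the other pinned lines.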

0 comments on commit 57322df
