pin third party workflows by hashes (#6924)

Co-authored-by: Patryk Małek <[email protected]> (cherry picked from commit 013ebfb)
Kong · Jan 8, 2025 · 5311f6c · 5311f6c
1 parent 9e84f95
commit 5311f6c
Show file tree

Hide file tree

Showing 27 changed files with 61 additions and 61 deletions.
diff --git a/.github/workflows/_conformance_tests.yaml b/.github/workflows/_conformance_tests.yaml
@@ -48,7 +48,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 

diff --git a/.github/workflows/_docker_build.yaml b/.github/workflows/_docker_build.yaml
@@ -33,12 +33,12 @@ jobs:
       - name: Parse semver string
         if: ${{ inputs.tag != '' }}
         id: parse-semver-tag
-        uses: booxmedialtd/[email protected]
+        uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
         with:
           input_string: ${{ inputs.tag }}
           version_extractor_regex: 'v(.*)$'
 
-      - uses: benjlevesque/[email protected]
+      - uses: benjlevesque/short-sha@599815c8ee942a9616c92bcfb4f947a3b670ab0b # v3.0
         id: short-sha
 
       - name: Add standard tag
@@ -89,7 +89,7 @@ jobs:
       - run: echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_ENV
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
       - name: Cache Docker layers
         uses: actions/cache@v4
@@ -101,7 +101,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/[email protected]
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
           images: kong/kubernetes-ingress-controller
           flavor: |
@@ -110,7 +110,7 @@ jobs:
 
       - name: Build
         id: docker-build-dockerhub
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           push: false
           file: Dockerfile
@@ -129,7 +129,7 @@ jobs:
       # Build locally with outputs set to `type=docker,dest=/tmp/image.tar` to save the image as a `kic-image` artifact.
       - name: Build locally
         id: docker-build-local
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           load: true
           file: Dockerfile

diff --git a/.github/workflows/_e2e_tests.yaml b/.github/workflows/_e2e_tests.yaml
@@ -125,7 +125,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: Kong/kong-license@master
+      - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
         id: license
         with:
           op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -159,7 +159,7 @@ jobs:
         if: ${{ inputs.kong-image != '' && inputs.load-local-image }}
         run: docker pull ${{ inputs.kong-image }}
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 
@@ -229,7 +229,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: Kong/kong-license@master
+      - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
         continue-on-error: true
         id: license
         with:
@@ -266,7 +266,7 @@ jobs:
             echo "kic-tag=nightly" >> $GITHUB_OUTPUT
           fi
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 
@@ -359,7 +359,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: Kong/kong-license@master
+      - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
         id: license
         with:
           op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -383,7 +383,7 @@ jobs:
             echo "kic-tag=$kic_tag" >> $GITHUB_OUTPUT
           fi
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 

diff --git a/.github/workflows/_envtest_tests.yaml b/.github/workflows/_envtest_tests.yaml
@@ -16,11 +16,11 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 
-      - uses: Kong/kong-license@master
+      - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
         id: license
         with:
           op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

diff --git a/.github/workflows/_integration_tests.yaml b/.github/workflows/_integration_tests.yaml
@@ -143,7 +143,7 @@ jobs:
             enterprise: true
 
     steps:
-      - uses: Kong/kong-license@master
+      - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
         id: license
         with:
           op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -179,7 +179,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 

diff --git a/.github/workflows/_kongintegration_tests.yaml b/.github/workflows/_kongintegration_tests.yaml
@@ -24,7 +24,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: Kong/kong-license@master
+      - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
         id: license
         with:
           op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -41,7 +41,7 @@ jobs:
           echo "TEST_KONG_IMAGE=kong/kong-gateway" >> $GITHUB_ENV
           echo "TEST_KONG_TAG=$(yq -ojson -r '.kongintegration.kong-ee' < .github/test_dependencies.yaml )" >> $GITHUB_ENV
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 

diff --git a/.github/workflows/_linters.yaml b/.github/workflows/_linters.yaml
@@ -16,7 +16,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 

diff --git a/.github/workflows/_performance_tests.yaml b/.github/workflows/_performance_tests.yaml
@@ -54,7 +54,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: Kong/kong-license@master
+      - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
         id: license
         with:
           op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -78,7 +78,7 @@ jobs:
             echo "kic-tag=$kic_tag" >> $GITHUB_OUTPUT
           fi
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 
@@ -148,7 +148,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: Kong/kong-license@master
+      - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
         id: license
         with:
           op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

diff --git a/.github/workflows/_permission_check.yaml b/.github/workflows/_permission_check.yaml
@@ -13,7 +13,7 @@ jobs:
     steps:
       - name: get user permission
         id: checkAccess
-        uses: actions-cool/check-user-permission@v2
+        uses: actions-cool/check-user-permission@7b90a27f92f3961b368376107661682c441f6103 # v2.3.0
         with:
           require: write
           username: ${{ github.triggering_actor }}

diff --git a/.github/workflows/_test_reports.yaml b/.github/workflows/_test_reports.yaml
@@ -34,7 +34,7 @@ jobs:
           merge-multiple: true
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
         with:
           name: combined-coverage
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -60,7 +60,7 @@ jobs:
 
       - name: Upload test results to BuildPulse for flaky test detection
         if: ${{ !cancelled() }}
-        uses: buildpulse/[email protected]
+        uses: buildpulse/buildpulse-action@d4d8e00c645a2e3db0419a43664bbcf868080234 # v0.12.0
         with:
           account: 962416
           repository: 127765544

diff --git a/.github/workflows/_unit_tests.yaml b/.github/workflows/_unit_tests.yaml
@@ -16,7 +16,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 

diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
@@ -22,6 +22,6 @@ jobs:
         )
       )
     steps:
-      - uses: tibdex/backport@v2
+      - uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4
         with:
           github_token: ${{ secrets.K8S_TEAM_BOT_GH_PAT }}
diff --git a/.github/workflows/benchmarks.yaml b/.github/workflows/benchmarks.yaml
@@ -31,15 +31,15 @@ jobs:
       with:
         go-version-file: go.mod
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
     - name: Run benchmark
       run: make bench | tee bench.out
 
     - name: Store benchmark result
-      uses: benchmark-action/github-action-benchmark@v1
+      uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7 # v1.20.4
       with:
         name: Go Benchmark
         tool: 'go'

diff --git a/.github/workflows/check_fixed_issues_references.yaml b/.github/workflows/check_fixed_issues_references.yaml
@@ -27,7 +27,7 @@ jobs:
       if: always() && contains(needs.*.result, 'failure') && github.event_name == 'schedule'
       steps:
         - name: Notify on Slack for failures of checking issues state run automatically at night
-          uses: 8398a7/action-slack@v3
+          uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
           env:
             SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
           with:

diff --git a/.github/workflows/check_pr_labels.yaml b/.github/workflows/check_pr_labels.yaml
@@ -9,7 +9,7 @@ jobs:
     timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
     runs-on: ubuntu-latest
     steps:
-      - uses: pmalek/[email protected]
+      - uses: pmalek/verify-pr-label-action@7c5cdb8db3e959d689b7f13da21826ec8c9f6f8f #  v1.4.5
         with:
           github-token: '${{ secrets.GITHUB_TOKEN }}'
           invalid-labels: 'do not merge,on-hold'

diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -50,7 +50,7 @@ jobs:
           fetch-depth: 0
       - name: Check if PR is up to date, if it is skip workflows for this ref
         id: 'up-to-date'
-        uses: Kong/public-shared-actions/pr-previews/[email protected]
+        uses: Kong/public-shared-actions/pr-previews/up-to-date@0ccacffed804d85da3f938a1b78c12831935f992 # v2.8.0
         if: github.event_name == 'push' &&
           (startsWith(github.ref, 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/'))
         with:
@@ -69,7 +69,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
       - run: make tools

diff --git a/.github/workflows/conformance_tests_report.yaml b/.github/workflows/conformance_tests_report.yaml
@@ -40,7 +40,7 @@ jobs:
           fetch-tags: true
           ref: ${{ github.event.inputs.tag }}
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 

diff --git a/.github/workflows/e2e_nightly.yaml b/.github/workflows/e2e_nightly.yaml
@@ -74,7 +74,7 @@ jobs:
     if: always() && contains(needs.*.result, 'failure') && github.event_name == 'schedule'
     steps:
       - name: Notify on Slack for failures of e2e tests run automatically at night
-        uses: 8398a7/action-slack@v3
+        uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
         with:

diff --git a/.github/workflows/license.yaml b/.github/workflows/license.yaml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: fossas/[email protected]
+      - uses: fossas/fossa-action@09bcf127dc0ccb4b5a023f6f906728878e8610ba # v1.4.0
         with:
           api-key: ${{secrets.fossaApiKey}}
           branch: main
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -30,7 +30,7 @@ jobs:
           echo 'EOF' >> $GITHUB_OUTPUT
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
       - name: Cache Docker layers
         uses: actions/cache@v4
         with:
@@ -39,19 +39,19 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-buildx-
       - name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Docker meta
         id: meta
-        uses: docker/[email protected]
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
           images: kong/nightly-ingress-controller
           tags: ${{ steps.tags-standard.outputs.TAGS_STANDARD }}
       - name: Build binary
         id: docker_build_binary
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           push: false
           file: Dockerfile
@@ -67,7 +67,7 @@ jobs:
             GOCACHE=${{ env.GOCACHE}}
       - name: Build and push distroless image to DockerHub
         id: docker_build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           push: true
           file: Dockerfile

diff --git a/.github/workflows/performance_nightly.yaml b/.github/workflows/performance_nightly.yaml
@@ -35,7 +35,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: setup ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4 # v1.207.0
         with:
           ruby-version: 3.2
           bundler-cache: true
@@ -74,7 +74,7 @@ jobs:
     if: always() && contains(needs.*.result, 'failure') && github.event_name == 'schedule'
     steps:
       - name: Notify on Slack for failures of performance tests run automatically at night
-        uses: 8398a7/action-slack@v3
+        uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
         with:

diff --git a/.github/workflows/performance_targeted.yaml b/.github/workflows/performance_targeted.yaml
@@ -95,7 +95,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: setup ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4 # v1.207.0
         with:
           ruby-version: 3.2
           bundler-cache: true