diff --git a/.github/workflows/_docker_build.yaml b/.github/workflows/_docker_build.yaml
index dac643036f..7f3a1b9238 100644
--- a/.github/workflows/_docker_build.yaml
+++ b/.github/workflows/_docker_build.yaml
@@ -34,12 +34,12 @@ jobs:
 - name: Parse semver string
 if: ${{ inputs.tag != '' }}
 id: parse-semver-tag
- uses: booxmedialtd/ws-action-parse-semver@v1.4.7
+ uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
 with:
 input_string: ${{ inputs.tag }}
 version_extractor_regex: 'v(.*)$'
- - uses: benjlevesque/short-sha@v2.2
+ - uses: benjlevesque/short-sha@36eb8c530990ceac5ddf3c0bc32d02c677ae9706 # v2.2
 id: short-sha
 - name: Add standard tag
@@ -83,10 +83,10 @@ jobs:
 fetch-depth: 0
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 - name: Cache Docker layers
 uses: actions/cache@v3
@@ -98,7 +98,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5.0.0
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
 with:
 images: kong/kubernetes-ingress-controller
 flavor: |
@@ -107,7 +107,7 @@ jobs:
 - name: Build
 id: docker-build-dockerhub
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
 with:
 push: false
 file: Dockerfile
@@ -124,7 +124,7 @@ jobs:
 # Build locally with outputs set to `type=docker,dest=/tmp/image.tar` to save the image as a `kic-image` artifact.
 - name: Build locally
 id: docker-build-local
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
 with:
 load: true
 file: Dockerfile
diff --git a/.github/workflows/_e2e_tests.yaml b/.github/workflows/_e2e_tests.yaml
index ff8413967f..cb405840a3 100644
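Review bot: Nothing in these workflows ties a pinned SHA to the release named in its trailing comment, starting with `booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7` in the first hunk of `_docker_build.yaml` and applying to every `uses:` line this commit rewrites. Each SHA should be checked against the tag in the action's own repository before merge, because GitHub also resolves a SHA that exists only in a fork of that repository. The same holds for `release_docs.yaml`, where `# v6.0.0` and `# v5.0.2` are attached to SHAs that were already there. The replaced refs such as `@v3` and `@v5` followed new releases on their own and the pinned ones do not, so an updater that rewrites both SHA and comment (for example Dependabot's `github-actions` ecosystem) is needed to keep receiving upstream fixes; no such configuration is visible in this diff.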
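Review bot: `uses: actions/cache@v3` in the context of the `@@ -83,10` hunk of `_docker_build.yaml` is still a mutable tag, and the same line remains in `nightly.yaml` (`@@ -23,9`) and `release.yaml` (`@@ -80,9`), as does `actions/checkout@v4` in `license.yaml`. In `nightly.yaml` and `release.yaml` the cache step appears to run in the same job as the DockerHub login and the `push: true` build, so it sits inside the boundary this commit is tightening. If GitHub-owned actions are exempt on purpose, a sentence in the commit description would record that; otherwise pin them the same way, `uses: actions/cache@<full-commit-sha> # v3.x.y` (placeholder, the SHA is not on this page).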
--- a/.github/workflows/_e2e_tests.yaml
+++ b/.github/workflows/_e2e_tests.yaml
@@ -121,7 +121,7 @@ jobs:
 with:
 go-version-file: go.mod
- - uses: Kong/kong-license@master
+ - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
 id: license
 with:
 op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -187,7 +187,7 @@ jobs:
 with:
 go-version-file: go.mod
- - uses: Kong/kong-license@master
+ - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
 continue-on-error: true
 id: license
 with:
@@ -284,7 +284,7 @@ jobs:
 with:
 go-version-file: go.mod
- - uses: Kong/kong-license@master
+ - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
 id: license
 with:
 op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
diff --git a/.github/workflows/_integration_tests.yaml b/.github/workflows/_integration_tests.yaml
index f57f88748b..f272a3d920 100644
--- a/.github/workflows/_integration_tests.yaml
+++ b/.github/workflows/_integration_tests.yaml
@@ -91,7 +91,7 @@ jobs:
 feature_gates: "GatewayAlpha=true,RewriteURIs=true"
 steps:
- - uses: Kong/kong-license@master
+ - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
 id: license
 with:
 op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
diff --git a/.github/workflows/_test_reports.yaml b/.github/workflows/_test_reports.yaml
index 6902246496..daf01db0f1 100644
--- a/.github/workflows/_test_reports.yaml
+++ b/.github/workflows/_test_reports.yaml
@@ -34,7 +34,7 @@ jobs:
 path: coverage
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6
 with:
 name: combined-coverage
 token: ${{ secrets.CODECOV_TOKEN }}
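Review bot: `Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107` in the first hunk of `_e2e_tests.yaml` pins a branch snapshot rather than a release, so the comment gives an updater no tag to compare against and the pin will probably stay on this commit until someone bumps it by hand. The step is passed `secrets.OP_SERVICE_ACCOUNT_TOKEN`, so it is worth recording next to the pin how it gets refreshed, for example `# no release tag upstream; refresh this SHA from master by hand`, or asking for a tag on the action's repository if it has none. The same line appears in the other two hunks of `_e2e_tests.yaml`, in `_integration_tests.yaml` and in both hunks of `test_nightly.yaml`.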
@@ -60,7 +60,7 @@ jobs:
 - name: Upload test results to BuildPulse for flaky test detection
 if: ${{ !cancelled() }}
- uses: buildpulse/buildpulse-action@v0.11.0
+ uses: buildpulse/buildpulse-action@d0d30f53585cf16b2e01811a5a753fd47968654a # v0.11.0
 with:
 account: 962416
 repository: 127765544
diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
index f6c25f9319..aaace1d052 100644
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -21,6 +21,6 @@ jobs:
 )
 )
 steps:
- - uses: tibdex/backport@v2
+ - uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/benchmarks.yaml b/.github/workflows/benchmarks.yaml
index e6138b8900..8613922bff 100644
--- a/.github/workflows/benchmarks.yaml
+++ b/.github/workflows/benchmarks.yaml
@@ -24,7 +24,7 @@ jobs:
 run: make bench | tee bench.out
 - name: Store benchmark result
- uses: benchmark-action/github-action-benchmark@v1
+ uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7 # v1.20.4
 with:
 name: Go Benchmark
 tool: 'go'
diff --git a/.github/workflows/check_pr_labels.yaml b/.github/workflows/check_pr_labels.yaml
index d22d80a28e..f380d100fb 100644
--- a/.github/workflows/check_pr_labels.yaml
+++ b/.github/workflows/check_pr_labels.yaml
@@ -8,7 +8,7 @@ jobs:
 label:
 runs-on: ubuntu-latest
 steps:
- - uses: pmalek/verify-pr-label-action@v1.4.5
+ - uses: pmalek/verify-pr-label-action@7c5cdb8db3e959d689b7f13da21826ec8c9f6f8f # v1.4.5
 with:
 github-token: '${{ secrets.GITHUB_TOKEN }}'
 invalid-labels: 'do not merge,on-hold'
diff --git a/.github/workflows/e2e_nightly.yaml b/.github/workflows/e2e_nightly.yaml
index 4044a332ca..2ae4209f6e 100644
--- a/.github/workflows/e2e_nightly.yaml
+++ b/.github/workflows/e2e_nightly.yaml
@@ -72,7 +72,7 @@ jobs:
 if: always() && contains(needs.*.result, 'failure') && github.event_name == 'schedule'
 steps:
 - name: Notify on Slack for failures of e2e tests run automatically at night
- uses: 8398a7/action-slack@v3
+ uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
 env:
 SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 with:
diff --git a/.github/workflows/license.yaml b/.github/workflows/license.yaml
index fdfb613742..f7ce943f87 100644
--- a/.github/workflows/license.yaml
+++ b/.github/workflows/license.yaml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: fossas/fossa-action@v1
+ - uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
 with:
 api-key: ${{secrets.fossaApiKey}}
 branch: main
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index f7893d3999..cbf94e08fd 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -23,9 +23,9 @@ jobs:
 echo 'EOF' >> $GITHUB_OUTPUT
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 - name: Cache Docker layers
 uses: actions/cache@v3
 with:
@@ -34,19 +34,19 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-buildx-
 - name: Login to DockerHub
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_TOKEN }}
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5.0.0
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
 with:
 images: kong/nightly-ingress-controller
 tags: ${{ steps.tags-standard.outputs.TAGS_STANDARD }}
 - name: Build binary
 id: docker_build_binary
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
 with:
 push: false
 file: Dockerfile
@@ -60,7 +60,7 @@ jobs:
 REPO_INFO=https://github.com/${{ github.repository }}.git
 - name: Build and push distroless image to DockerHub
 id: docker_build
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
 with:
 push: true
 file: Dockerfile
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6f168c55a4..b416e89546 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -24,7 +24,7 @@ jobs:
 outputs:
 fullversion_tag: ${{ steps.semver_parser.outputs.fullversion }}
 steps:
- - uses: mukunku/tag-exists-action@v1.4.0
+ - uses: mukunku/tag-exists-action@78009d2b13e10ba051fe68d8d2f6778a9b2adab3 # v1.4.0
 id: check-tag
 name: check if tag already exists
 with:
@@ -40,7 +40,7 @@ jobs:
 fetch-depth: 0
 - name: Parse semver string
 id: semver_parser
- uses: booxmedialtd/ws-action-parse-semver@v1.4.7
+ uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
 with:
 input_string: ${{ github.event.inputs.tag }}
 version_extractor_regex: 'v(.*)$'
@@ -63,7 +63,7 @@ jobs:
 fetch-depth: 0
 - name: Parse semver string
 id: semver_parser
- uses: booxmedialtd/ws-action-parse-semver@v1.4.7
+ uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
 with:
 input_string: ${{ github.event.inputs.tag }}
 version_extractor_regex: 'v(.*)$'
@@ -80,9 +80,9 @@ jobs:
 echo 'type=raw,value=${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}' >> $GITHUB_ENV
 echo 'EOF' >> $GITHUB_ENV
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 - name: Cache Docker layers
 uses: actions/cache@v3
 with:
@@ -91,13 +91,13 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-buildx-
 - name: Login to DockerHub
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_TOKEN }}
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5.0.0
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
 with:
 images: kong/kubernetes-ingress-controller
 flavor: |
@@ -105,7 +105,7 @@ jobs:
 tags: ${{ env.TAGS_STANDARD }}${{ env.TAGS_SUPPLEMENTAL }}
 - name: Build binary
 id: docker_build_binary
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
 with:
 push: false
 file: Dockerfile
@@ -119,7 +119,7 @@ jobs:
 REPO_INFO=https://github.com/${{ github.repository }}.git
 - name: Build and push distroless image to DockerHub
 id: docker_build
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
 with:
 push: true
 file: Dockerfile
@@ -146,7 +146,7 @@ jobs:
 steps:
 - name: Parse semver string
 id: semver_parser
- uses: booxmedialtd/ws-action-parse-semver@v1.4.7
+ uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
 with:
 input_string: ${{ github.event.inputs.tag }}
 version_extractor_regex: 'v(.*)$'
@@ -182,7 +182,7 @@ jobs:
 fetch-depth: 0
 - name: Parse semver string
 id: semver_parser
- uses: booxmedialtd/ws-action-parse-semver@v1.4.7
+ uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
 with:
 input_string: ${{ github.event.inputs.tag }}
 version_extractor_regex: 'v(.*)$'
diff --git a/.github/workflows/release_docs.yaml b/.github/workflows/release_docs.yaml
index 5762b7a883..b5fa746bb8 100644
--- a/.github/workflows/release_docs.yaml
+++ b/.github/workflows/release_docs.yaml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - name: Parse semver string
 id: semver_parser
- uses: booxmedialtd/ws-action-parse-semver@v1.4.7
+ uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
 with:
 input_string: ${{ github.event.inputs.tag }}
 version_extractor_regex: 'v(.*)$'
@@ -51,7 +51,7 @@ jobs:
 fi
 - name: GPG sign the commits
- uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef
+ uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.0.0
 with:
 workdir: docs.konghq.com
 gpg_private_key: ${{ secrets.K8S_TEAM_BOT_GPG_PRIVATE_KEY }}
@@ -60,7 +60,7 @@ jobs:
 git_commit_gpgsign: true
 - name: Create a PR in docs repo
- uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38
+ uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
 if: steps.detect-changes.outputs.HAS_CHANGES
 with:
 token: ${{ secrets.K8S_TEAM_BOT_GH_PAT }}
diff --git a/.github/workflows/test_nightly.yaml b/.github/workflows/test_nightly.yaml
index 8fbee629ae..d05801b313 100644
--- a/.github/workflows/test_nightly.yaml
+++ b/.github/workflows/test_nightly.yaml
@@ -47,7 +47,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: Kong/kong-license@master
+ - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
 id: license
 with:
 op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -93,7 +93,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: Kong/kong-license@master
+ - uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master @ 20250107
 id: license
 with:
 op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}