- `git` tags are mutable, while SHAs are immutable, so SHAs are [recommended](https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#pinned-dependencies) for better supply chain security
- Note that dependabot [knows how to](https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/) update both the SHA and the version comment
- add https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions to the `lint` job to ensure all actions stay pinned
- All pins listed below:
  - pin `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` (cf. [v4.1.1](https://github.com/actions/checkout/releases/tag/v4.1.1))
  - pin `actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0` (cf. [v5.0.0](https://github.com/actions/setup-go/releases/tag/v5.0.0))
  - pin `actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1` (cf. [v4.0.1](https://github.com/actions/setup-node/releases/tag/v4.0.1))
  - pin `actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0` (cf. [v5.0.0](https://github.com/actions/setup-python/releases/tag/v5.0.0))
  - pin `actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0` (cf. [v4.0.0](https://github.com/actions/setup-java/releases/tag/v4.0.0))
  - pin `actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3` (cf. [v3.3.3](https://github.com/actions/cache/releases/tag/v3.3.3))
  - pin `actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3` (cf. [v3.1.3](https://github.com/actions/upload-artifact/releases/tag/v3.1.3))
  - pin `actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2` (cf. [v3.0.2](https://github.com/actions/download-artifact/releases/tag/v3.0.2))
  - pin `actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0` (cf. [v9.0.0](https://github.com/actions/stale/releases/tag/v9.0.0))
  - pin `dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0` (cf. [v1.6.0](https://github.com/dependabot/fetch-metadata/releases/tag/v1.6.0))
  - pin `docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0` (cf. [v3.0.0](https://github.com/docker/setup-buildx-action/releases/tag/v3.0.0))
  - pin `docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0` (cf. [v5.1.0](https://github.com/docker/build-push-action/releases/tag/v5.1.0))
  - pin `docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0` (cf. [v3.0.0](https://github.com/docker/setup-qemu-action/releases/tag/v3.0.0))
  - pin `docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0` (cf. [v3.0.0](https://github.com/docker/login-action/releases/tag/v3.0.0))
  - pin `Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1` (cf. [v1.0.1](https://github.com/Azure/docker-login/releases/tag/v1.0.1))
  - pin `sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0` (cf. [v3.4.0](https://github.com/sigstore/cosign-installer/releases/tag/v3.4.0))
  - pin `snyk/actions/golang@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0` (cf. [v0.4.0](https://github.com/snyk/actions/releases/tag/0.4.0))
  - pin `snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0` (cf. [v0.4.0](https://github.com/snyk/actions/releases/tag/0.4.0))
  - pin `tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2` (cf. [v41.1.2](https://github.com/tj-actions/changed-files/releases/tag/v41.1.2))
  - pin `softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1` (cf. [v1](https://github.com/softprops/action-gh-release/releases/tag/v1))
  - pin `amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0` (cf. [v5.4.0](https://github.com/amannn/action-semantic-pull-request/releases/tag/v5.4.0))
  - pin `peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2` (cf. [v5.0.2](https://github.com/peter-evans/create-pull-request/releases/tag/v5.0.2))
Signed-off-by: Anton Gilgur <[email protected]>
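The commit above relies on `zgosalvez/github-actions-ensure-sha-pinned-actions` to keep every `uses:` reference pinned to a full commit SHA. As an added example (not part of the commit or the project's own tooling), the script below implements the same check locally so it can be run in a pre-commit hook or a plain `make lint` target: it flags any `uses:` that resolves to a tag, branch, short SHA or default branch, and warns when a SHA pin lacks the `# vX.Y.Z` comment that dependabot uses to keep the SHA and version in sync. It deliberately uses a line-oriented regex instead of a YAML library so it runs with the standard library only; local actions (`./path`) and `docker://` images are skipped because they are not resolved through a git ref. The sample workflow is constructed for the example, not taken from the repository.

```python
"""Check that every GitHub Actions `uses:` reference is pinned to a full commit SHA.

Added example, not the project's code. Assumptions: workflow files are scanned
line by line with a regex (no PyYAML dependency); `uses:` entries for local
actions (`./...`) and Docker images (`docker://...`) are skipped, as the
upstream ensure-sha-pinned-actions action does.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import List

# A `uses:` line (step or reusable-workflow job), optionally quoted, with an
# optional trailing `# vX.Y.Z` comment. Only spaces/tabs are allowed at the
# start so a match never spans a preceding blank line (keeps line numbers exact).
_USES_RE = re.compile(
    r"""^[ \t]*-?[ \t]*uses:[ \t]*["']?(?P<ref>[^"'\s#]+)["']?[ \t]*"""
    r"""(?:#[ \t]*(?P<comment>[^\n]*?))?[ \t]*$""",
    re.MULTILINE,
)
# git object names are 40 hex characters; anything shorter can be ambiguous and
# anything non-hex is a tag or branch name, both of which can be moved.
_FULL_SHA_RE = re.compile(r"[0-9a-f]{40}", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the workflow text
    uses: str       # the `uses:` value as written, e.g. actions/setup-go@v5
    severity: str   # "error" = mutable ref, "warning" = SHA without version comment
    message: str


def check_pins(workflow_text: str) -> List[Finding]:
    """Return one Finding per `uses:` reference that is not a documented SHA pin."""
    findings: List[Finding] = []
    for m in _USES_RE.finditer(workflow_text):
        ref = m.group("ref")
        comment = (m.group("comment") or "").strip()
        line = workflow_text.count("\n", 0, m.start()) + 1
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # not fetched by git ref; SHA pinning does not apply
        _action, sep, version = ref.partition("@")
        if not sep:
            findings.append(Finding(line, ref, "error",
                                    "no ref at all: resolves to the default branch"))
        elif not _FULL_SHA_RE.fullmatch(version):
            findings.append(Finding(line, ref, "error",
                                    f"ref {version!r} is a tag, branch or short SHA, not a 40-hex commit SHA"))
        elif not comment:
            findings.append(Finding(line, ref, "warning",
                                    "pinned to a SHA but missing the `# vX.Y.Z` comment dependabot updates"))
    return findings


# Constructed sample workflow mixing compliant and non-compliant pins.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/setup-go@v5
      - uses: docker/build-push-action@master
      - uses: actions/cache@e12d46a6
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: snyk/actions/golang@b98d498629f1c368650224d6d212bf7dfa89e4bf
      - uses: "actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8" # v4.0.1
"""


def main(argv: List[str]) -> int:
    """Scan the given workflow files (or the built-in sample); exit 1 on any error."""
    sources = [(p, Path(p).read_text()) for p in argv] or [("<sample>", SAMPLE_WORKFLOW)]
    rc = 0
    for name, text in sources:
        for f in check_pins(text):
            print(f"{name}:{f.line}: {f.severity}: {f.uses}: {f.message}")
            if f.severity == "error":
                rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python check_pins.py .github/workflows/*.yml`; with no arguments it scans the embedded sample and reports the three mutable refs (tag, branch, short SHA) as errors and the comment-less snyk pin as a warning. A SHA without the version comment is only a warning because it is still immutable; the comment matters for the dependabot update flow described above, not for integrity.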