Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: pin all GH Actions #12619

Merged
merged 2 commits into from
Feb 5, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/changelog.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,15 +18,15 @@ jobs:
pull-requests: write # for peter-evans/create-pull-request to create a PR
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: main
fetch-depth: 0
- run: git fetch --prune --prune-tags
- run: git tag -l 'v*'
# avoid invoking `make` to reduce the risk of a Makefile bug failing this workflow
- run: ./hack/changelog.sh > CHANGELOG.md
- uses: peter-evans/create-pull-request@v5
- uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
with:
title: 'docs: updated CHANGELOG.md'
commit-message: 'docs: updated CHANGELOG.md'
Expand Down
47 changes: 26 additions & 21 deletions .github/workflows/ci-build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,12 +28,12 @@ jobs:
ui: ${{ steps.changed-files.outputs.ui_any_modified == 'true' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 50 # assume PRs are less than 50 commits
- name: Get relevant files changed per group
id: changed-files
uses: tj-actions/changed-files@v41
uses: tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2
with:
files_yaml: |
common: &common
Expand Down Expand Up @@ -87,6 +87,8 @@ jobs:
- *tests
# plus lint config
- .golangci.yml
# all GH workflows / actions
- .github/workflows/**
# docs files below
- docs/**
# generated files are covered by codegen
Expand All @@ -113,8 +115,8 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
cache: true
Expand All @@ -131,8 +133,8 @@ jobs:
runs-on: windows-2022
timeout-minutes: 20
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
cache: true
Expand All @@ -147,10 +149,10 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Build and export
uses: docker/build-push-action@v5
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
context: .
tags: quay.io/argoproj/argoexec:latest
Expand All @@ -159,7 +161,7 @@ jobs:
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Upload
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: argoexec
path: /tmp/argoexec_image.tar
Expand Down Expand Up @@ -210,21 +212,21 @@ jobs:
steps:
- name: Install socat (needed by Kubernetes v1.25)
run: sudo apt-get -y install socat
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
cache: true
- name: Install Java for the SDK
if: ${{matrix.test == 'test-java-sdk'}}
uses: actions/setup-java@v4
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
with:
java-version: '8'
distribution: adopt
cache: maven
- name: Install Python for the SDK
if: ${{matrix.test == 'test-python-sdk'}}
uses: actions/setup-python@v5
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: '3.x'
cache: pip
Expand All @@ -243,7 +245,7 @@ jobs:
echo " token: xxxxxx" >> $KUBECONFIG
until kubectl cluster-info ; do sleep 10s ; done
- name: Download argoexec image
uses: actions/download-artifact@v3
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: argoexec
path: /tmp
Expand Down Expand Up @@ -340,8 +342,8 @@ jobs:
env:
GOPATH: /home/runner/go
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
cache: true
Expand Down Expand Up @@ -377,15 +379,18 @@ jobs:
env:
GOPATH: /home/runner/go
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
cache: true
- run: make lint STATIC_FILES=false
# if lint makes changes that are not in the PR, fail the build
- name: Check if lint made changes not present in the PR
run: git diff --exit-code
# lint GH Actions
- name: Ensure GH Actions are pinned to SHAs
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ba37328d4ea95eaf8b3bd6c6cef308f709a5f2ec # v3.0.3

ui:
name: UI
Expand All @@ -396,8 +401,8 @@ jobs:
env:
NODE_OPTIONS: --max-old-space-size=4096
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version: "20" # change in all GH Workflows
cache: yarn
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dependabot-reviewer.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
steps:
- name: Dependabot metadata
id: metadata
uses: dependabot/[email protected]
uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Approve PR
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/docs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,14 +19,14 @@ jobs:
docs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: 3.9
- uses: actions/setup-go@v5
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: '1.21'
- uses: actions/setup-node@v4
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version: "19"
# Use the same make target both locally and on CI to make it easier to debug failures.
Expand All @@ -37,7 +37,7 @@ jobs:
run: git diff --exit-code
# Upload the site so reviewers see it.
- name: Upload Docs Site
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: docs
path: site
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/pr.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check PR Title's semantic conformance
uses: amannn/action-semantic-pull-request@v5
uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
48 changes: 24 additions & 24 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -29,18 +29,18 @@ jobs:
platform: [ linux/amd64, linux/arm64 ]
target: [ workflow-controller, argocli, argoexec ]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
with:
version: v0.10.4

- name: Cache Docker layers
uses: actions/cache@v3
uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
id: cache
with:
path: /tmp/.buildx-cache
Expand All @@ -49,13 +49,13 @@ jobs:
${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-

- name: Docker Login
uses: docker/login-action@v3
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Docker Login
uses: docker/login-action@v3
- name: Login to Quay
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
Expand Down Expand Up @@ -97,15 +97,15 @@ jobs:
if: github.repository == 'argoproj/argo-workflows'
runs-on: windows-2022
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Docker Login
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
Expand Down Expand Up @@ -147,22 +147,22 @@ jobs:
runs-on: ubuntu-latest
needs: [ build-linux, build-windows ]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Docker Login
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}

- name: Install cosign
uses: sigstore/cosign-installer@main
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
with:
cosign-release: 'v1.13.0'

Expand Down Expand Up @@ -211,13 +211,13 @@ jobs:
target: [ workflow-controller, argocli, argoexec ]
steps:
- name: Docker Login
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
Expand Down Expand Up @@ -245,13 +245,13 @@ jobs:
needs: [ push-images ]
steps:
- name: Docker Login
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
Expand Down Expand Up @@ -284,20 +284,20 @@ jobs:
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version: "20" # change in all GH Workflows
- uses: actions/setup-go@v5
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
- name: Restore node packages cache
uses: actions/cache@v3
uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
with:
path: ui/node_modules
key: ${{ runner.os }}-node-dep-v1-${{ hashFiles('**/yarn.lock') }}
- name: Install cosign
uses: sigstore/cosign-installer@main
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
with:
cosign-release: 'v1.13.0'
# https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions
Expand Down Expand Up @@ -340,7 +340,7 @@ jobs:
# If a conflict occurs (because you are not on a tag), the release will not be updated. This is a short coming
# of this action.
# Instead, delete the release so it is re-created.
- uses: softprops/action-gh-release@v1
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
if: startsWith(github.ref, 'refs/tags/v')
with:
prerelease: ${{ startsWith(github.ref, 'refs/tags/v0') || contains(github.ref, 'rc') }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/sdks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
- java
- python
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: make --directory sdks/${{matrix.name}} publish -B
env:
JAVA_SDK_MAVEN_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
Expand Down
Loading
Loading