Merge pull request #2738 from step-security-bot/stepsecurity_remediat…

…ion_1729036493 [StepSecurity] ci: Harden GitHub Actions
lima-vm · Oct 16, 2024 · decb0a2 · decb0a2
2 parents 3ff7351 + 71bfca2
commit decb0a2
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 35 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -25,16 +25,16 @@ jobs:
  xcodebuild -version
  # macOS SDK version
  xcrun --show-sdk-version
- - uses: actions/checkout@v4
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
  with:
  fetch-depth: 1
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version: 1.23.x
  - name: Make darwin artifacts
  run: make artifacts-darwin
  - name: "Upload artifacts"
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
  with:
  name: artifacts-darwin
  path: _artifacts/
@@ -50,12 +50,12 @@ jobs:
  id-token: write # for provenances
  attestations: write # for provenances
  steps:
- - uses: actions/checkout@v4
- - uses: actions/download-artifact@v4
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
  with:
  name: artifacts-darwin
  path: _artifacts/
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version: 1.23.x
  - name: Install gcc-x86-64-linux-gnu
@@ -101,7 +101,7 @@ jobs:
  - - -
  Release manager: [ADD YOUR NAME HERE] (@[ADD YOUR GITHUB ID HERE])
  EOF
- - uses: actions/attest-build-provenance@v1
+ - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
  if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
  with:
  subject-path: _artifacts/*

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -23,11 +23,11 @@ jobs:
  runs-on: ubuntu-24.04
  timeout-minutes: 30
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
  with:
  # To avoid "failed to load YAML file \"templates/experimental/riscv64.yaml\": can't parse builtin Lima version \"3f3a6f6\": 3f3a6f6 is not in dotted-tri format"
  fetch-depth: 0
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version: 1.23.x
  - name: Install protoc
@@ -37,7 +37,7 @@ jobs:
  - name: Verify generated files
  run: make install-tools generate check-generated
  - name: Run golangci-lint
- uses: golangci/[email protected]
+ uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
  with:
  version: v1.60.1
  args: --verbose --timeout=10m
@@ -48,15 +48,15 @@ jobs:
  sudo apt-get update
  sudo apt-get install -y shellcheck
  - name: Run file and directory name linter
- uses: ls-lint/[email protected]
+ uses: ls-lint/action@1887e6c0e7f2dfa81a2d67591f0eb7782720026f # v2.2.3
  - name: Run shellcheck
  run: find . -name '*.sh' | xargs shellcheck
  - name: Install shfmt
  run: go install mvdan.cc/sh/v3/cmd/[email protected]
  - name: Run shfmt
  run: find . -name '*.sh' | xargs shfmt -s -d
  - name: Check hyperlinks
- uses: docker://dkhamsing/awesome_bot:latest
+ uses: docker://dkhamsing/awesome_bot:latest@sha256:a8adaeb3b3bd5745304743e4d8a6d512127646e420544a6d22d9f58a07f35884
  with:
  args: /github/workspace/README.md --allow-dupe --allow-redirect --request-delay 1 --white-list https://img.shields.io,http://127.0.0.1:8080,https://github.com/lima-vm/lima/releases/download,https://xbarapp.com,https://api.github.com
  - name: Install go-licenses
@@ -79,10 +79,10 @@ jobs:
  run: |
  sudo apt-get update
  sudo apt-get install -y --no-install-recommends qemu-utils
- - uses: actions/checkout@v4
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
  with:
  fetch-depth: 1
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version: ${{ matrix.go-version }}
  - name: Unit tests
@@ -127,10 +127,10 @@ jobs:
  run: |
  git config --global core.autocrlf false
  git config --global core.eol lf
- - uses: actions/checkout@v4
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
  with:
  fetch-depth: 1
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version: 1.23.x
  - name: Unit tests
@@ -157,11 +157,11 @@ jobs:
  runs-on: macos-12
  timeout-minutes: 120
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
  with:
  # To avoid "failed to load YAML file \"templates/experimental/riscv64.yaml\": can't parse builtin Lima version \"3f3a6f6\": 3f3a6f6 is not in dotted-tri format"
  fetch-depth: 0
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version: 1.23.x
  - name: Unit tests
@@ -193,7 +193,7 @@ jobs:
  - name: "Show cache"
  run: ./hack/debug-cache.sh
  - name: "Test default.yaml"
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
  with:
  timeout_minutes: 30
  retry_on: error
@@ -230,10 +230,10 @@ jobs:
  - ../hack/test-templates/alpine-iso-9p-writable.yaml # Covers alpine-iso.yaml
  - ../hack/test-templates/test-misc.yaml
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
  with:
  fetch-depth: 1
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version: 1.23.x
  - name: Make
@@ -267,7 +267,7 @@ jobs:
  run: echo "LIMACTL_CREATE_ARGS=${LIMACTL_CREATE_ARGS} --mount-type=reverse-sshfs" >>$GITHUB_ENV
  if: matrix.template == 'archlinux.yaml'
  - name: "Test"
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
  with:
  timeout_minutes: 30
  retry_on: error
@@ -288,15 +288,15 @@ jobs:
  matrix:
  colima-version: ["v0.6.5"]
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
  with:
  # fetch-depth is set to 0 to let `limactl --version` print semver-ish version
  fetch-depth: 0
  ref: ${{ github.event.pull_request.head.sha }}
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version: 1.23.x
- - uses: actions/cache@v4
+ - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
  with:
  path: ~/.cache/lima/download
  key: ${{ runner.os }}-colima-${{ matrix.colima-version }}
@@ -321,7 +321,7 @@ jobs:
  - name: "Show cache"
  run: ./hack/debug-cache.sh
  - name: "Test"
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
  with:
  timeout_minutes: 30
  retry_on: error
@@ -335,10 +335,10 @@ jobs:
  runs-on: macos-12
  timeout-minutes: 120
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
  with:
  fetch-depth: 1
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version: 1.23.x
  - name: Make
@@ -371,7 +371,7 @@ jobs:
  # Set -count=1 to disable cache
  run: go test -v -count=1 ./pkg/networks/...
  - name: Test socket_vmnet
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
  with:
  timeout_minutes: 30
  retry_on: error
@@ -388,18 +388,18 @@ jobs:
  matrix:
  oldver: ["v0.15.1"]
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
  with:
  fetch-depth: 0
  - name: Fetch homebrew-core commit messages
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
  with:
  # needed by ./hack/brew-install-version.sh
  repository: homebrew/homebrew-core
  path: homebrew-core
  fetch-depth: 0
  filter: tree:0
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version: 1.23.x
  - name: Cache image used by ${{ matrix.oldver }}/examples/ubuntu-lts.yaml
@@ -413,7 +413,7 @@ jobs:
  # We revert back to 8.2.1, which seems to work fine
  ./hack/brew-install-version.sh qemu 8.2.1
  - name: Test
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
  with:
  timeout_minutes: 30
  retry_on: error
@@ -434,10 +434,10 @@ jobs:
  - default.yaml
  - fedora.yaml
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
  with:
  fetch-depth: 1
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
  with:
  go-version: 1.23.x
  - name: Make