From 8a0d61b18f283822d1106419834d9c9372656769 Mon Sep 17 00:00:00 2001
From: Lucas TESSON
Date: Mon, 3 Jun 2024 22:55:36 +0200
Subject: [PATCH] chore(deps): pin dependencies
---
 .github/workflows/ci.yaml | 14 ++++----
 .github/workflows/codeql-analysis.yaml | 8 ++---
 .github/workflows/goreleaser.yaml | 47 +++++---------------------
 3 files changed, 20 insertions(+), 49 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c15e07a..ee3bb2f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -14,15 +14,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 - name: Setup Go
- uses: actions/setup-go@v5.0.1
+ uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
 go-version-file: go.mod
 - name: Cache go modules
- uses: actions/cache@v4
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: ~/go/pkg/mod
 key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -33,17 +33,17 @@ jobs:
 - name: Upload coverage to Coveralls
 if: ${{ matrix.update-coverage }}
- uses: shogo82148/actions-goveralls@v1
+ uses: shogo82148/actions-goveralls@785c9d68212c91196d3994652647f8721918ba11 # v1.9.0
 with:
 path-to-profile: cov.out
 go-lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5.0.1
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
 go-version-file: go.mod
 - name: go-lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index 832cc96..c76b1e1 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
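Review bot: The SHA pins in both ci.yaml hunks (and equally in the codeql-analysis.yaml and goreleaser.yaml hunks that follow) freeze each action at one commit but also switch off the updates the floating tags used to deliver, and nothing in the commit moves the pins when one of these actions ships a security fix. The trailing `# vX.Y.Z` comments are the form Dependabot and Renovate read to bump a SHA together with its version, so keeping them exactly in that shape matters; the concrete gap is that no `.github/dependabot.yml` with a `package-ecosystem: "github-actions"` entry accompanies the pins, so they will go stale silently. The pins are also only as trustworthy as the tag-to-commit resolution behind them, and the commit gives no hint of how the SHAs were checked against the release tags; a one-line statement of the method in the description would make that auditable. A minimal updater configuration would look like the following.
```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```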
@@ -27,19 +27,19 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
 go-version-file: go.mod
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
 with:
 languages: ${{ matrix.language }}
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
index 7a4a789..33ad761 100644
--- a/.github/workflows/goreleaser.yaml
+++ b/.github/workflows/goreleaser.yaml
@@ -17,25 +17,28 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 fetch-depth: 0
+
 - name: Set up Go
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
+ uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
 go-version-file: go.mod
+
 - name: Install Syft
- run: |
- curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+ uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
+
 - name: Run GoReleaser
 id: run-goreleaser
- uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811
+ uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
 with:
 version: latest
 args: release --clean
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 VERSION_LDFLAGS: ${{ steps.ldflags.outputs.version }}
+
 - name: Generate subject
 id: hash
 env:
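Review bot: `version: latest` on the Run GoReleaser step (a context line in the goreleaser.yaml hunk) still resolves the GoReleaser binary at run time, so the release tool itself is left floating in a commit whose purpose is pinning; pin it to the release you validated, e.g. `version: "vX.Y.Z"  # placeholder: exact GoReleaser release`, so the artifacts and checksums handed to the provenance job are produced by a known build of the tool. Replacing the `curl ... | sh` install with `anchore/sbom-action/download-syft` at a SHA is a real improvement, but that pins the action, not necessarily the Syft binary it fetches; if its default Syft version floats, set the action's `syft-version` input as well (confirm against the action's documented inputs). The next hunk of this file deletes the entire `verification` job that ran `slsa-verifier verify-artifact` over the released assets, which neither the subject line "pin dependencies" nor the diff explains; it appears to be the only in-repo consumer of the generated provenance, so either keep it or record in the commit why that check is being dropped.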
@@ -52,39 +55,7 @@ jobs:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # not pinned to avoid breaking it, use it to target refs/tags/vX.Y.Z
 with:
 base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
 upload-assets: true # upload to a new release
- verification:
- needs: [goreleaser, provenance]
- runs-on: ubuntu-latest
- permissions: read-all
- steps:
- - name: Install the verifier
- uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1
- - name: Download assets
- env:
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
- run: |
- set -euo pipefail
- gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
- gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.sbom"
- gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
- - name: Verify assets
- env:
- CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
- PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
- run: |
- set -euo pipefail
- checksums=$(echo "$CHECKSUMS" | base64 -d)
- while read -r line; do
- fn=$(echo $line | cut -d ' ' -f2)
- echo "Verifying $fn"
- slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
- --source-uri "github.com/$GITHUB_REPOSITORY" \
- --source-tag "$GITHUB_REF_NAME" \
- "$fn"
- done <<<"$checksums"