From b1614afdeb22c5946773f3f28be7f5d1e8a56281 Mon Sep 17 00:00:00 2001
From: Patrick Stephens
Date: Thu, 19 Mar 2026 13:13:01 +0000
Subject: [PATCH] ci: switch to using SHAs for actions

Signed-off-by: Patrick Stephens
---
 .github/dependabot.yml                      | 10 ++++++---
 .github/workflows/build-offline.yaml        |  4 ++--
 .../workflows/call-add-mapping-version.yaml |  8 +++----
 .github/workflows/cron-run-scan.yaml        | 10 ++++-----
 .github/workflows/lint.yaml                 | 22 +++++++++++++++----
 .pinact.yaml                                | 16 ++++++++++++++
 6 files changed, 52 insertions(+), 18 deletions(-)
 create mode 100644 .pinact.yaml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1230149..be8df6a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,10 @@
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
+    groups:
+      github-actions:
+        patterns:
+          - "*"
     schedule:
-      interval: "daily"
+      interval: daily
diff --git a/.github/workflows/build-offline.yaml b/.github/workflows/build-offline.yaml
index 09cc14b..8f39aec 100644
--- a/.github/workflows/build-offline.yaml
+++ b/.github/workflows/build-offline.yaml
@@ -9,7 +9,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - run: scripts/generate-offline.sh
         shell: bash
 
@@ -20,7 +20,7 @@ jobs:
         run: ls -lR
         shell: bash
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: agent-documentation
           path: "*.tgz"
diff --git a/.github/workflows/call-add-mapping-version.yaml b/.github/workflows/call-add-mapping-version.yaml
index ce11cb1..3176e5d 100644
--- a/.github/workflows/call-add-mapping-version.yaml
+++ b/.github/workflows/call-add-mapping-version.yaml
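Review bot: The new `groups:` block with pattern `"*"` folds every action bump into one PR, so a single major-version update that needs workflow changes (and now lands as an opaque SHA change plus a comment edit) holds back the security patches grouped with it. Consider splitting majors out, e.g. `update-types: ["minor", "patch"]` under `github-actions:`, so majors arrive as separate, individually reviewable PRs. Dependabot appears to rely on the trailing `# vX.Y.Z` comment the other hunks add to map each SHA back to a tag, so that comment has to stay on every pinned `uses:` line for these grouped updates to keep working.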
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Authenticate with GCP
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
         with:
           workload_identity_provider: "projects/841522437311/locations/global/workloadIdentityPools/github-actions/providers/github-actions"
           service_account: "terraform-infra@infrastructure-464010.iam.gserviceaccount.com"
@@ -34,13 +34,13 @@ jobs:
         name: Get secrets from GCP Secret Manager
         # This step retrieves secrets from GCP Secret Manager and sets them as outputs
         # The secrets can then be accessed in subsequent steps using ${{ steps.get-secrets.outputs. }}
-        uses: "google-github-actions/get-secretmanager-secrets@v3"
+        uses: "google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262" # v3.0.0
         with:
           secrets: |-
             github-pat:projects/626836145334/secrets/GITHUB_CI_PAT
 
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: telemetryforge/documentation
           token: ${{ steps.get-secrets.outputs.github-pat }}
@@ -78,7 +78,7 @@ jobs:
       - name: Create a PR with the update
         if: ${{ !inputs.dry-run }}
         id: cpr
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           commit-message: "ci: add mapping version for agent ${{ inputs.agent-version }}"
           signoff: true
diff --git a/.github/workflows/cron-run-scan.yaml b/.github/workflows/cron-run-scan.yaml
index b19112b..45e7086 100644
--- a/.github/workflows/cron-run-scan.yaml
+++ b/.github/workflows/cron-run-scan.yaml
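Review bot: In the second hunk the pinned `uses:` value keeps its surrounding double quotes with the version comment outside them, `uses: "google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262" # v3.0.0`, while every other pinned line in this commit is a plain scalar. The quotes serve no purpose on this value and leave two different line shapes for the pin tooling and for anyone grepping for `@<sha> # v`; drop them to match the rest: `uses: google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262 # v3.0.0`. The same quoted form appears in the second hunk of cron-run-scan.yaml.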
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Authenticate with GCP
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
         with:
           workload_identity_provider: "projects/841522437311/locations/global/workloadIdentityPools/github-actions/providers/github-actions"
           service_account: "terraform-infra@infrastructure-464010.iam.gserviceaccount.com"
@@ -29,18 +29,18 @@ jobs:
         name: Get secrets from GCP Secret Manager
         # This step retrieves secrets from GCP Secret Manager and sets them as outputs
         # The secrets can then be accessed in subsequent steps using ${{ steps.get-secrets.outputs. }}
-        uses: "google-github-actions/get-secretmanager-secrets@v3"
+        uses: "google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262" # v3.0.0
         with:
           secrets: |-
             github-pat:projects/626836145334/secrets/GITHUB_CI_PAT
 
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ steps.get-secrets.outputs.github-pat }}
 
       - name: Log into ghcr.io
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -68,7 +68,7 @@ jobs:
       - name: Create a PR with the update
         if: ${{ !inputs.dry-run }}
         id: cpr
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           commit-message: "ci: update cve scan results"
           signoff: true
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 5047a38..ad82f50 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -14,8 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     name: PR - Shellcheck
     steps:
-      - uses: actions/checkout@v6
-      - uses: reviewdog/action-shellcheck@v1.32.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: reviewdog/action-shellcheck@4c07458293ac342d477251099501a718ae5ef86e # v1.32.0
         with:
           reporter: github-pr-review
           fail_level: error
@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     name: PR - Actionlint
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - run: |
           echo "::add-matcher::.github/actionlint-matcher.json"
           bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
@@ -41,7 +41,21 @@ jobs:
     runs-on: ubuntu-latest
     name: PR - Check Orphaned Documentation
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check for orphaned markdown files
         run: bash ./scripts/check-orphaned-docs.sh
         shell: bash
+
+  actions-pin-sha:
+    runs-on: ubuntu-latest
+    name: PR - Actions Pin SHA
+    permissions:
+      contents: read
+      # For ReviewDog to post comments to the PR
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: suzuki-shunsuke/pinact-action@1081f5ad49ac904b7d977784f338145150a32112 # v1.4.0
+        with:
+          skip_push: "true"
+          review: "true"
diff --git a/.pinact.yaml b/.pinact.yaml
new file mode 100644
index 0000000..3b20588
--- /dev/null
+++ b/.pinact.yaml
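Review bot: The actionlint job in the second hunk still fetches its installer with `bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)`, an unpinned script taken from `main` and executed as-is, so the commit's move to immutable SHAs for `uses:` leaves this job's toolchain resolved at run time by whatever that branch currently contains. Pin the script URL to a commit (`https://raw.githubusercontent.com/rhysd/actionlint/<COMMIT_SHA>/scripts/download-actionlint.bash`, placeholder) or install a fixed actionlint release and verify its checksum, and pass `-fsSL` to curl so a failed download does not silently hand an empty stream to bash. The `run: |` block continues past the end of the hunk.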
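Review bot: The new `actions-pin-sha` job in the third hunk runs pinact in review-only mode (`skip_push: "true"`, `review: "true"`) under `pull-requests: write`, but nothing in the hunk shows whether an unpinned or tag-mismatched `uses:` also fails the job rather than only producing reviewdog comments; if it does not, the check is advisory and a mutable ref can still merge. Confirm the action's failure behaviour and, if needed, add an explicit step that runs pinact and exits non-zero on findings, then make the job a required status check. On `pull_request` runs from forks the `GITHUB_TOKEN` is read-only regardless of the declared permissions, so the review comments presumably will not post there; a comment next to `pull-requests: write` such as `# Review comments only post for same-repo PRs; fork PRs receive a read-only token` would save the next reader a debugging session. The workflow's `on:` trigger is outside the hunk.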
@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/pinact/refs/heads/main/json-schema/pinact.json
+# pinact - https://github.com/suzuki-shunsuke/pinact
+version: 3
+# files:
+# - pattern: action.yaml
+# - pattern: */action.yaml
+
+# separator: " # "
+
+ignore_actions:
+# - name: slsa-framework/slsa-github-generator/\.github/workflows/generator_generic_slsa3\.yml
+#   ref: v\d+\.\d+\.\d+
+# - name: actions/.*
+#   ref: main
+# - name: suzuki-shunsuke/.*
+#   ref: release-.*
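Review bot: `ignore_actions:` is left with no items (only commented-out examples follow it), which YAML parses as `null` rather than an empty list; depending on how pinact decodes the config that is either silently treated as absent or rejected by the schema referenced on the first line. Either drop the key until an entry is needed or write `ignore_actions: []` so the intent is explicit. A one-line comment above the examples noting that `name:` and `ref:` are regular expressions (the examples already use `\d+` and `.*`) would also help, since an over-broad pair such as `actions/.*` with `main` would exempt exactly the mutable refs this commit is eliminating.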