Merge pull request ceph#65720 from rhcs-dashboard/fix-73307-main

epuertat · web-flow · commit 3e427c174241 · 2025-10-01T18:38:28.000+02:00
.github: pin GH Actions to SHA-1 commit
diff --git a/.github/workflows/qa-symlink.yml b/.github/workflows/qa-symlink.yml
@@ -14,12 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout PR HEAD
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           path: head
 
       - name: checkout base
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           path: base
           ref: ${{ github.base_ref }}
diff --git a/src/script/pin-gh-workflow-deps.sh b/src/script/pin-gh-workflow-deps.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+WORKFLOWS_DIR="${1:-.}/.github/workflows"
+
+echo "Scanning workflows in: $WORKFLOWS_DIR"
+
+# Recursively grep workflow files for actions not pinned to SHA-1
+grep -Prno --include="*.yml" --include="*.yaml" 'uses:\s*([^/]+)/([^@]+)@([^[:space:]]+)' "${WORKFLOWS_DIR}" | \
+  while IFS=: read -r file _line_num uses_line; do
+    echo -n "$file - "
+    # Extract owner/repo/version
+    if [[ "$uses_line" =~ uses:\ ([^/]+)/([^@]+)@([^[:space:]]+) ]]; then
+        owner="${BASH_REMATCH[1]}"
+        repo="${BASH_REMATCH[2]}"
+        version="${BASH_REMATCH[3]}"
+        action="$owner/$repo"
+        echo -n "$owner/$repo: "
+    else
+        echo "Failed to parse line: $uses_line [FAIL]"
+        continue
+    fi
+
+    # Skip if already pinned to SHA
+    if [[ "$version" =~ ^[0-9a-f]{40}$ ]]; then
+        echo "SHA-1 pinned: $version [OK]"
+        continue
+    else
+        echo -n "Tag pinned: $version [WARNING], "
+    fi
+
+    api_url="https://api.github.com/repos/$owner/$repo/git/ref/tags/$version"
+
+    # Get full SHA
+    sha=$(curl -s "$api_url" | jq -r '.object.sha')
+    if [[ "$sha" == "null" || -z "$sha" ]]; then
+        echo "Could not resolve $action@$version [FAIL]"
+        continue
+    fi
+
+    echo "Replacing $version → $sha [OK]"
+
+    # Precise sed replacement: match 'uses:' literally and append comment
+    sed -i.bak "s|uses:\s*$action@$version|uses: $action@$sha # $version|g" "$file"
+done
