Skip to content

Commit 99c6370

Browse files
chore(ci): pin all actions to hash, comment w/ver & rel link (#362)
1 parent 8fd84a1 commit 99c6370

File tree

5 files changed

+27
-27
lines changed

5 files changed

+27
-27
lines changed

.github/workflows/ci-docker.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -15,18 +15,18 @@ jobs:
1515
docker:
1616
runs-on: ubuntu-latest
1717
steps:
18-
- uses: actions/checkout@v4
18+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
1919
with:
2020
fetch-depth: '0'
2121
- name: qemu
22-
uses: docker/setup-qemu-action@v3
23-
- uses: docker/setup-buildx-action@v3
22+
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
23+
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
2424
- id: meta
25-
uses: docker/metadata-action@v5
25+
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
2626
with:
2727
images: ${{ env.GHCR_IMAGE_NAME }}
2828
- name: build
29-
uses: docker/build-push-action@v6
29+
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
3030
with:
3131
context: .
3232
push: false

.github/workflows/conventional-commits.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,5 +13,5 @@ jobs:
1313
permissions:
1414
contents: read
1515
steps:
16-
- uses: actions/checkout@v4
17-
- uses: webiny/[email protected]
16+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
17+
- uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 https://github.com/webiny/action-conventional-commits/releases/tag/v1.3.0

.github/workflows/go-test.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -20,8 +20,8 @@ jobs:
2020
platform: [ubuntu-latest]
2121
runs-on: ${{ matrix.platform }}
2222
steps:
23-
- uses: actions/checkout@v4
24-
- uses: actions/setup-go@v5
23+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
24+
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 https://github.com/actions/setup-go/releases/tag/v5.5.0
2525
with:
2626
go-version: ${{ matrix.go-version }}
2727
- name: go-test

.github/workflows/golangci-lint.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -15,9 +15,9 @@ jobs:
1515
name: lint
1616
runs-on: ubuntu-latest
1717
steps:
18-
- uses: actions/checkout@v4
19-
- uses: actions/setup-go@v5
18+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
19+
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 https://github.com/actions/setup-go/releases/tag/v5.5.0
2020
with:
2121
go-version: 1.23.x
2222
- name: golangci-lint
23-
uses: golangci/golangci-lint-action@v8
23+
uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 https://github.com/golangci/golangci-lint-action/releases/tag/v8.0.0

.github/workflows/publish.yml

Lines changed: 15 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ jobs:
1717
RELEASE_ID: ${{ steps.create-release.outputs.result }}
1818
steps:
1919
- run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
20-
- uses: actions/github-script@v7
20+
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/releases/tag/v7.0.1
2121
id: create-release
2222
if: startsWith(github.ref, 'refs/tags/')
2323
with:
@@ -57,10 +57,10 @@ jobs:
5757
statuses: write
5858
steps:
5959
- run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
60-
- uses: actions/checkout@v4
60+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
6161
with:
6262
fetch-depth: '0'
63-
- uses: actions/setup-go@v5
63+
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 https://github.com/actions/setup-go/releases/tag/v5.5.0
6464
with:
6565
go-version: 1.23.x
6666
- name: Build binary
@@ -79,7 +79,7 @@ jobs:
7979
--data-binary @${_filename} \
8080
https://uploads.github.com/repos/${{ github.repository_owner }}/cdnsd/releases/${{ needs.create-draft-release.outputs.RELEASE_ID }}/assets?name=${_filename}
8181
- name: Attest binary
82-
uses: actions/attest-build-provenance@v2
82+
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 https://github.com/actions/attest-build-provenance/releases/tag/v2.4.0
8383
with:
8484
subject-path: 'cdnsd'
8585

@@ -96,26 +96,26 @@ jobs:
9696
statuses: write
9797
steps:
9898
- run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
99-
- uses: actions/checkout@v4
99+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
100100
with:
101101
fetch-depth: '0'
102102
- name: Set up QEMU
103-
uses: docker/setup-qemu-action@v3
103+
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
104104
- name: Set up Docker Buildx
105-
uses: docker/setup-buildx-action@v3
105+
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
106106
- name: Login to Docker Hub
107-
uses: docker/login-action@v3
107+
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
108108
with:
109109
username: blinklabs
110110
password: ${{ secrets.DOCKER_PASSWORD }} # uses token
111111
- name: Login to GHCR
112-
uses: docker/login-action@v3
112+
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
113113
with:
114114
username: ${{ github.repository_owner }}
115115
password: ${{ secrets.GITHUB_TOKEN }}
116116
registry: ghcr.io
117117
- id: meta
118-
uses: docker/metadata-action@v5
118+
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
119119
with:
120120
images: |
121121
blinklabs/cdnsd
@@ -128,28 +128,28 @@ jobs:
128128
# semver
129129
type=semver,pattern={{version}}
130130
- name: Build images
131-
uses: docker/build-push-action@v6
131+
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
132132
id: push
133133
with:
134134
outputs: "type=registry,push=true"
135135
platforms: linux/amd64,linux/arm64
136136
tags: ${{ steps.meta.outputs.tags }}
137137
labels: ${{ steps.meta.outputs.labels }}
138138
- name: Attest Docker Hub image
139-
uses: actions/attest-build-provenance@v2
139+
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 https://github.com/actions/attest-build-provenance/releases/tag/v2.4.0
140140
with:
141141
subject-name: index.docker.io/blinklabs/cdnsd
142142
subject-digest: ${{ steps.push.outputs.digest }}
143143
push-to-registry: true
144144
- name: Attest GHCR image
145-
uses: actions/attest-build-provenance@v2
145+
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 https://github.com/actions/attest-build-provenance/releases/tag/v2.4.0
146146
with:
147147
subject-name: ghcr.io/${{ github.repository }}
148148
subject-digest: ${{ steps.push.outputs.digest }}
149149
push-to-registry: true
150150
# Update Docker Hub from README
151151
- name: Docker Hub Description
152-
uses: peter-evans/dockerhub-description@v4
152+
uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2 https://github.com/peter-evans/dockerhub-description/releases/tag/v4.0.2
153153
with:
154154
username: blinklabs
155155
password: ${{ secrets.DOCKER_PASSWORD }}
@@ -163,7 +163,7 @@ jobs:
163163
contents: write
164164
needs: [create-draft-release, build-binaries, build-images]
165165
steps:
166-
- uses: actions/github-script@v7
166+
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/releases/tag/v7.0.1
167167
if: startsWith(github.ref, 'refs/tags/')
168168
with:
169169
github-token: ${{ secrets.GITHUB_TOKEN }}

0 commit comments

Comments
 (0)