
Commit 40b6ba5

chore(ci): pin all actions to hash, comment w/ver & rel link
Signed-off-by: Overcooked Panda <[email protected]>
1 parent 261e5aa commit 40b6ba5


3 files changed

+38
-38
lines changed


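--- a/.github/workflows/ci-docker.yml
+++ b/.github/workflows/ci-docker.yml
@@ -16,25 +16,25 @@ jobs:
 build-amd64:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
 - name: qemu
-uses: docker/setup-qemu-action@v3
-- uses: docker/setup-buildx-action@v3
-- uses: actions/cache@v4
+uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 flavor: |
 latest=false
 suffix=-amd64
 - name: build
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: false
@@ -53,25 +53,25 @@ jobs:
 build-arm64:
 runs-on: ubuntu-24.04-arm
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
 - name: qemu
-uses: docker/setup-qemu-action@v3
-- uses: docker/setup-buildx-action@v3
-- uses: actions/cache@v4
+uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 flavor: |
 latest=false
 suffix=-arm64v8
 - name: build
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: false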
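Review bot: The container images that `docker/setup-qemu-action` and `docker/setup-buildx-action` pull at run time are still resolved by mutable tag, because neither step in `build-amd64` or `build-arm64` has a `with:` block; the hash pin covers only the action's own code. As far as I know the defaults are a `tonistiigi/binfmt` tag for QEMU and a `moby/buildkit` tag for the builder container, so confirm against each action's README. To extend the pin to what actually executes, consider `image: docker.io/tonistiigi/binfmt@sha256:<digest>` on the qemu step and `driver-opts: image=moby/buildkit@sha256:<digest>` on the buildx step, with digests taken from releases you have reviewed. The same gap applies to the `setup-buildx-action` steps in publish.yml, where the resulting images are pushed.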

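--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -13,5 +13,5 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@v4
-- uses: webiny/[email protected]
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 https://github.com/webiny/action-conventional-commits/releases/tag/v1.3.0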

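--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -19,27 +19,27 @@ jobs:
 contents: read
 packages: write
 steps:
-- uses: actions/checkout@v4
-- uses: docker/setup-buildx-action@v3
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
 - name: Login to Docker Hub
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }} # uses token
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
-- uses: actions/cache@v4
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.DOCKER_IMAGE_NAME }}
@@ -57,7 +57,7 @@ jobs:
 # semver
 type=semver,pattern={{version}}
 - name: push
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: true
@@ -88,27 +88,27 @@ jobs:
 contents: read
 packages: write
 steps:
-- uses: actions/checkout@v4
-- uses: docker/setup-buildx-action@v3
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
 - name: Login to Docker Hub
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }} # uses token
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
-- uses: actions/cache@v4
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.DOCKER_IMAGE_NAME }}
@@ -126,7 +126,7 @@ jobs:
 # semver
 type=semver,pattern={{version}}
 - name: push
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: true
@@ -158,22 +158,22 @@ jobs:
 contents: read
 packages: write
 steps:
-- uses: actions/checkout@v4
-- uses: docker/setup-buildx-action@v3
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
 - name: Login to Docker Hub
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }} # uses token
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - id: meta-dockerhub
 name: Metadata - Docker Hub
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.DOCKER_IMAGE_NAME }}
 flavor: |
@@ -189,7 +189,7 @@ jobs:
 type=semver,pattern={{version}}
 - id: meta-dockerhub-tag
 name: Metadata - Docker Hub (Tags)
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.DOCKER_IMAGE_NAME }}
@@ -200,7 +200,7 @@ jobs:
 type=match,pattern=v(.*)-(.*),group=1
 - id: meta-ghcr
 name: Metadata - GHCR
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.GHCR_IMAGE_NAME }}
 flavor: |
@@ -216,7 +216,7 @@ jobs:
 type=semver,pattern={{version}}
 - id: meta-ghcr-tag
 name: Metadata - GHCR (Tags)
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.GHCR_IMAGE_NAME }}
@@ -286,7 +286,7 @@ jobs:
 # Update Docker Hub from README
 
 - name: Docker Hub Description
-uses: peter-evans/dockerhub-description@v4
+uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2 https://github.com/peter-evans/dockerhub-description/releases/tag/v4.0.2
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }}
@@ -301,7 +301,7 @@ jobs:
 needs: [multi-arch-manifest]
 steps:
 - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
-- uses: actions/github-script@v7
+- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/releases/tag/v7.0.1
 if: startsWith(github.ref, 'refs/tags/')
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}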