
Commit 922ab3b

chore(ci): pin all actions to hash, comment w/ver & rel link
Signed-off-by: Overcooked Panda <[email protected]>
1 parent 80977d2 commit 922ab3b


3 files changed

+38
-38
lines changed


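--- a/.github/workflows/ci-docker.yml
+++ b/.github/workflows/ci-docker.yml
@@ -16,25 +16,25 @@ jobs:
 build-amd64:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
 - name: qemu
-uses: docker/setup-qemu-action@v3
-- uses: docker/setup-buildx-action@v3
-- uses: actions/cache@v4
+uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 flavor: |
 latest=false
 suffix=-amd64
 - name: build
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: false
@@ -53,25 +53,25 @@ jobs:
 build-arm64:
 runs-on: ubuntu-24.04-arm
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
 - name: qemu
-uses: docker/setup-qemu-action@v3
-- uses: docker/setup-buildx-action@v3
-- uses: actions/cache@v4
+uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 flavor: |
 latest=false
 suffix=-arm64v8
 - name: build
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: false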
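Review bot: Nothing in these hunks lets a reader confirm that each 40-character hash is the commit the named release tag points to in the upstream repository, and the trailing `# v4.2.2 https://…` comments are hand-maintained text that the runner ignores. GitHub can resolve a `uses:` SHA from anywhere in a repository's fork network, so each pin should be checked once against the upstream tag; the same applies to the pins in conventional-commits.yml and publish.yml. The version is also written twice on every line, so an automated updater that rewrites the `# vX.Y.Z` part would probably leave the release URL stale; consider keeping only `# v4.2.2`, or adding a CI check that fails when comment and hash disagree. `runs-on: ubuntu-latest` in build-amd64 remains a floating reference, whereas build-arm64 already names `ubuntu-24.04-arm`.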

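--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -13,5 +13,5 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@v4
-- uses: webiny/[email protected]
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 https://github.com/webiny/action-conventional-commits/releases/tag/v1.3.0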

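--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -19,27 +19,27 @@ jobs:
 contents: read
 packages: write
 steps:
-- uses: actions/checkout@v4
-- uses: docker/setup-buildx-action@v3
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
 - name: Login to Docker Hub
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }} # uses token
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
-- uses: actions/cache@v4
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.DOCKER_IMAGE_NAME }}
@@ -57,7 +57,7 @@ jobs:
 # semver
 type=semver,pattern={{version}}
 - name: push
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: true
@@ -88,27 +88,27 @@ jobs:
 contents: read
 packages: write
 steps:
-- uses: actions/checkout@v4
-- uses: docker/setup-buildx-action@v3
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
 - name: Login to Docker Hub
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }} # uses token
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
-- uses: actions/cache@v4
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.DOCKER_IMAGE_NAME }}
@@ -124,7 +124,7 @@ jobs:
 # semver
 type=semver,pattern={{version}}
 - name: push
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: true
@@ -156,22 +156,22 @@ jobs:
 contents: read
 packages: write
 steps:
-- uses: actions/checkout@v4
-- uses: docker/setup-buildx-action@v3
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
 - name: Login to Docker Hub
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }} # uses token
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - id: meta-dockerhub
 name: Metadata - Docker Hub
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.DOCKER_IMAGE_NAME }}
 flavor: |
@@ -185,7 +185,7 @@ jobs:
 type=semver,pattern={{version}}
 - id: meta-dockerhub-tag
 name: Metadata - Docker Hub (Tags)
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.DOCKER_IMAGE_NAME }}
@@ -196,7 +196,7 @@ jobs:
 type=match,pattern=v(.*)-(.*),group=1
 - id: meta-ghcr
 name: Metadata - GHCR
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.GHCR_IMAGE_NAME }}
 flavor: |
@@ -210,7 +210,7 @@ jobs:
 type=semver,pattern={{version}}
 - id: meta-ghcr-tag
 name: Metadata - GHCR (Tags)
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.GHCR_IMAGE_NAME }}
@@ -265,7 +265,7 @@ jobs:
 # Update Docker Hub from README
 
 - name: Docker Hub Description
-uses: peter-evans/dockerhub-description@v4
+uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2 https://github.com/peter-evans/dockerhub-description/releases/tag/v4.0.2
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }}
@@ -280,7 +280,7 @@ jobs:
 needs: [multi-arch-manifest]
 steps:
 - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
-- uses: actions/github-script@v7
+- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/releases/tag/v7.0.1
 if: startsWith(github.ref, 'refs/tags/')
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}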
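Review bot: The `actions/cache` steps in the two jobs that hold `packages: write` and `secrets.DOCKER_PASSWORD` (hunks at old lines 19 and 88) still restore `/tmp/.buildx-cache` through the prefix fallback `${{ runner.os }}-${{ runner.arch }}-buildx-`, the same prefix ci-docker.yml saves under. The hash pins therefore fix the action code but not the cache content that may feed a `push: true` build. If the push step reads that directory (its cache options lie outside the hunks), giving the release jobs their own prefix, e.g. `key: ${{ runner.os }}-${{ runner.arch }}-buildx-publish-${{ github.sha }}` with a matching `restore-keys` entry, would keep layers written by CI runs out of published images. The job bodies begin and end outside these hunks, so the workflow triggers and the effective cache scope should be confirmed before changing the keys.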
