
Commit 7e1643c

chore(ci): pin all actions to hash, comment w/ver & rel link (#267)
1 parent 0bded16 commit 7e1643c


3 files changed

+38
-38
lines changed


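--- a/.github/workflows/ci-docker.yml
+++ b/.github/workflows/ci-docker.yml
@@ -16,25 +16,25 @@ jobs:
 build-amd64:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
 - name: qemu
-uses: docker/setup-qemu-action@v3
-- uses: docker/setup-buildx-action@v3
-- uses: actions/cache@v4
+uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 flavor: |
 latest=false
 suffix=-amd64
 - name: build
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: false
@@ -53,25 +53,25 @@ jobs:
 build-arm64:
 runs-on: ubuntu-24.04-arm
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
 - name: qemu
-uses: docker/setup-qemu-action@v3
-- uses: docker/setup-buildx-action@v3
-- uses: actions/cache@v4
+uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 flavor: |
 latest=false
 suffix=-arm64v8
 - name: build
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: false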
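Review bot: The `uses:` lines now pinned at new lines 19–23, 30 and 37 (and again at 56–74 in the build-arm64 hunk) will stay on these exact commits until someone edits them, and this commit adds no updater configuration. If the repository does not already have one, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` keeps the hashes moving so upstream security fixes are not missed. Nothing checks the trailing `# v4.2.2 https://…` comment, so whoever reviews a later bump should confirm that the hash is the commit behind the named tag in the upstream repository and not a commit from a fork. Both jobs start above the hunks, so the triggers and permissions of this workflow are not visible here.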

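--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -13,5 +13,5 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@v4
-- uses: webiny/[email protected]
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 https://github.com/webiny/action-conventional-commits/releases/tag/v1.3.0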
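Review bot: The checkout at new line 16 keeps the default credential persistence, so the job token is left in the workspace's git configuration while the third-party `webiny/action-conventional-commits` step at line 17 runs. Adding `with:` and `persist-credentials: false` under the checkout step removes that exposure. With `contents: read` at line 14 the token is low-privilege, so this is hardening rather than a fix for a known problem. The job header and trigger are above the hunk, so whether this workflow runs on pull requests from forks cannot be told from here.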

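--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -19,27 +19,27 @@ jobs:
 contents: read
 packages: write
 steps:
-- uses: actions/checkout@v4
-- uses: docker/setup-buildx-action@v3
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
 - name: Login to Docker Hub
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }} # uses token
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
-- uses: actions/cache@v4
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.DOCKER_IMAGE_NAME }}
@@ -55,7 +55,7 @@ jobs:
 # semver
 type=semver,pattern={{version}}
 - name: push
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: true
@@ -86,27 +86,27 @@ jobs:
 contents: read
 packages: write
 steps:
-- uses: actions/checkout@v4
-- uses: docker/setup-buildx-action@v3
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
 - name: Login to Docker Hub
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }} # uses token
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
-- uses: actions/cache@v4
+- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-buildx-
 - id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.DOCKER_IMAGE_NAME }}
@@ -122,7 +122,7 @@ jobs:
 # semver
 type=semver,pattern={{version}}
 - name: push
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
 with:
 context: .
 push: true
@@ -154,22 +154,22 @@ jobs:
 contents: read
 packages: write
 steps:
-- uses: actions/checkout@v4
-- uses: docker/setup-buildx-action@v3
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
+- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
 - name: Login to Docker Hub
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }} # uses token
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - id: meta-dockerhub
 name: Metadata - Docker Hub
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.DOCKER_IMAGE_NAME }}
 flavor: |
@@ -183,7 +183,7 @@ jobs:
 type=semver,pattern={{version}}
 - id: meta-dockerhub-tag
 name: Metadata - Docker Hub (Tags)
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.DOCKER_IMAGE_NAME }}
@@ -194,7 +194,7 @@ jobs:
 type=match,pattern=v(.*)-(.*),group=1
 - id: meta-ghcr
 name: Metadata - GHCR
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: ${{ env.GHCR_IMAGE_NAME }}
 flavor: |
@@ -208,7 +208,7 @@ jobs:
 type=semver,pattern={{version}}
 - id: meta-ghcr-tag
 name: Metadata - GHCR (Tags)
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
 with:
 images: |
 ${{ env.GHCR_IMAGE_NAME }}
@@ -278,7 +278,7 @@ jobs:
 # Update Docker Hub from README
 
 - name: Docker Hub Description
-uses: peter-evans/dockerhub-description@v4
+uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2 https://github.com/peter-evans/dockerhub-description/releases/tag/v4.0.2
 with:
 username: blinklabs
 password: ${{ secrets.DOCKER_PASSWORD }}
@@ -293,7 +293,7 @@ jobs:
 needs: [multi-arch-manifest]
 steps:
 - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
-- uses: actions/github-script@v7
+- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/releases/tag/v7.0.1
 if: startsWith(github.ref, 'refs/tags/')
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}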
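Review bot: The `actions/cache` steps at new lines 35 and 102 restore `/tmp/.buildx-cache` through the prefix in `restore-keys` inside jobs that hold `packages: write` and end in `push: true`, and ci-docker.yml saves under the same `${{ runner.os }}-${{ runner.arch }}-buildx-` prefix. Pinning the action fixes which cache code runs, not which cache content is restored, so layers saved by a CI run may be reused for a published image, depending on how the build step consumes the cache (its settings lie below the hunk). Consider giving the publish jobs their own prefix, e.g. `key: ${{ runner.os }}-${{ runner.arch }}-publish-buildx-${{ github.sha }}` with a matching `restore-keys`, or dropping the cache step from the release path. The jobs begin above each hunk, so their triggers are not visible here.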
