Skip to content

Commit c60df4c

Browse files
overcookedpandaovercookedpanda
committed
chore(ci): pin all actions to hash, comment w/ver & rel link
Signed-off-by: Overcooked Panda <[email protected]>
1 parent c99f37c commit c60df4c

File tree

3 files changed

+38
-38
lines changed

3 files changed

+38
-38
lines changed

.github/workflows/ci-docker.yml

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -16,25 +16,25 @@ jobs:
1616
build-amd64:
1717
runs-on: ubuntu-latest
1818
steps:
19-
- uses: actions/checkout@v4
19+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
2020
- name: qemu
21-
uses: docker/setup-qemu-action@v3
22-
- uses: docker/setup-buildx-action@v3
23-
- uses: actions/cache@v4
21+
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
22+
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
23+
- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
2424
with:
2525
path: /tmp/.buildx-cache
2626
key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
2727
restore-keys: |
2828
${{ runner.os }}-${{ runner.arch }}-buildx-
2929
- id: meta
30-
uses: docker/metadata-action@v5
30+
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
3131
with:
3232
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
3333
flavor: |
3434
latest=false
3535
suffix=-amd64
3636
- name: build
37-
uses: docker/build-push-action@v6
37+
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
3838
with:
3939
context: .
4040
push: false
@@ -53,25 +53,25 @@ jobs:
5353
build-arm64:
5454
runs-on: ubuntu-24.04-arm
5555
steps:
56-
- uses: actions/checkout@v4
56+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
5757
- name: qemu
58-
uses: docker/setup-qemu-action@v3
59-
- uses: docker/setup-buildx-action@v3
60-
- uses: actions/cache@v4
58+
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
59+
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
60+
- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
6161
with:
6262
path: /tmp/.buildx-cache
6363
key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
6464
restore-keys: |
6565
${{ runner.os }}-${{ runner.arch }}-buildx-
6666
- id: meta
67-
uses: docker/metadata-action@v5
67+
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
6868
with:
6969
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
7070
flavor: |
7171
latest=false
7272
suffix=-arm64v8
7373
- name: build
74-
uses: docker/build-push-action@v6
74+
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
7575
with:
7676
context: .
7777
push: false

.github/workflows/conventional-commits.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,5 +13,5 @@ jobs:
1313
permissions:
1414
contents: read
1515
steps:
16-
- uses: actions/checkout@v4
17-
- uses: webiny/[email protected]
16+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
17+
- uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 https://github.com/webiny/action-conventional-commits/releases/tag/v1.3.0

.github/workflows/publish.yml

Lines changed: 24 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -19,27 +19,27 @@ jobs:
1919
contents: read
2020
packages: write
2121
steps:
22-
- uses: actions/checkout@v4
23-
- uses: docker/setup-buildx-action@v3
22+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
23+
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
2424
- name: Login to Docker Hub
25-
uses: docker/login-action@v3
25+
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
2626
with:
2727
username: blinklabs
2828
password: ${{ secrets.DOCKER_PASSWORD }} # uses token
2929
- name: Login to GHCR
30-
uses: docker/login-action@v3
30+
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
3131
with:
3232
registry: ghcr.io
3333
username: ${{ github.actor }}
3434
password: ${{ secrets.GITHUB_TOKEN }}
35-
- uses: actions/cache@v4
35+
- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
3636
with:
3737
path: /tmp/.buildx-cache
3838
key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
3939
restore-keys: |
4040
${{ runner.os }}-${{ runner.arch }}-buildx-
4141
- id: meta
42-
uses: docker/metadata-action@v5
42+
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
4343
with:
4444
images: |
4545
${{ env.DOCKER_IMAGE_NAME }}
@@ -53,7 +53,7 @@ jobs:
5353
# branch
5454
type=ref,event=branch
5555
- name: push
56-
uses: docker/build-push-action@v6
56+
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
5757
with:
5858
context: .
5959
push: true
@@ -84,27 +84,27 @@ jobs:
8484
contents: read
8585
packages: write
8686
steps:
87-
- uses: actions/checkout@v4
88-
- uses: docker/setup-buildx-action@v3
87+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
88+
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
8989
- name: Login to Docker Hub
90-
uses: docker/login-action@v3
90+
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
9191
with:
9292
username: blinklabs
9393
password: ${{ secrets.DOCKER_PASSWORD }} # uses token
9494
- name: Login to GHCR
95-
uses: docker/login-action@v3
95+
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
9696
with:
9797
registry: ghcr.io
9898
username: ${{ github.actor }}
9999
password: ${{ secrets.GITHUB_TOKEN }}
100-
- uses: actions/cache@v4
100+
- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 https://github.com/actions/cache/releases/tag/v4.2.3
101101
with:
102102
path: /tmp/.buildx-cache
103103
key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
104104
restore-keys: |
105105
${{ runner.os }}-${{ runner.arch }}-buildx-
106106
- id: meta
107-
uses: docker/metadata-action@v5
107+
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
108108
with:
109109
images: |
110110
${{ env.DOCKER_IMAGE_NAME }}
@@ -118,7 +118,7 @@ jobs:
118118
# branch
119119
type=ref,event=branch
120120
- name: push
121-
uses: docker/build-push-action@v6
121+
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
122122
with:
123123
context: .
124124
push: true
@@ -150,22 +150,22 @@ jobs:
150150
contents: read
151151
packages: write
152152
steps:
153-
- uses: actions/checkout@v4
154-
- uses: docker/setup-buildx-action@v3
153+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
154+
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 https://github.com/docker/setup-buildx-action/releases/tag/v3.11.1
155155
- name: Login to Docker Hub
156-
uses: docker/login-action@v3
156+
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
157157
with:
158158
username: blinklabs
159159
password: ${{ secrets.DOCKER_PASSWORD }} # uses token
160160
- name: Login to GHCR
161-
uses: docker/login-action@v3
161+
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
162162
with:
163163
registry: ghcr.io
164164
username: ${{ github.actor }}
165165
password: ${{ secrets.GITHUB_TOKEN }}
166166
- id: meta-dockerhub
167167
name: Metadata - Docker Hub
168-
uses: docker/metadata-action@v5
168+
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
169169
with:
170170
images: ${{ env.DOCKER_IMAGE_NAME }}
171171
flavor: |
@@ -177,7 +177,7 @@ jobs:
177177
type=ref,event=branch
178178
- id: meta-dockerhub-tag
179179
name: Metadata - Docker Hub (Tags)
180-
uses: docker/metadata-action@v5
180+
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
181181
with:
182182
images: |
183183
${{ env.DOCKER_IMAGE_NAME }}
@@ -188,7 +188,7 @@ jobs:
188188
type=match,pattern=v(.*),group=1
189189
- id: meta-ghcr
190190
name: Metadata - GHCR
191-
uses: docker/metadata-action@v5
191+
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
192192
with:
193193
images: ${{ env.GHCR_IMAGE_NAME }}
194194
flavor: |
@@ -200,7 +200,7 @@ jobs:
200200
type=ref,event=branch
201201
- id: meta-ghcr-tag
202202
name: Metadata - GHCR (Tags)
203-
uses: docker/metadata-action@v5
203+
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
204204
with:
205205
images: |
206206
${{ env.GHCR_IMAGE_NAME }}
@@ -270,7 +270,7 @@ jobs:
270270
# Update Docker Hub from README
271271

272272
- name: Docker Hub Description
273-
uses: peter-evans/dockerhub-description@v4
273+
uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2 https://github.com/peter-evans/dockerhub-description/releases/tag/v4.0.2
274274
with:
275275
username: blinklabs
276276
password: ${{ secrets.DOCKER_PASSWORD }}
@@ -285,7 +285,7 @@ jobs:
285285
needs: [multi-arch-manifest]
286286
steps:
287287
- run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
288-
- uses: actions/github-script@v7
288+
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/releases/tag/v7.0.1
289289
if: startsWith(github.ref, 'refs/tags/')
290290
with:
291291
github-token: ${{ secrets.GITHUB_TOKEN }}

0 commit comments

Comments
 (0)