Merge pull request #338 from codefresh-io/cr-24608-sync-upstream-3.5.7

feat: sync upstream `v3.5.7`

Author: ATGardner

.github/workflows/changelog.yaml

@@ -5,6 +5,7 @@ on:
     tags:
       - v*
       - "!v0.0.0"
+
 permissions:
   contents: read
 
@@ -17,15 +18,15 @@ jobs:
       pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: main
           fetch-depth: 0
       - run: git fetch --prune --prune-tags
       - run: git tag -l 'v*'
       # avoid invoking `make` to reduce the risk of a Makefile bug failing this workflow
       - run: ./hack/changelog.sh > CHANGELOG.md
-      - uses: peter-evans/create-pull-request@v5
+      - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
         with:
           title: 'docs: updated CHANGELOG.md'
           commit-message: 'docs: updated CHANGELOG.md'

.github/workflows/ci-build.yaml

@@ -29,12 +29,12 @@ jobs:
       ui: ${{ steps.changed-files.outputs.ui_any_modified == 'true' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 50 # assume PRs are less than 50 commits
       - name: Get relevant files changed per group
         id: changed-files
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2
         with:
           files_yaml: |
             common: &common
@@ -57,6 +57,7 @@ jobs:
             e2e-tests:
               - *tests
               # plus manifests and SDKs that are used in E2E tests
+              - Dockerfile
               - manifests/**
               - sdks/**
             codegen:
@@ -73,6 +74,7 @@ jobs:
               - pkg/**
               - cmd/**
               - examples/** # examples are used within the fields lists
+              - manifests/** # a few of these are generated and committed
               # generation scripts
               - hack/cli/**
               - hack/jsonschema/**
@@ -88,6 +90,8 @@ jobs:
               - *tests
               # plus lint config
               - .golangci.yml
+              # all GH workflows / actions
+              - .github/workflows/**
               # docs files below
               - docs/**
               # generated files are covered by codegen
@@ -111,8 +115,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: "1.21"
           cache: true
@@ -122,33 +126,40 @@ jobs:
         if: github.ref == 'refs/heads/main'
         run: bash <(curl -s https://codecov.io/bash)
 
-  argoexec-image:
-    name: argoexec-image
+  argo-images:
+    name: argo-images
     # needs: [ lint ]
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - image: argoexec
+          - image: argocli
     steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-buildx-action@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
       - name: Build and export
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
         with:
           context: .
-          tags: quay.io/argoproj/argoexec:latest
-          outputs: type=docker,dest=/tmp/argoexec_image.tar
-          target: argoexec
+          tags: quay.io/argoproj/${{matrix.image}}:latest
+          outputs: type=docker,dest=/tmp/${{matrix.image}}_image.tar
+          target: ${{matrix.image}}
           cache-from: type=gha
           cache-to: type=gha,mode=max
       - name: Upload
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
-          name: argoexec
-          path: /tmp/argoexec_image.tar
+          name: ${{matrix.image}}_image.tar
+          path: /tmp/${{matrix.image}}_image.tar
           if-no-files-found: error
 
   e2e-tests:
     name: E2E Tests
-    needs: [ argoexec-image ]
+    needs: [ changed-files, argo-images ]
+    if: ${{ needs.changed-files.outputs.e2e-tests == 'true' }}
     runs-on: ubuntu-latest
     timeout-minutes: 30
     env:
@@ -190,21 +201,21 @@ jobs:
     steps:
       - name: Install socat (needed by Kubernetes v1.25)
         run: sudo apt-get -y install socat
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: "1.21"
           cache: true
       - name: Install Java for the SDK
         if: ${{matrix.test == 'test-java-sdk'}}
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
         with:
           java-version: '8'
           distribution: adopt
           cache: maven
       - name: Install Python for the SDK
         if: ${{matrix.test == 'test-python-sdk'}}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: '3.x'
           cache: pip
@@ -222,13 +233,16 @@ jobs:
           echo "  user:" >> $KUBECONFIG
           echo "    token: xxxxxx" >> $KUBECONFIG
           until kubectl cluster-info ; do sleep 10s ; done
-      - name: Download argoexec image
-        uses: actions/download-artifact@v4
+      - name: Download images
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
-          name: argoexec
+          pattern: '*_image.tar'
           path: /tmp
-      - name: Load argoexec image
-        run: docker load < /tmp/argoexec_image.tar
+      - name: Load images
+        run: |
+          set -eux
+          docker load < /tmp/argoexec_image.tar/argoexec_image.tar
+          docker load < /tmp/argocli_image.tar/argocli_image.tar
       - name: Set-up /etc/hosts
         run: |
           echo '127.0.0.1 dex'      | sudo tee -a /etc/hosts
@@ -295,8 +309,8 @@ jobs:
     env:
       GOPATH: /home/runner/go
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: "1.21"
           cache: true
@@ -331,15 +345,18 @@ jobs:
     env:
       GOPATH: /home/runner/go
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: "1.21"
           cache: true
       - run: make lint STATIC_FILES=false
       # if lint makes changes that are not in the PR, fail the build
       - name: Check if lint made changes not present in the PR
         run: git diff --exit-code
+      # lint GH Actions
+      - name: Ensure GH Actions are pinned to SHAs
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ba37328d4ea95eaf8b3bd6c6cef308f709a5f2ec # v3.0.3
 
   ui:
     name: UI
@@ -348,8 +365,8 @@ jobs:
     env:
       NODE_OPTIONS: --max-old-space-size=4096
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
           node-version: "20" # change in all GH Workflows
           cache: yarn

.github/workflows/default-branch-check.yaml

@@ -12,7 +12,7 @@ jobs:
     steps:
     - name: fail if base branch is not default branch
       if: ${{ github.event.pull_request.base.ref != github.event.repository.default_branch }}
-      uses: actions/github-script@v3
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
             core.setFailed("Base branch of the PR - ${{ github.event.pull_request.base.ref }} is not a default branch. Please reopen your PR to ${{ github.event.repository.default_branch }}")

.github/workflows/dependabot-reviewer.yml

@@ -9,13 +9,13 @@ jobs:
   review:
     if: ${{ github.actor == 'dependabot[bot]' && github.repository == 'argoproj/argo-workflows'}}
     permissions:
-      pull-requests: write
-      contents: write
+      pull-requests: write # for approving a PR
+      contents: write # for enabling auto-merge on a PR
     runs-on: ubuntu-latest
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/[email protected]
+        uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
       - name: Approve PR

.github/workflows/docs.yaml

@@ -13,38 +13,40 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for publishing the docs to GH Pages
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: 3.9
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: '1.21'
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
           node-version: "19"
       # Use the same make target both locally and on CI to make it easier to debug failures.
       - name: Build & Lint docs
         run: make docs
-      # If markdownlint fixes issues, files will be changed. If so, fail the build.
-      - name: Check if markdownlint --fix made changes
+      # If linters auto-fix issues, files will be changed. If so, fail the build.
+      - name: Check if linters made changes
         run: git diff --exit-code
       # Upload the site so reviewers see it.
       - name: Upload Docs Site
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: docs
           path: site
           if-no-files-found: error
       - name: Publish to GH Pages (when on main)
         if: github.repository == 'argoproj/argo-workflows' && github.ref == 'refs/heads/main'
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_branch: gh-pages

.github/workflows/pr.yaml

@@ -8,11 +8,14 @@ on:
       - reopened
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   title-check:
     runs-on: ubuntu-latest
     steps:
       - name: Check PR Title's semantic conformance
-        uses: amannn/action-semantic-pull-request@v5
+        uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}