From e7dca0aa5b84a96b60248aa103488e5f9d19a42b Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Fri, 8 Aug 2025 14:47:37 +0200 Subject: [PATCH] chore: use pinned dependencies for github-actions Signed-off-by: Matthieu MOREL --- .github/dependabot.yml | 4 +++ .github/workflows/ci.yml | 56 ++++++++++++++--------------- .github/workflows/docs-upstream.yml | 4 +-- .github/workflows/merge.yml | 20 +++++------ .github/workflows/stale.yml | 2 +- 5 files changed, 45 insertions(+), 41 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3810add71fc..25a56229fa0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,5 +1,9 @@ version: 2 updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly - package-ecosystem: gomod directory: / schedule: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d536ec517c1..6a099a3d1aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2 - name: Create matrix id: platforms @@ -53,10 +53,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # tag=v3.11.1 - name: Run run: | @@ -73,7 +73,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2 - name: Prepare run: | 
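Review bot: The new `github-actions` entry in `.github/dependabot.yml` has no `groups` rule, so each action pinned elsewhere in this patch will get its own weekly pull request. Each of those PRs swaps one 40-character SHA for another, and as far as the patch shows nothing checks the trailing version comment, so the reviewer has to confirm that the hash belongs to the named release. A `groups` mapping under this entry, with one group whose `patterns` list is `"*"`, would collect the updates into a single weekly PR and make that check easier to do carefully.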
@@ -83,13 +83,13 @@ jobs: MATRIX_PLATFORM: ${{ matrix.platform }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # tag=v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # tag=v3.11.1 - name: Build - uses: docker/bake-action@v6 + uses: docker/bake-action@37816e747588cb137173af99ab33873600c46ea8 # tag=v6.8.0 with: source: . targets: release @@ -114,7 +114,7 @@ jobs: tree -nh ./bin/release - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2 with: name: compose-${{ env.PLATFORM_PAIR }} path: ./bin/release @@ -125,10 +125,10 @@ jobs: steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # tag=v3.11.1 - name: Test - uses: docker/bake-action@v6 + uses: docker/bake-action@37816e747588cb137173af99ab33873600c46ea8 # tag=v6.8.0 with: targets: test set: | @@ -136,14 +136,14 @@ jobs: *.cache-to=type=gha,scope=test - name: Gather coverage data - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2 with: name: coverage-data-unit path: bin/coverage/unit/ if-no-files-found: error - name: Unit Test Summary - uses: test-summary/action@v2 + uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # tag=v2.4 with: paths: bin/coverage/unit/report.xml if: always() @@ -167,7 +167,7 @@ jobs: echo "MODE_ENGINE_PAIR=${mode}-${engine}" >> $GITHUB_ENV - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2 - name: Install Docker ${{ matrix.engine }} run: | 
@@ -181,7 +181,7 @@ jobs: run: docker --version - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # tag=v3.11.1 - name: Set up Docker Model run: | @@ -189,7 +189,7 @@ jobs: docker model version - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # tag=v5.5.0 with: go-version-file: 'go.mod' check-latest: true @@ -199,7 +199,7 @@ jobs: run: make example-provider - name: Build - uses: docker/bake-action@v6 + uses: docker/bake-action@37816e747588cb137173af99ab33873600c46ea8 # tag=v6.8.0 with: source: . targets: binary-with-coverage @@ -212,7 +212,7 @@ jobs: - name: Setup tmate session if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled }} - uses: mxschmitt/action-tmate@8b4e4ac71822ed7e0ad5fb3d1c33483e9e8fb270 # v3.11 + uses: mxschmitt/action-tmate@8b4e4ac71822ed7e0ad5fb3d1c33483e9e8fb270 # tag=v3.11 with: limit-access-to-actor: true github-token: ${{ secrets.GITHUB_TOKEN }} @@ -226,7 +226,7 @@ jobs: - name: Gather coverage data if: ${{ matrix.mode == 'plugin' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2 with: name: coverage-data-e2e-${{ env.MODE_ENGINE_PAIR }} path: bin/coverage/e2e/ @@ -240,7 +240,7 @@ jobs: make e2e-compose-standalone - name: e2e Test Summary - uses: test-summary/action@v2 + uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # tag=v2.4 with: paths: /tmp/report/report.xml if: always() 
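Review bot: In the `Setup tmate session` step of `.github/workflows/ci.yml` (hunk at -212,7), the `if:` guard reads `github.event.inputs.debug_enabled`, and values in `github.event.inputs` are strings, so the string `'false'` is still truthy. If `debug_enabled` is declared as a boolean input (the declaration is outside the hunk), every manual dispatch would open an interactive session on the runner, with `secrets.GITHUB_TOKEN` passed to the step. Reading the typed context instead, `if: ${{ github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}`, keeps the session off unless it was requested. The commit itself only changes the pin comment on this step.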
@@ -252,20 +252,20 @@ jobs: steps: # codecov won't process the report without the source code available - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: 'go.mod' check-latest: true - name: Download unit test coverage - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: coverage-data-unit path: coverage/unit merge-multiple: true - name: Download E2E test coverage - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: coverage-data-e2e-* path: coverage/e2e @@ -274,13 +274,13 @@ jobs: run: | go tool covdata textfmt -i=./coverage/unit,./coverage/e2e -o ./coverage.txt - name: Store coverage report in GitHub Actions - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: go-covdata-txt path: ./coverage.txt if-no-files-found: error - name: Upload coverage to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 with: files: ./coverage.txt @@ -294,10 +294,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Download artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: compose-* path: ./bin/release 
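Review bot: The pins added in the `.github/workflows/ci.yml` hunks at -252,20, -274,13 and -294,10 use the comment form `# v4.2.2`, while the rest of the patch writes `# tag=v4.2.2` and even rewrites the existing `# v3.11` and `# v1.10.0` comments to the `tag=` form. One format across all workflows keeps the pins greppable, and it avoids the chance that update tooling treats the two forms differently, which I have not verified. For example `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2`, and likewise for the `setup-go`, `download-artifact`, `upload-artifact` and `codecov-action` lines in these hunks.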
@@ -325,7 +325,7 @@ jobs: - name: GitHub Release if: startsWith(github.ref, 'refs/tags/v') - uses: ncipollo/release-action@58ae73b360456532aafd58ee170c045abbeaee37 # v1.10.0 + uses: ncipollo/release-action@58ae73b360456532aafd58ee170c045abbeaee37 # tag=v1.10.0 with: artifacts: ./bin/release/* generateReleaseNotes: true diff --git a/.github/workflows/docs-upstream.yml b/.github/workflows/docs-upstream.yml index 214c88381fd..474ec758809 100644 --- a/.github/workflows/docs-upstream.yml +++ b/.github/workflows/docs-upstream.yml @@ -34,10 +34,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2 - name: Upload reference YAML docs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2 with: name: docs-yaml path: docs/reference diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index cb1872a9d31..6cd66385195 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -31,9 +31,9 @@ jobs: env: GO111MODULE: "on" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2 - - uses: actions/setup-go@v5 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # tag=v5.5.0 with: go-version-file: go.mod cache: true @@ -81,7 +81,7 @@ jobs: steps: - name: Free disk space - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # tag=v1.3.1 with: android: true dotnet: true @@ -90,7 +90,7 @@ jobs: swap-storage: true - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2 - name: Login to DockerHub if: github.event_name != 'pull_request' 
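Review bot: The `Login to DockerHub` step in `.github/workflows/merge.yml` is not pinned by this patch as far as the diff shows: its `uses:` line sits between the hunk at -90,7 and the one at -100,14 and is not among the changed lines. That step receives `secrets.DOCKERPUBLICBOT_WRITE_PAT`, so it is the reference where a moved tag would matter most. Please confirm it already points at a full commit SHA, and if it does not, pin it the same way with a `# tag=` comment.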
@@ -100,14 +100,14 @@ jobs: password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # tag=v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # tag=v3.11.1 - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # tag=v5.8.0 with: images: | ${{ env.REPO_SLUG }} @@ -117,7 +117,7 @@ jobs: bake-target: meta-helper - name: Build and push image - uses: docker/bake-action@v6 + uses: docker/bake-action@37816e747588cb137173af99ab33873600c46ea8 # tag=v6.8.0 id: bake with: source: . @@ -139,7 +139,7 @@ jobs: - name: Generate Token id: generate_token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # tag=v1.12.0 with: app-id: ${{ vars.DOCKERDESKTOP_APP_ID }} private-key: ${{ secrets.DOCKERDESKTOP_APP_PRIVATEKEY }} @@ -148,7 +148,7 @@ jobs: ${{ secrets.DOCKERDESKTOP_REPO }} - name: Trigger Docker Desktop e2e with edge version - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # tag=v7.0.1 with: github-token: ${{ steps.generate_token.outputs.token }} script: | diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 2a747ee1c25..5863f13e3e5 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -19,7 +19,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # tag=v9.1.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: >