diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 6d8ed403d4..65e2aca80f 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -13,11 +13,11 @@ jobs: name: Run OpenTelemetry-cpp benchmarks runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Mount Bazel Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 env: cache-name: bazel_cache with: @@ -35,7 +35,7 @@ jobs: mv api-benchmark_result.json benchmarks mv sdk-benchmark_result.json benchmarks mv exporters-benchmark_result.json benchmarks - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: benchmark_results path: benchmarks @@ -47,8 +47,8 @@ jobs: name: Store benchmark result runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/download-artifact@master + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/download-artifact@2a5974104b6d5dbdb2f9468a3e54da3bdd241578 # master with: name: benchmark_results path: benchmarks @@ -57,7 +57,7 @@ jobs: run: | cat benchmarks/* - name: Push benchmark result - uses: benchmark-action/github-action-benchmark@v1 + uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7 # v1.20.4 with: name: OpenTelemetry-cpp ${{ matrix.components }} Benchmark tool: 'googlecpp' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 05d10e3213..bccd010dda 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,7 +13,7 @@ jobs: # name: CMake test arm64 (with modern protobuf,grpc and abseil) # runs-on: actuated-arm64-4cpu-16gb # steps: -# - uses: actions/checkout@v4 +# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # with: # submodules: 'recursive' # - name: setup @@ -37,7 +37,7 @@ jobs: env: CXX_STANDARD: '17' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -53,7 +53,7 @@ jobs: name: CMake gcc 14 (maintainer mode, sync) runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -90,7 +90,7 @@ jobs: name: CMake gcc 14 (maintainer mode, async) runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -127,7 +127,7 @@ jobs: name: CMake clang 18 (maintainer mode, sync) runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -164,7 +164,7 @@ jobs: name: CMake clang 18 (maintainer mode, async) runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -201,7 +201,7 @@ jobs: name: CMake clang 18 (maintainer mode, abiv2) runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -238,7 +238,7 @@ jobs: name: CMake msvc (maintainer mode) runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -252,7 +252,7 @@ jobs: name: CMake msvc (maintainer mode) with C++20 runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -268,7 +268,7 @@ jobs: name: CMake msvc (maintainer mode, abiv2) runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -284,7 +284,7 @@ jobs: name: CMake test (without otlp-exporter and with async export) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -306,7 +306,7 @@ jobs: name: CMake test (with opentracing-shim) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -321,7 +321,7 @@ jobs: name: CMake C++14 test(GCC) runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -338,7 +338,7 @@ jobs: name: CMake C++17 test(GCC) runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -355,7 +355,7 @@ jobs: name: CMake C++20 test(GCC) runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -376,7 +376,7 @@ jobs: name: CMake C++20 test(Clang with libc++) runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -407,7 +407,7 @@ jobs: name: CMake C++23 test(GCC) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -428,7 +428,7 @@ jobs: name: CMake C++23 test(Clang with libc++) runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -459,7 +459,7 @@ jobs: name: CMake test (with otlp-exporter) runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -485,7 +485,7 @@ jobs: name: CMake test (with modern protobuf,grpc and abseil) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -510,7 +510,7 @@ jobs: name: CMake do not install test (with otlp-exporter) runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -527,7 +527,7 @@ jobs: name: CMake test (build shared libraries with otlp-exporter and static gRPC) runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -544,7 +544,7 @@ jobs: name: Plugin -> CMake runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -565,11 +565,11 @@ jobs: name: Bazel runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Mount Bazel Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 env: cache-name: bazel_cache with: @@ -587,11 +587,11 @@ jobs: name: Bazel without bzlmod runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Mount Bazel Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 env: cache-name: bazel_cache with: @@ -609,11 +609,11 @@ jobs: name: Bazel with async export runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Mount Bazel Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 env: cache-name: bazel_cache with: @@ -631,11 +631,11 @@ jobs: name: Bazel valgrind runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Mount Bazel Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 env: cache-name: bazel_cache with: @@ -653,11 +653,11 @@ jobs: name: Bazel noexcept runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Mount Bazel Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 env: cache-name: bazel_cache with: @@ -675,11 +675,11 @@ jobs: name: Bazel nortti runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Mount Bazel Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 env: cache-name: bazel_cache with: @@ -697,11 +697,11 @@ jobs: name: Bazel asan config runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Mount Bazel Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 env: cache-name: bazel_cache with: @@ -719,11 +719,11 @@ jobs: name: Bazel tsan config runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Mount Bazel Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 env: cache-name: bazel_cache with: @@ -741,11 +741,11 @@ jobs: name: Bazel on MacOS runs-on: macos-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Mount Bazel Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 env: cache-name: bazel_cache with: @@ -758,11 +758,11 @@ jobs: name: Benchmark runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Mount Bazel Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 env: cache-name: bazel_cache with: @@ -777,7 +777,7 @@ jobs: env BENCHMARK_DIR=/benchmark ./ci/do_ci.sh benchmark - name: Upload benchmark results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: benchmark_reports path: /home/runner/benchmark @@ -786,7 +786,7 @@ jobs: name: Format runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: setup run: sudo apt remove needrestart && sudo ./ci/install_format_tools.sh #refer: https://github.com/actions/runner-images/issues/9937 - name: run tests @@ -796,7 +796,7 @@ jobs: name: Copyright runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: check copyright run: ./tools/check_copyright.sh @@ -804,7 +804,7 @@ jobs: name: CMake -> exporter proto runs-on: windows-2019 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -821,7 +821,7 @@ jobs: name: CMake -> exporter proto (Build as DLL) runs-on: windows-2019 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -840,7 +840,7 @@ jobs: name: CMake (With async export) -> exporter proto runs-on: windows-2019 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -857,7 +857,7 @@ jobs: name: Bazel Windows runs-on: windows-2019 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -870,7 +870,7 @@ jobs: name: Plugin -> CMake Windows runs-on: windows-2019 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -884,7 +884,7 @@ jobs: name: Code coverage runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -901,7 +901,7 @@ jobs: CXX: /usr/bin/g++-10 run: ./ci/do_ci.sh code.coverage - name: upload report - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0 with: files: /home/runner/build/coverage.info @@ -910,7 +910,7 @@ jobs: steps: - name: check out code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: install markdownlint-cli run: sudo npm install -g markdownlint-cli @@ -922,7 +922,7 @@ jobs: runs-on: ubuntu-latest steps: - name: check out code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: install shellcheck run: sudo apt install --assume-yes shellcheck - name: run shellcheck @@ -932,7 +932,7 @@ jobs: runs-on: ubuntu-latest steps: - name: check out code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: install misspell run: | curl -L -o ./install-misspell.sh https://git.io/misspell @@ -944,7 +944,7 @@ jobs: name: DocFX check runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: install docfx run: choco install docfx -y --version=2.58.5 - name: run ./ci/docfx.cmd @@ -956,7 +956,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout open-telemetry/opentelemetry-cpp - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: setup @@ -975,7 +975,7 @@ jobs: cd $HOME/build/ext/test/w3c_tracecontext_http_test_server ./w3c_tracecontext_http_test_server & - name: Checkout w3c/trace-context repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: w3c/trace-context path: trace-context diff --git a/.github/workflows/cmake_install.yml b/.github/workflows/cmake_install.yml index 15075bb90b..0ace3a9185 100644 --- a/.github/workflows/cmake_install.yml +++ b/.github/workflows/cmake_install.yml @@ -14,7 +14,7 @@ jobs: env: CXX_STANDARD: '17' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Build dependencies with vcpkg submodule @@ -32,7 +32,7 @@ jobs: env: CXX_STANDARD: '14' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Build dependencies with vcpkg submodule @@ -50,7 +50,7 @@ jobs: CXX_STANDARD: '17' BUILD_TYPE: 'Debug' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Install libcurl, zlib, nlohmann-json with apt @@ -79,7 +79,7 @@ jobs: CXX_STANDARD: '20' BUILD_TYPE: 'Debug' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Install gtest, libcurl, zlib, nlohmann-json with apt @@ -109,7 +109,7 @@ jobs: CXX_STANDARD: '17' BUILD_TYPE: 'Debug' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Install gtest, libcurl, zlib, nlohmann-json with apt @@ -143,7 +143,7 @@ jobs: CXX_STANDARD: '14' BUILD_TYPE: 'Debug' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Install gtest, libcurl, zlib, nlohmann-json with apt @@ -178,7 +178,7 @@ jobs: CMAKE_TOOLCHAIN_FILE: /home/runner/conan/build/Debug/generators/conan_toolchain.cmake BUILD_TYPE: 'Debug' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Install Conan @@ -214,7 +214,7 @@ jobs: CMAKE_TOOLCHAIN_FILE: /home/runner/conan/build/Debug/generators/conan_toolchain.cmake BUILD_TYPE: 'Debug' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Install Conan @@ -244,7 +244,7 @@ jobs: CMAKE_TOOLCHAIN_FILE: '/Users/runner/conan/build/Debug/generators/conan_toolchain.cmake' BUILD_TYPE: 'Debug' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Install Conan and tools @@ -266,7 +266,7 @@ jobs: CXX_STANDARD: '17' BUILD_TYPE: 'Debug' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Install Dependencies with Homebrew diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ebf367e4aa..80c49f8d79 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' - name: Remove Third_party Modules from Code Scan @@ -27,10 +27,10 @@ jobs: sudo -E ./ci/setup_googletest.sh sudo -E ./ci/setup_ci_environment.sh - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 with: languages: cpp - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 diff --git a/.github/workflows/cppcheck.yml b/.github/workflows/cppcheck.yml index 708f075c85..a1239c75a1 100644 --- a/.github/workflows/cppcheck.yml +++ b/.github/workflows/cppcheck.yml @@ -11,7 +11,7 @@ jobs: cppcheck: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: 'recursive' @@ -47,7 +47,7 @@ jobs: -j $(nproc) \ . 2>&1 | tee --append cppcheck.log - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: success() || failure() with: name: Logs (cppcheck) diff --git a/.github/workflows/dependencies_image.yml b/.github/workflows/dependencies_image.yml index 0c7bad843f..9e5043e91d 100644 --- a/.github/workflows/dependencies_image.yml +++ b/.github/workflows/dependencies_image.yml @@ -11,17 +11,17 @@ jobs: steps: - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 - name: Build Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0 with: builder: ${{ steps.buildx.outputs.name }} context: ci/ @@ -39,7 +39,7 @@ jobs: docker save -o /opt/otel-cpp-deps-debian.tar otel-cpp-deps - name: Upload Image - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: otel-cpp-deps path: /opt/otel-cpp-deps-debian.tar diff --git a/.github/workflows/iwyu.yml b/.github/workflows/iwyu.yml index db19cd80f3..a9954820a7 100644 --- a/.github/workflows/iwyu.yml +++ b/.github/workflows/iwyu.yml @@ -7,6 +7,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: iwyu: runs-on: ubuntu-latest diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 10064047a7..ea930e5942 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -19,6 +19,11 @@ jobs: # Needed for GitHub OIDC token if publish_results is true id-token: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/project_management_issue_open.yml b/.github/workflows/project_management_issue_open.yml index 28ee771ed1..c9291b1dcd 100644 --- a/.github/workflows/project_management_issue_open.yml +++ b/.github/workflows/project_management_issue_open.yml @@ -4,13 +4,16 @@ on: types: - reopened - opened +permissions: + contents: read + jobs: label_issues: runs-on: ubuntu-latest permissions: issues: write steps: - - uses: actions/github-script@v7 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | github.rest.issues.addLabels({ diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 8949173a42..931403638d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -3,11 +3,17 @@ on: schedule: - cron: "30 1 * * *" +permissions: + contents: read + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 with: stale-issue-message: "This issue was marked as stale due to lack of activity." days-before-issue-stale: 60