
Commit 4abebd2

authored
chore: pin action versions to latest release and fix semver comments (#127)
Ensures each `uses` block in a workflow or action in this repo:
- pins the sha of the latest release
- except setup-helm, which is pinned to 4.0.0 in most orgs
- includes a comment of the full sha tag next to the SHA
1 parent 4784cb7 commit 4abebd2


10 files changed

+22
-22
lines changed


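--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -76,7 +76,7 @@ jobs:
 
 steps:
 - name: Checkout Repository
-uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 with:
 ref: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.sha) || github.ref }}
 persist-credentials: false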

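--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -23,7 +23,7 @@ jobs:
 options: --cpus 1
 steps:
 - name: Clone Repository
-uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 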

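--- a/.github/workflows/diff-rendered-charts.yml
+++ b/.github/workflows/diff-rendered-charts.yml
@@ -17,7 +17,7 @@ jobs:
 charts: ${{ steps.find_changed_charts.outputs.changed_charts }}
 steps:
 - name: checkout repository
-uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 with:
 fetch-depth: '100'
 persist-credentials: true # We are using these credentials in later steps
@@ -37,14 +37,14 @@ jobs:
 strategy:
 matrix:
 chart: ${{ fromJSON(needs.get_changed_helm_charts.outputs.matrix_charts) }}
-ref:
+ref:
 - name: base
 sha: ${{ github.base_ref }}
 - name: head
 sha: ${{ github.head_ref }}
 steps:
 - name: checkout repository
-uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 with:
 persist-credentials: true # We are using these credentials in later steps
 ref: ${{ matrix.ref.sha }}
@@ -91,7 +91,7 @@ jobs:
 MATRIX_REF_NAME: ${{ matrix.ref.name }}
 
 - name: upload artifact
-uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
 with:
 name: "shared-${{ matrix.ref.name }}-${{ steps.render.outputs.sanitized_name }}"
 path: "shared"
@@ -106,7 +106,7 @@ jobs:
 uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f #v4.0.0
 
 - name: download artifacts
-uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
+uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
 with:
 pattern: shared-*
 merge-multiple: true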
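Review bot: Both `actions/checkout` steps in this file (new lines 20 and 47) move from v5 to v6.0.1 while keeping `persist-credentials: true` for "later steps", and checkout v6 changed where that token is kept: it is written to a separate file under `$RUNNER_TEMP` instead of directly into `.git/config`. Ordinary `git fetch`/`git push` on the runner should keep working, but a later step that reads the token out of `.git/config`, or that runs git from inside a container on an older runner, may not; those steps are outside these hunks, so this needs to be checked rather than assumed. The same major upgrade with `persist-credentials: true` appears in psa-checker.yml and validate-k8s-manifests.yml. I would extend the existing comment to record the check, e.g. `persist-credentials: true # used by later steps; verified against checkout v6 credential storage`.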

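--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -11,8 +11,8 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 with:
 persist-credentials: false
-- uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 #v6.1.0
+- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd #v3.0.1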

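--- a/.github/workflows/psa-checker.yml
+++ b/.github/workflows/psa-checker.yml
@@ -30,7 +30,7 @@ jobs:
 charts: ${{ steps.find_changed_charts.outputs.changed_charts }}
 steps:
 - name: checkout repository
-uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 with:
 fetch-depth: '100'
 persist-credentials: true # We are using these credentials in the next step
@@ -52,7 +52,7 @@ jobs:
 steps:
 # Download charts already rendered by validate action
 - name: download artifacts
-uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
+uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
 with:
 pattern: k8s-manifests-*
 merge-multiple: true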

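--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,13 +15,13 @@ jobs:
 
 steps:
 - name: checkout
-uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 with:
 fetch-depth: 0
 persist-credentials: false
 
 - name: setup node.js
-uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 #v6.2.0
 with:
 node-version: "lts/*"
 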
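Review bot: The `actions/setup-node` SHA on new line 24 is unchanged and only its comment moves from `# v6` to `#v6.2.0`, so nothing in the diff shows that this commit is the one the v6.2.0 tag points to; the old pin was recorded against a moving major tag. The same comment-only relabel is applied to `docker/setup-docker-action` (`#v4.7.0`) in docker-build/action.yml. Because the comment is what reviewers and update tooling read, each tag should be resolved to its commit before merge, ideally by a CI check that fails when the SHA and the comment disagree. As a style point, the new comments drop the space after `#`; `uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0` would match codeowners.yml and the usual YAML comment convention.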

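--- a/.github/workflows/validate-k8s-manifests.yml
+++ b/.github/workflows/validate-k8s-manifests.yml
@@ -31,7 +31,7 @@ jobs:
 charts: ${{ steps.find_changed_charts.outputs.changed_charts }}
 steps:
 - name: checkout repository
-uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 with:
 fetch-depth: '100'
 persist-credentials: true # We are using these credentials in later steps
@@ -53,7 +53,7 @@ jobs:
 chart: ${{ fromJSON(needs.get_changed_helm_charts.outputs.matrix_charts) }}
 steps:
 - name: checkout repository
-uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 with:
 persist-credentials: true # We are using these credentials in later steps
 
@@ -106,7 +106,7 @@ jobs:
 MATRIX_CHART: ${{ matrix.chart }}
 
 - name: upload artifact
-uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
 with:
 name: "k8s-manifests-${{ steps.render_head.outputs.sanitized_name }}"
 path: "shared"
@@ -135,7 +135,7 @@ jobs:
 sudo mv kubeconform /usr/local/bin/kubeconform
 
 - name: download artifacts
-uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
+uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
 with:
 pattern: k8s-manifests-*
 merge-multiple: true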

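--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -19,7 +19,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Clone Repository
-uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 with:
 persist-credentials: false
 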

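--- a/docker-build/action.yml
+++ b/docker-build/action.yml
@@ -62,7 +62,7 @@ runs:
 steps:
 - name: Set up Docker
 if: ${{ inputs.enable_attestations == 'true' }}
-uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 # v4
+uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 #v4.7.0
 with:
 daemon-config: |
 {
@@ -140,7 +140,7 @@ runs:
 
 - name: Docker meta
 id: meta
-uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0
+uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 #v5.10.0
 with:
 images: ${{ steps.set-images.outputs.images }}
 tags: ${{ steps.set-tags.outputs.tags }}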

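--- a/docker-push/action.yml
+++ b/docker-push/action.yml
@@ -30,14 +30,14 @@ runs:
 steps:
 - name: Authenticate to GCP
 id: gcp_auth
-uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 #v1
+uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 #v3
 with:
 workload_identity_provider: "projects/${{ inputs.workload_identity_pool_project_number }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions"
 service_account: "${{ inputs.service_account_name }}@${{ inputs.project_id }}.iam.gserviceaccount.com"
 token_format: access_token
 create_credentials_file: false
 - name: Log in to GAR
-uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
+uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 #v3.7.0
 with:
 registry: ${{ inputs.gar_location }}-docker.pkg.dev
 username: oauth2accesstoken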
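Review bot: The `google-github-actions/auth` pin on new line 33 is annotated `#v3`, a moving major tag, which goes against the commit's own rule of a full version comment and leaves no immutable release to check the SHA against. This step also jumps two major versions (v1 to v3) on the action that mints the GCP access token through workload identity federation, so the inputs kept below it (`token_format: access_token`, `create_credentials_file: false`) should be checked against the v2 and v3 release notes; nothing in the hunk shows that was done. I would write the comment with the exact release tag the SHA resolves to, e.g. `# v3.Y.Z` (placeholder, since the page does not give the tag).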
