ci(workflows): pin actions to full sha (#84)

* ci(workflows): pin actions to full sha

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

* ci(dependabot): add configuration for GitHub Actions updates

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

* fix: add missing steps to install oras

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

---------

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

Author: DariuszPorowski

.github/dependabot.yml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://www.schemastore.org/dependabot-2.0.json
+# See GitHub's documentation for more information on this file:
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
+---
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: ci
+      include: scope
+    groups:
+      all:
+        patterns:
+          - "*"

.github/workflows/devops-board.yaml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Sync issue to Azure DevOps work item
 
 on:
@@ -23,27 +25,31 @@ jobs:
       # Auth using Azure Service Principals was added as a part of v2.3
       # reference: https://github.com/danhellem/github-actions-issue-to-work-item/pull/143
       - name: Login to Azure
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ vars.AZURE_SP_DEVOPS_SYNC_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_SP_DEVOPS_SYNC_TENANT_ID }}
           allow-no-subscriptions: true
+
       - name: Get Azure DevOps token
         id: get_ado_token
         run:
           # The resource ID for Azure DevOps is always 499b84ac-1321-427f-aa17-267ca6975798
           # https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/service-principal-managed-identity
-          echo "ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)" >> $GITHUB_ENV
+          ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)
+          echo "::add-mask::$ADO_TOKEN"
+          echo "ADO_TOKEN=$ADO_TOKEN" >> $GITHUB_ENV
+
       - name: Sync issue to Azure DevOps
-        uses: danhellem/github-actions-issue-to-work-item@v2.3
+        uses: danhellem/github-actions-issue-to-work-item@8d0ead9b49a65aa66dac6949b1ff149d7ef8b4de # v2.5
         env:
           ado_token: ${{ env.ADO_TOKEN }}
-          github_token: '${{ secrets.GH_RAD_CI_BOT_PAT }}'
-          ado_organization: 'azure-octo'
-          ado_project: 'Incubations'
+          github_token: ${{ secrets.GH_RAD_CI_BOT_PAT }}
+          ado_organization: azure-octo
+          ado_project: Incubations
           ado_area_path: "Incubations\\Radius"
           ado_iteration_path: "Incubations\\Radius"
-          ado_new_state: 'New'
-          ado_active_state: 'Active'
-          ado_close_state: 'Closed'
-          ado_wit: 'GitHub Issue'
+          ado_new_state: New
+          ado_active_state: Active
+          ado_close_state: Closed
+          ado_wit: GitHub Issue

.github/workflows/publish-recipes.yaml

@@ -4,7 +4,7 @@
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#    
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
@@ -14,6 +14,8 @@
 # limitations under the License.
 # ------------------------------------------------------------
 
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Publish Recipes
 
 on:
@@ -39,29 +41,35 @@ jobs:
       contents: read
       packages: write
     steps:
-    - name: Check out repo
-      uses: actions/checkout@v3
-    - name: Parse release version and set environment variables
-      run: python ./.github/scripts/get_release_version.py
-    - name: Set up ORAS
-      uses: oras-project/setup-oras@v1
-      with:
-        version: '1.2.0'
-    - name: Verify ORAS installation
-      run: oras version
-    - name: Download rad CLI
-      run: |
-        echo "Downloading latest rad CLI"
-        wget -q "${{ env.RAD_CLI_URL }}" -O - | /bin/bash -s edge
-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@v2
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Publish Recipes to GHCR
-      # Uses REL_VERSION as the recipe version so PR builds result in a `pr-<pr number>` tag
-      run: ./.github/scripts/publish-recipes.sh radius-project dev/recipes ${{ env.REL_VERSION }}
+      - name: Check out repo
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Parse release version and set environment variables
+        run: python ./.github/scripts/get_release_version.py
+
+      - name: Set up ORAS
+        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
+        with:
+          version: "1.2.0"
+
+      - name: Verify ORAS installation
+        run: oras version
+
+      - name: Download rad CLI
+        run: |
+          echo "Downloading latest rad CLI"
+          wget -q "${{ env.RAD_CLI_URL }}" -O - | /bin/bash -s edge
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish Recipes to GHCR
+        # Uses REL_VERSION as the recipe version so PR builds result in a `pr-<pr number>` tag
+        run: ./.github/scripts/publish-recipes.sh radius-project dev/recipes ${{ env.REL_VERSION }}
 
   delete-dev:
     name: Delete GHCR recipes - Dev
@@ -72,55 +80,64 @@ jobs:
       contents: read
       packages: write
     steps:
-    - name: Check out repo
-      uses: actions/checkout@v3
-    - name: Parse release version and set environment variables
-      run: python ./.github/scripts/get_release_version.py
-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@v2
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Delete Recipes from GHCR
-      # Uses REL_VERSION as the recipe version so PR builds result in a `pr-<pr number>` tag
-      run: ./.github/scripts/delete-recipes.sh radius-project dev/recipes ${{ env.REL_VERSION }}
+      - name: Check out repo
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Parse release version and set environment variables
+        run: python ./.github/scripts/get_release_version.py
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Delete Recipes from GHCR
+        # Uses REL_VERSION as the recipe version so PR builds result in a `pr-<pr number>` tag
+        run: ./.github/scripts/delete-recipes.sh radius-project dev/recipes ${{ env.REL_VERSION }}
 
   # This is where we can add integration tests in the future
 
   publish-public:
     if: github.event_name != 'pull_request'
     name: Publish Recipes to GHCR - Public
     runs-on: ubuntu-latest
-    environment: 
+    environment:
       name: Public
     permissions:
       contents: read
       packages: write
     steps:
-    - name: Check out repo
-      uses: actions/checkout@v3
-    - name: Parse release version and set environment variables
-      run: python ./.github/scripts/get_release_version.py
-    - name: Set up ORAS
-      uses: oras-project/setup-oras@v1
-      with:
-        version: '1.2.0'
-    - name: Verify ORAS installation
-      run: oras version
-    - name: Download rad CLI
-      run: |
-        echo "Downloading latest rad CLI"
-        wget -q "${{ env.RAD_CLI_URL }}" -O - | /bin/bash -s edge
-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@v2
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Publish Recipes to GHCR
-      run: |
-        ./.github/scripts/publish-recipes.sh radius-project recipes ${{ env.REL_CHANNEL }}
-        if [ "${{ env.REL_TAG }}" != "${{ env.REL_CHANNEL }}" ]; then
-          ./.github/scripts/publish-recipes.sh radius-project recipes ${{ env.REL_TAG }}
-        fi
+      - name: Check out repo
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Parse release version and set environment variables
+        run: python ./.github/scripts/get_release_version.py
+
+      - name: Set up ORAS
+        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
+        with:
+          version: "1.2.0"
+
+      - name: Verify ORAS installation
+        run: oras version
+
+      - name: Download rad CLI
+        run: |
+          echo "Downloading latest rad CLI"
+          wget -q "${{ env.RAD_CLI_URL }}" -O - | /bin/bash -s edge
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish Recipes to GHCR
+        run: |
+          ./.github/scripts/publish-recipes.sh radius-project recipes ${{ env.REL_CHANNEL }}
+          if [ "${{ env.REL_TAG }}" != "${{ env.REL_CHANNEL }}" ]; then
+            ./.github/scripts/publish-recipes.sh radius-project recipes ${{ env.REL_TAG }}
+          fi

.github/workflows/test.yaml

@@ -1,13 +1,15 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Test Recipes
 
 on:
   workflow_dispatch:
-      inputs:
-        version:
-          description: 'Radius version number to use (e.g. 0.1.0, 0.1.0-rc1, edge). Defaults to edge.'
-          required: false
-          default: 'edge'
-          type: string
+    inputs:
+      version:
+        description: "Radius version number to use (e.g. 0.1.0, 0.1.0-rc1, edge). Defaults to edge."
+        required: false
+        default: "edge"
+        type: string
   push:
     branches:
       - v*.*
@@ -17,10 +19,12 @@ on:
       - ".github/workflows/**"
   pull_request:
     types: [opened, synchronize, reopened]
+
 env:
   RUN_IDENTIFIER: recipestest-${{ github.run_id }}-${{ github.run_attempt }}
   APP_NAME: local-dev-recipe-app
   APP_NAMESPACE: local-dev-recipe-app
+
 jobs:
   test:
     name: "Recipe tests"
@@ -31,21 +35,35 @@ jobs:
         run: |
           # Set output variables to be used in the other jobs
           echo "RUN_IDENTIFIER=${RUN_IDENTIFIER}" >> $GITHUB_OUTPUT
+
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: 16
+
       - name: Download k3d
         run: wget -q -O - https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
+
       - name: Create k3d cluster
         # Map localhost port 80 on the external load balancer, and disable traefik and the internal load balancer.
         run: k3d cluster create --agents 2 -p "80:80@loadbalancer" --k3s-arg "--disable=traefik@server:*" --k3s-arg "--disable=servicelb@server:*" --registry-create reciperegistry:51351
+
       - name: Install Dapr
         run: |
           helm repo add dapr https://dapr.github.io/helm-charts/
           helm install dapr dapr/dapr --version=1.12 --namespace dapr-system --create-namespace --wait
+
+      - name: Install ORAS
+        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
+        with:
+          version: "1.2.0"
+
+      - name: Verify ORAS installation
+        run: oras version
+
       - name: Download rad CLI
         run: |
           RADIUS_VERSION="${{ inputs.version }}"
@@ -54,6 +72,7 @@ jobs:
           fi
           chmod +x ./.github/scripts/install-radius.sh
           ./.github/scripts/install-radius.sh $RADIUS_VERSION
+
       - name: Publish Recipes
         run: |
           files_list=$(ls "local-dev" | grep '\.bicep$')
@@ -62,6 +81,7 @@ jobs:
             recipeName="${file%.*}"
             rad bicep publish --file local-dev/$file --target br:localhost:51351/recipes/local-dev/$recipeName:latest --plain-http
           done
+
       - name: Initialize default environment
         run: |
           rad install kubernetes --set rp.publicEndpointOverride=localhost
@@ -70,14 +90,17 @@ jobs:
           rad group switch default
           rad env create default
           rad env switch default
+
       - name: Deploy app
         id: deploy-app
         run: rad deploy ./tests/test-local-dev-recipes.bicep --parameters magpieimage="ghcr.io/radius-project/magpiego:latest" --parameters registry="reciperegistry:5000" --parameters version="latest"
+
       - name: Wait for all pods to be ready
         id: wait-for-pods
         run: |
           label="radapp.io/application=${APP_NAME}"
           kubectl rollout status deployment -l $label -n ${APP_NAMESPACE} --timeout=90s
+
       - name: Get Pod logs for failed tests
         id: get-pod-logs
         if: failure() && (steps.deploy-app.outcome == 'failure' || steps.wait-for-pods.outcome == 'failure')
@@ -93,8 +116,9 @@ jobs:
           echo "Pod logs saved to recipe-tests/pod-logs/local_dev_recipe_test_container_logs/"
           # Get kubernetes events and save to file
           kubectl get events -n ${APP_NAMESPACE} > recipe-tests/pod-logs/local_dev_recipe_test_container_logs/events.txt
+
       - name: Upload Pod logs for failed tests
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         if: failure() && steps.get-pod-logs.outcome == 'success'
         with:
           name: local_dev_recipe_test_container_logs-pod-logs