Merge pull request #257 from sigstore/fixed-tags-actions

loosebazooka · web-flow · commit c54ab9c2040c · 2022-12-21T08:17:14.000-05:00
clean up action references to use hashes
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -36,14 +36,14 @@ jobs:
     permissions:
       id-token: write
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # tag=v3.2.0
     - name: Set up JDK ${{ matrix.java-version }}
       uses: actions/setup-java@v3
       with:
         java-version: ${{ matrix.java-version }}
         distribution: 'temurin'
     - name: Setup Go environment
-      uses: actions/setup-go@v3.5.0
+      uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # tag=v3.5.0
       with:
         go-version: '1.19.x'
 
diff --git a/.github/workflows/gradle-wrapper-validation.yaml b/.github/workflows/gradle-wrapper-validation.yaml
@@ -6,5 +6,6 @@ jobs:
     name: "Validation"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # tag=v3.2.0
+      # allstar complains if we don't use tags here (https://github.com/ossf/scorecard/issues/2477)
       - uses: gradle/wrapper-validation-action@v1
diff --git a/.github/workflows/tag-and-build-release.yaml b/.github/workflows/tag-and-build-release.yaml
@@ -29,7 +29,7 @@ jobs:
       contents: write
     steps:
       - name: tag
-        uses: actions/github-script@v6
+        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # tag=v6.3.3
         with:
           script: |
             github.rest.git.createRef({
@@ -46,12 +46,12 @@ jobs:
       hashes: ${{ steps.hash.outputs.hashes }}
     steps:
       - name: checkout tag
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # tag=v3.2.0
         with:
           ref: "refs/tags/v${{ github.event.inputs.release_version }}"
 
       - name: Set up JDK 11
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # tag=v3.9.0
         with:
           java-version: 11
           distribution: 'temurin'
@@ -81,6 +81,7 @@ jobs:
       actions: read # To read the workflow path.
       id-token: write # To sign the provenance.
       contents: write # To add assets to a release.
+    # use tags here: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
     with:
       attestation-name: "sigstore-java-${{ github.event.inputs.release_version }}.attestation.intoto.jsonl"
@@ -93,17 +94,17 @@ jobs:
       contents: write
     steps:
       - name: Download attestation
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
         with:
           name: "${{ needs.provenance.outputs.attestation-name }}"
           path: ./release/
       - name: Download gradle release artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
         with:
           name: project-release-artifacts
           path: ./release/
       - name: Create draft release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v0.1.15
         with:
           tag_name: v${{ github.event.inputs.release_version }}
           body: See [CHANGELOG.md](https://github.com/$GITHUB_REPOSITORY/CHANGELOG.md) for more details.
