
Commit 1454fef

Use commit SHA in GitHub Actions
1 parent 6be7c08 commit 1454fef

4 files changed

Lines changed: 29 additions & 21 deletions


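--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "daily"
+open-pull-requests-limit: 0
+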
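Review bot: `open-pull-requests-limit: 0` on the last configured line disables Dependabot version updates for the github-actions ecosystem, so the commit SHAs pinned elsewhere in this commit will not be refreshed by the bot and will silently drift behind upstream fixes. A small non-zero limit such as `open-pull-requests-limit: 5` keeps the pins current while still bounding PR noise. If disabling version updates is intentional (for example, relying on security-only updates, which I believe Dependabot may still raise for this ecosystem), a comment stating that, `# version updates disabled on purpose; pins are reviewed manually`, would stop the next reader from treating it as a mistake.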

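--- a/.github/workflows/auto-update.yml
+++ b/.github/workflows/auto-update.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
-uses: actions/checkout@v3
+uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
 - name: Fetch latest .NET versions
 run: |
@@ -117,20 +117,20 @@ jobs:
 - name: Generate GitHub App token
 if: env.update_needed == 'true'
 id: generate-token
-uses: tibdex/github-app-token@v2
+uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
 with:
 app_id: ${{ secrets.APP_ID }}
 private_key: ${{ secrets.APP_PRIVATE_KEY }}
 
 - name: Render PR template
 id: template
-uses: chuhlomin/render-template@v1
+uses: chuhlomin/render-template@a7c644e341797d050d1cb24332d83791b9a46dae # v1
 with:
 template: .github/pull_request_template.md
 
 - name: Create pull request
 if: env.update_needed == 'true'
-uses: peter-evans/create-pull-request@v7
+uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
 with:
 token: ${{ steps.generate-token.outputs.token }}
 branch: ${{ env.pull_request_branch }}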
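Review bot: The checkout step in the first hunk is pinned to the v3 SHA `f43a0e5ff2bd294095638e18286ca9a3d1956744` while build-scan-push.yml and nightly-scan.yml in this same commit pin checkout to the v4 SHA `34e114876b0b11c390a56381ad16ebd13914f8d5`; the release job in build-scan-push.yml (its line 168) also keeps the v3 pin. Pinning by SHA freezes the old major in place, so unless v3 is needed here the line should become `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` in both places, leaving one audited SHA per action across the repository. The jobs containing these steps begin and end outside the hunks.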

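--- a/.github/workflows/build-scan-push.yml
+++ b/.github/workflows/build-scan-push.yml
@@ -12,7 +12,7 @@ jobs:
 outputs:
 image: ${{ steps.set-var.outputs.image }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - id: set-var
 run: |
 echo 'image<<EOF' >> $GITHUB_OUTPUT
@@ -28,7 +28,7 @@ jobs:
 target: ["development", "production"]
 image: ${{fromJSON(needs.get-matrix-values.outputs.image)}}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - id: setEnv
 name: Set Job env vars
 run: |
@@ -56,7 +56,7 @@ jobs:
 echo "dockerTags=$DOCKERTAGS" >> $GITHUB_OUTPUT
 
 - name: Set up Docker
-uses: docker/setup-docker-action@v4
+uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 # v4
 with:
 daemon-config: |
 {
@@ -67,10 +67,10 @@ jobs:
 }
 
 - name: Set up QEMU
-uses: docker/setup-qemu-action@v3
+uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v3
+uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
 - name: Build the Docker image
 run: |
@@ -101,7 +101,7 @@ jobs:
 - name: Run Anchore Grype scan
 id: grype-scan
 if: ${{ matrix.target == 'production' }}
-uses: anchore/scan-action@v7
+uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7
 with:
 image: docker-archive:image-${{ matrix.image.netVersion }}.tar
 fail-build: true
@@ -111,7 +111,7 @@ jobs:
 - name: Run Aqua Trivy scan
 id: trivy-scan
 if: ${{ matrix.target == 'production' }}
-uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
 with:
 input: image-${{ matrix.image.netVersion }}.tar
 scan-type: image
@@ -124,14 +124,14 @@ jobs:
 
 - name: Upload Grype SARIF report
 if: ${{ steps.grype-scan.outcome == 'failure' && matrix.target == 'production' }}
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: grype-reports-dotnet-${{ matrix.image.netVersion }}
 path: ${{ steps.grype-scan.outputs.sarif }}
 
 - name: Upload Trivy SARIF report
 if: ${{ steps.trivy-scan.outcome == 'failure' && matrix.target == 'production' }}
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: trivy-reports-dotnet-${{ matrix.image.netVersion }}
 path: trivy-reports-dotnet-${{ matrix.image.netVersion }}
@@ -145,7 +145,7 @@ jobs:
 exit 1
 
 - name: Login to DockerHub
-uses: docker/login-action@v2
+uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
 if: github.ref == 'refs/heads/main'
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
@@ -165,7 +165,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: build-images
 steps:
-- uses: actions/checkout@v3
+- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
 - name: Create GitHub release
 if: github.ref == 'refs/heads/main'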
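Review bot: The trailing comments on the new pins record only a major tag (`# v4`, `# v3`, `# v7`), which is enough for Dependabot to track the pin but leaves a reviewer unable to confirm which release a SHA corresponds to without resolving it upstream. The Trivy step in the `@@ -111` hunk already shows the better form by naming the exact tag (`# 0.35.0`); the other pins should carry the exact release tag the SHA was taken from, e.g. `# v4.<minor>.<patch>` (placeholder, fill in the real tag), so that the SHA can be audited against that release in future reviews. This is a documentation point only; it applies to every `uses:` line changed in this file and in the other two workflows.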

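--- a/.github/workflows/nightly-scan.yml
+++ b/.github/workflows/nightly-scan.yml
@@ -11,7 +11,7 @@ jobs:
 outputs:
 image: ${{ steps.set-var.outputs.image }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - id: set-var
 run: |
 echo 'image<<EOF' >> $GITHUB_OUTPUT
@@ -26,14 +26,14 @@ jobs:
 matrix:
 image: ${{fromJSON(needs.get-matrix-values.outputs.image)}}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set job environment variables
 run: cat JOB.env >> $GITHUB_ENV
 
 - name: Run Anchore Grype scan
 id: grype-scan
-uses: anchore/scan-action@v6
+uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6
 with:
 image: defradigital/${{env.IMAGE_NAME}}:${{env.DEFRA_VERSION}}-dotnet${{matrix.image.netVersion}}
 fail-build: true
@@ -42,7 +42,7 @@ jobs:
 
 - name: Run Aqua Trivy scan
 id: trivy-scan
-uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
 with:
 image-ref: defradigital/${{env.IMAGE_NAME}}:${{env.DEFRA_VERSION}}-dotnet${{matrix.image.netVersion}}
 format: sarif
@@ -54,14 +54,14 @@ jobs:
 
 - name: Upload Grype SARIF report
 if: ${{ steps.grype-scan.outcome == 'failure' }}
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: grype-reports-dotnet-${{ matrix.image.netVersion }}
 path: ${{ steps.grype-scan.outputs.sarif }}
 
 - name: Upload Trivy SARIF report
 if: ${{ steps.trivy-scan.outcome == 'failure' }}
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: trivy-reports-dotnet-${{ matrix.image.netVersion }}
 path: trivy-reports-dotnet-${{ matrix.image.netVersion }}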
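Review bot: The Grype step in the `@@ -26` hunk pins `anchore/scan-action` to the v6 SHA `1638637db639e0ade3258b51db49a9a137574c3e`, whereas build-scan-push.yml in this same commit pins the v7 SHA `e1165082ffb1fe366ebaf02d8526e7c4989ea9d2`; the nightly scan and the build-time scan will therefore run different scanner majors against the same images, which can yield inconsistent findings and makes a regression in one hard to reproduce in the other. Unless staying on v6 here is deliberate, change the line to `uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7` so both workflows share one audited pin; if it is deliberate, a short comment on the line saying why would save the next reviewer the same question. The job containing this step begins before the hunk.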
