
Commit af7a046

[8.16](backport #16297) ci: pin actions to specific commits (#16301)
* ci: pin actions to specific commits (#16297) replace mutable tag with commit hash to improve security and reproducibility (cherry picked from commit 43108a0) # Conflicts: # .github/workflows/benchmarks.yml # .github/workflows/ci.yml # .github/workflows/docs-build.yml # .github/workflows/docs-cleanup.yml # .github/workflows/functional-tests.yml # .github/workflows/mergify-labels-copier.yml # .github/workflows/pre-commit.yml # .github/workflows/run-major-release.yml # .github/workflows/smoke-tests-ess.yml # .github/workflows/smoke-tests-os.yml * Delete .github/workflows/run-major-release.yml * Delete .github/workflows/docs-build.yml * Delete .github/workflows/docs-cleanup.yml * Delete .github/workflows/functional-tests.yml * Delete .github/workflows/mergify-labels-copier.yml * Delete .github/workflows/pre-commit.yml * Update benchmarks.yml * Update ci.yml * Update benchmarks.yml * Update smoke-tests-os.yml * Update smoke-tests-ess.yml --------- Co-authored-by: kruskall <99559985+kruskall@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
1 parent aa898b2 commit af7a046

20 files changed

+81
-82
lines changed

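--- a/.github/workflows/add-to-docs-project.yml
+++ b/.github/workflows/add-to-docs-project.yml
@@ -22,7 +22,7 @@ jobs:
 "organization_projects": "write",
 "issues": "read"
 }
-- uses: octokit/graphql-action@v2.x
+- uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32 # v2.x
 id: add_to_project
 with:
 query: |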
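Review bot: The trailing comment on the pinned `octokit/graphql-action` line, `# v2.x`, names a moving ref rather than a release, so nothing in the file records which release commit 51bf543 corresponds to and the pin cannot be audited or refreshed from the comment alone. I would write the exact upstream tag there, as in `- uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32 # vX.Y.Z` (placeholder; take the real tag from the action's own repository). The same applies to the `# v1`, `# v3`, `# v4`, `# v5` and `# v7` comments in the other workflow files of this commit. The step's `with:` block continues past the end of the hunk.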

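--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -25,7 +25,7 @@ jobs:
 "organization_projects": "write",
 "issues": "read"
 }
-- uses: actions/add-to-project@v1.0.2
+- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
 with:
 project-url: https://github.com/orgs/elastic/projects/1286
 github-token: ${{ steps.get_token.outputs.token }}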

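--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -62,13 +62,13 @@ jobs:
 GOBENCH_USERNAME: ${{ secrets.GOBENCH_USERNAME }}
 GOBENCH_HOST: ${{ secrets.GOBENCH_HOST }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-- uses: actions/setup-go@v5
+- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
 with:
 go-version-file: 'go.mod'
 
-- uses: rlespinasse/github-slug-action@797d68864753cbceedc271349d402da4590e6302
+- uses: rlespinasse/github-slug-action@955b5ba4560860f8a633bd24190941f16016e42c # v5.1.0
 
 - name: Set up env
 run: |
@@ -92,10 +92,9 @@ jobs:
 username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
 password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
 
+- uses: elastic/oblt-actions/google/auth@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 
-- uses: elastic/oblt-actions/google/auth@v1
-
-- uses: elastic/oblt-actions/aws/auth@v1
+- uses: elastic/oblt-actions/aws/auth@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 role-duration-seconds: 18000 # 5 hours
 
@@ -105,7 +104,7 @@ jobs:
 secrets: |-
 EC_API_KEY:elastic-observability/elastic-cloud-observability-team-pro-api-key
 
-- uses: hashicorp/setup-terraform@v3
+- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
 with:
 terraform_version: 1.3.7
 terraform_wrapper: false
@@ -158,7 +157,7 @@ jobs:
 $PNG_REPORT_FILE
 
 - name: Upload PNG
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: kibana-png-report
 path: ${{ env.WORKING_DIRECTORY }}/${{ env.PNG_REPORT_FILE }}
@@ -174,7 +173,7 @@ jobs:
 echo "png_report_url=https://elastic-apm-server-benchmark-reports.s3.amazonaws.com/${DEST_NAME}" >> "$GITHUB_OUTPUT"
 
 - name: Upload benchmark result
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: benchmark-result
 path: ${{ env.WORKING_DIRECTORY }}/${{ env.BENCHMARK_RESULT }}
@@ -188,7 +187,7 @@ jobs:
 run: make cp-cpuprof
 
 - name: Upload CPU profile
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: cpu-profile
 path: ${{ env.WORKING_DIRECTORY }}/${{ env.BENCHMARK_CPU_OUT }}
@@ -210,7 +209,7 @@ jobs:
 # GitHub bot won't trigger any CI builds.
 # See https://github.com/peter-evans/create-pull-request/issues/48#issuecomment-537478081
 - name: Configure git user
-uses: elastic/oblt-actions/git/setup@v1
+uses: elastic/oblt-actions/git/setup@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 github-token: ${{ steps.get_token.outputs.token }}
 
@@ -248,7 +247,7 @@ jobs:
 
 # Notify failure to Slack only on schedule (nightly run)
 - if: failure() && github.event_name == 'schedule'
-uses: elastic/oblt-actions/slack/notify-result@v1
+uses: elastic/oblt-actions/slack/notify-result@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
 channel-id: "#apm-server"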
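Review bot: In the first hunk, `rlespinasse/github-slug-action` was already pinned to a commit (797d688…) and is moved to a different one, 955b5ba…, labelled `# v5.1.0`; that is a version change of a third-party action rather than a pin, and the commit description does not mention it. Before merging I would confirm that 955b5ba… is the commit the upstream `v5.1.0` tag points to in the action's own repository and not only in a fork of it. If the bump is intended, a line in the description saying so would make this backport easier to audit. The job's step list starts and ends outside the hunk.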

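--- a/.github/workflows/bump-elastic-stack.yml
+++ b/.github/workflows/bump-elastic-stack.yml
@@ -17,7 +17,7 @@ jobs:
 matrix: ${{ steps.generator.outputs.matrix }}
 steps:
 - id: generator
-uses: elastic/oblt-actions/elastic/active-branches@v1
+uses: elastic/oblt-actions/elastic/active-branches@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 
 bump-elastic-stack:
 runs-on: ubuntu-latest
@@ -26,7 +26,7 @@ jobs:
 fail-fast: false
 matrix: ${{ fromJson(needs.filter.outputs.matrix) }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: ${{ matrix.branch }}
 
@@ -42,15 +42,15 @@ jobs:
 "pull_requests": "write"
 }
 
-- uses: elastic/oblt-actions/updatecli/run@v1
+- uses: elastic/oblt-actions/updatecli/run@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 command: --experimental apply --config .ci/updatecli/bump-elastic-stack-snapshot.yml --values .ci/updatecli/values.d/scm.yml
 env:
 BRANCH: ${{ matrix.branch }}
 GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 
 - if: ${{ failure() }}
-uses: elastic/oblt-actions/slack/send@v1
+uses: elastic/oblt-actions/slack/send@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 channel-id: '#apm-server'
 message: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, @robots-ci please look what's going on <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>"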

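--- a/.github/workflows/bump-golang.yml
+++ b/.github/workflows/bump-golang.yml
@@ -19,10 +19,10 @@ jobs:
 steps:
 - id: generate
 name: Generate matrix
-uses: elastic/oblt-actions/elastic/active-branches@v1
+uses: elastic/oblt-actions/elastic/active-branches@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 exclude-branches: '7.17,main'
-- uses: actions/github-script@v7
+- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
 id: labels
 env:
 BRANCHES: ${{ steps.generate.outputs.branches }}
@@ -39,7 +39,7 @@ jobs:
 needs: [labels]
 steps:
 
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
 - name: Get token
 id: get_token
@@ -53,7 +53,7 @@ jobs:
 "pull_requests": "write"
 }
 
-- uses: elastic/oblt-actions/updatecli/run@v1
+- uses: elastic/oblt-actions/updatecli/run@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 command: --experimental apply --config .ci/updatecli/bump-golang.yml --values .ci/updatecli/values.d/scm.yml
 env:
@@ -64,11 +64,11 @@ jobs:
 bump-7:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: '7.17'
 
-- uses: elastic/oblt-actions/updatecli/run@v1
+- uses: elastic/oblt-actions/updatecli/run@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 command: --experimental apply --config .ci/updatecli/bump-golang.yml --values .ci/updatecli/values.d/scm.yml
 env:
@@ -82,11 +82,11 @@ jobs:
 if: always()
 steps:
 - id: check
-uses: elastic/oblt-actions/check-dependent-jobs@v1
+uses: elastic/oblt-actions/check-dependent-jobs@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 jobs: ${{ toJSON(needs) }}
 - if: ${{ steps.check.outputs.isSuccess == 'false' }}
-uses: elastic/oblt-actions/slack/send@v1
+uses: elastic/oblt-actions/slack/send@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
 channel-id: "#apm-server"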

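--- a/.github/workflows/check-docker-compose.yml
+++ b/.github/workflows/check-docker-compose.yml
@@ -17,7 +17,7 @@ jobs:
 matrix: ${{ steps.generator.outputs.matrix }}
 steps:
 - id: generator
-uses: elastic/oblt-actions/elastic/active-branches@v1
+uses: elastic/oblt-actions/elastic/active-branches@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 
 check-docker-compose:
 needs:
@@ -27,10 +27,10 @@ jobs:
 fail-fast: false
 matrix: ${{ fromJson(needs.filter.outputs.matrix) }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: ${{ matrix.branch }}
-- uses: actions/setup-go@v5
+- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
 with:
 go-version-file: go.mod
 cache: true
@@ -47,12 +47,12 @@ jobs:
 - check-docker-compose
 steps:
 - id: check
-uses: elastic/oblt-actions/check-dependent-jobs@v1
+uses: elastic/oblt-actions/check-dependent-jobs@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 jobs: ${{ toJSON(needs) }}
 - run: ${{ steps.check.outputs.isSuccess }}
 - if: failure()
-uses: elastic/oblt-actions/slack/notify-result@v1
+uses: elastic/oblt-actions/slack/notify-result@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
 channel-id: "#apm-server"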

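--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,8 +27,8 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-go@v5
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
 with:
 go-version-file: go.mod
 cache: true
@@ -46,8 +46,8 @@ jobs:
 os: ['macos-latest', 'ubuntu-latest', 'windows-latest']
 runs-on: ${{ matrix.os }}
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-go@v5
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
 with:
 go-version-file: go.mod
 cache: true
@@ -58,8 +58,8 @@ jobs:
 system-test:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-go@v5
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
 with:
 go-version-file: systemtest/go.mod
 cache: true
@@ -82,8 +82,8 @@ jobs:
 test-package:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-go@v5
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
 with:
 go-version-file: go.mod
 cache: false
@@ -98,8 +98,8 @@ jobs:
 env:
 GENERATE_WOLFI_IMAGES: true
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-go@v5
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
 with:
 go-version-file: go.mod
 cache: false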

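--- a/.github/workflows/microbenchmark.yml
+++ b/.github/workflows/microbenchmark.yml
@@ -22,7 +22,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: Run buildkite pipeline
-uses: elastic/oblt-actions/buildkite/run@v1.9.1
+uses: elastic/oblt-actions/buildkite/run@9a8ac45080b2f079246e2a0c665b551c6986b6c3 # v1.9.1
 with:
 token: ${{ secrets.BUILDKITE_TOKEN }}
 pipeline: apm-agent-microbenchmark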

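--- a/.github/workflows/prepare-release/action.yml
+++ b/.github/workflows/prepare-release/action.yml
@@ -32,7 +32,7 @@ runs:
 steps:
 - name: Send slack message when started
 id: slack-thread
-uses: elastic/oblt-actions/slack/send@v1
+uses: elastic/oblt-actions/slack/send@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 bot-token: ${{ inputs.slack-bot-token }}
 channel-id: ${{ env.SLACK_CHANNEL }}
@@ -89,7 +89,7 @@ runs:
 TAG: 'refs/tags/v${{ steps.generate.outputs.release-version }}'
 
 - if: failure()
-uses: elastic/oblt-actions/slack/send@v1
+uses: elastic/oblt-actions/slack/send@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 bot-token: ${{ inputs.slack-bot-token }}
 channel-id: ${{ env.SLACK_CHANNEL }}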

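--- a/.github/workflows/run-minor-release.yml
+++ b/.github/workflows/run-minor-release.yml
@@ -29,7 +29,7 @@ jobs:
 release-version: ${{ steps.prepare.outputs.release-version }}
 slack-thread: ${{ steps.prepare.outputs.slack-thread }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - id: prepare
 uses: ./.github/workflows/prepare-release
 with:
@@ -48,7 +48,7 @@ jobs:
 contents: write
 steps:
 
-- uses: elastic/oblt-actions/slack/send@v1.9.1
+- uses: elastic/oblt-actions/slack/send@9a8ac45080b2f079246e2a0c665b551c6986b6c3 # v1.9.1
 with:
 bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
 channel-id: ${{ env.SLACK_CHANNEL }}
@@ -69,7 +69,7 @@ jobs:
 "pull_requests": "write"
 }
 
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 # 0 indicates all history for all branches and tags.
 fetch-depth: 0
@@ -78,7 +78,7 @@ jobs:
 # GitHub bot won't trigger any CI builds.
 # See https://github.com/peter-evans/create-pull-request/issues/48#issuecomment-537478081
 - name: Configure git user
-uses: elastic/oblt-actions/git/setup@v1
+uses: elastic/oblt-actions/git/setup@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 github-token: ${{ steps.get_token.outputs.token }}
 
@@ -95,7 +95,7 @@ jobs:
 GH_TOKEN: ${{ steps.get_token.outputs.token }}
 
 - if: success()
-uses: elastic/oblt-actions/slack/send@v1.9.1
+uses: elastic/oblt-actions/slack/send@9a8ac45080b2f079246e2a0c665b551c6986b6c3 # v1.9.1
 with:
 bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
 channel-id: ${{ env.SLACK_CHANNEL }}
@@ -105,7 +105,7 @@ jobs:
 thread-timestamp: ${{ needs.prepare.outputs.slack-thread || '' }}
 
 - if: failure()
-uses: elastic/oblt-actions/slack/send@v1.9.1
+uses: elastic/oblt-actions/slack/send@9a8ac45080b2f079246e2a0c665b551c6986b6c3 # v1.9.1
 with:
 bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
 channel-id: ${{ env.SLACK_CHANNEL }}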
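Review bot: This workflow now references two different commits of `elastic/oblt-actions`: `slack/send` at 9a8ac45… (`# v1.9.1`) in three steps and `git/setup` at 31e93d1… (`# v1`), while `.github/workflows/prepare-release/action.yml`, which the first job calls, uses `slack/send` at 31e93d1…. Mixed pins of one repository mean two sets of action code to review and two SHAs to keep refreshed, and it is not visible from the page which of the two is newer. Unless the difference is deliberate, I would settle on a single commit for the whole repository, e.g. `uses: elastic/oblt-actions/slack/send@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1` in the three `slack/send` steps here, and likewise for `buildkite/run` in `microbenchmark.yml`.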
