Skip to content

Commit 70bc140

Browse files
authored
fix: Pin all actions to the commits (#26)
* fix: Pin all actions to the commits * fix: Missing action
1 parent 1bbba90 commit 70bc140

10 files changed

Lines changed: 151 additions & 39 deletions

File tree

.github/workflows/reusable_go_checks.yml

Lines changed: 14 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -75,9 +75,9 @@ jobs:
7575
timeout-minutes: ${{ inputs.timeout-minutes }}
7676
steps:
7777
- name: Checkout
78-
uses: actions/checkout@v4
78+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
7979
- name: Setup Go
80-
uses: actions/setup-go@v5
80+
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
8181
with:
8282
go-version-file: ${{ inputs.go_version_file }}
8383
- name: Run Tidy
@@ -95,9 +95,9 @@ jobs:
9595
timeout-minutes: ${{ inputs.timeout-minutes }}
9696
steps:
9797
- name: Checkout
98-
uses: actions/checkout@v4
98+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
9999
- name: Setup Go
100-
uses: actions/setup-go@v5
100+
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
101101
with:
102102
go-version-file: ${{ inputs.go_version_file }}
103103
- name: Run goimports
@@ -111,9 +111,9 @@ jobs:
111111
timeout-minutes: ${{ inputs.timeout-minutes }}
112112
steps:
113113
- name: Checkout
114-
uses: actions/checkout@v4
114+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
115115
- name: Setup Go
116-
uses: actions/setup-go@v5
116+
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
117117
with:
118118
go-version-file: ${{ inputs.go_version_file }}
119119
- name: Run Staticcheck
@@ -131,13 +131,13 @@ jobs:
131131
timeout-minutes: ${{ inputs.timeout-minutes }}
132132
steps:
133133
- name: Checkout
134-
uses: actions/checkout@v4
134+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
135135
- name: Setup Go
136-
uses: actions/setup-go@v5
136+
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
137137
with:
138138
go-version-file: ${{ inputs.go_version_file }}
139139
- name: Security Scan
140-
uses: securego/gosec@v2.22.5
140+
uses: securego/gosec@223e19b8856e00f02cc67804499a83f77e208f3c
141141
with:
142142
args: ${{ inputs.gosec_args }}
143143
semgrep:
@@ -148,7 +148,7 @@ jobs:
148148
image: returntocorp/semgrep
149149
steps:
150150
- name: Checkout
151-
uses: actions/checkout@v4
151+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
152152
- name: semgrep scan
153153
run: ${{ inputs.semgrep_cmd }}
154154
unit_test:
@@ -157,11 +157,11 @@ jobs:
157157
timeout-minutes: ${{ inputs.timeout-minutes }}
158158
steps:
159159
- name: Checkout
160-
uses: actions/checkout@v4
160+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
161161
with:
162162
fetch-depth: 0
163163
- name: Setup Go
164-
uses: actions/setup-go@v5
164+
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
165165
with:
166166
go-version-file: ${{ inputs.go_version_file }}
167167
- name: Run tests
@@ -180,11 +180,11 @@ jobs:
180180
timeout-minutes: ${{ inputs.timeout-minutes }}
181181
steps:
182182
- name: Checkout
183-
uses: actions/checkout@v4
183+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
184184
with:
185185
fetch-depth: 0
186186
- name: Setup Go
187-
uses: actions/setup-go@v5
187+
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
188188
with:
189189
go-version-file: ${{ inputs.go_version_file }}
190190
- name: Run tests

.github/workflows/reusable_goreleaser.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -100,15 +100,15 @@ jobs:
100100
runs-on: ${{ inputs.runs_on }}
101101
steps:
102102
- name: Checkout
103-
uses: actions/checkout@v4
104-
- uses: google-github-actions/auth@v2
103+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
104+
- uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093
105105
with:
106106
token_format: "access_token"
107107
project_id: ${{ inputs.gcp_ar_project_id }}
108108
workload_identity_provider: ${{ inputs.gcp_ar_pusher_workload_identity_provider }}
109109
service_account: ${{ inputs.gcp_ar_pusher_service_account }}
110110
- name: Set up Cloud CLI
111-
uses: 'google-github-actions/setup-gcloud@v2'
111+
uses: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db'
112112
with:
113113
version: '>= 497.0.0'
114114
install_components: "beta"
@@ -118,9 +118,9 @@ jobs:
118118
# nosemgrep: yaml.github-actions.security.run-shell-injection.run-shell-injection
119119
run: 'gcloud --project ${{ inputs.gcp_ar_registry_cache_project_id }} auth configure-docker us-docker.pkg.dev'
120120
- name: Set up Docker Buildx
121-
uses: docker/setup-buildx-action@v3
121+
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
122122
- name: Build in Docker
123-
uses: docker/build-push-action@v6
123+
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
124124
if: ${{ !inputs.gcp_ar_registry_cache_enabled }}
125125
with:
126126
file: ${{ inputs.build_dockerfile }}
@@ -140,7 +140,7 @@ jobs:
140140
"gpg_key=${{ secrets.build_gpg_key }}"
141141
"gpg_passphrase=${{ secrets.build_gpg_passphrase }}"
142142
- name: Build in Docker with GCP AR cache
143-
uses: docker/build-push-action@v6
143+
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
144144
if: ${{ inputs.gcp_ar_registry_cache_enabled }}
145145
with:
146146
file: ${{ inputs.build_dockerfile }}

.github/workflows/reusable_pr_checks.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ jobs:
1717
timeout-minutes: ${{ inputs.timeout-minutes }}
1818
steps:
1919
- name: Checkout
20-
uses: actions/checkout@v5
20+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
2121
- name: Install commitlint
2222
run: npm install -D @commitlint/cli @commitlint/config-conventional
2323
- name: Validate PR commits with commitlint

.github/workflows/reusable_python_checks.yml

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -45,11 +45,11 @@ jobs:
4545
timeout-minutes: ${{ inputs.timeout-minutes }}
4646
steps:
4747
- name: Checkout repository
48-
uses: actions/checkout@v4
48+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
4949
- name: Install uv
50-
uses: astral-sh/setup-uv@v6
50+
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
5151
- name: Set up Python
52-
uses: actions/setup-python@v5
52+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
5353
with:
5454
python-version-file: "pyproject.toml"
5555
- name: Install the project
@@ -66,13 +66,13 @@ jobs:
6666
timeout-minutes: ${{ inputs.timeout-minutes }}
6767
steps:
6868
- name: Checkout repository
69-
uses: actions/checkout@v4
69+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
7070
with:
7171
fetch-depth: 0
7272
- name: Install uv
73-
uses: astral-sh/setup-uv@v6
73+
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
7474
- name: Set up Python
75-
uses: actions/setup-python@v5
75+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
7676
with:
7777
python-version-file: "pyproject.toml"
7878
- name: Install the project
@@ -83,7 +83,7 @@ jobs:
8383
run: ${{ inputs.unit_test_report_coverage_cmd }}
8484
- name: SonarCloud Scan
8585
if: ${{ inputs.sonarcloud_run }}
86-
uses: SonarSource/sonarqube-scan-action@v6
86+
uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9
8787
with:
8888
args: >
8989
-Dsonar.projectKey=${{ inputs.sonarcloud_project_key }}

.github/workflows/reusable_release_tag.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -40,12 +40,12 @@ jobs:
4040
version: ${{ steps.semver.outputs.version }}
4141
version_tag: ${{ steps.semver.outputs.version_tag }}
4242
steps:
43-
- uses: actions/checkout@v4
43+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
4444
with:
4545
fetch-depth: 0
4646
- name: Bump semver
4747
id: semver
48-
uses: paulhatch/semantic-version@v5.4.0
48+
uses: paulhatch/semantic-version@9f72830310d5ed81233b641ee59253644cd8a8fc
4949
with:
5050
tag_prefix: ${{ inputs.tag_prefix }}
5151
namespace: ${{ inputs.tag_suffix }}
Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
on:
2+
workflow_call:
3+
4+
jobs:
5+
renovate_config_validator:
6+
name: renovate config validator
7+
runs-on: ubuntu-latest
8+
container:
9+
image: renovate/renovate:latest
10+
options: --user root # root is needed for checkout to work
11+
steps:
12+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
13+
- name: Validate Renovate config
14+
run: renovate-config-validator --strict
Lines changed: 98 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,98 @@
1+
on:
2+
workflow_call:
3+
inputs:
4+
checks_enabled:
5+
type: string
6+
default: '["tf_fmt", "trivy_config_scan", "tflint", "terraform_docs"]'
7+
working_directory:
8+
type: string
9+
default: "./"
10+
description: Working directory for the checks to run in
11+
tf_fmt_args:
12+
type: string
13+
default: -recursive -check -diff
14+
description: Arguments to pass to "terraform fmt"
15+
trivy_skip_dirs:
16+
type: string
17+
default: ""
18+
description: Comma separated list of directories where traversal is skipped
19+
tflint_config:
20+
type: string
21+
default: ${GITHUB_WORKSPACE}/.tflint.hcl
22+
description: TFLint config file path
23+
tflint_args:
24+
type: string
25+
default: --recursive --color
26+
description: Arguments to pass to "tflint"
27+
28+
jobs:
29+
tf_fmt:
30+
name: run terraform fmt
31+
runs-on: ubuntu-latest
32+
if: ${{ contains(fromJson(inputs.checks_enabled), 'tf_fmt') }}
33+
steps:
34+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
35+
- name: Setup terraform
36+
uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
37+
- name: Run terraform fmt
38+
run: terraform fmt ${{ inputs.tf_fmt_args }} ${{ inputs.working_directory }}
39+
40+
trivy_config_scan:
41+
name: run trivy config scan
42+
runs-on: ubuntu-latest
43+
if: ${{ contains(fromJson(inputs.checks_enabled), 'trivy_config_scan') }}
44+
steps:
45+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
46+
- name: Run trivy config scan
47+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
48+
with:
49+
github-pat: ${{ secrets.GITHUB_TOKEN }}
50+
scan-type: config
51+
scan-ref: ${{ inputs.working_directory }}
52+
skip-dirs: ${{ inputs.trivy_skip_dirs }}
53+
exit-code: '1'
54+
format: table
55+
56+
tflint:
57+
name: run tflint
58+
runs-on: ubuntu-latest
59+
if: ${{ contains(fromJson(inputs.checks_enabled), 'tflint') }}
60+
steps:
61+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
62+
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
63+
name: Cache plugin dir
64+
with:
65+
path: ~/.tflint.d/plugins
66+
key: tflint-${{ hashFiles('.tflint.hcl') }}
67+
- uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93
68+
name: Setup TFLint
69+
with:
70+
tflint_version: latest
71+
- name: Init TFLint
72+
run: tflint --init -c ${{ inputs.tflint_config }}
73+
- name: Run TFLint
74+
run: tflint -c ${{ inputs.tflint_config }} ${{ inputs.tflint_args }}
75+
76+
terraform_docs:
77+
name: run terraform-docs
78+
runs-on: ubuntu-latest
79+
if: ${{ contains(fromJson(inputs.checks_enabled), 'terraform_docs') }}
80+
steps:
81+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
82+
with:
83+
fetch-depth: 0
84+
- name: Validate terraform docs are present and valid
85+
uses: terraform-docs/gh-actions@6de6da0cefcc6b4b7a5cbea4d79d97060733093c
86+
with:
87+
find-dir: ${{ inputs.working_directory }}
88+
fail-on-diff: true
89+
- name: List README.md diff files
90+
if: ${{ failure() }}
91+
run: |
92+
git status
93+
echo "## run terraform-docs failure" >> $GITHUB_STEP_SUMMARY
94+
echo "### Newly generated or changed README.md files" >> $GITHUB_STEP_SUMMARY
95+
echo "There should be no new files generated by terraform-docs" >> $GITHUB_STEP_SUMMARY
96+
echo '```' >> $GITHUB_STEP_SUMMARY
97+
git status >> $GITHUB_STEP_SUMMARY
98+
echo '```' >> $GITHUB_STEP_SUMMARY

actions/docker-build-push/README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ CI:
2525
}
2626
steps:
2727
- name: Checkout
28-
uses: actions/checkout@v5
28+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
2929
- name: Build docker image
3030
uses: elastiflow/gha-reusable/actions/docker-build-push@v0
3131
with:
@@ -64,7 +64,7 @@ Release:
6464
}
6565
steps:
6666
- name: Checkout
67-
uses: actions/checkout@v5
67+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
6868
- name: Build docker image
6969
uses: elastiflow/gha-reusable/actions/docker-build-push@v0
7070
with:

actions/docker-build-push/action.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -48,23 +48,23 @@ runs:
4848
using: "composite"
4949
steps:
5050
- name: Set up Docker Buildx
51-
uses: docker/setup-buildx-action@v3
51+
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
5252
- name: Log in to the Container registry
5353
if: ${{ fromJson(inputs.push) }}
54-
uses: docker/login-action@v3
54+
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
5555
with:
5656
registry: ${{ inputs.registry }}
5757
username: ${{ inputs.registry_username }}
5858
password: ${{ inputs.registry_password }}
5959
- name: Extract metadata (tags, labels) for Docker
6060
id: meta
6161
if: ${{ fromJson(inputs.push) }}
62-
uses: docker/metadata-action@v5
62+
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
6363
with:
6464
images: ${{ inputs.registry }}/${{ inputs.image }}
6565
- name: Build and push Docker image
6666
id: push
67-
uses: docker/build-push-action@v6
67+
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
6868
with:
6969
file: ${{ inputs.dockerfile }}
7070
platforms: ${{ inputs.platforms }}
@@ -79,7 +79,7 @@ runs:
7979
push: ${{ fromJson(inputs.push) }}
8080
labels: ${{ steps.meta.outputs.labels }}
8181
- name: Generate artifact attestation
82-
uses: actions/attest-build-provenance@v3
82+
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32
8383
if: ${{ fromJson(inputs.push) }}
8484
with:
8585
subject-name: ${{ inputs.registry }}/${{ inputs.image}}

actions/prepare-release/README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Overview
22

3-
`prepare-release` is the opinionated way to generate [semver](https://semver.org/) version number and changelog using [git-cliff](https://git-cliff.org/docs/).
3+
`prepare-release` is the opinionated way to generate [semver](https://semver.org/) version number and changelog using [git-cliff](https://git-cliff.org/docs/).
44
Action supports:
55

66
- Generate and update the Changelog
@@ -22,7 +22,7 @@ It is expected this action to be used with other actions to perform tag and rele
2222
contents: write
2323
steps:
2424
- name: Checkout
25-
uses: actions/checkout@v5
25+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
2626
with:
2727
fetch-depth: 0 # Required, git-cliff uses the local git repo to read through tags and commits
2828
- name: Prepare Release

0 commit comments

Comments
 (0)