From ea67d11c79fed2666e04c7833b702450f8967f62 Mon Sep 17 00:00:00 2001 From: Rohan K Date: Tue, 24 Mar 2026 13:14:05 +0530 Subject: [PATCH] ci: pin GitHub Actions to commit SHAs for supply chain security Replace mutable tag references with immutable commit SHAs across workflow files. Original tags are preserved as inline comments. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/build-ddn-workspace.yaml | 10 +++---- .github/workflows/ddn-workspace-testing.yaml | 26 +++++++++---------- .github/workflows/go-tests.yaml | 4 +-- .github/workflows/pr-scan.yaml | 6 ++--- .github/workflows/registry-e2e-tests.yaml | 10 +++---- .github/workflows/registry-updates-prod.yaml | 6 ++--- .github/workflows/registry-updates.yaml | 6 ++--- .../validate-connector-metadata-schema.yml | 4 +-- .github/workflows/validate.yaml | 4 +-- 9 files changed, 38 insertions(+), 38 deletions(-) diff --git a/.github/workflows/build-ddn-workspace.yaml b/.github/workflows/build-ddn-workspace.yaml index 26f8cfc98..45cd35cea 100644 --- a/.github/workflows/build-ddn-workspace.yaml +++ b/.github/workflows/build-ddn-workspace.yaml @@ -28,14 +28,14 @@ jobs: connector_matrix: ${{ steps.check-changes.outputs.connector_matrix }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: # Fetch more history for PR events to detect changes fetch-depth: ${{ github.event_name == 'pull_request' && 0 || 1 }} - name: Get all connector version package changes id: connector-version-changed-files - uses: tj-actions/changed-files@v46.0.1 + uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1 with: json: true escape_json: false 
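Review bot: The trailing comments on the new `uses:` lines record only the floating tag that was replaced (`# v4`, `# v46.0.1`), so a reader cannot tell which release the SHA actually resolves to without querying the upstream repository, and Dependabot/Renovate rely on that comment to propose bumps for SHA-pinned actions. Recording the exact release the SHA was taken from, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch>` (placeholder; fill in the tag the SHA resolves to), keeps the pin auditable. Each SHA should also be confirmed against the upstream tag at pin time rather than copied from a third-party list, since a pin to the wrong commit is silently permanent; this matters most for tj-actions/changed-files, whose release tags have been retroactively rewritten upstream in the past. The same comment convention applies to every hunk in this commit.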
@@ -174,12 +174,12 @@ jobs: if: needs.detect-connector-changes.outputs.should_build == 'true' steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Setup gcloud env: @@ -299,7 +299,7 @@ jobs: - name: Send Slack notification if: success() - uses: 8398a7/action-slack@v3 + uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3 with: status: success channel: '#ddn-workspace-releases' diff --git a/.github/workflows/ddn-workspace-testing.yaml b/.github/workflows/ddn-workspace-testing.yaml index 9df728b2e..f818110b8 100644 --- a/.github/workflows/ddn-workspace-testing.yaml +++ b/.github/workflows/ddn-workspace-testing.yaml @@ -22,13 +22,13 @@ jobs: matrix: ${{ steps.connector-matrix.outputs.matrix }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 1 - name: Get all connector version package changes id: connector-version-changed-files - uses: tj-actions/changed-files@v46.0.1 + uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1 with: json: true escape_json: false @@ -45,7 +45,7 @@ jobs: cat changed_files.json - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 with: go-version: 1.21.x @@ -169,7 +169,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: fetch_depth: 1 
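Review bot: `fetch_depth: 1` under the re-pinned checkout step in the @@ -169 hunk is not an input actions/checkout defines; the input is `fetch-depth`, so the key is ignored (the runner logs an unexpected-input warning) and the clone uses the action's default depth, which happens to be 1 but is not what the file expresses. build-ddn-workspace.yaml in this same commit uses the correct spelling, so the fix is `fetch-depth: 1`. The same misspelling appears in the @@ -512 hunk of this file and in the checkout steps of pr-scan.yaml, registry-e2e-tests.yaml (both hunks) and registry-updates-prod.yaml. Separately, this hunk freezes actions/checkout at a v2 commit, a major that runs on a runtime GitHub has deprecated; since the commit already pins a v4 SHA in build-ddn-workspace.yaml, the same SHA could be used here. The step's `with:` block is the last thing the hunk shows; the job it belongs to starts above it.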
@@ -490,14 +490,14 @@ jobs: fi - name: Upload DDN Workspace image - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: ddn-workspace-image path: ddn-workspace.tar.gz retention-days: 1 - name: Upload connector-versions.json - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: connector-versions path: connector-versions.json @@ -512,7 +512,7 @@ jobs: SECRETS_JSON: ${{ toJson(secrets) }} steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: fetch_depth: 1 @@ -539,7 +539,7 @@ jobs: fi - name: Install bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 with: bun-version: 1.2.4 @@ -548,7 +548,7 @@ jobs: run: bun install - name: Download connector-versions.json - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: connector-versions @@ -567,7 +567,7 @@ jobs: fi - name: Download DDN Workspace image - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: ddn-workspace-image @@ -657,7 +657,7 @@ jobs: echo "🎉 All DDN workspace tests completed successfully!" - name: Run Trivy vulnerability scanner (json output) - uses: aquasecurity/trivy-action@0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: image-ref: "ddn-workspace:test" format: json @@ -665,7 +665,7 @@ jobs: scanners: vuln - name: Upload Trivy scan results to PromptQL Security Agent - uses: hasura/security-agent-tools/upload-file@v1 + uses: hasura/security-agent-tools/upload-file@f16c24be07f6cc89535b6fcdab29e15b1ee799b0 # v1 with: file_path: trivy-results.json security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }} 
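Review bot: The `SECRETS_JSON: ${{ toJson(secrets) }}` context line in the @@ -512 hunk serializes every secret available to the workflow into a single environment variable, so the third-party actions pinned in the later hunks of this file (setup-bun, download-artifact, trivy-action, upload-file), which appear to belong to the same job, run with the complete secret set in their process environment; that is exactly the exposure the SHA pinning is meant to limit. Pinning lowers the chance of running a tampered action version but does not reduce what a compromised one could read, so listing only the secrets this job's scripts actually consume, one `env` entry each, would narrow the blast radius. If `toJson(secrets)` is needed because the secret names are dynamic, a comment stating which names the scripts read would at least make the dependency auditable. The `env:` block this line belongs to starts above the hunk.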
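Review bot: The two trivy-action pins in this file carry different version comments for the same commit: `# 0.35.0` in the @@ -657 hunk and `# v0.35.0` in the @@ -679 hunk on the next line, which preserves the original tag inconsistency instead of documenting one canonical release. Since both now resolve to 57a97c7e7821a5776cebc9bb87c984fa69cba8f1, the comments should use whichever tag form upstream actually publishes for that commit, so that version-bump tooling reading the comment treats the two steps identically. The second step's `skip-setup-trivy: true` only works while both pins stay at the same commit; a comment on the first step, e.g. `# keep in sync with the second trivy-action step below, which reuses this install via skip-setup-trivy`, would make that coupling explicit.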
@@ -679,7 +679,7 @@ jobs: team=promptql - name: Fail build on High/Critical Vulnerabilities - uses: aquasecurity/trivy-action@v0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: skip-setup-trivy: true # setup was already done by the previous call to this action above image-ref: "ddn-workspace:test" diff --git a/.github/workflows/go-tests.yaml b/.github/workflows/go-tests.yaml index 818d79e66..2f206c14d 100644 --- a/.github/workflows/go-tests.yaml +++ b/.github/workflows/go-tests.yaml @@ -12,10 +12,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Set up Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 with: go-version: '1.21' cache: true diff --git a/.github/workflows/pr-scan.yaml b/.github/workflows/pr-scan.yaml index 082de2385..69f1469d2 100644 --- a/.github/workflows/pr-scan.yaml +++ b/.github/workflows/pr-scan.yaml @@ -14,13 +14,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: fetch_depth: 1 - name: Get all connector version package changes id: connector-version-changed-files - uses: tj-actions/changed-files@v46.0.1 + uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1 with: json: true escape_json: false @@ -41,7 +41,7 @@ jobs: cat changed_files.json - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 with: go-version: 1.21.x diff --git a/.github/workflows/registry-e2e-tests.yaml b/.github/workflows/registry-e2e-tests.yaml index d798fdfe6..d1c697e2f 100644 --- a/.github/workflows/registry-e2e-tests.yaml +++ b/.github/workflows/registry-e2e-tests.yaml 
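Review bot: The go-tests checkout step is frozen at a v3 commit of actions/checkout (`f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3`) while build-ddn-workspace.yaml in this same commit pins v4; a SHA pin makes the major version permanent until someone edits it, so this is the moment to decide whether staying on v3 is intended. Using the v4 SHA already in the commit, `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`, would leave the repository on a single checkout major. The same v3 pin is used in validate-connector-metadata-schema.yml and validate.yaml.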
@@ -14,13 +14,13 @@ jobs: matrix: ${{ steps.e2e-test-matrix.outputs.matrix }} steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: fetch_depth: 1 - name: Get all connector version package changes id: connector-version-changed-files - uses: tj-actions/changed-files@v46.0.1 + uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1 with: json: true escape_json: false @@ -41,7 +41,7 @@ jobs: cat changed_files.json - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 with: go-version: 1.21.x @@ -85,7 +85,7 @@ jobs: run: | echo "Running e2e tests for ${{ toJSON(matrix.task) }}" - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: fetch_depth: 1 - name: Set matching env vars @@ -110,7 +110,7 @@ jobs: fi - name: Install bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 with: bun-version: 1.2.4 - name: Run e2e tests diff --git a/.github/workflows/registry-updates-prod.yaml b/.github/workflows/registry-updates-prod.yaml index 3654e8598..70b6b1851 100644 --- a/.github/workflows/registry-updates-prod.yaml +++ b/.github/workflows/registry-updates-prod.yaml @@ -14,13 +14,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: fetch_depth: 1 - name: Get all connector version package changes id: connector-version-changed-files - uses: tj-actions/changed-files@v46.0.1 + uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1 with: json: true escape_json: false @@ -41,7 +41,7 @@ jobs: cat changed_files.json - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 with: go-version: 1.21.x 
diff --git a/.github/workflows/registry-updates.yaml b/.github/workflows/registry-updates.yaml index bc6f91464..7bb3a1d7e 100644 --- a/.github/workflows/registry-updates.yaml +++ b/.github/workflows/registry-updates.yaml @@ -14,7 +14,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: # In the case of forked PRs, the forked repository will # be checked out. @@ -25,7 +25,7 @@ jobs: - name: Get all connector version package changes id: connector-version-changed-files - uses: tj-actions/changed-files@v46.0.1 + uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1 with: json: true escape_json: false @@ -46,7 +46,7 @@ jobs: cat changed_files.json - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 with: go-version: 1.21.x diff --git a/.github/workflows/validate-connector-metadata-schema.yml b/.github/workflows/validate-connector-metadata-schema.yml index 655d7a55a..e2c4ffe0e 100644 --- a/.github/workflows/validate-connector-metadata-schema.yml +++ b/.github/workflows/validate-connector-metadata-schema.yml @@ -12,10 +12,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Use Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '18' diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml index 18fdf4f8a..ee11d74ef 100644 --- a/.github/workflows/validate.yaml +++ b/.github/workflows/validate.yaml 
@@ -11,10 +11,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 with: go-version: 1.21.x