Merge branch 'v1.9.x' into renovate/v1.9.x-patch-digest-dependencies

derekbit · web-flow · commit 6f756db10d2e · 2026-04-28T16:21:12.000+08:00
Signed-off-by: Derek Su &lt;derek.su@suse.com&gt;
diff --git a/.github/workflows/backport-pr.yml b/.github/workflows/backport-pr.yml
@@ -9,4 +9,4 @@ on:
 
 jobs:
   call-workflow:
-    uses: longhorn/longhorn/.github/workflows/backport-pr.yml@master
+    uses: longhorn/longhorn/.github/workflows/backport-pr.yml@eb3790253449e3577b4acb88b5620258cde6d747 # v1.11.1
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
     - id: build_info
       name: Declare build info
@@ -58,7 +58,7 @@ jobs:
     - name: Run ci
       run: make ci
 
-    - uses: codecov/codecov-action@v4
+    - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
       with:
         files: ./coverage.out
         flags: unittests
@@ -71,16 +71,16 @@ jobs:
     if: ${{ startsWith(github.ref, 'refs/heads/') || startsWith(github.ref, 'refs/tags/') }}
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
     # For multi-platform support
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
     - name: Login to Docker Hub
-      uses: docker/login-action@v3
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
       with:
         username: ${{ secrets.DOCKER_USERNAME }}
         password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       with:
         fetch-depth: 1
     - name: Check code spell
-      uses: codespell-project/actions-codespell@v2
+      uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2
       with:
         check_filenames: true
         skip: "./proto,*/**.yaml,*/**.yml,./scripts,./vendor,MAINTAINERS,LICENSE,go.mod,go.sum"
diff --git a/.github/workflows/conventional_commits.yml b/.github/workflows/conventional_commits.yml
@@ -1,41 +1,46 @@
 name: Conventional Commits
 
 on:
-  pull_request_target:
+  pull_request:
     types:
-    - opened
-    - edited
-    - synchronize
-    - reopened
+      - opened
+      - edited
+      - synchronize
+      - reopened
 
 permissions:
+  contents: read
   pull-requests: read
 
 jobs:
   commit-lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-    - name: Lint Commits
-      uses: wagoid/commitlint-github-action@v6
-    - name: Lint Pull Request
-      uses: amannn/action-semantic-pull-request@v5.5.3
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        types: |
-          feat
-          fix
-          docs
-          style
-          refactor
-          perf
-          test
-          chore
-          vendor
-          build
-          ci
-          revert
-          BREAKING
+      - name: Checkout PR commits
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Lint Commits
+        uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
+
+      - name: Lint Pull Request
+        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types: |
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            chore
+            vendor
+            build
+            ci
+            revert
+            BREAKING
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -0,0 +1,33 @@
+name: fossa
+on:
+  push:
+    branches:
+      - master
+      - v*
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+      - v*
+  workflow_dispatch: {}
+
+permissions: {}
+
+jobs:
+  fossa-scan:
+    if: github.repository == 'longhorn/longhorn-share-manager' # FOSSA is not intended to run on forks.
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: "Run FOSSA Scan"
+        uses: fossas/fossa-action@c414b9ad82eaad041e47a7cf62a4f02411f427a0 # v1.8.0 # Use a specific version if locking is preferred
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          project: longhorn-share-manager
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
@@ -7,4 +7,4 @@ on:
 
 jobs:
   call-workflow:
-    uses: longhorn/longhorn/.github/workflows/stale.yaml@master
+    uses: longhorn/longhorn/.github/workflows/stale.yaml@eb3790253449e3577b4acb88b5620258cde6d747 # v1.11.1
diff --git a/Dockerfile.dapper b/Dockerfile.dapper
@@ -1,4 +1,4 @@
-FROM registry.suse.com/bci/golang:1.25
+FROM registry.suse.com/bci/golang:1.24@sha256:ae722bb8954485d10eb26d90c14d521d90810d8b0c84c3c72b58cbb1fc1ee284
 
 ARG DAPPER_HOST_ARCH
 ARG SRC_BRANCH=master
diff --git a/package/Dockerfile b/package/Dockerfile
@@ -1,5 +1,5 @@
-# syntax=docker/dockerfile:1.15.1
-FROM registry.suse.com/bci/golang:1.25 AS app_builder
+# syntax=docker/dockerfile:1.15.1@sha256:9857836c9ee4268391bb5b09f9f157f3c91bb15821bb77969642813b0d00518d
+FROM registry.suse.com/bci/golang:1.24@sha256:ae722bb8954485d10eb26d90c14d521d90810d8b0c84c3c72b58cbb1fc1ee284 AS app_builder
 
 WORKDIR /app
 
@@ -12,7 +12,7 @@ RUN chmod +x /app/scripts/build
 # Run the build script
 RUN /app/scripts/build
 
-FROM registry.suse.com/bci/bci-base:15.7 AS lib_builder
+FROM registry.suse.com/bci/bci-base:15.7@sha256:3267acc7b9744218250e91e1d2d3176a113d88c4c55158945beb46150c0c7df2 AS lib_builder
 
 ARG SRC_BRANCH=master
 ARG SRC_TAG
@@ -45,7 +45,7 @@ RUN export REPO_OVERRIDE="" && \
     bash /usr/src/dep-versions/scripts/build-nfs-ganesha.sh "${REPO_OVERRIDE}" "${COMMIT_ID_OVERRIDE}"
 
 
-FROM registry.suse.com/bci/bci-base:15.7 AS release
+FROM registry.suse.com/bci/bci-base:15.7@sha256:3267acc7b9744218250e91e1d2d3176a113d88c4c55158945beb46150c0c7df2 AS release
 
 ARG TARGETPLATFORM
 RUN if [ "$TARGETPLATFORM" != "linux/amd64" ] && [ "$TARGETPLATFORM" != "linux/arm64" ]; then \

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM registry.suse.com/bci/golang:1.25`
	`1`	`+FROM registry.suse.com/bci/golang:1.24@sha256:ae722bb8954485d10eb26d90c14d521d90810d8b0c84c3c72b58cbb1fc1ee284`
`2`	`2`
`3`	`3`	`ARG DAPPER_HOST_ARCH`
`4`	`4`	`ARG SRC_BRANCH=master`