rancher
diff --git a/‎.envrc‎
Lines changed: 5 additions & 5 deletions b/‎.envrc‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/fossa.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/fossa.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/release.yaml‎
Lines changed: 24 additions & 44 deletions b/‎.github/workflows/release.yaml‎
Lines changed: 24 additions & 44 deletions
@@ -25,14 +25,14 @@ cleanup() {
 }
 
 if ! which "$0" | grep -q nix; then
-  print 'Entering Environment...'
+  echo 'Entering Environment...'
   basename="$(get_repo_basename)"
   profile="$(get_profile)"
   export NIX_PROFILE="$profile"
 
-  print 'Updating Nix Cache...'
+  echo 'Updating Nix Cache...'
   if ! nf flake update; then
-    print 'Failed to update Nix flake, continuing with existing cache...'
+    echo 'Failed to update Nix flake, continuing with existing cache...'
     git checkout flake.lock
   fi
 
@@ -45,7 +45,7 @@ if ! which "$0" | grep -q nix; then
 
   nf profile list --profile "$profile"
 
-  print 'Starting...'
+  echo 'Starting...'
   # --impure allows Nix to reuse previously built paths
   # --ignore-environment ignores the environment variables and paths to tools not installed by nix
   nf develop \
@@ -68,7 +68,7 @@ if ! which "$0" | grep -q nix; then
     --profile "$profile" \
     --command bash -c "bash --rcfile .envrc"
 
-  print 'Exiting Dev Environment...'
+  echo 'Exiting Dev Environment...'
   cleanup
 else
   # this is run inside the dev environment so we can make assumptions about what is available
 
@@ -15,13 +15,14 @@ jobs:
     timeout-minutes: 30
     steps:
     - name: Checkout
+      # https://github.com/actions/checkout/releases
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     # The FOSSA token is shared between all repos in Rancher's GH org. It can be
     # used directly and there is no need to request specific access to EIO.
     - name: Read FOSSA token
       # https://github.com/rancher-eio/read-vault-secrets/commits/main/
-      uses: rancher-eio/read-vault-secrets@7282bf97898cd1c16c89f837e0bb442e6d384c89 # latest
+      uses: rancher-eio/read-vault-secrets@7282bf97898cd1c16c89f837e0bb442e6d384c89 # latest 
       with:
         secrets: |
           secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY
 
@@ -12,6 +12,8 @@ env:
   ACME_SERVER_URL: https://acme-v02.api.letsencrypt.org/directory
   AWS_MAX_ATTEMPTS: 100
   AWS_RETRY_MODE: adaptive
+  NIX_INSTALL_SHA: e9d447ce3d2ff62d7ff9cb6ef401de6fa8acb148839dd00f7271945d7b638b14
+  NIX_INSTALL_VERSION: 2.34.7
 
 permissions: write-all
 
@@ -21,48 +23,13 @@ jobs:
     outputs:
       release_pr: ${{ steps.release-please.outputs.pr }}
     steps:
-      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
+      # https://github.com/googleapis/release-please-action/releases
+      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
         id: release-please
         with:
           release-type: terraform-module
-      - name: Install Let's Encrypt Roots and Intermediate Certificates
-        if: steps.release-please.outputs.pr
-        run: |
-          # https://letsencrypt.org/certificates/
-          sudo apt-get update -y
-          sudo apt-get install -y ca-certificates wget openssl libssl-dev
-          wget https://letsencrypt.org/certs/isrgrootx1.pem # rsa
-          sudo cp isrgrootx1.pem /usr/local/share/ca-certificates/
-          wget https://letsencrypt.org/certs/isrg-root-x2.pem # ecdsa
-          sudo cp isrg-root-x2.pem /usr/local/share/ca-certificates/
-          wget https://letsencrypt.org/certs/2024/r11.pem
-          sudo cp r11.pem /usr/local/share/ca-certificates/
-          wget https://letsencrypt.org/certs/2024/r10.pem
-          sudo cp r10.pem /usr/local/share/ca-certificates/
-          wget https://letsencrypt.org/certs/2024/e5.pem
-          sudo cp e5.pem /usr/local/share/ca-certificates/
-          wget https://letsencrypt.org/certs/2024/e6.pem
-          sudo cp e6.pem /usr/local/share/ca-certificates/
-          sudo update-ca-certificates
-      - name: Verify Lets Encrypt CA Functionality
-        if: steps.release-please.outputs.pr
-        run: |
-          # Function to check if Let's Encrypt CA is effectively used by openssl
-          check_letsencrypt_ca() {
-            # Try to verify a known Let's Encrypt certificate (you can use any valid one)
-            if openssl s_client -showcerts -connect letsencrypt.org:443 < /dev/null | openssl x509 -noout -issuer | grep -q "Let's Encrypt"; then
-              return 0 # Success
-            else
-              return 1 # Failure
-            fi
-          }
-          if check_letsencrypt_ca; then
-            echo "Let's Encrypt CA is functioning correctly."
-          else
-            echo "Error: Let's Encrypt CA is not being used for verification."
-            exit 1
-          fi
-      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+      # https://github.com/actions/github-script/releases
+      - uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
         if: steps.release-please.outputs.pr
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
@@ -80,12 +47,14 @@ jobs:
     if: needs.release.outputs.release_pr
     runs-on: ubuntu-latest
     steps:
+      # https://github.com/actions/checkout/releases
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{secrets.GITHUB_TOKEN}}
           fetch-depth: 0
       - id: aws-creds
-        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
+        # https://github.com/aws-actions/configure-aws-credentials/releases
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: ${{env.AWS_ROLE}}
           role-session-name: ${{github.run_id}}
@@ -94,10 +63,14 @@ jobs:
           output-credentials: true
       - name: install-nix
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install-nix.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install-nix.sh" | sha256sum -c -
+          chmod +x install-nix.sh
+          ./install-nix.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix
+          rm -f install-nix.sh
       - name: run_tests
         shell: '/home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep IDENTIFIER --keep GITHUB_TOKEN --keep GITHUB_OWNER --keep ZONE --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}'
         env:
@@ -123,12 +96,14 @@ jobs:
     if: always() && needs.release.outputs.release_pr
     runs-on: ubuntu-latest
     steps:
+      # https://github.com/actions/checkout/releases
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{secrets.GITHUB_TOKEN}}
           fetch-depth: 0
       - id: aws-creds
-        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
+        # https://github.com/aws-actions/configure-aws-credentials/releases
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: ${{env.AWS_ROLE}}
           role-session-name: ${{github.run_id}}-cleanup
@@ -137,10 +112,14 @@ jobs:
           output-credentials: true
       - name: install-nix
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install-nix.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install-nix.sh" | sha256sum -c -
+          chmod +x install-nix.sh
+          ./install-nix.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix
+          rm -f install-nix.sh
       - name: cleanup
         shell: '/home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep IDENTIFIER --keep GITHUB_TOKEN --keep GITHUB_OWNER --keep ZONE --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}'
         env:
@@ -160,7 +139,8 @@ jobs:
     if: success() && needs.release.outputs.release_pr #Ensure the test jobs succeeded, and that a release PR was created.
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+      # https://github.com/actions/github-script/releases
+      - uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           script: |