From 48a91f7dc25ad68c46e44b9910ee5d25ee33a0ab Mon Sep 17 00:00:00 2001
From: Pietro Dell'Amore
Date: Fri, 10 Apr 2026 10:17:01 -0300
Subject: [PATCH 1/2] Pin GH Actions to commit sha
---
 .github/workflows/fossa.yml | 4 ++--
 .github/workflows/release.yaml | 14 +++++++-------
 .github/workflows/validate.yaml | 14 +++++++-------
 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index a568518..bdc4328 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -20,13 +20,13 @@ jobs:
 # The FOSSA token is shared between all repos in Rancher's GH org. It can be
 # used directly and there is no need to request specific access to EIO.
 - name: Read FOSSA token
- uses: rancher-eio/read-vault-secrets@main
+ uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
 with:
 secrets: |
 secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY
 - name: FOSSA scan
- uses: fossas/fossa-action@main
+ uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3 # v1.9.0
 with:
 api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }}
 # Only runs the scan and do not provide/returns any results back to the
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b50b83e..ced00ad 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -21,7 +21,7 @@ jobs:
 outputs:
 release_pr: ${{ steps.release-please.outputs.pr }}
 steps:
- - uses: googleapis/release-please-action@v4
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
 id: release-please
 with:
 release-type: terraform-module
@@ -62,7 +62,7 @@ jobs:
 echo "Error: Let's Encrypt CA is not being used for verification."
 exit 1
 fi
- - uses: actions/github-script@v8
+ - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 if: steps.release-please.outputs.pr
 with:
 github-token: ${{secrets.GITHUB_TOKEN}}
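Review bot: The trailing version comments on the new SHA pins are inconsistent in precision: `fossas/fossa-action@ff70fe9f… # v1.9.0` records the exact release, while `rancher-eio/read-vault-secrets@0da85151… # v3`, `googleapis/release-please-action@16a9c908… # v4` and `actions/github-script@ed597411… # v8` record only a moving major tag, so a reader cannot tell which release the SHA was taken from and an updater such as Dependabot or Renovate has nothing exact to bump from. Recording the full tag for each pin (e.g. `# v4.<minor>.<patch>` as reported by the upstream release, placeholder here) keeps the pin auditable; the same applies to the `actions/checkout # v5` and `aws-actions/configure-aws-credentials # v6` pins in the later release.yaml hunks and to every `actions/checkout` pin in validate.yaml. Since a commit reachable under the upstream repository URL can also belong to a fork in the same network, each SHA should be confirmed to be the commit the named tag points to in the upstream repository before merging, which the hunk itself cannot show.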
@@ -80,12 +80,12 @@ jobs:
 if: needs.release.outputs.release_pr
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 token: ${{secrets.GITHUB_TOKEN}}
 fetch-depth: 0
 - id: aws-creds
- uses: aws-actions/configure-aws-credentials@v6
+ uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
 with:
 role-to-assume: ${{env.AWS_ROLE}}
 role-session-name: ${{github.run_id}}
@@ -123,12 +123,12 @@ jobs:
 if: always() && needs.release.outputs.release_pr
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 token: ${{secrets.GITHUB_TOKEN}}
 fetch-depth: 0
 - id: aws-creds
- uses: aws-actions/configure-aws-credentials@v6
+ uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
 with:
 role-to-assume: ${{env.AWS_ROLE}}
 role-session-name: ${{github.run_id}}-cleanup
@@ -160,7 +160,7 @@ jobs:
 if: success() && needs.release.outputs.release_pr #Ensure the test jobs succeeded, and that a release PR was created.
 runs-on: ubuntu-latest
 steps:
- - uses: actions/github-script@v8
+ - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 with:
 github-token: ${{secrets.GITHUB_TOKEN}}
 script: |
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index 91bd8aa..dc1a103 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -14,7 +14,7 @@ jobs:
 name: 'Terraform'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0
 - name: install-nix
@@ -33,7 +33,7 @@ jobs:
 name: 'Lint Workflows'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0
 - name: install-nix
@@ -49,7 +49,7 @@ jobs:
 shellcheck:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0
 - name: install-nix
@@ -69,7 +69,7 @@ jobs:
 validate-commit-message:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0 # fetch all history so that we can validate the commit messages
 - name: install-nix
@@ -153,7 +153,7 @@ jobs:
 name: 'Scan for Secrets'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0
 - name: install-nix
@@ -213,7 +213,7 @@ jobs:
 test-compile-check:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0
 - name: install-nix
@@ -231,7 +231,7 @@ jobs:
 lint-tests:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0
 - name: install-nix
From 45a9338df0dcb1528e5ac15d474e60b6c1780bd1 Mon Sep 17 00:00:00 2001
From: Matt Trachier
Date: Wed, 15 Apr 2026 12:10:15 -0500
Subject: [PATCH 2/2] fix: EIO expects us to pin main for read-vault-secrets
Signed-off-by: Matt Trachier
---
 .github/workflows/fossa.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index bdc4328..1f766bb 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -20,7 +20,7 @@ jobs:
 # The FOSSA token is shared between all repos in Rancher's GH org. It can be
 # used directly and there is no need to request specific access to EIO.
 - name: Read FOSSA token
- uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
+ uses: rancher-eio/read-vault-secrets@main
 with:
 secrets: |
 secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY
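Review bot: The reverted line `uses: rancher-eio/read-vault-secrets@main` is now the only mutable ref left in the series, and it sits on the step that retrieves the FOSSA push token from Vault, so it is the step where an unreviewed change to the action has the most to gain; the reason for the exception lives only in the commit subject, so the next "pin everything" pass will re-pin it. Record the policy in the workflow itself, directly above the line: `# EIO-maintained action: org policy requires tracking @main here, do not SHA-pin`. It would also help to note in that comment who owns branch protection on the `rancher-eio` repository, since that protection is what the trust in `@main` now rests on; the hunk cannot show whether it is in place.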