4 changes: 2 additions & 2 deletions .github/workflows/fossa.yml
Expand Up @@ -20,13 +20,13 @@ jobs:
# The FOSSA token is shared between all repos in Rancher's GH org. It can be
# used directly and there is no need to request specific access to EIO.
- name: Read FOSSA token
uses: rancher-eio/read-vault-secrets@main
uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
Collaborator

EIO wants us to pin main, the v3 release is very old now

with:
secrets: |
secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY

- name: FOSSA scan
uses: fossas/fossa-action@main
uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3 # v1.9.0
with:
api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }}
# Only runs the scan and do not provide/returns any results back to the
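Review bot: Neither pin in this file can be checked against its tag from the diff alone; the 40-character refs on the `rancher-eio/read-vault-secrets` and `fossas/fossa-action` lines are taken on trust from their `# v3` and `# v1.9.0` comments. Before merging, confirm that each SHA is the commit the named tag points at in the action's own repository, because a `uses:` reference by SHA can also resolve to a commit that exists only in a fork of that repository. This matters most for the `Read FOSSA token` step, which exports `FOSSA_API_KEY_PUSH_ONLY` through whatever code the ref selects.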
14 changes: 7 additions & 7 deletions .github/workflows/release.yaml
Expand Up @@ -21,7 +21,7 @@ jobs:
outputs:
release_pr: ${{ steps.release-please.outputs.pr }}
steps:
- uses: googleapis/release-please-action@v4
- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
id: release-please
with:
release-type: terraform-module
Expand Down Expand Up @@ -62,7 +62,7 @@ jobs:
echo "Error: Let's Encrypt CA is not being used for verification."
exit 1
fi
- uses: actions/github-script@v8
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
if: steps.release-please.outputs.pr
with:
github-token: ${{secrets.GITHUB_TOKEN}}
Expand All @@ -80,12 +80,12 @@ jobs:
if: needs.release.outputs.release_pr
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
token: ${{secrets.GITHUB_TOKEN}}
fetch-depth: 0
- id: aws-creds
uses: aws-actions/configure-aws-credentials@v6
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
with:
role-to-assume: ${{env.AWS_ROLE}}
role-session-name: ${{github.run_id}}
Expand Down Expand Up @@ -123,12 +123,12 @@ jobs:
if: always() && needs.release.outputs.release_pr
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
token: ${{secrets.GITHUB_TOKEN}}
fetch-depth: 0
- id: aws-creds
uses: aws-actions/configure-aws-credentials@v6
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
with:
role-to-assume: ${{env.AWS_ROLE}}
role-session-name: ${{github.run_id}}-cleanup
Expand Down Expand Up @@ -160,7 +160,7 @@ jobs:
if: success() && needs.release.outputs.release_pr #Ensure the test jobs succeeded, and that a release PR was created.
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@v8
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
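Review bot: The trailing comments on the new `uses:` lines name only floating major tags (`# v4`, `# v8`, `# v5`, `# v6`), so once a tag moves nobody can tell which release the SHA was taken from; fossa.yml in this same change already records an exact release (`# v1.9.0`). Record the exact release instead, e.g. `- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.Y.Z`, where `v5.Y.Z` is a placeholder for the release that SHA actually belongs to. The same applies to every `actions/checkout` line in validate.yaml. Update bots that rewrite pinned SHAs generally use this comment to label the new version, so an exact tag also keeps later bumps reviewable.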
14 changes: 7 additions & 7 deletions .github/workflows/validate.yaml
Expand Up @@ -14,7 +14,7 @@ jobs:
name: 'Terraform'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- name: install-nix
Expand All @@ -33,7 +33,7 @@ jobs:
name: 'Lint Workflows'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- name: install-nix
Expand All @@ -49,7 +49,7 @@ jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- name: install-nix
Expand All @@ -69,7 +69,7 @@ jobs:
validate-commit-message:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0 # fetch all history so that we can validate the commit messages
- name: install-nix
Expand Down Expand Up @@ -153,7 +153,7 @@ jobs:
name: 'Scan for Secrets'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- name: install-nix
Expand Down Expand Up @@ -213,7 +213,7 @@ jobs:
test-compile-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- name: install-nix
Expand All @@ -231,7 +231,7 @@ jobs:
lint-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- name: install-nix
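Review bot: Each hunk in this file ends at a `- name: install-nix` step whose `uses:` or `run:` line falls outside the visible context, so the diff does not show whether that step is pinned the same way as `actions/checkout`. If it references a third-party action by tag or branch, it is still a mutable ref in every job of this workflow and should get the same `@<full-commit-sha> # <exact-tag>` form (placeholders; the real values are not on this page).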