From dfa91333a960607119b837993f4437b881362470 Mon Sep 17 00:00:00 2001
From: Tuomas Katila
Date: Tue, 28 May 2024 11:31:12 +0300
Subject: [PATCH] workflow: pin actions with sha's
And update sha's once a week.
Signed-off-by: Tuomas Katila
---
.github/dependabot.yml | 5 ++--
.github/workflows/lib-build.yaml | 4 +--
.github/workflows/lib-codeql.yaml | 9 +++----
.github/workflows/lib-e2e.yaml | 2 +-
.github/workflows/lib-publish.yaml | 8 +++---
.github/workflows/lib-scorecard.yaml | 8 +++---
.github/workflows/lib-trivy.yaml | 40 +++++++++++-----------------
.github/workflows/lib-validate.yaml | 21 +++++++-------
.github/workflows/publish.yml | 10 +++---
9 files changed, 46 insertions(+), 61 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 73b6f079..5eaaa1a8 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,5 +12,6 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - # Check for updates to GitHub Actions every weekday - interval: "daily" + # Check for updates to GitHub Actions every week on Sunday + interval: "weekly" + day: "sunday"
diff --git a/.github/workflows/lib-build.yaml b/.github/workflows/lib-build.yaml
index d44b4e66..f2f19b64 100644
--- a/.github/workflows/lib-build.yaml
+++ b/.github/workflows/lib-build.yaml
@@ -45,8 +45,8 @@ jobs: - dlb-libdlb-demo builder: [buildah, docker] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true
diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml
index 8365c754..2fb0cf7a 100644
--- a/.github/workflows/lib-codeql.yaml
+++ b/.github/workflows/lib-codeql.yaml
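Review bot: Once every action is pinned to a commit SHA, this weekly `interval` is the only mechanism that moves those pins forward, so a release that fixes a vulnerable or withdrawn action version can wait up to a week before a bump PR even appears; that trade-off is acceptable, but the comment should say so rather than just restate the schedule, e.g. `# Weekly is enough for SHA-pinned actions; Dependabot bumps the SHA and (presumably) the trailing '# vN' comment together`. Whether Dependabot security alerts for actions open PRs independently of this schedule depends on repository settings not visible here, so I would not rely on it without checking. The `updates:` list this entry belongs to starts above the hunk.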
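Review bot: The trailing comments on the new `uses:` lines record only a major version (`# v4`, `# v5`), which gives a reviewer no way to check that `a5ac7e51…` is actually the commit behind the release it claims, and a SHA pin whose provenance cannot be verified is only half of the supply-chain control. Record the exact tag the SHA was copied from, e.g. `# v4.1.6` on the checkout line and the corresponding patch tag on setup-go, so the pin can be compared against the upstream release page and Dependabot's version comment stays precise; I have not verified which tags these SHAs map to, so confirm before editing the comments. The `strategy` matrix this hunk sits in starts above the hunk.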
@@ -18,19 +18,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 - - - uses: actions/setup-go@v5 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@71ace48453080e924b22589f0c397bedde464d78 # v3 with: languages: 'go' - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@71ace48453080e924b22589f0c397bedde464d78 # v3 with: category: "/language:go"
diff --git a/.github/workflows/lib-e2e.yaml b/.github/workflows/lib-e2e.yaml
index 9752373d..4dc34cb7 100644
--- a/.github/workflows/lib-e2e.yaml
+++ b/.github/workflows/lib-e2e.yaml
@@ -67,7 +67,7 @@ jobs: IMAGES: ${{ join(matrix.images, ' ') }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 - name: Describe test environment
diff --git a/.github/workflows/lib-publish.yaml b/.github/workflows/lib-publish.yaml
index cbd27e2b..08c8430f 100644
--- a/.github/workflows/lib-publish.yaml
+++ b/.github/workflows/lib-publish.yaml
@@ -42,8 +42,8 @@ jobs: - crypto-perf - opae-nlb-demo steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true
@@ -54,7 +54,7 @@ jobs: run: | REG=intel/ make ${IMAGE_NAME} BUILDER=docker - name: Trivy scan for image - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0 with: scan-type: image image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }}
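Review bot: Pinning `aquasecurity/trivy-action` to `fd25fed6…` instead of `master` fixes the action's wrapper code, but it does not make this pre-publish scan reproducible: the vulnerability database is fetched at run time regardless, and whether the Trivy binary itself is fixed by this action release or resolved dynamically depends on the action's own definition, which is not in the diff. If the scan is meant as a release gate, state that limitation on the step, e.g. `# Action code is pinned; the vulnerability DB (and possibly the scanner) are still resolved at run time`, and check whether this action release accepts a scanner `version:` input so it can be fixed too. The hunk also does not show whether findings fail the job, so as written the scan may be informational only.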
@@ -64,7 +64,7 @@ jobs: if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }} run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker - name: Login - uses: docker/login-action@v3 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_PASS }}
diff --git a/.github/workflows/lib-scorecard.yaml b/.github/workflows/lib-scorecard.yaml
index 4d0edb1b..03ad3b4f 100644
--- a/.github/workflows/lib-scorecard.yaml
+++ b/.github/workflows/lib-scorecard.yaml
@@ -16,18 +16,16 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: persist-credentials: false - - name: "Analyze project" - uses: ossf/scorecard-action@v2.3.3 + uses: ossf/scorecard-action@e4c423540e964e15ccadc56558705ba15136265c # v2.3.3 with: results_file: results.sarif results_format: sarif publish_results: true - - name: "Upload results to security" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3 with: sarif_file: results.sarif
diff --git a/.github/workflows/lib-trivy.yaml b/.github/workflows/lib-trivy.yaml
index 7afe9796..36d6de85 100644
--- a/.github/workflows/lib-trivy.yaml
+++ b/.github/workflows/lib-trivy.yaml
@@ -30,10 +30,9 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v4 - + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - name: Run Trivy in config mode for deployments - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0 with: scan-type: config scan-ref: deployments/
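Review bot: The context line `run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker` in the lib-publish hunk still expands a reusable-workflow input straight into a shell command, in the same job that the newly pinned `docker/login-action` hands Docker Hub credentials to; `inputs.image_tag` is whatever the calling workflow passes, and if any caller ever derives it from a branch or tag name that string becomes shell injection with registry write access. Move the expansion out of the command: put `env: IMG: intel/${{ matrix.image }}:${{ inputs.image_tag }}` on the step and reduce the command to `run: make test-image-base-layer BUILDER=docker`, which leaves make reading `IMG` from the environment exactly as before. Whether `image_tag` is ever untrusted depends on the callers, which are not in this diff.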
@@ -49,10 +48,9 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v4 - + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - name: Run Trivy in config mode for dockerfiles - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0 with: scan-type: config scan-ref: build/docker/
@@ -64,10 +62,9 @@ jobs: name: Scan licenses steps: - name: Checkout - uses: actions/checkout@v4 - + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - name: Run Trivy in fs mode - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0 with: scan-type: fs scan-ref: .
@@ -78,16 +75,14 @@ jobs: trivy-scan-vulns: permissions: security-events: write - runs-on: ubuntu-22.04 name: Scan vulnerabilities steps: - name: Checkout - uses: actions/checkout@v4 - + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - name: Run Trivy in fs mode continue-on-error: true - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0 with: scan-type: fs scan-ref: .
@@ -95,19 +90,17 @@ jobs: list-all-pkgs: true format: json output: trivy-report.json - - name: Show report in human-readable format - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0 with: scan-type: convert vuln-type: '' severity: '' image-ref: trivy-report.json format: table - - name: Convert report to sarif if: ${{ inputs.upload-to-github-security-tab }} - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0 with: scan-type: convert vuln-type: ''
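Review bot: The `@@ -78` hunk deletes `runs-on: ubuntu-22.04` from the `trivy-scan-vulns` job and adds nothing in its place; the hunk's line counts (16 old, 14 new, with four `-` lines and two `+` lines) confirm it is a removal rather than a context line, and unless the job declares `runs-on` somewhere above the hunk, the workflow becomes invalid for every caller of this reusable workflow. Restore `runs-on: ubuntu-22.04` between `permissions:` and `name:`, matching the other jobs in this file, which the `@@ -30` and `@@ -49` hunks show with `runs-on` intact. Separately, the same job keeps `continue-on-error: true` on the Trivy step, so findings never fail the run and only surface through the SARIF upload or CSV artifact; a comment such as `# Informational scan: results go to the Security tab / artifact, the job does not fail on findings` would stop readers from taking a green run as a clean scan.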
@@ -115,16 +108,14 @@ jobs: image-ref: trivy-report.json format: sarif output: trivy-report.sarif - - name: Upload sarif report to GitHub Security tab if: ${{ inputs.upload-to-github-security-tab }} - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3 with: - sarif_file: trivy-report.sarif - + sarif_file: trivy-report.sarif - name: Convert report to csv if: ${{ inputs.export-csv }} - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0 with: scan-type: convert vuln-type: ''
@@ -133,10 +124,9 @@ jobs: format: template template: "@.github/workflows/template/trivy-csv.tpl" output: trivy-report.csv - - name: Upload CSV report as an artifact if: ${{ inputs.export-csv }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: trivy-report - path: trivy-report.csv \ No newline at end of file + path: trivy-report.csv
diff --git a/.github/workflows/lib-validate.yaml b/.github/workflows/lib-validate.yaml
index caa0ef04..83ae7ddf 100644
--- a/.github/workflows/lib-validate.yaml
+++ b/.github/workflows/lib-validate.yaml
@@ -14,7 +14,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y python3-venv - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 - name: Set up doc directory
@@ -28,30 +28,28 @@ jobs: rm -rf _work/venv make vhtml mv _build/html/* $HOME/output/ - golangci: permissions: - pull-requests: read # for golangci/golangci-lint-action to fetch pull requests + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: lint runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true - name: golangci-lint - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6 with: version: v1.57.2 args: -v --timeout 5m - build: name: Build and check device plugins runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true
@@ -63,7 +61,6 @@ jobs: - run: make check-github-actions #- name: Codecov report # run: bash <(curl -s https://codecov.io/bash) - envtest: name: Test APIs using envtest runs-on: ubuntu-22.04
@@ -74,8 +71,8 @@ jobs: - 1.29.x - 1.30.x steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 13d5fccc..de4c00c8 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,7 +15,7 @@ jobs: build: permissions: - contents: write # for Git to git push + contents: write # for Git to git push runs-on: ubuntu-22.04 steps:
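Review bot: The `@@ -63` hunk of lib-validate leaves the commented-out `bash <(curl -s https://codecov.io/bash)` step in place; the whole point of this commit is to stop running remote code that is not pinned to a known revision, and a dormant pipe-to-shell template is exactly what someone will uncomment later without a checksum or pin. Delete the two commented lines, or replace them with a one-line note that coverage upload, if reintroduced, must go through a SHA-pinned action like the rest of this file. The `build` job these lines belong to starts above the hunk.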
@@ -23,7 +23,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y python3-venv git - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 ref: main
@@ -44,7 +44,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html/* $HOME/output/ - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 ref: release-0.28
@@ -55,7 +55,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html $HOME/output/0.28 - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 ref: release-0.29
@@ -66,7 +66,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html $HOME/output/0.29 - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 ref: release-0.30
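Review bot: Every checkout in this job runs with the default `persist-credentials: true`, so the `contents: write` token granted in the `@@ -15` hunk of this file sits in `.git/config` while `make vhtml` installs and runs documentation tooling inside a venv for each branch; the scorecard workflow in this same commit sets `persist-credentials: false` on its checkout, and the release-branch checkouts here (`release-0.28`, `release-0.29`, `release-0.30`) are read-only and should get the same treatment. If the final push step, which is outside the hunk, relies on the persisted token, keep credentials only on the checkout that push uses or pass the token to that step explicitly rather than to every checkout. A comment on the read-only checkouts makes the split deliberate: `# read-only checkout for the docs build; no token needed`.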