workflow: pin actions with sha's

And update sha's once a week. Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
2025-06-03 03:59:37 +00:00 · 2024-05-28 11:31:12 +03:00 · 2024-05-28 11:31:12 +03:00 · dfa91333a9
commit dfa91333a9
parent 11c9753aca
9 changed files with 46 additions and 61 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -12,5 +12,6 @@ updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
-      # Check for updates to GitHub Actions every weekday
-      interval: "daily"
+      # Check for updates to GitHub Actions every week on Sunday
+      interval: "weekly"
+      day: "sunday"
--- a/.github/workflows/lib-build.yaml
+++ b/.github/workflows/lib-build.yaml
@ -45,8 +45,8 @@ jobs:
          - dlb-libdlb-demo
        builder: [buildah, docker]
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
        with:
          go-version-file: go.mod
          check-latest: true
--- a/.github/workflows/lib-codeql.yaml
+++ b/.github/workflows/lib-codeql.yaml
@ -18,19 +18,18 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    - uses: actions/setup-go@v5
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
      with:
        go-version-file: go.mod
        check-latest: true

    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@71ace48453080e924b22589f0c397bedde464d78 # v3
      with:
        languages: 'go'

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@71ace48453080e924b22589f0c397bedde464d78 # v3
      with:
        category: "/language:go"
--- a/.github/workflows/lib-e2e.yaml
+++ b/.github/workflows/lib-e2e.yaml
@ -67,7 +67,7 @@ jobs:
      IMAGES: ${{ join(matrix.images, ' ') }}

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
        with:
          fetch-depth: 0
      - name: Describe test environment
--- a/.github/workflows/lib-publish.yaml
+++ b/.github/workflows/lib-publish.yaml
@ -42,8 +42,8 @@ jobs:
          - crypto-perf
          - opae-nlb-demo
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
        with:
          go-version-file: go.mod
          check-latest: true
@ -54,7 +54,7 @@ jobs:
        run: |
          REG=intel/ make ${IMAGE_NAME} BUILDER=docker
      - name: Trivy scan for image
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
        with:
          scan-type: image
          image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }}
@ -64,7 +64,7 @@ jobs:
        if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
        run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
      - name: Login
-        uses: docker/login-action@v3
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_PASS }}
--- a/.github/workflows/lib-scorecard.yaml
+++ b/.github/workflows/lib-scorecard.yaml
@ -16,18 +16,16 @@ jobs:
      id-token: write

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
        with:
          persist-credentials: false
-
      - name: "Analyze project"
-        uses: ossf/scorecard-action@v2.3.3
+        uses: ossf/scorecard-action@e4c423540e964e15ccadc56558705ba15136265c # v2.3.3
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
-
      - name: "Upload results to security"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3
        with:
          sarif_file: results.sarif
--- a/.github/workflows/lib-trivy.yaml
+++ b/.github/workflows/lib-trivy.yaml
@ -30,10 +30,9 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Checkout
-      uses: actions/checkout@v4
-
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
    - name: Run Trivy in config mode for deployments
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
      with:
        scan-type: config
        scan-ref: deployments/
@ -49,10 +48,9 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Checkout
-      uses: actions/checkout@v4
-
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
    - name: Run Trivy in config mode for dockerfiles
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
      with:
        scan-type: config
        scan-ref: build/docker/
@ -64,10 +62,9 @@ jobs:
    name: Scan licenses
    steps:
    - name: Checkout
-      uses: actions/checkout@v4
-
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
    - name: Run Trivy in fs mode
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
      with:
        scan-type: fs
        scan-ref: .
@ -78,16 +75,14 @@ jobs:
  trivy-scan-vulns:
    permissions:
      security-events: write
-
    runs-on: ubuntu-22.04
    name: Scan vulnerabilities
    steps:
    - name: Checkout
-      uses: actions/checkout@v4
-
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
    - name: Run Trivy in fs mode
      continue-on-error: true
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
      with:
        scan-type: fs
        scan-ref: .
@ -95,19 +90,17 @@ jobs:
        list-all-pkgs: true
        format: json
        output: trivy-report.json
-
    - name: Show report in human-readable format
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
      with:
        scan-type: convert
        vuln-type: ''
        severity: ''
        image-ref: trivy-report.json
        format: table
-
    - name: Convert report to sarif
      if: ${{ inputs.upload-to-github-security-tab }}
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
      with:
        scan-type: convert
        vuln-type: ''
@ -115,16 +108,14 @@ jobs:
        image-ref: trivy-report.json
        format: sarif
        output: trivy-report.sarif
-
    - name: Upload sarif report to GitHub Security tab
      if: ${{ inputs.upload-to-github-security-tab }}
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3
      with:
-       sarif_file: trivy-report.sarif
-
+        sarif_file: trivy-report.sarif
    - name: Convert report to csv
      if: ${{ inputs.export-csv }}
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
      with:
        scan-type: convert
        vuln-type: ''
@ -133,10 +124,9 @@ jobs:
        format: template
        template: "@.github/workflows/template/trivy-csv.tpl"
        output: trivy-report.csv
-
    - name: Upload CSV report as an artifact
      if: ${{ inputs.export-csv }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
      with:
        name: trivy-report
-        path: trivy-report.csv
+        path: trivy-report.csv
--- a/.github/workflows/lib-validate.yaml
+++ b/.github/workflows/lib-validate.yaml
@ -14,7 +14,7 @@ jobs:
      run: |
        sudo apt-get update
        sudo apt-get install -y python3-venv
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
      with:
        fetch-depth: 0
    - name: Set up doc directory
@ -28,30 +28,28 @@ jobs:
        rm -rf _work/venv
        make vhtml
        mv _build/html/* $HOME/output/
-
  golangci:
    permissions:
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
    name: lint
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
        with:
          go-version-file: go.mod
          check-latest: true
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6
        with:
          version: v1.57.2
          args: -v --timeout 5m
-
  build:
    name: Build and check device plugins
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
        with:
          go-version-file: go.mod
          check-latest: true
@ -63,7 +61,6 @@ jobs:
      - run: make check-github-actions
      #- name: Codecov report
      #  run: bash <(curl -s https://codecov.io/bash)
-
  envtest:
    name: Test APIs using envtest
    runs-on: ubuntu-22.04
@ -74,8 +71,8 @@ jobs:
          - 1.29.x
          - 1.30.x
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
        with:
          go-version-file: go.mod
          check-latest: true
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -15,7 +15,7 @@ jobs:
  build:

    permissions:
-      contents: write  # for Git to git push
+      contents: write # for Git to git push
    runs-on: ubuntu-22.04

    steps:
@ -23,7 +23,7 @@ jobs:
      run: |
        sudo apt-get update
        sudo apt-get install -y python3-venv git
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
      with:
        fetch-depth: 0
        ref: main
@ -44,7 +44,7 @@ jobs:
        rm -rf _work/venv
        make vhtml
        mv _build/html/* $HOME/output/
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
      with:
        fetch-depth: 0
        ref: release-0.28
@ -55,7 +55,7 @@ jobs:
        rm -rf _work/venv
        make vhtml
        mv _build/html $HOME/output/0.28
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
      with:
        fetch-depth: 0
        ref: release-0.29
@ -66,7 +66,7 @@ jobs:
        rm -rf _work/venv
        make vhtml
        mv _build/html $HOME/output/0.29
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
      with:
        fetch-depth: 0
        ref: release-0.30