Merge pull request #514 from flavio/be-explicit-about-gh-action-version
chore(deps): be explicit about the GH actions versions
flavio authored Sep 5, 2023
2 parents f0bab36 + 5158c20 commit 1781757
Showing 8 changed files with 60 additions and 71 deletions.
22 changes: 11 additions & 11 deletions .github/workflows/ci.yml
Expand Up @@ -13,32 +13,32 @@ jobs:
name: Unit tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: '1.19'
go-version: "1.19"
- run: make unit-tests

integration_tests:
name: Integration tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: '1.19'
go-version: "1.19"
- run: make integration-tests

golangci:
name: Golangci-lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: '1.19'
go-version: "1.19"
- name: golangci-lint
uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3
uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
with:
version: v1.49.0

Expand All @@ -47,5 +47,5 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- run: shellcheck $(find scripts/ -name '*.sh')
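Review bot: Nothing in the workflow checks the trailing version comments against the pinned SHAs: in this section `actions/setup-go@93397bea…` appears with both `# v4` and `# v4.1.0` on the same SHA, and `golangci/golangci-lint-action@3a919529…` likewise with `# v3` and `# v3.7.0`. The runner only resolves the SHA, while readers and pin-maintenance tooling typically trust the comment, so I would confirm each one against its tag before merging, for example with `git ls-remote --tags https://github.com/actions/setup-go v4.1.0`. The `actions/checkout` lines differ in SHA as well as comment (`# v3` and `# v4.0.0`), which is a major-version change that the commit title does not mention and that deserves a line in the description. The same check applies to the comment-only edits in container-image.yml, release.yml, release-drafter.yml, sbom.yml and sign-image.yml.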
49 changes: 19 additions & 30 deletions .github/workflows/container-image.yml
Expand Up @@ -32,72 +32,61 @@ jobs:
artifact: ${{ steps.setoutput.outputs.artifact }}
digest: ${{ steps.setoutput.outputs.digest }}
steps:
-
name: Checkout code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
-
name: Set up QEMU
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2
-
name: Login to GitHub Container Registry
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
- name: Checkout code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Set up QEMU
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
- name: Login to GitHub Container Registry
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Retrieve tag name (main branch)
- name: Retrieve tag name (main branch)
if: ${{ startsWith(github.ref, 'refs/heads/main') }}
run: |
echo TAG_NAME=latest >> $GITHUB_ENV
-
name: Retrieve tag name (feat branch)
- name: Retrieve tag name (feat branch)
if: ${{ startsWith(github.ref, 'refs/heads/feat') }}
run: |
echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
-
name: Retrieve tag name (tag)
- name: Retrieve tag name (tag)
if: ${{ startsWith(github.ref, 'refs/tags/') }}
run: |
echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
-
name: Build and push container image
echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
- name: Build and push container image
if: ${{ inputs.push-image }}
id: build-image
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
with:
context: .
file: ./Dockerfile
platforms: linux/amd64, linux/arm64
push: true
tags: |
ghcr.io/${{github.repository_owner}}/kubewarden-controller:${{ env.TAG_NAME }}
-
# Only build amd64 because buildx does not allow multiple platforms when
- # Only build amd64 because buildx does not allow multiple platforms when
# exporting the image to a tarball. As we use this only for end-to-end tests
# and they run on amd64 arch, let's skip the arm64 build for now.
name: Build linux/amd64 container image
if: ${{ inputs.push-image == false }}
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
with:
context: .
file: ./Dockerfile
platforms: linux/amd64
outputs: type=docker,dest=/tmp/kubewarden-controller-image-${{ env.TAG_NAME }}.tar
tags: |
ghcr.io/${{github.repository_owner}}/kubewarden-controller:${{ env.TAG_NAME }}
-
name: Upload container image to use in other jobs
- name: Upload container image to use in other jobs
if: ${{ inputs.push-image == false }}
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: kubewarden-controller-image-${{ env.TAG_NAME }}
path: /tmp/kubewarden-controller-image-${{ env.TAG_NAME }}.tar
-
id: setoutput
- id: setoutput
name: Set output parameters
run: |
echo "repository=ghcr.io/${{github.repository_owner}}/kubewarden-controller" >> $GITHUB_OUTPUT
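Review bot: The "Retrieve tag name (tag)" step still writes `echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV` with every expansion unquoted and an `echo | sed` pipeline, while the feat-branch step just above already uses parameter expansion. Since the commit re-indents this line anyway, I would change it to `echo "TAG_NAME=${GITHUB_REF#refs/tags/}" >> "$GITHUB_ENV"`. The value is later interpolated into the image reference and into the tarball path under /tmp, so it should be copied as one literal word. Separately, a branch such as `feat/x` would give `latest-feat/x` in the feat-branch step, and `/` is not valid in an image tag; that line is unchanged here but is worth a follow-up if such branch names are used.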
6 changes: 3 additions & 3 deletions .github/workflows/fossa.yml
Expand Up @@ -2,9 +2,9 @@ name: fossa scanning
on:
push:
tags:
- 'v*'
- "v*"
branches:
- 'main'
- "main"

# Declare default permissions as read only.
permissions: read-all
Expand All @@ -13,7 +13,7 @@ jobs:
fossa-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
with:
api-key: ${{secrets.FOSSA_API_TOKEN}}
6 changes: 3 additions & 3 deletions .github/workflows/openssf.yml
@@ -1,7 +1,7 @@
name: Scorecards supply-chain security
on:
push:
branches: [ main ]
branches: [main]

# Declare default permissions as read only.
permissions: read-all
Expand All @@ -18,12 +18,12 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
with:
results_file: results.sarif
results_format: sarif
2 changes: 1 addition & 1 deletion .github/workflows/release-drafter.yml
Expand Up @@ -28,7 +28,7 @@ jobs:
runs-on: ubuntu-latest
steps:
# Drafts your next Release notes as Pull Requests are merged into "master"
- uses: release-drafter/release-drafter@65c5fb495d1e69aa8c08a3317bc44ff8aabe9772 # v5
- uses: release-drafter/release-drafter@65c5fb495d1e69aa8c08a3317bc44ff8aabe9772 # v5.24.0
# (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
# with:
# config-name: my-config.yml
29 changes: 15 additions & 14 deletions .github/workflows/release.yml
Expand Up @@ -2,7 +2,7 @@ name: kubewarden-controller release
on:
push:
tags:
- 'v*'
- "v*"

# Declare default permissions as read only.
permissions: read-all
Expand All @@ -24,20 +24,19 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Install Golang
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: '1.19'
go-version: "1.19"

- name: Checkout code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

- name: Generate CRDs
run: |
make generate-crds
tar -czf CRDS.tar.gz -C generated-crds $(ls generated-crds)
-
name: Upload CRDs as artifacts
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
- name: Upload CRDs as artifacts
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: CRDS
path: CRDS.tar.gz
Expand All @@ -63,7 +62,7 @@ jobs:
- name: Get latest release tag
id: get_last_release_tag
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
script: |
let release = await github.rest.repos.getLatestRelease({
Expand All @@ -78,7 +77,7 @@ jobs:
core.setFailed("Cannot find latest release")
- name: Get release ID from the release created by release drafter
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
script: |
let releases = await github.rest.repos.listReleases({
Expand All @@ -95,12 +94,12 @@ jobs:
core.setFailed(`Draft release not found`)
- name: Download SBOM artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: sbom

- name: Download CRDs artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: CRDS

Expand All @@ -109,10 +108,12 @@ jobs:

- name: Upload release assets
id: upload_release_assets
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
script: |
let fs = require('fs');
let path = require('path');
let files = [
'kubewarden-controller-sbom-amd64.spdx',
'kubewarden-controller-sbom-amd64.spdx.cert',
Expand All @@ -130,7 +131,7 @@ jobs:
owner: context.repo.owner,
repo: context.repo.repo,
release_id: `${RELEASE_ID}`,
name: file,
name: path.basename(file),
data: file_data,
});
// store the crds asset id used it in the helm chart update
Expand All @@ -140,7 +141,7 @@ jobs:
}
- name: Publish release
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
script: |
const {RELEASE_ID} = process.env
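Review bot: `name: path.basename(file)` in the "Upload release assets" script has no comment saying why the directory part is dropped, and the `files` entries visible in the preceding hunk are already bare names, so the reason cannot be read off the diff. I would add `// upload under the bare file name; an entry in files may carry a directory prefix` above it. GitHub rejects an upload whose asset name already exists on the release, so two entries that share a base name would now fail on the second upload. It is worth keeping the list free of such pairs. The loop body and the code that stores the CRDs asset id continue outside the visible hunks, so any comparison there against `file` rather than the uploaded name should be checked.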
13 changes: 6 additions & 7 deletions .github/workflows/sbom.yml
Expand Up @@ -21,16 +21,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Install cosign
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2

- name: Install the syft command
uses: kubewarden/github-actions/syft-installer@00836d4962f80890a32cca1dd324d2ebafc4e29c # v3.1.5
uses: kubewarden/github-actions/syft-installer@0b73198f5d655ef4ad84e423f8047044ed73fd4b # v3.1.9

- name: Install the crane command
uses: kubewarden/github-actions/crane-installer@00836d4962f80890a32cca1dd324d2ebafc4e29c # v3.1.5
uses: kubewarden/github-actions/crane-installer@0b73198f5d655ef4ad84e423f8047044ed73fd4b # v3.1.9

- name: Login to GitHub Container Registry
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
Expand Down Expand Up @@ -76,9 +76,8 @@ jobs:
cosign sign --yes \
ghcr.io/${{github.repository_owner}}/kubewarden-controller:${SBOM_TAG}
-
name: Upload SBOMs as artifacts
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
- name: Upload SBOMs as artifacts
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: sbom
path: kubewarden-controller-sbom-*
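Review bot: `cosign sign --yes ghcr.io/${{github.repository_owner}}/kubewarden-controller:${SBOM_TAG}` at the top of the last hunk signs by tag, and a tag can be re-pointed between the push and the signing call, so the signature may end up on a different manifest than the one this job produced; cosign itself prints a warning for tag references. crane is already installed in this job, so the digest can be resolved once with `DIGEST=$(crane digest ghcr.io/${{github.repository_owner}}/kubewarden-controller:${SBOM_TAG})` and the signing target written as `…/kubewarden-controller@${DIGEST}`. Capturing the digest from the command that pushed the artifact would be tighter still. The `run:` block starts above the hunk, so the earlier lines may already do part of this.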
4 changes: 2 additions & 2 deletions .github/workflows/sign-image.yml
Expand Up @@ -17,10 +17,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Install cosign
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2

- name: Login to GitHub Container Registry
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}