From 5158c20256caf99d9cd1b41c861bffd06abe26fc Mon Sep 17 00:00:00 2001
From: Flavio Castelli
Date: Tue, 5 Sep 2023 16:52:14 +0200
Subject: [PATCH] chore(deps): be explicit about the GH actions versions

Provide full version for GH actions

Signed-off-by: Flavio Castelli
---
 .github/workflows/ci.yml | 22 ++++++------
 .github/workflows/container-image.yml | 49 +++++++++++----------------
 .github/workflows/fossa.yml | 6 ++--
 .github/workflows/openssf.yml | 6 ++--
 .github/workflows/release-drafter.yml | 2 +-
 .github/workflows/release.yml | 29 ++++++++--------
 .github/workflows/sbom.yml | 13 ++++---
 .github/workflows/sign-image.yml | 4 +--
 8 files changed, 60 insertions(+), 71 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fe810c2c..542145f2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,32 +13,32 @@ jobs:
 name: Unit tests
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
+ - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
 with:
- go-version: '1.19'
+ go-version: "1.19"
 - run: make unit-tests
 integration_tests:
 name: Integration tests
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
+ - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
 with:
- go-version: '1.19'
+ go-version: "1.19"
 - run: make integration-tests
 golangci:
 name: Golangci-lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
+ - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
 with:
- go-version: '1.19'
+ go-version: "1.19"
 - name: golangci-lint
- uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3
+ uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
 with:
 version: v1.49.0
@@ -47,5 +47,5 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 - run: shellcheck $(find scripts/ -name '*.sh')
diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml
index 7f6edc29..101f8b62 100644
--- a/.github/workflows/container-image.yml
+++ b/.github/workflows/container-image.yml
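Review bot: The new `actions/checkout@3df4ab11…` steps in the three jobs of this hunk do not set `persist-credentials: false`, so unless the default was changed elsewhere the job token stays in the checkout's git config for everything `make unit-tests`, `make integration-tests` and golangci-lint run afterwards; openssf.yml in this same patch already passes `persist-credentials: false`, and these read-only jobs should do the same: `with:` / `persist-credentials: false` under each checkout (the ci.yml `permissions:` block is outside this hunk, so I cannot tell whether the token is already scoped to read). The new labels `# v4.0.0`, `# v4.1.0` and `# v3.7.0` are comments only; nothing in the workflow checks that each pinned SHA resolves to that tag, and `setup-go` keeps the same SHA `93397bea…` while its label changes from `v4` to `v4.1.0`, which is fine only if that commit is really the `v4.1.0` tag. Please say in the PR how the mappings were verified, or let a pin-aware updater (Dependabot/Renovate) own both the SHA and the comment, since a stale label is worse than none because reviewers trust it.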
@@ -32,42 +32,34 @@ jobs:
 artifact: ${{ steps.setoutput.outputs.artifact }}
 digest: ${{ steps.setoutput.outputs.digest }}
 steps:
- -
- name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- -
- name: Set up QEMU
- uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2
- -
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2
- -
- name: Login to GitHub Container Registry
- uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
+ - name: Checkout code
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
- -
- name: Retrieve tag name (main branch)
+ - name: Retrieve tag name (main branch)
 if: ${{ startsWith(github.ref, 'refs/heads/main') }}
 run: |
 echo TAG_NAME=latest >> $GITHUB_ENV
- -
- name: Retrieve tag name (feat branch)
+ - name: Retrieve tag name (feat branch)
 if: ${{ startsWith(github.ref, 'refs/heads/feat') }}
 run: |
 echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
- -
- name: Retrieve tag name (tag)
+ - name: Retrieve tag name (tag)
 if: ${{ startsWith(github.ref, 'refs/tags/') }}
 run: |
- echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
- -
- name: Build and push container image
+ echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
+ - name: Build and push container image
 if: ${{ inputs.push-image }}
 id: build-image
- uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4
+ uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
 with:
 context: .
 file: ./Dockerfile
@@ -75,13 +67,12 @@ jobs:
 push: true
 tags: |
 ghcr.io/${{github.repository_owner}}/kubewarden-controller:${{ env.TAG_NAME }}
- -
- # Only build amd64 because buildx does not allow multiple platforms when
+ - # Only build amd64 because buildx does not allow multiple platforms when
 # exporting the image to a tarball. As we use this only for end-to-end tests
 # and they run on amd64 arch, let's skip the arm64 build for now.
 name: Build linux/amd64 container image
 if: ${{ inputs.push-image == false }}
- uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4
+ uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
 with:
 context: .
 file: ./Dockerfile
@@ -89,15 +80,13 @@ jobs:
 outputs: type=docker,dest=/tmp/kubewarden-controller-image-${{ env.TAG_NAME }}.tar
 tags: |
 ghcr.io/${{github.repository_owner}}/kubewarden-controller:${{ env.TAG_NAME }}
- -
- name: Upload container image to use in other jobs
+ - name: Upload container image to use in other jobs
 if: ${{ inputs.push-image == false }}
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: kubewarden-controller-image-${{ env.TAG_NAME }}
 path: /tmp/kubewarden-controller-image-${{ env.TAG_NAME }}.tar
- -
- id: setoutput
+ - id: setoutput
 name: Set output parameters
 run: |
 echo "repository=ghcr.io/${{github.repository_owner}}/kubewarden-controller" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index 907ab1af..8c59c94e 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -2,9 +2,9 @@ name: fossa scanning
 on:
 push:
 tags:
- - 'v*'
+ - "v*"
 branches:
- - 'main'
+ - "main"
 # Declare default permissions as read only.
 permissions: read-all
@@ -13,7 +13,7 @@ jobs:
 fossa-scan:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 - uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
 with:
 api-key: ${{secrets.FOSSA_API_TOKEN}}
diff --git a/.github/workflows/openssf.yml b/.github/workflows/openssf.yml
index 773ae339..e5eda433 100644
--- a/.github/workflows/openssf.yml
+++ b/.github/workflows/openssf.yml
@@ -1,7 +1,7 @@
 name: Scorecards supply-chain security
 on:
 push:
- branches: [ main ]
+ branches: [main]
 # Declare default permissions as read only.
 permissions: read-all
@@ -18,12 +18,12 @@ jobs:
 steps:
 - name: "Checkout code"
- uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 with:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+ uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
 with:
 results_file: results.sarif
 results_format: sarif
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index e1511655..63da4709 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -28,7 +28,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Drafts your next Release notes as Pull Requests are merged into "master"
- - uses: release-drafter/release-drafter@65c5fb495d1e69aa8c08a3317bc44ff8aabe9772 # v5
+ - uses: release-drafter/release-drafter@65c5fb495d1e69aa8c08a3317bc44ff8aabe9772 # v5.24.0
 # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
 # with:
 # config-name: my-config.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0fd2bba7..dd71dbbc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,7 +2,7 @@ name: kubewarden-controller release
 on:
 push:
 tags:
- - 'v*'
+ - "v*"
 # Declare default permissions as read only.
 permissions: read-all
@@ -24,20 +24,19 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Install Golang
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
+ uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
 with:
- go-version: '1.19'
+ go-version: "1.19"
 - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 - name: Generate CRDs
 run: |
 make generate-crds
 tar -czf CRDS.tar.gz -C generated-crds $(ls generated-crds)
- -
- name: Upload CRDs as artifacts
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+ - name: Upload CRDs as artifacts
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: CRDS
 path: CRDS.tar.gz
@@ -63,7 +62,7 @@ jobs:
 - name: Get latest release tag
 id: get_last_release_tag
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 with:
 script: |
 let release = await github.rest.repos.getLatestRelease({
@@ -78,7 +77,7 @@ jobs:
 core.setFailed("Cannot find latest release")
 - name: Get release ID from the release created by release drafter
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 with:
 script: |
 let releases = await github.rest.repos.listReleases({
@@ -95,12 +94,12 @@ jobs:
 core.setFailed(`Draft release not found`)
 - name: Download SBOM artifact
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: sbom
 - name: Download CRDs artifact
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: CRDS
@@ -109,10 +108,12 @@ jobs:
 - name: Upload release assets
 id: upload_release_assets
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 with:
 script: |
 let fs = require('fs');
+ let path = require('path');
+
 let files = [
 'kubewarden-controller-sbom-amd64.spdx',
 'kubewarden-controller-sbom-amd64.spdx.cert',
@@ -130,7 +131,7 @@ jobs:
 owner: context.repo.owner,
 repo: context.repo.repo,
 release_id: `${RELEASE_ID}`,
- name: file,
+ name: path.basename(file),
 data: file_data,
 });
 // store the crds asset id used it in the helm chart update
@@ -140,7 +141,7 @@ jobs:
 }
 - name: Publish release
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 with:
 script: |
 const {RELEASE_ID} = process.env
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 7f757a77..905fbd15 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
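Review bot: `name: path.basename(file)` in the `@@ -130` hunk changes the asset name sent with every upload in the release script, a functional change to what gets published that is hidden inside a commit whose subject only promises fuller version comments; it deserves its own commit with a message saying why `files` now holds entries with directory components. If two entries of `files` ever share a basename the second upload will presumably be rejected for a duplicate asset name, and the array is only partly visible here, so a guard before the loop would make the failure explicit: `if (new Set(files.map(f => path.basename(f))).size !== files.length) { core.setFailed('duplicate release asset names'); return; }`. The loop that reads `file_data` and makes the upload call starts outside this hunk.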
@@ -21,16 +21,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Install cosign
- uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3
+ uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
 - name: Install the syft command
- uses: kubewarden/github-actions/syft-installer@00836d4962f80890a32cca1dd324d2ebafc4e29c # v3.1.5
+ uses: kubewarden/github-actions/syft-installer@0b73198f5d655ef4ad84e423f8047044ed73fd4b # v3.1.9
 - name: Install the crane command
- uses: kubewarden/github-actions/crane-installer@00836d4962f80890a32cca1dd324d2ebafc4e29c # v3.1.5
+ uses: kubewarden/github-actions/crane-installer@0b73198f5d655ef4ad84e423f8047044ed73fd4b # v3.1.9
 - name: Login to GitHub Container Registry
- uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
+ uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -76,9 +76,8 @@ jobs:
 cosign sign --yes \
 ghcr.io/${{github.repository_owner}}/kubewarden-controller:${SBOM_TAG}
- -
- name: Upload SBOMs as artifacts
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+ - name: Upload SBOMs as artifacts
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: sbom
 path: kubewarden-controller-sbom-*
diff --git a/.github/workflows/sign-image.yml b/.github/workflows/sign-image.yml
index 1b07febe..faa5c096 100644
--- a/.github/workflows/sign-image.yml
+++ b/.github/workflows/sign-image.yml
@@ -17,10 +17,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Install cosign
- uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3
+ uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
 - name: Login to GitHub Container Registry
- uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
+ uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}