From 15b1ff5d9b5a03b80e07060acefaec73e5c1584a Mon Sep 17 00:00:00 2001
From: Bram van de Kerkhof
Date: Wed, 12 Feb 2025 14:58:58 +0100
Subject: [PATCH] fix Unpinned tag for a non-immutable Action in workflow in codeql
---
 .github/workflows/boefjes_container_image.yml | 8 ++++----
 .github/workflows/build-debian-docker-image.yml | 4 ++--
 .github/workflows/bytes_container_image.yml | 8 ++++----
 .github/workflows/containerized_boefjes.yml | 8 ++++----
 .github/workflows/debian_package.yml | 4 ++--
 .github/workflows/keiko_container_image.yml | 8 ++++----
 .github/workflows/masscan_container_image.yml | 6 +++---
 .github/workflows/mula_container_image.yml | 8 ++++----
 .github/workflows/octopoes_container_image.yml | 8 ++++----
 .github/workflows/octopoes_rtest.yml | 2 +-
 .github/workflows/rocky_container_image.yml | 8 ++++----
 .github/workflows/sonar-cloud.yml | 4 ++--
 .github/workflows/test_debian_packages_on_ubuntu.yml | 2 +-
 13 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/.github/workflows/boefjes_container_image.yml b/.github/workflows/boefjes_container_image.yml
index 83ac04f6046..114accbaebe 100644
--- a/.github/workflows/boefjes_container_image.yml
+++ b/.github/workflows/boefjes_container_image.yml
@@ -26,7 +26,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: |
 ghcr.io/${{ github.repository_owner }}/nl-kat-boefjes
@@ -36,11 +36,11 @@ jobs:
 type=ref,event=pr
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 id: buildx
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
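Review bot: Nothing in the first boefjes_container_image.yml hunk lets a reader confirm that `369eb591f429131d6889c46b94e711f089e6ca96` is the commit the `v5.6.1` tag of docker/metadata-action points to. The trailing comment is free text that the runner never checks, and the same holds for every pinned `uses:` line in the other twelve workflow files. Before merging, resolve each tag against the upstream repository, for example `git ls-remote --tags https://github.com/docker/metadata-action 'v5.6.1*'` (an annotated tag lists its commit on the `^{}` line), and compare the result with the pin. SHA pins also stop picking up upstream fixes on their own, so the repository needs an updater that understands the `# vX.Y.Z` comment convention; whether one is configured is not visible on this page.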
@@ -54,7 +54,7 @@ jobs:
 cp _version.py boefjes/boefjes/katalogus/version.py
 - name: Build container image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
 with:
 # We don't use git context because that doesn't process .dockerignore
 # https://github.com/docker/cli/issues/2827
diff --git a/.github/workflows/build-debian-docker-image.yml b/.github/workflows/build-debian-docker-image.yml
index 0f46fb11e4a..37078232e49 100644
--- a/.github/workflows/build-debian-docker-image.yml
+++ b/.github/workflows/build-debian-docker-image.yml
@@ -31,7 +31,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Log in to the Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -51,7 +51,7 @@ jobs:
 type=sha
 - name: Build and push Docker image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
 with:
 context: ./packaging/${{ matrix.dist }}
 push: true
diff --git a/.github/workflows/bytes_container_image.yml b/.github/workflows/bytes_container_image.yml
index cf7c735a290..977a37259a6 100644
--- a/.github/workflows/bytes_container_image.yml
+++ b/.github/workflows/bytes_container_image.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: |
 ghcr.io/${{ github.repository_owner }}/nl-kat-bytes
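Review bot: `uses: actions/checkout@v4`, visible as context at the top of the first build-debian-docker-image.yml hunk, is still referenced by a mutable tag, one step before the registry login that this commit pins; the same context line opens the first masscan_container_image.yml hunk. The CodeQL rule named in the subject may not report actions published under the `actions/` organisation (not confirmed from this page), but the step runs in the same job that logs in to the container registry and pushes an image (`push: true`), so a full-SHA pin there closes the same gap. Suggested form: `uses: actions/checkout@<FULL_COMMIT_SHA> # v4.x.y`, with the placeholder resolved from the upstream tag. The job's step list starts outside the hunk, so other tag-referenced steps may exist.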
@@ -34,11 +34,11 @@ jobs:
 type=ref,event=pr
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 id: buildx
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -51,7 +51,7 @@ jobs:
 cp _version.py bytes/bytes/version.py
 - name: Build container image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
 with:
 # We don't use git context because that doesn't process .dockerignore
 # https://github.com/docker/cli/issues/2827
diff --git a/.github/workflows/containerized_boefjes.yml b/.github/workflows/containerized_boefjes.yml
index fa30bf5c84e..a93b82ae855 100644
--- a/.github/workflows/containerized_boefjes.yml
+++ b/.github/workflows/containerized_boefjes.yml
@@ -35,7 +35,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: |
 ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}
@@ -45,18 +45,18 @@ jobs:
 type=ref,event=pr
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 id: buildx
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build container image for ${{ matrix.image }}
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
 with:
 # We don't use git context because that doesn't process .dockerignore
 # https://github.com/docker/cli/issues/2827
diff --git a/.github/workflows/debian_package.yml b/.github/workflows/debian_package.yml
index d1895dd7fef..36e56867f0e 100644
--- a/.github/workflows/debian_package.yml
+++ b/.github/workflows/debian_package.yml
@@ -15,7 +15,7 @@ jobs:
 outputs:
 packages: ${{ steps.filter.outputs.changes }}
 steps:
- - uses: dorny/paths-filter@v3
+ - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
 if: github.event_name != 'push'
 id: filter
 with:
@@ -76,7 +76,7 @@ jobs:
 cp _version.py rocky/rocky/version.py
 - name: Run debian package build
- uses: addnab/docker-run-action@v3
+ uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
 with:
 run: packaging/scripts/build-debian-package.sh
 registry: ghcr.io
diff --git a/.github/workflows/keiko_container_image.yml b/.github/workflows/keiko_container_image.yml
index e8e8d6e5a55..71586ec1b33 100644
--- a/.github/workflows/keiko_container_image.yml
+++ b/.github/workflows/keiko_container_image.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: |
 ghcr.io/${{ github.repository_owner }}/nl-kat-keiko
@@ -34,11 +34,11 @@ jobs:
 type=ref,event=pr
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 id: buildx
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -51,7 +51,7 @@ jobs:
 cp _version.py keiko/keiko/version.py
 - name: Build container image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
 with:
 # We don't use git context because that doesn't process .dockerignore
 # https://github.com/docker/cli/issues/2827
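Review bot: The comment on `addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3` in the second debian_package.yml hunk names the floating major tag rather than an exact release, unlike the other pins in this commit (`# v3.0.2`, `# v5.6.1`); the same line is added in test_debian_packages_on_ubuntu.yml. A floating tag in the comment does not tell a later reader which upstream state was reviewed. If upstream publishes no finer-grained tag, say so in the comment, e.g. `# v3 (no patch-level tag upstream, pinned <YYYY-MM-DD>)`. Separately, this action appears to run the build script inside a container image pulled from `ghcr.io`, and pinning the action does not pin that image; its `image:` input is outside the hunk, so check whether it references a tag or a digest.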
diff --git a/.github/workflows/masscan_container_image.yml b/.github/workflows/masscan_container_image.yml
index 1594c7d6b70..49fa7cc2d99 100644
--- a/.github/workflows/masscan_container_image.yml
+++ b/.github/workflows/masscan_container_image.yml
@@ -31,11 +31,11 @@ jobs:
 uses: actions/checkout@v4
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 id: buildx
 - name: Log in to the Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -55,7 +55,7 @@ jobs:
 type=sha
 - name: Build and push Docker image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
 with:
 context: ./boefjes/images/masscan
 push: true
diff --git a/.github/workflows/mula_container_image.yml b/.github/workflows/mula_container_image.yml
index c38f60956e3..f3a3fee9a99 100644
--- a/.github/workflows/mula_container_image.yml
+++ b/.github/workflows/mula_container_image.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: |
 ghcr.io/${{ github.repository_owner }}/nl-kat-mula
@@ -34,11 +34,11 @@ jobs:
 type=ref,event=pr
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 id: buildx
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -51,7 +51,7 @@ jobs:
 cp _version.py mula/scheduler/version.py
 - name: Build container image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
 with:
 # We don't use git context because that doesn't process .dockerignore
 # https://github.com/docker/cli/issues/2827
diff --git a/.github/workflows/octopoes_container_image.yml b/.github/workflows/octopoes_container_image.yml
index ad33ba68147..5972e4cc29f 100644
--- a/.github/workflows/octopoes_container_image.yml
+++ b/.github/workflows/octopoes_container_image.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: |
 ghcr.io/${{ github.repository_owner }}/nl-kat-octopoes
@@ -34,11 +34,11 @@ jobs:
 type=ref,event=pr
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 id: buildx
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -51,7 +51,7 @@ jobs:
 cp _version.py octopoes/octopoes/version.py
 - name: Build container image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
 with:
 # We don't use git context because that doesn't process .dockerignore
 # https://github.com/docker/cli/issues/2827
diff --git a/.github/workflows/octopoes_rtest.yml b/.github/workflows/octopoes_rtest.yml
index adb3bc07b8a..6d92b3e0140 100644
--- a/.github/workflows/octopoes_rtest.yml
+++ b/.github/workflows/octopoes_rtest.yml
@@ -32,7 +32,7 @@ jobs:
 working-directory: ./octopoes
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 id: buildx
 - name: Run robot tests
diff --git a/.github/workflows/rocky_container_image.yml b/.github/workflows/rocky_container_image.yml
index e2e3a09bc8a..f2237ed65ff 100644
--- a/.github/workflows/rocky_container_image.yml
+++ b/.github/workflows/rocky_container_image.yml
@@ -26,7 +26,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: |
 ghcr.io/${{ github.repository_owner }}/nl-kat-rocky
@@ -36,11 +36,11 @@ jobs:
 type=ref,event=pr
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 id: buildx
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -53,7 +53,7 @@ jobs:
 cp _version.py rocky/rocky/version.py
 - name: Build container image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
 with:
 # We don't use git context because that doesn't process .dockerignore
 # https://github.com/docker/cli/issues/2827
diff --git a/.github/workflows/sonar-cloud.yml b/.github/workflows/sonar-cloud.yml
index faf71ac8d4d..2b01f2778b6 100644
--- a/.github/workflows/sonar-cloud.yml
+++ b/.github/workflows/sonar-cloud.yml
@@ -58,7 +58,7 @@ jobs:
 path: ${{ matrix.module['name'] }}-coverage-unit
 - name: Fix coverage report sources
- uses: Mudlet/xmlstarlet-action@master
+ uses: Mudlet/xmlstarlet-action@9866e85e774e0fb50bc49de15274d005b5a69f0e # master
 with:
 args: edit --inplace --update "coverage/sources" --value "/github/workspace/${{ matrix.module['name'] }}/" "${{ matrix.module['name'] }}-coverage-unit/coverage.xml"
@@ -89,6 +89,6 @@ jobs:
 pattern: "*-coverage-unit-fixed"
 - name: SonarCloud
- uses: SonarSource/sonarcloud-github-action@v4.0.0
+ uses: SonarSource/sonarcloud-github-action@02ef91109b2d589e757aefcfb2854c2783fd7b19 # v4.0.0
 env:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/test_debian_packages_on_ubuntu.yml b/.github/workflows/test_debian_packages_on_ubuntu.yml
index 2fcc3bdf89c..8b09be85f5e 100644
--- a/.github/workflows/test_debian_packages_on_ubuntu.yml
+++ b/.github/workflows/test_debian_packages_on_ubuntu.yml
@@ -34,7 +34,7 @@ jobs:
 fi
 - name: Run debian package build
- uses: addnab/docker-run-action@v3
+ uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
 with:
 run: packaging/scripts/build-debian-package.sh
 registry: ghcr.io
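Review bot: The `# master` comment on `Mudlet/xmlstarlet-action@9866e85e774e0fb50bc49de15274d005b5a69f0e` in the first sonar-cloud.yml hunk records a branch name, which will point elsewhere after the next upstream push. It therefore cannot tell a later reader which state was reviewed or how stale the pin has become. Record when the pin was taken instead, e.g. `# master @ <YYYY-MM-DD>, no release tag upstream` (date placeholder to be filled in by the author). With no release tag, version-based update tooling has nothing to compare against, so this pin probably needs a manual review reminder. The step list of this job begins outside the hunk.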