SEC-090: Automated trusted workflow pinning (hashicorp#566)

* Pin all actions * Remove dependabot for actions
opentofu · Jul 31, 2023 · 06c04fd · 06c04fd
1 parent 8153e6b
commit 06c04fd
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 30 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -2,15 +2,6 @@
 # https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates
 version: 2
 updates:
-  # Maintain dependencies for GitHub Actions
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      # Check for updates to GitHub Actions every weekday
-      interval: "daily"
-    labels:
-      - "pr/no-changelog"
-
   # Maintain dependencies for Go modules
   - package-ecosystem: "gomod"
     directory: "/"

diff --git a/.github/workflows/changelog-check.yml b/.github/workflows/changelog-check.yml
@@ -21,7 +21,7 @@ jobs:
       !contains(github.event.pull_request.labels.*.name, 'pr/no-changelog')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0 # by default the checkout action doesn't checkout all branches
 

diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -22,13 +22,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0
           token: ${{ secrets.HCP_SDK_PIPELINE_TOKEN }}
 
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
           cache: true
           go-version-file: 'go.mod'

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,19 +14,19 @@ jobs:
     outputs:
       version: ${{ steps.go-version.outputs.version }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - id: go-version
         run: echo "version=$(cat ./.go-version)" >> $GITHUB_OUTPUT
 
   release-notes:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0
       - name: Generate Release Notes
         run: sed -n -e "1{/# v /d;}" -e "2{/^$/d;}" -e "/# v$(git describe --abbrev=0 --exclude="$(git describe --abbrev=0 --match='v*.*.*' --tags)" --match='v*.*.*' --tags | tr -d v)/q;p" CHANGELOG.md > release-notes.txt
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: release-notes
           path: release-notes.txt

diff --git a/.github/workflows/sync-internal-and-public.yml b/.github/workflows/sync-internal-and-public.yml
@@ -13,14 +13,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Public Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0
           token: ${{ secrets.HCP_SDK_PIPELINE_TOKEN }}
           path: public
 
       - name: Checkout Internal Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           token: ${{ secrets.HCP_SDK_PIPELINE_TOKEN }}
           repository: hashicorp/terraform-provider-hcp-internal

diff --git a/.github/workflows/terraform_provider.yml b/.github/workflows/terraform_provider.yml
@@ -18,10 +18,10 @@ jobs:
     steps:
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
       with:
         cache: true
         go-version-file: 'go.mod'
@@ -40,10 +40,10 @@ jobs:
     steps:
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
       with:
         cache: true
         go-version-file: 'go.mod'
@@ -65,10 +65,10 @@ jobs:
     steps:
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
       with:
         cache: true
         go-version-file: 'go.mod'
@@ -85,7 +85,7 @@ jobs:
         make test-ci
     
     - name: Upload Coverage Artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
       with:
         name: Test Coverage
         path: coverage.html
@@ -98,10 +98,10 @@ jobs:
     steps:
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
       with:
         cache: true
         go-version-file: 'go.mod'

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -23,13 +23,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0
           token: ${{ secrets.HCP_SDK_PIPELINE_TOKEN }}
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
           cache: true
           go-version-file: 'go.mod'
@@ -48,7 +48,7 @@ jobs:
         run: make test-ci
 
       - name: Upload Unit Test Coverage Artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: Test Coverage
           path: coverage.html
@@ -88,7 +88,7 @@ jobs:
           make testacc-ci TESTARGS='-run=${{ inputs.acc-test-pattern }} -test.v'
 
       - name: Upload E2E Coverage Artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: Test Coverage
           path: coverage-e2e.html