diff --git a/.github/actions/setup-nix/action.yaml b/.github/actions/setup-nix/action.yaml
index 324a9d1a81..aaeb54723f 100644
--- a/.github/actions/setup-nix/action.yaml
+++ b/.github/actions/setup-nix/action.yaml
@@ -11,8 +11,8 @@ inputs:
 runs:
 using: composite
 steps:
- - uses: nixbuild/nix-quick-install-action@v26
- - uses: cachix/cachix-action@v14
+ - uses: nixbuild/nix-quick-install-action@1fe9e97a7bb9eea2f717fa55360c33293d5e2524 # v26
+ - uses: cachix/cachix-action@18cf96c7c98e048e10a83abd92116114cd8504be # v14
 with:
 name: postgrest
 authToken: ${{ inputs.authToken }}
diff --git a/.github/scripts/arm/docker-env/Dockerfile b/.github/scripts/arm/docker-env/Dockerfile
index b94fcaaeee..8d040a88af 100644
--- a/.github/scripts/arm/docker-env/Dockerfile
+++ b/.github/scripts/arm/docker-env/Dockerfile
@@ -1,6 +1,6 @@
 # PostgREST docker hub image
-FROM ubuntu:focal AS postgrest
+FROM ubuntu:focal@sha256:bb1c41682308d7040f74d103022816d41c50d7b0c89e9d706a74b4e548636e54 AS postgrest
 RUN apt-get update -y \
 && apt install -y --no-install-recommends libpq-dev zlib1g-dev jq gcc libnuma-dev \
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 9f11f65f47..7b3c768eee 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -33,7 +33,7 @@ jobs:
 name: Nix - Linux static
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Nix Environment
 uses: ./.github/actions/setup-nix
 with:
@@ -42,7 +42,7 @@ jobs:
 - name: Build static executable
 run: nix-build -A postgrestStatic
 - name: Save built executable as artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
 with:
 name: postgrest-linux-static-x64
 path: result/bin/postgrest
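Review bot: The digest added to the `FROM` line in `.github/scripts/arm/docker-env/Dockerfile` has no comment saying how or when it is refreshed, and with the pin in place a rebuild no longer picks up a newer `focal` base; nothing visible in the hunk runs a package upgrade. I would add a line above `FROM` such as `# Base image pinned by digest; bump it on a schedule (e.g. Dependabot docker updates) to pick up base-image security fixes`. Because this file sits under the arm build path, it is also worth confirming that the digest is the multi-architecture index for `ubuntu:focal` and not a single-platform manifest; that cannot be checked from the diff. The `RUN` instruction continues past the end of the hunk.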
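Review bot: The trailing `# v4` on the pinned `actions/checkout` and `actions/upload-artifact` lines in build.yaml (hunks `@@ -33,7 +33,7 @@` and `@@ -42,7 +42,7 @@`) names the moving major tag, so a reader cannot tell which release the SHA was taken from or audit it against the upstream tag list. Writing the exact release in the comment, in the form `# vX.Y.Z` (placeholder; use the tag the SHA resolves to), keeps the pin reviewable and lets update tooling such as Dependabot rewrite the comment together with the SHA. The same applies to every `# v4` comment in the other workflow files of this commit; `# v2.0.0` in report.yaml already follows this form.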
@@ -51,7 +51,7 @@ jobs:
 - name: Build Docker image
 run: nix-build -A docker.image --out-link postgrest-docker.tar.gz
 - name: Save built Docker image as artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
 with:
 name: postgrest-docker-x64
 path: postgrest-docker.tar.gz
@@ -62,7 +62,7 @@ jobs:
 name: Nix - MacOS
 runs-on: macos-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Nix Environment
 uses: ./.github/actions/setup-nix
 with:
@@ -104,9 +104,9 @@ jobs:
 name: Stack - ${{ matrix.name }}
 runs-on: ${{ matrix.runs-on }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Stack working files cache
- uses: actions/cache@v4
+ uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
 with:
 path: ${{ matrix.cache }}
 key: cache-stack-${{ runner.os }}-${{ hashFiles('stack.yaml.lock') }}
@@ -121,7 +121,7 @@ jobs:
 run: strip result/postgrest*
 - name: Save built executable as artifact
 if: matrix.artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
 with:
 name: ${{ matrix.artifact }}
 path: |
@@ -134,7 +134,7 @@ jobs:
 name: Stack - FreeBSD from CirrusCI
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Get FreeBSD executable from CirrusCI
 env:
 # GITHUB_SHA does weird things for pull request, so we roll our own:
@@ -142,7 +142,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: .github/get_cirrusci_freebsd
 - name: Save executable as artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
 with:
 name: postgrest-freebsd-x64
 path: postgrest
@@ -157,7 +157,7 @@ jobs:
 name: Cabal - Linux GHC ${{ matrix.ghc }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: ghcup
 run: |
 # GHC 9.8.2 is not available in regular release channel, yet.
@@ -169,7 +169,7 @@ jobs:
 mkdir ~/.cabal
 cp cabal.project.non-nix cabal.project
 - name: Cache
- uses: actions/cache@v4
+ uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
 with:
 path: |
 ~/.cabal/packages
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index e705079064..ad226214db 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -20,7 +20,7 @@ jobs:
 name: Lint & Style
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Nix Environment
 uses: ./.github/actions/setup-nix
 with:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 11c4b07e28..953082628f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -53,7 +53,7 @@ jobs:
 GITHUB_COMMIT: ${{ github.sha }}
 GHC_VERSION: '9.4.8'
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - id: Remote-Dir
 name: Unique directory name for the remote build
 run: echo "remotepath=postgrest-build-$(uuidgen)" >> "$GITHUB_OUTPUT"
@@ -105,7 +105,7 @@ jobs:
 - name: Extract downloaded binaries
 run: tar -xvf result.tar.xz && rm result.tar.xz
 - name: Save aarch64 executable as artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
 with:
 name: postgrest-ubuntu-aarch64
 path: result/postgrest
@@ -127,7 +127,7 @@ jobs:
 version: ${{ steps.Identify-Version.outputs.version }}
 isprerelease: ${{ steps.Identify-Version.outputs.isprerelease }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - id: Identify-Version
 name: Identify the version to be released
 run: |
@@ -164,7 +164,7 @@ jobs:
 echo "Relevant extract from CHANGELOG.md:"
 cat CHANGES.md
 - name: Save CHANGES.md as artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
 with:
 name: release-changes
 path: CHANGES.md
@@ -180,9 +180,9 @@ jobs:
 env:
 VERSION: ${{ needs.prepare.outputs.version }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Download all artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4
 with:
 path: artifacts
 - name: Create release bundle with archives for all builds
@@ -207,7 +207,7 @@ jobs:
 artifacts/postgrest-windows-x64/postgrest.exe
 - name: Save release bundle
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
 with:
 name: release-bundle
 path: release-bundle
@@ -240,14 +240,14 @@ jobs:
 VERSION: ${{ needs.prepare.outputs.version }}
 ISPRERELEASE: ${{ needs.prepare.outputs.isprerelease }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Nix Environment
 uses: ./.github/actions/setup-nix
 with:
 authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
 tools: release
 - name: Download Docker image
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4
 with:
 name: postgrest-docker-x64
 - name: Publish images on Docker Hub
@@ -295,7 +295,7 @@ jobs:
 VERSION: ${{ needs.prepare.outputs.version }}
 ISPRERELEASE: ${{ needs.prepare.outputs.isprerelease }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Publish images for ARM builds on Docker Hub
 uses: appleboy/ssh-action@master
 env:
@@ -320,7 +320,7 @@ jobs:
 env:
 REMOTE_DIR: ${{ needs.arm.outputs.remotepath }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Remove uploaded files from server
 uses: appleboy/ssh-action@master
 with:
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 3c6db3bf0d..cb0f4a4689 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -27,7 +27,7 @@ jobs:
 name: Build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Nix Environment
 uses: ./.github/actions/setup-nix
 with:
@@ -41,7 +41,7 @@ jobs:
 name: Spellcheck
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Nix Environment
 uses: ./.github/actions/setup-nix
 with:
@@ -58,7 +58,7 @@ jobs:
 if: github.base_ref == 'main'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Nix Environment
 uses: ./.github/actions/setup-nix
 with:
diff --git a/.github/workflows/report.yaml b/.github/workflows/report.yaml
index 61433fa568..6b5c118480 100644
--- a/.github/workflows/report.yaml
+++ b/.github/workflows/report.yaml
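Review bot: `uses: appleboy/ssh-action@master` in the ci.yaml hunk at `@@ -295,7 +295,7 @@` is left on a mutable branch ref while every other third-party action touched by this commit is pinned to a commit SHA; the same line appears in the hunk at `@@ -320,7 +320,7 @@`. Judging by the action's name and the `env:` and `with:` blocks that follow, these steps hand remote-host connection settings to external code, so this is the reference where an unreviewed upstream change would matter most. Pin it the same way, `uses: appleboy/ssh-action@<full-commit-sha> # <release-tag>` (placeholders; take both from the upstream release that has been reviewed). Both step bodies continue outside their hunks.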
@@ -17,14 +17,14 @@ jobs:
 if: github.event.workflow_run.conclusion == 'success' || github.event.workflow_run.conclusion == 'failure'
 steps:
 - name: Download from Artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4
 with:
 github-token: ${{ github.token }}
 run-id: ${{ github.event.workflow_run.id }}
 name: loadtest.md
 path: artifacts
 - name: Upload to GitHub Checks
- uses: LouisBrunner/checks-action@v2.0.0
+ uses: LouisBrunner/checks-action@6b626ffbad7cc56fd58627f774b9067e6118af23 # v2.0.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 sha: ${{ github.event.workflow_run.head_sha }}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 89b5f31a36..3807b2193a 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -39,7 +39,7 @@ jobs:
 # https://github.com/actions/runner/issues/241#issuecomment-842566950
 shell: script -qec "bash --noprofile --norc -eo pipefail {0}"
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Nix Environment
 uses: ./.github/actions/setup-nix
 with:
@@ -76,7 +76,7 @@ jobs:
 # https://github.com/actions/runner/issues/241#issuecomment-842566950
 shell: script -qec "bash --noprofile --norc -eo pipefail {0}"
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Nix Environment
 uses: ./.github/actions/setup-nix
 with:
@@ -96,7 +96,7 @@ jobs:
 name: Memory
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Nix Environment
 uses: ./.github/actions/setup-nix
 with:
@@ -110,7 +110,7 @@ jobs:
 name: Loadtest
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 with:
 fetch-depth: 0
 - name: Setup Nix Environment
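Review bot: The `Download from Artifacts` step in the report.yaml hunk at `@@ -17,14 +17,14 @@` fetches `loadtest.md` from the run named by `github.event.workflow_run.id`, and nothing in the hunk shows how far the job's `secrets.GITHUB_TOKEN` is scoped. Pinning the two actions covers the action code, but the artifact is still produced by the triggering run, which may have built pull-request code, so it should only ever be read as report text. If no `permissions:` block is set outside the hunk, I would add one at job level limited to what these two steps need (`actions: read` and `checks: write`), plus a comment above the download step such as `# artifact comes from the triggering run; treat as untrusted data`. The job definition starts before the hunk.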
@@ -127,7 +127,7 @@ jobs:
 postgrest-loadtest-against main ${{ steps.get-latest-tag.outputs.tag }}
 postgrest-loadtest-report > loadtest/loadtest.md
 - name: Upload report
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
 with:
 name: loadtest.md
 path: loadtest/loadtest.md