From 5f51bcf339abaa43b0cf2717e089c418bab8e6a1 Mon Sep 17 00:00:00 2001
From: Flavio Castelli
Date: Mon, 11 Sep 2023 10:24:39 +0200
Subject: [PATCH] chore(deps): be explicit about GH actions

Reference GH actions by shasum, plus leave a comment about the full version being referenced by the checksum

Signed-off-by: Flavio Castelli
---
 .github/workflows/ci.yaml | 8 ++++----
 .github/workflows/e2e-tests.yml | 10 ++++------
 .github/workflows/helm-chart-release.yml | 15 +++++++--------
 .github/workflows/update-charts.yml | 18 +++++++++---------
 renovate.json | 7 +++++--
 5 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6ff11597..436e1a26 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -3,18 +3,18 @@ name: CI
 on:
   push:
     branches:
-      - '*'
+      - "*"
     tags:
-      - 'v*'
+      - "v*"
   pull_request:
     branches:
-      - '*'
+      - "*"
 
 jobs:
   verify:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Check Helm generated values are up-to-date
         run: |
           make check-generated-values
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 636b2d27..7f235edb 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -3,12 +3,12 @@ name: End-to-end tests
 on:
   push:
     branches:
-      - '*'
+      - "*"
     tags:
-      - 'v*'
+      - "v*"
   pull_request:
     branches:
-      - 'main'
+      - "main"
 
 jobs:
   images:
@@ -21,8 +21,7 @@ jobs:
       policy-server-tag: ${{ steps.get-policy-server.outputs.policy-server-tag }}
     steps:
       - name: "Checkout repository"
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: "Get controller container image"
         id: get-controller
         shell: bash
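Review bot: The `'*'` → `"*"` rewrites on the `branches` and `tags` lists in the `@@ -3,18 +3,18 @@` hunk of ci.yaml are unrelated to the digest pinning this commit is about and are pure quote-style churn; both forms parse to the same value, and single quotes are the usual choice for literal strings that need no escapes. Either keep the original `- '*'`, `- 'v*'` and `- 'main'` lines or move the quoting change to a separate formatting commit so the pin itself is reviewable on its own. The same applies to the `@@ -3,12 +3,12 @@` hunk of .github/workflows/e2e-tests.yml.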
@@ -46,4 +45,3 @@ jobs:
       controller-image-tag: ${{ needs.images.outputs.controller-image-tag }}
       policy-server-repository: ${{ needs.images.outputs.policy-server-repository }}
       policy-server-tag: ${{ needs.images.outputs.policy-server-tag }}
-
diff --git a/.github/workflows/helm-chart-release.yml b/.github/workflows/helm-chart-release.yml
index 62e5b2ec..835674fc 100644
--- a/.github/workflows/helm-chart-release.yml
+++ b/.github/workflows/helm-chart-release.yml
@@ -32,8 +32,7 @@ name: Release helm chart
 on:
   push:
     branches:
-      - main
-
+      - main
 
 jobs:
   release:
@@ -44,7 +43,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           fetch-depth: 0
 
@@ -58,12 +57,12 @@ jobs:
           make check-generated-values
 
       - name: Install Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
         with:
           version: v3.8.0
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
 
       - name: Generate container image files
         run: |
@@ -80,7 +79,7 @@ jobs:
           make generate-changelog-files
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.5.0
+        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
         with:
           charts_dir: charts
         env:
@@ -99,7 +98,7 @@ jobs:
           cp -f artifacthub-repo.yml ./to-gh-pages/
 
       - name: Deploy readme to GH pages
-        uses: peaceiris/actions-gh-pages@v3.9.3
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./to-gh-pages
@@ -143,7 +142,7 @@ jobs:
           done
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
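Review bot: In the `@@ -58,12 +57,12 @@` hunk of helm-chart-release.yml the trailing comment on the setup-helm pin reads `# v3.5`, a two-component version, while every other pin in this commit records a full tag (`# v4.0.0`, `# v3.1.2`, `# v1.5.0`, `# v3.9.3`, `# v2.2.0`). Nothing at run time checks that comment — the runner resolves only the digest — but it is what a reader uses to tell which release `5119fcb9…` corresponds to, and if the Renovate digest-pinning preset added in renovate.json reads the comment to derive the current version, an imprecise value there may affect how future updates are proposed; record the exact upstream tag the digest was taken from, in the same form as the other pins. It is also worth confirming each digest against its upstream tag once before merging, since the comment alone does not describe the pinned code.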
diff --git a/.github/workflows/update-charts.yml b/.github/workflows/update-charts.yml
index e0146bed..35ba63d5 100644
--- a/.github/workflows/update-charts.yml
+++ b/.github/workflows/update-charts.yml
@@ -14,7 +14,7 @@ jobs:
       prerelease: ${{ steps.check_update_type.outputs.prerelease }}
     steps:
       - name: Validate payload
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository = context.payload.client_payload.repository
@@ -68,7 +68,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Set environment variables
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             core.exportVariable("UPDATECLI_GITHUB_OWNER", context.repo["owner"])
@@ -79,7 +79,7 @@ jobs:
 
       - name: Download CRDS controller
         if: endsWith(github.event.client_payload.repository, 'kubewarden-controller')
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository = context.payload.client_payload.repository
@@ -99,7 +99,7 @@ jobs:
 
       - name: Download CRDS audit-scanner
         if: endsWith(github.event.client_payload.repository, 'audit-scanner')
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository = context.payload.client_payload.repository
@@ -166,10 +166,10 @@ jobs:
     if: needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor' || needs.check-update-type.outputs.update_type == 'prerelease'
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 
       - name: Check if all components has a release with the same tag
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository_split = context.payload.client_payload.repository.split("/")
@@ -187,7 +187,7 @@ jobs:
 
       - name: Check if CRD are available in the Kubewarden controller
         id: download_crds_controller
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository_split = context.payload.client_payload.repository.split("/")
@@ -229,7 +229,7 @@ jobs:
 
       - name: Check if CRD are available in the audit scanner
         id: download_crds_audit_scanner
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository_split = context.payload.client_payload.repository.split("/")
@@ -294,7 +294,7 @@ jobs:
           echo "must_update_crds_chart=$?" >> $GITHUB_OUTPUT
 
       - name: Install Updatecli in the runner
-        uses: updatecli/updatecli-action@v2
+        uses: updatecli/updatecli-action@44ba4a4e7e8252bef669b5525de7ca158830750e # v2.35.0
 
       - name: Major or minor update Kubewarden charts with NO CRDs update
         if: steps.update_crds.outputs.must_update_crds_chart==0 && (needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor')
diff --git a/renovate.json b/renovate.json
index 16613b2e..18ccfca5 100644
--- a/renovate.json
+++ b/renovate.json
@@ -2,7 +2,10 @@
   "extends": [
     "config:base",
     "group:allNonMajor",
-    "schedule:earlyMondays"
+    "schedule:earlyMondays",
+    "helpers:pinGitHubActionDigests"
   ],
-  "labels": ["dependencies"]
+  "labels": [
+    "dependencies"
+  ]
 }