10 changes: 5 additions & 5 deletions .github/workflows/Monitor Branch Protection Changes.yml
Expand Up @@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Send Tampering Alert
uses: slackapi/slack-github-action@v1.24.0
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # pin@v1.24.0
env:
SLACK_BOT_TOKEN: ${{ secrets.BRANCH_PROTECTION_SLACK_BOT_TOKEN }}
with:
Expand Down Expand Up @@ -72,7 +72,7 @@ jobs:
steps:
- name: Check Branch Protection Rules
id: check-rules
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # pin@v7
with:
github-token: ${{ secrets.BRANCH_PROTECTION_PAT }}
script: |
Expand Down Expand Up @@ -205,7 +205,7 @@ jobs:

- name: Send Slack Notification - Branch Protection Event
if: github.event_name == 'branch_protection_rule'
uses: slackapi/slack-github-action@v1.24.0
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # pin@v1.24.0
env:
SLACK_BOT_TOKEN: ${{ secrets.BRANCH_PROTECTION_SLACK_BOT_TOKEN }}
with:
Expand Down Expand Up @@ -264,7 +264,7 @@ jobs:

- name: Send Slack Notification - Changes Detected
if: steps.check-rules.outputs.changes_detected == 'true'
uses: slackapi/slack-github-action@v1.24.0
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # pin@v1.24.0
env:
SLACK_BOT_TOKEN: ${{ secrets.BRANCH_PROTECTION_SLACK_BOT_TOKEN }}
with:
Expand Down Expand Up @@ -315,7 +315,7 @@ jobs:

- name: Send Slack Notification - Error
if: failure()
uses: slackapi/slack-github-action@v1.24.0
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # pin@v1.24.0
env:
SLACK_BOT_TOKEN: ${{ secrets.BRANCH_PROTECTION_SLACK_BOT_TOKEN }}
with:
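Review bot: The `# pin@v7` comment on the `Check Branch Protection Rules` step names a floating major tag, so the file no longer tells a reader which release the 40-character SHA was resolved from; the same applies to the major-tag comments in the other workflows (`pin@v4`, `pin@v3`, `pin@v2`, `pin@v1`, `pin@v6`). This step is handed `secrets.BRANCH_PROTECTION_PAT`, so it is worth recording the exact release, e.g. `uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # pin@<exact v7.x.y release>`. Before merge, confirm that each SHA is the commit the named tag points to in the upstream repository rather than a commit reachable only through a fork. The hunks cut through the step bodies, so the `with:` inputs are not visible here.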
4 changes: 2 additions & 2 deletions .github/workflows/authorization.yml
Expand Up @@ -12,8 +12,8 @@ jobs:
name: Validate schema
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Validate SpiceDB schema
uses: authzed/action-spicedb-validate@v1.0.1
uses: authzed/action-spicedb-validate@3c2214196c200ff012a12d4fc12204efa7a3a416 # pin@v1.0.1
with:
validationfile: "components/spicedb/schema/schema.yaml"
26 changes: 13 additions & 13 deletions .github/workflows/branch-build.yml
Expand Up @@ -60,7 +60,7 @@ jobs:
steps:
- name: "Determine Branch"
id: branches
uses: transferwise/sanitize-branch-name@v1
uses: transferwise/sanitize-branch-name@009d85a96fcfe62a685b371dc8f299e53385ed9c # pin@v1
# Since we trigger this worklow on other event types, besides pull_request
# We use this action to help us get the pr body, as it's not included in push/workflow_dispatch events
- uses: 8BitJonny/gh-get-current-pr@2.2.0
Expand Down Expand Up @@ -110,7 +110,7 @@ jobs:
image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.34181
options: --user root
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Setup Environment
uses: ./.github/actions/setup-environment
with:
Expand All @@ -137,7 +137,7 @@ jobs:
group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
cancel-in-progress: true
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Setup Environment
uses: ./.github/actions/setup-environment
with:
Expand Down Expand Up @@ -189,7 +189,7 @@ jobs:
# GitHub action + MySQL 8.0 need longer to initialize
DB_RETRIES: 5
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- uses: ./.github/actions/setup-environment
with:
identity_provider: ${{ github.ref == 'refs/heads/main' && secrets.CORE_DEV_PROVIDER || secrets.DEV_PREVIEW_PROVIDER }}
Expand Down Expand Up @@ -240,7 +240,7 @@ jobs:

exit $RESULT
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # pin@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand Down Expand Up @@ -382,12 +382,12 @@ jobs:
echo "No critical vulnerabilities found."
fi
- name: Upload SBOMs
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4
with:
name: sboms
path: ${{ steps.scan.outputs.leeway_sboms_dir }}
- name: Upload vulnerability reports
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4
with:
name: vulnerability-reports
path: ${{ steps.scan.outputs.leeway_vulnerability_reports_dir }}
Expand All @@ -408,7 +408,7 @@ jobs:
app-id: 308947
installation-id: 35574470
- name: trigger installation
uses: actions/github-script@v6
uses: actions/github-script@00f12e3e20659f42342b1c0226afda7f7c042325 # pin@v6
with:
github-token: ${{ steps.auth.outputs.token }}
script: |
Expand Down Expand Up @@ -440,7 +440,7 @@ jobs:
group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Setup Environment
uses: ./.github/actions/setup-environment
with:
Expand All @@ -457,7 +457,7 @@ jobs:
analytics: ${{needs.configuration.outputs.analytics}}
workspace_feature_flags: ${{needs.configuration.outputs.workspace_feature_flags}}
image_repo_base: ${{needs.configuration.outputs.image_repo_base}}/build
- uses: actions/github-script@v6
- uses: actions/github-script@00f12e3e20659f42342b1c0226afda7f7c042325 # pin@v6
if: needs.configuration.outputs.pr_number != '' && contains(needs.configuration.outputs.pr_body, 'gitpod:summary')
with:
script: |
Expand Down Expand Up @@ -491,7 +491,7 @@ jobs:
group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-monitoring
cancel-in-progress: true
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Setup Environment
uses: ./.github/actions/setup-environment
with:
Expand Down Expand Up @@ -523,7 +523,7 @@ jobs:
group: ${{ needs.configuration.outputs.preview_name }}-integration-test
cancel-in-progress: true
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Run integration test
id: integration-test
uses: ./.github/actions/integration-tests
Expand Down Expand Up @@ -584,7 +584,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Slack Notification
uses: rtCamp/action-slack-notify@v2
uses: rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # pin@v2
env:
SLACK_WEBHOOK: ${{ secrets.WORKSPACE_SLACK_WEBHOOK }}
SLACK_ICON_EMOJI: ":x:"
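Review bot: `8BitJonny/gh-get-current-pr@2.2.0` in the first hunk is still referenced by a mutable tag while the neighbouring third-party actions are now pinned to a commit; the same line is left as-is in `.github/workflows/build.yml`. A tag can be moved by the action's owner, so this step keeps the exposure the rest of the commit removes. Pin it the same way, `- uses: 8BitJonny/gh-get-current-pr@<full-commit-sha-of-2.2.0> # pin@2.2.0`, with the SHA taken from the upstream tag. The rest of that step lies outside the hunk.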
26 changes: 13 additions & 13 deletions .github/workflows/build.yml
Expand Up @@ -63,7 +63,7 @@ jobs:
steps:
- name: "Determine Branch"
id: branches
uses: transferwise/sanitize-branch-name@v1
uses: transferwise/sanitize-branch-name@009d85a96fcfe62a685b371dc8f299e53385ed9c # pin@v1
# Since we trigger this worklow on other event types, besides pull_request
# We use this action to help us get the pr body, as it's not included in push/workflow_dispatch events
- uses: 8BitJonny/gh-get-current-pr@2.2.0
Expand Down Expand Up @@ -113,7 +113,7 @@ jobs:
image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.34181
options: --user root
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Setup Environment
uses: ./.github/actions/setup-environment
with:
Expand All @@ -140,7 +140,7 @@ jobs:
group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
cancel-in-progress: true
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Setup Environment
uses: ./.github/actions/setup-environment
with:
Expand Down Expand Up @@ -192,7 +192,7 @@ jobs:
# GitHub action + MySQL 8.0 need longer to initialize
DB_RETRIES: 5
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- uses: ./.github/actions/setup-environment
with:
identity_provider: ${{ github.ref == 'refs/heads/main' && secrets.CORE_DEV_PROVIDER || secrets.DEV_PREVIEW_PROVIDER }}
Expand Down Expand Up @@ -243,7 +243,7 @@ jobs:

exit $RESULT
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # pin@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand Down Expand Up @@ -385,12 +385,12 @@ jobs:
echo "No critical vulnerabilities found."
fi
- name: Upload SBOMs
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4
with:
name: sboms
path: ${{ steps.scan.outputs.leeway_sboms_dir }}
- name: Upload vulnerability reports
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4
with:
name: vulnerability-reports
path: ${{ steps.scan.outputs.leeway_vulnerability_reports_dir }}
Expand All @@ -411,7 +411,7 @@ jobs:
app-id: 308947
installation-id: 35574470
- name: trigger installation
uses: actions/github-script@v6
uses: actions/github-script@00f12e3e20659f42342b1c0226afda7f7c042325 # pin@v6
with:
github-token: ${{ steps.auth.outputs.token }}
script: |
Expand Down Expand Up @@ -443,7 +443,7 @@ jobs:
group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Setup Environment
uses: ./.github/actions/setup-environment
with:
Expand All @@ -460,7 +460,7 @@ jobs:
analytics: ${{needs.configuration.outputs.analytics}}
workspace_feature_flags: ${{needs.configuration.outputs.workspace_feature_flags}}
image_repo_base: ${{needs.configuration.outputs.image_repo_base}}/build
- uses: actions/github-script@v6
- uses: actions/github-script@00f12e3e20659f42342b1c0226afda7f7c042325 # pin@v6
if: needs.configuration.outputs.pr_number != '' && contains(needs.configuration.outputs.pr_body, 'gitpod:summary')
with:
script: |
Expand Down Expand Up @@ -494,7 +494,7 @@ jobs:
group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-monitoring
cancel-in-progress: true
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Setup Environment
uses: ./.github/actions/setup-environment
with:
Expand Down Expand Up @@ -526,7 +526,7 @@ jobs:
group: ${{ needs.configuration.outputs.preview_name }}-integration-test
cancel-in-progress: true
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Run integration test
id: integration-test
uses: ./.github/actions/integration-tests
Expand Down Expand Up @@ -587,7 +587,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Slack Notification
uses: rtCamp/action-slack-notify@v2
uses: rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # pin@v2
env:
SLACK_WEBHOOK: ${{ secrets.WORKSPACE_SLACK_WEBHOOK }}
SLACK_ICON_EMOJI: ":x:"
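Review bot: The job image `eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.34181` is still resolved by tag and is run with `options: --user root`, so the steps pinned in this section execute inside an image whose content the workflow does not fix; `.github/workflows/branch-build.yml` and `.github/workflows/code-nightly.yml` carry the same line. Registry tags can be re-pushed, so consider adding the digest: `image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.34181@sha256:<image-digest>`. The enclosing `container:` key is outside the hunk, so its presence is inferred from the `image:`/`options:` pair.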
2 changes: 1 addition & 1 deletion .github/workflows/check-gitpodyaml.yml
Expand Up @@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Notify
uses: KeisukeYamashita/create-comment@v1
uses: KeisukeYamashita/create-comment@1d95d97d7b1b73ab66e5ca931610e4e10ddc5eed # pin@v1
with:
number: ${{ github.event.pull_request.number }}
comment: |
8 changes: 4 additions & 4 deletions .github/workflows/code-build.yaml
Expand Up @@ -10,7 +10,7 @@ jobs:
update:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Install dependencies
run: |
curl -fsSL https://github.com/csweichel/oci-tool/releases/download/v0.2.1/oci-tool_0.2.1_linux_amd64.tar.gz | tar xz -C /usr/local/bin
Expand Down Expand Up @@ -40,7 +40,7 @@ jobs:
fi
- name: Create Release Pull Request
if: steps.changes.outputs.dirty
uses: peter-evans/create-pull-request@v6
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # pin@v6
with:
title: "[VS Code Browser] Build stable code `${{steps.updates.outputs.codeVersion}}`"
body: |
Expand Down Expand Up @@ -89,10 +89,10 @@ jobs:
team-experience
- name: Get previous job's status
id: lastrun
uses: filiptronicek/get-last-job-status@main
uses: filiptronicek/get-last-job-status@1c211ff20d1706ff0bc3fc8022f7bd6518b88bc4 # pin@main
- name: Slack Notification
if: ${{ (success() && steps.lastrun.outputs.status == 'failed') || failure() }}
uses: rtCamp/action-slack-notify@v2
uses: rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # pin@v2
env:
SLACK_WEBHOOK: ${{ secrets.IDE_SLACK_WEBHOOK }}
SLACK_COLOR: ${{ job.status }}
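Review bot: The `Install dependencies` step still pipes the `oci-tool_0.2.1_linux_amd64.tar.gz` release tarball from `curl -fsSL` straight into `tar xz -C /usr/local/bin` with no integrity check, so the binary placed on the runner's PATH is not covered by the pinning this commit introduces; `.github/workflows/code-updates.yml` has the same command. Download to a file and verify it before extracting: run `echo "<expected-sha256>  oci-tool.tar.gz" | sha256sum -c -`, then `tar xzf oci-tool.tar.gz -C /usr/local/bin`. The `run:` block continues beyond the hunk.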
6 changes: 3 additions & 3 deletions .github/workflows/code-nightly.yml
Expand Up @@ -14,7 +14,7 @@ jobs:
image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.34181
options: --user root
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- uses: ./.github/actions/setup-environment
with:
identity_provider: ${{ github.ref == 'refs/heads/main' && secrets.CORE_DEV_PROVIDER || secrets.DEV_PREVIEW_PROVIDER }}
Expand Down Expand Up @@ -42,10 +42,10 @@ jobs:
.:docker-nightly
- name: Get previous job's status
id: lastrun
uses: filiptronicek/get-last-job-status@main
uses: filiptronicek/get-last-job-status@1c211ff20d1706ff0bc3fc8022f7bd6518b88bc4 # pin@main
- name: Slack Notification
if: ${{ (success() && steps.lastrun.outputs.status == 'failed') || failure() }}
uses: rtCamp/action-slack-notify@v2
uses: rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # pin@v2
env:
SLACK_WEBHOOK: ${{ secrets.IDE_SLACK_WEBHOOK }}
SLACK_COLOR: ${{ job.status }}
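Review bot: `filiptronicek/get-last-job-status@1c211ff20d1706ff0bc3fc8022f7bd6518b88bc4 # pin@main` freezes whatever commit was at the head of `main` when the pin was made, and the comment gives no release or date to say which; `.github/workflows/code-build.yaml` has the same line. If the action publishes tagged releases, pin to one and name it in the comment. Otherwise record when the SHA was resolved, e.g. `# pin@main (resolved <YYYY-MM-DD>)`, so a later reviewer can judge how stale it is. The step's `status` output gates the Slack notification step that receives `secrets.IDE_SLACK_WEBHOOK`.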
10 changes: 5 additions & 5 deletions .github/workflows/code-updates.yml
Expand Up @@ -7,7 +7,7 @@ jobs:
update:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
- name: Install dependencies
run: |
curl -fsSL https://github.com/csweichel/oci-tool/releases/download/v0.2.1/oci-tool_0.2.1_linux_amd64.tar.gz | tar xz -C /usr/local/bin
Expand Down Expand Up @@ -38,7 +38,7 @@ jobs:
- name: Create Release Pull Request
if: ${{steps.changes.outputs.dirty && steps.updates.outputs.codeVersion}}
id: code-update-pr
uses: peter-evans/create-pull-request@v6
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # pin@v6
with:
title: "[VS Code Browser] Update stable code to `${{steps.updates.outputs.codeVersion}}`"
body: |
Expand Down Expand Up @@ -70,7 +70,7 @@ jobs:

- name: Create Images Update Pull Request
if: ${{steps.changes.outputs.dirty && !steps.updates.outputs.codeVersion}}
uses: peter-evans/create-pull-request@v6
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # pin@v6
with:
title: "[code] update code image layers"
body: |
Expand Down Expand Up @@ -104,7 +104,7 @@ jobs:
team-experience
- name: Slack notification (code)
if: ${{ steps.code-update-pr.outputs.pull-request-url }}
uses: rtCamp/action-slack-notify@v2
uses: rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # pin@v2
env:
SLACK_WEBHOOK: ${{ secrets.IDE_SLACK_WEBHOOK }}
SLACK_COLOR: ${{ job.status }}
Expand All @@ -124,7 +124,7 @@ jobs:
app-id: 308947
installation-id: 35574470
- name: Trigger Open VS Code Server Release
uses: actions/github-script@v6
uses: actions/github-script@00f12e3e20659f42342b1c0226afda7f7c042325 # pin@v6
with:
github-token: ${{ steps.auth.outputs.token }}
script: |
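Review bot: The step that produces `steps.auth.outputs.token` (its inputs `app-id: 308947` and `installation-id: 35574470` open the last hunk) has its `uses:` line outside the hunk, and that line is not among this file's five changed lines, so the action that mints the GitHub App token was not pinned by this commit. If that step references a third-party action by tag or branch, it is the most sensitive one to pin, since the token it returns is passed on to `actions/github-script`: `uses: <owner>/<action>@<full-commit-sha> # pin@<tag>`. The same `app-id`/`installation-id` step appears in `.github/workflows/branch-build.yml` and `.github/workflows/build.yml`, where it is likewise not among the changed lines.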