From d0e6fcad3fbf5c9248ecadb6fa85602ab1695d73 Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Thu, 17 Nov 2022 15:33:59 +0000 Subject: [PATCH] build: Pin GitHub Actions The main benefit of pinning GitHub actions is the determinism it brings in terms of what version of a given action will be executed. This is a step towards having hermetic builds. Once pinned to a commit, dependabot will automatically issue PRs to update to newer versions. Pinned versions is the only security metric from OpenSSF scorecard that this repository currently have a zero score. Signed-off-by: Paulo Gomes --- .github/dependabot.yml | 2 ++ .github/workflows/e2e-arm64.yaml | 4 ++-- .github/workflows/e2e-azure.yaml | 8 ++++---- .github/workflows/e2e-bootstrap.yaml | 8 ++++---- .github/workflows/e2e.yaml | 8 ++++---- .github/workflows/release.yaml | 30 +++++++++++++--------------- .github/workflows/scan.yaml | 20 +++++++++---------- .github/workflows/update.yaml | 6 +++--- 8 files changed, 43 insertions(+), 43 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 718572bf27..6e4be73944 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -3,5 +3,7 @@ version: 2 updates: - package-ecosystem: "github-actions" directory: "/" + labels: ["area/build"] schedule: + # by default this will be on a monday. interval: "weekly" diff --git a/.github/workflows/e2e-arm64.yaml b/.github/workflows/e2e-arm64.yaml index c39e45fe63..3621304ee0 100644 --- a/.github/workflows/e2e-arm64.yaml +++ b/.github/workflows/e2e-arm64.yaml @@ -19,9 +19,9 @@ jobs: KUBERNETES_VERSION: [ 1.23.13, 1.24.7, 1.25.3 ] steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Setup Go - uses: actions/setup-go@v3 + uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f with: go-version: 1.19.x - name: Prepare diff --git a/.github/workflows/e2e-azure.yaml b/.github/workflows/e2e-azure.yaml index f1ad2f73e1..e4fed22472 100644 --- a/.github/workflows/e2e-azure.yaml +++ b/.github/workflows/e2e-azure.yaml @@ -15,16 +15,16 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Restore Go cache - uses: actions/cache@v3 + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go1.18- - name: Setup Go - uses: actions/setup-go@v3 + uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f with: go-version: 1.19.x - name: Install libgit2 @@ -44,7 +44,7 @@ jobs: mkdir -p $HOME/.local/bin mv sops-v3.7.1.linux $HOME/.local/bin/sops - name: Setup Terraform - uses: hashicorp/setup-terraform@v2.0.3 + uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2 with: terraform_version: 1.2.8 terraform_wrapper: false diff --git a/.github/workflows/e2e-bootstrap.yaml b/.github/workflows/e2e-bootstrap.yaml index 484aec1f3e..7f301de938 100644 --- a/.github/workflows/e2e-bootstrap.yaml +++ b/.github/workflows/e2e-bootstrap.yaml @@ -16,20 +16,20 @@ jobs: if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]' steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Restore Go cache - uses: actions/cache@v3 + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go1.18- - name: Setup Go - uses: actions/setup-go@v3 + uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f with: go-version: 1.19.x - name: Setup Kubernetes - uses: engineerd/setup-kind@v0.5.0 + uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 with: version: v0.16.0 image: kindest/node:v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index c15e2ee20f..23e4cc6b20 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -20,20 +20,20 @@ jobs: - 5000:5000 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Restore Go cache - uses: actions/cache@v3 + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go1.18- - name: Setup Go - uses: actions/setup-go@v3 + uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f with: go-version: 1.19.x - name: Setup Kubernetes - uses: engineerd/setup-kind@v0.5.0 + uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 with: version: v0.11.1 image: kindest/node:v1.20.7 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 885f86767b..e07aa45ea9 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -16,32 +16,32 @@ jobs: packages: write # needed for ghcr access steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Unshallow run: git fetch --prune --unshallow - name: Setup Go - uses: actions/setup-go@v3 + uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f with: go-version: 1.19.x - name: Setup QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2 - name: Setup Docker Buildx id: buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2 - name: Setup Syft - uses: anchore/sbom-action/download-syft@v0 + uses: anchore/sbom-action/download-syft@06e109483e6aa305a2b2395eabae554e51530e1d # v0.13.1 - name: Setup Cosign - uses: sigstore/cosign-installer@main + uses: sigstore/cosign-installer@7bca8b41164994a7dc93749d266e2f1db492f8a2 - name: Setup Kustomize uses: fluxcd/pkg//actions/kustomize@main - name: Login to GitHub Container Registry - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2 with: registry: ghcr.io username: fluxcdbot password: ${{ secrets.GHCR_TOKEN }} - name: Login to Docker Hub - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2 with: username: fluxcdbot password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }} @@ -53,10 +53,8 @@ jobs: - name: Build CRDs run: | kustomize build manifests/crds > all-crds.yaml - # Pinned to commit before https://github.com/fluxcd/pkg/pull/189 due to - # introduction faulty behavior. - name: Generate OpenAPI JSON schemas from CRDs - uses: fluxcd/pkg//actions/crdjsonschema@49e26aa2ee9e734c3233c560253fd9542afe18ae + uses: fluxcd/pkg//actions/crdjsonschema@main with: crd: all-crds.yaml output: schemas @@ -75,7 +73,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v3 + uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # v3 with: version: latest args: release --release-notes=output/notes.md --skip-validate @@ -90,7 +88,7 @@ jobs: id-token: write packages: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Setup Kustomize uses: fluxcd/pkg/actions/kustomize@main - name: Setup Flux CLI @@ -101,13 +99,13 @@ jobs: VERSION=$(flux version --client | awk '{ print $NF }') echo ::set-output name=VERSION::${VERSION} - name: Login to GHCR - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2 with: registry: ghcr.io username: fluxcdbot password: ${{ secrets.GHCR_TOKEN }} - name: Login to DockerHub - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2 with: username: fluxcdbot password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }} @@ -135,7 +133,7 @@ jobs: --path="./flux-system" \ --source=${{ github.repositoryUrl }} \ --revision="${{ github.ref_name }}/${{ github.sha }}" - - uses: sigstore/cosign-installer@main + - uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # v2.8.0 - name: Sign manifests env: COSIGN_EXPERIMENTAL: 1 diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 3156d81ca8..6ea9b6ae80 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -17,9 +17,9 @@ jobs: runs-on: ubuntu-latest if: github.actor != 'dependabot[bot]' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Run FOSSA scan and upload build data - uses: fossa-contrib/fossa-action@v1 + uses: fossa-contrib/fossa-action@6cffaa064112e1cf9b5798c6224f9487dc1ec316 # v1 with: # FOSSA Push-Only API Token fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de @@ -31,21 +31,21 @@ jobs: security-events: write if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Setup Kustomize uses: fluxcd/pkg//actions/kustomize@main - name: Build manifests run: | make cmd/flux/.manifests.done - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/golang@master + uses: snyk/actions/golang@a8dd587d8a94f5663fa3d67d51abd0cc66aff244 # v0.3.0 continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --sarif-file-output=snyk.sarif - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2 with: sarif_file: snyk.sarif @@ -56,16 +56,16 @@ jobs: if: github.actor != 'dependabot[bot]' steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f with: go-version: 1.19.x - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2 with: languages: go - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2 diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml index 65a1f3075e..8a309eea1c 100644 --- a/.github/workflows/update.yaml +++ b/.github/workflows/update.yaml @@ -18,9 +18,9 @@ jobs: pull-requests: write steps: - name: Check out code - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Setup Go - uses: actions/setup-go@v3 + uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f with: go-version: 1.19.x - name: Update component versions @@ -75,7 +75,7 @@ jobs: - name: Create Pull Request id: cpr - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@b4d51739f96fca8047ad065eccef63442d8e99f7 # v4 with: token: ${{ secrets.BOT_GITHUB_TOKEN }} commit-message: |