From 4cb1c90a4cdba8bcf2db9128cd9bfdfb31a6d1c6 Mon Sep 17 00:00:00 2001
From: Jerry Duffy
Date: Mon, 20 May 2024 09:41:00 -0400
Subject: [PATCH] pin gh actions
---
 .github/workflows/publish_main_snapshot.yml | 29 ++++++++++-----------
 .github/workflows/publish_release.yml | 29 ++++++++++-----------
 .github/workflows/pull_request.yml | 21 +++++++--------
 .github/workflows/repolinter.yml | 8 +++---
 .github/workflows/snyk_scan.yml | 8 +++---
 5 files changed, 46 insertions(+), 49 deletions(-)
diff --git a/.github/workflows/publish_main_snapshot.yml b/.github/workflows/publish_main_snapshot.yml
index 45f6531..285fb5b 100644
--- a/.github/workflows/publish_main_snapshot.yml
+++ b/.github/workflows/publish_main_snapshot.yml
@@ -8,18 +8,17 @@ jobs:
 build-and-publish:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - name: Set up JDK 11
- uses: actions/setup-java@v4
- with:
- distribution: 'temurin'
- java-version: '11'
- - name: Build with Gradle
- env:
- SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
- SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
- ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SIGNING_KEY }}
- ORG_GRADLE_PROJECT_signingKeyId: ${{ secrets.SIGNING_KEY_ID }}
- ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SIGNING_PASSWORD }}
- run: ./gradlew build publish
-
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # pin@v4
+ - name: Set up JDK 11
+ uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # pin@v4
+ with:
+ distribution: 'temurin'
+ java-version: '11'
+ - name: Build with Gradle
+ env:
+ SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+ SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+ ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SIGNING_KEY }}
+ ORG_GRADLE_PROJECT_signingKeyId: ${{ secrets.SIGNING_KEY_ID }}
+ ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SIGNING_PASSWORD }}
+ run: ./gradlew build publish
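Review bot: The `Build with Gradle` step in publish_main_snapshot.yml still hands the Sonatype credentials and the signing key to the whole `./gradlew build publish` invocation, so every build plugin, test and dependency that runs during `build` executes with those secrets in its environment. Pinning the two actions does not narrow that exposure. Consider running `./gradlew build` in a step without `env:` and keeping the five secret variables on a second step that runs only `./gradlew publish`. The same applies to the identical step in publish_release.yml (`./gradlew build publish -Prelease=true`), where the `-Prelease=true` property would presumably have to be passed to both steps.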
diff --git a/.github/workflows/publish_release.yml b/.github/workflows/publish_release.yml
index d1f425a..2af48e2 100644
--- a/.github/workflows/publish_release.yml
+++ b/.github/workflows/publish_release.yml
@@ -9,18 +9,17 @@ jobs:
 build-and-publish:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - name: Set up JDK 11
- uses: actions/setup-java@v4
- with:
- distribution: 'temurin'
- java-version: '11'
- - name: Build with Gradle
- env:
- SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
- SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
- ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SIGNING_KEY }}
- ORG_GRADLE_PROJECT_signingKeyId: ${{ secrets.SIGNING_KEY_ID }}
- ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SIGNING_PASSWORD }}
- run: ./gradlew build publish -Prelease=true
-
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # pin@v4
+ - name: Set up JDK 11
+ uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # pin@v4
+ with:
+ distribution: 'temurin'
+ java-version: '11'
+ - name: Build with Gradle
+ env:
+ SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+ SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+ ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SIGNING_KEY }}
+ ORG_GRADLE_PROJECT_signingKeyId: ${{ secrets.SIGNING_KEY_ID }}
+ ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SIGNING_PASSWORD }}
+ run: ./gradlew build publish -Prelease=true
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 0466f63..d8a47c7 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -8,14 +8,13 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - name: Set up JDK 11
- uses: actions/setup-java@v4
- with:
- distribution: 'temurin'
- java-version: '11'
- - name: Check formatting
- run: ./gradlew verifyGoogleJavaFormat
- - name: Check build and test
- run: ./gradlew check javadoc
-
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # pin@v4
+ - name: Set up JDK 11
+ uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # pin@v4
+ with:
+ distribution: 'temurin'
+ java-version: '11'
+ - name: Check formatting
+ run: ./gradlew verifyGoogleJavaFormat
+ - name: Check build and test
+ run: ./gradlew check javadoc
diff --git a/.github/workflows/repolinter.yml b/.github/workflows/repolinter.yml
index 3ac456d..326a5c6 100644
--- a/.github/workflows/repolinter.yml
+++ b/.github/workflows/repolinter.yml
@@ -6,7 +6,7 @@ name: Repolinter Action
 # Currently there is no elegant way to specify the default
 # branch in the event filtering, so branches are instead
 # filtered in the "Test Default Branch" step.
-on: [push, workflow_dispatch]
+on: [ push, workflow_dispatch ]
 jobs:
 repolint:
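Review bot: The pinned `actions/checkout` step in pull_request.yml keeps the default `persist-credentials: true`, so the job token stays in the checked-out repository's git config while `./gradlew verifyGoogleJavaFormat` and `./gradlew check javadoc` run code from the pull request. Adding `with:` and `persist-credentials: false` under the checkout step removes it; nothing visible in this job fetches or pushes afterwards. The workflow trigger and any `permissions:` block sit above the hunk, so how much that token can do is not visible here, and an explicit `permissions:` with `contents: read` is worth confirming there.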
@@ -15,17 +15,17 @@ jobs:
 steps:
 - name: Test Default Branch
 id: default-branch
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # pin@v7
 with:
 script: |
 const data = await github.rest.repos.get(context.repo)
 return data.data && data.data.default_branch === context.ref.split('/').slice(-1)[0]
 - name: Checkout Self
 if: ${{ steps.default-branch.outputs.result == 'true' }}
- uses: actions/checkout@v4
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # pin@v4
 - name: Run Repolinter
 if: ${{ steps.default-branch.outputs.result == 'true' }}
- uses: newrelic/repolinter-action@v1
+ uses: newrelic/repolinter-action@3f4448f855c351e9695b24524a4111c7847b84cb # pin@v1
 with:
 config_url: https://raw.githubusercontent.com/newrelic/.github/main/repolinter-rulesets/community-project.yml
 output_type: issue
diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml
index 2e0a1eb..7740a37 100644
--- a/.github/workflows/snyk_scan.yml
+++ b/.github/workflows/snyk_scan.yml
@@ -4,7 +4,7 @@ name: Snyk Vulnerability Scan
 on:
 workflow_dispatch:
 schedule:
- - cron: '00 15 * * 1'
+ - cron: '00 15 * * 1'
 push:
 branches:
 - main
@@ -14,12 +14,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Code
- uses: actions/checkout@v4
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # pin@v4
 with:
 ref: 'main'
-
+
 - name: Run Snyk To Check For Vulnerabilities
- uses: snyk/actions/gradle-jdk11@master
+ uses: snyk/actions/gradle-jdk11@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8 # pin@master
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
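Review bot: In repolinter.yml the `Run Repolinter` step still loads its ruleset through `config_url`, which points at the `main` branch of `newrelic/.github`, so the rules the now-pinned action evaluates can change without any commit in this repository. If tracking the organisation-wide ruleset is intended, a comment next to `config_url` such as `# ruleset intentionally tracks newrelic/.github main` would record that decision; otherwise reference a commit SHA in the raw URL. The step's `with:` block may continue past `output_type: issue`, which is the last line of the hunk.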
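Review bot: The `# pin@master` comment on `snyk/actions/gradle-jdk11@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8` in snyk_scan.yml records a branch rather than a release, so a later reader cannot tell which version of the action this SHA corresponds to or when it has gone stale. Recording the commit date or the nearest upstream tag in the comment, and confirming that whatever tool maintains these pins can refresh a branch-based pin, would close that gap. This action also appears to be a Docker-based wrapper; if its `action.yml` refers to the scanner image by tag, the SHA pins the wrapper but not the image that receives `SNYK_TOKEN`, which is worth checking upstream. The step's `with:` block continues past the end of the hunk.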