
Commit

Use SHAs for GHA versions
Per GitHub's security guidelines, GHAs should be pinned using full
length commit SHAs instead of tags.

The SHAs are of the commits currently resolved by the versions.

Even "trusted" GHAs from GitHub developers are pinned because it's
possible their repo could be compromised and a malicious GHA
published. These core repos are not frequently substantially updated.

Submariner-internal GHAs are left pinned at devel because we want
automatic updates from Shipyard's shared tooling.

Signed-off-by: Daniel Farrell <[email protected]>
dfarrell07 authored and skitt committed Aug 31, 2021
1 parent 4b89f7e commit a1401a8
Showing 9 changed files with 23 additions and 22 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/codeowners.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Delete current CODEOWNERS file
run: rm CODEOWNERS
- name: Run gen-codeowners to rebuild CODEOWNERS file
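Review bot: the new `uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f` line drops the human-readable version without recording it anywhere, so a later reader cannot tell which release this SHA was resolved from, and tooling that bumps pinned actions keys off exactly that information. Suggest keeping the tag as a trailing comment on every pinned line, e.g. `uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2`, so the "currently resolved by the versions" mapping in the commit message survives in the file. When resolving, confirm in the upstream `actions/checkout` repository that the SHA is the commit the tag points to; a 40-character SHA is only as trustworthy as the repository it was looked up in.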
2 changes: 1 addition & 1 deletion .github/workflows/e2e-full.yml
Expand Up @@ -23,7 +23,7 @@ jobs:
- k8s_version: '1.20'
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

- name: Run E2E deployment and tests
uses: submariner-io/shipyard/gh-actions/e2e@devel
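Review bot: `uses: submariner-io/shipyard/gh-actions/e2e@devel` in the unchanged context stays on a mutable branch ref, so this workflow's integrity now depends on everyone who can push to Shipyard's devel branch, while the checkout step directly above it is pinned. The commit message documents this as a deliberate trade-off for automatic updates; suggest a one-line comment beside the `@devel` reference saying so, so the next person auditing pins in this file does not read it as an oversight and "fix" it, and so the trust boundary (Shipyard's branch protection) is visible where the reference is used.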
2 changes: 1 addition & 1 deletion .github/workflows/e2e.yml
Expand Up @@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

- name: Run E2E deployment and tests
uses: submariner-io/shipyard/gh-actions/e2e@devel
2 changes: 1 addition & 1 deletion .github/workflows/flake_finder.yml
Expand Up @@ -23,7 +23,7 @@ jobs:
- k8s_version: '1.20'
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

- name: Run E2E deployment and tests
uses: submariner-io/shipyard/gh-actions/e2e@devel
22 changes: 11 additions & 11 deletions .github/workflows/linting.yml
Expand Up @@ -11,12 +11,12 @@ jobs:
steps:
- name: Get PR commits
id: 'get-pr-commits'
uses: tim-actions/get-pr-commits@v1.1.0
uses: tim-actions/get-pr-commits@55b867b9b28954e6f5c1a0fe2f729dc926c306d0
with:
token: ${{ secrets.GITHUB_TOKEN }}

- name: 'Verify no "Apply suggestions from code review" commits'
uses: tim-actions/commit-message-checker-with-regex@v0.3.1
uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
pattern: '^(?!.*(apply suggestions from code review))'
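Review bot: the `get-pr-commits` step hands `${{ secrets.GITHUB_TOKEN }}` to a third-party action, so this is the hunk where the pin matters most, and the SHA pin is the right fix; but no `permissions:` block appears in the visible context, which means that token carries the workflow's default permissions. Suggest adding a job-level `permissions:` stanza with only the scope this action actually needs (reading pull requests), so that a bad commit at this SHA, or at the `commit-message-checker-with-regex` SHA pinned below it, is handed a read-only token rather than whatever the default grants.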
Expand All @@ -28,7 +28,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
with:
fetch-depth: 0
- name: Run gitlint
Expand All @@ -39,7 +39,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Run golangci-lint
run: make golangci-lint

Expand All @@ -48,17 +48,17 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

- name: Check License Headers
uses: kt3k/license_checker@v1.0.6
uses: kt3k/license_checker@d12a6d90c58e30fefed09f2c4d03ba57f4c673a8

licenses:
name: Dependency Licenses
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

- name: Check the licenses
run: make licensecheck
Expand All @@ -68,10 +68,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

- name: Run markdown-link-check
uses: gaurav-nelson/github-action-markdown-link-check@v1
uses: gaurav-nelson/github-action-markdown-link-check@9710f0fec812ce0a3b98bef4c9d842fc1f39d976
with:
config-file: ".markdownlinkcheck.json"
check-modified-files-only: "yes"
Expand All @@ -82,7 +82,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Run markdownlint
run: make markdownlint

Expand All @@ -91,6 +91,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Run yamllint
run: make yamllint
6 changes: 3 additions & 3 deletions .github/workflows/periodic.yml
Expand Up @@ -12,16 +12,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

- name: Run markdown-link-check
uses: gaurav-nelson/github-action-markdown-link-check@v1
uses: gaurav-nelson/github-action-markdown-link-check@9710f0fec812ce0a3b98bef4c9d842fc1f39d976
with:
config-file: ".markdownlinkcheck.json"

- name: Raise an Issue to report broken links
if: ${{ failure() }}
uses: peter-evans/create-issue-from-file@v2.3.2
uses: peter-evans/create-issue-from-file@a04ce672e3acedb1f8e416b46716ddfd09905326
with:
title: Broken link detected by CI
content-filepath: .github/ISSUE_TEMPLATE/broken-link.md
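Review bot: `peter-evans/create-issue-from-file` needs write access to issues, and the `if: ${{ failure() }}` step runs with whatever the workflow's token permits; now that the action is pinned, suggest also scoping the job with `permissions:` granting `issues: write` and `contents: read`, so the pin and the token scope together bound what a compromised commit at either SHA in this hunk could do. Pinning alone fixes "which code runs" but not "what that code is allowed to touch".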
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
with:
fetch-depth: 0

4 changes: 2 additions & 2 deletions .github/workflows/unit.yml
Expand Up @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

- name: Create artifacts directory
run: mkdir artifacts
Expand All @@ -28,7 +28,7 @@ jobs:
done
- name: Upload artifacts
uses: actions/upload-artifact@v1
uses: actions/upload-artifact@3446296876d12d4e3a0f3145a3c87e67bf0a16b5
with:
name: Unit test artifacts
path: artifacts
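Review bot: this pins the commit behind `actions/upload-artifact@v1`, and the commit message's "not frequently substantially updated" reasoning cuts both ways here: a SHA never moves, so fixes published under a newer tag will not reach this workflow until someone re-resolves the pin by hand. Suggest recording the original tag in a trailing comment and adding a periodic pin refresh (Dependabot's `github-actions` ecosystem updates SHA pins and their version comment together), so the pin is bumped deliberately rather than forgotten.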
3 changes: 2 additions & 1 deletion .github/workflows/upgrade-e2e.yml
Expand Up @@ -12,7 +12,8 @@ jobs:
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v2
- name: Check out the repository
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

- name: Install an old cluster, upgrade it and check it
uses: submariner-io/shipyard/gh-actions/upgrade-e2e@devel
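Review bot: besides the pin, this hunk adds a `- name: Check out the repository` line that the other workflows already carry; harmless, but it is not mentioned in the commit message, so a short mention (naming the checkout step for consistency) would keep the description of the change complete. As in the other e2e workflows, `upgrade-e2e@devel` stays intentionally unpinned per the commit message.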
