From a1401a8878e27171d58ab9ce793fa28a35bc49a2 Mon Sep 17 00:00:00 2001
From: Daniel Farrell
Date: Fri, 20 Aug 2021 11:00:26 -0400
Subject: [PATCH] Use SHAs for GHA versions

Per GitHub's security guidelines, GHAs should be pinned using full length commit SHAs instead of tags. The SHAs are of the commits currently resolved by the versions. Even "trusted" GHAs from GitHub developers are pinned because it's possible their repo right could be compromised and a malicious GHA published. These core repos are not frequently substantially updated. Submariner-internal GHAs are left pinned at devel because we want automatic updates from Shipyard's shared tooling.
Signed-off-by: Daniel Farrell
---
 .github/workflows/codeowners.yml | 2 +-
 .github/workflows/e2e-full.yml | 2 +-
 .github/workflows/e2e.yml | 2 +-
 .github/workflows/flake_finder.yml | 2 +-
 .github/workflows/linting.yml | 22 +++++++++++-----------
 .github/workflows/periodic.yml | 6 +++---
 .github/workflows/release.yml | 2 +-
 .github/workflows/unit.yml | 4 ++--
 .github/workflows/upgrade-e2e.yml | 3 ++-
 9 files changed, 23 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index 703b90026..eff4f887b 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Delete current CODEOWNERS file
 run: rm CODEOWNERS
 - name: Run gen-codeowners to rebuild CODEOWNERS file
diff --git a/.github/workflows/e2e-full.yml b/.github/workflows/e2e-full.yml
index ef9f17c69..c69448864 100644
--- a/.github/workflows/e2e-full.yml
+++ b/.github/workflows/e2e-full.yml
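Review bot: The pinned `uses:` line records the SHA but not the tag it replaces, so a reader of `uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f` cannot tell it is `v2` without consulting git history, and automated pin updaters (Dependabot's `github-actions` ecosystem, Renovate) key off a trailing version comment to bump the SHA — without it the pin will silently stop receiving upstream fixes. Suggest keeping the resolved tag as a trailing comment on every pinned line, e.g. `uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2`, and likewise `# v1.1.0`, `# v0.3.1`, `# v1.0.6`, `# v1`, `# v2.3.2` and `# v1` on the other replaced lines, matching the tags the removed lines show. The same point applies to the hunks in e2e-full.yml, e2e.yml, flake_finder.yml, linting.yml, periodic.yml, release.yml, unit.yml and upgrade-e2e.yml. Pairing this with a `.github/dependabot.yml` entry for `package-ecosystem: "github-actions"` would keep the SHAs current; whether one already exists is not visible in this patch.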
@@ -23,7 +23,7 @@ jobs:
 - k8s_version: '1.20'
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Run E2E deployment and tests
 uses: submariner-io/shipyard/gh-actions/e2e@devel
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 0d6be3a70..192f4b58b 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Run E2E deployment and tests
 uses: submariner-io/shipyard/gh-actions/e2e@devel
diff --git a/.github/workflows/flake_finder.yml b/.github/workflows/flake_finder.yml
index 1d1d1ee1c..536399708 100644
--- a/.github/workflows/flake_finder.yml
+++ b/.github/workflows/flake_finder.yml
@@ -23,7 +23,7 @@ jobs:
 - k8s_version: '1.20'
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Run E2E deployment and tests
 uses: submariner-io/shipyard/gh-actions/e2e@devel
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 8a9662f16..976c81de6 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -11,12 +11,12 @@ jobs:
 steps:
 - name: Get PR commits
 id: 'get-pr-commits'
- uses: tim-actions/get-pr-commits@v1.1.0
+ uses: tim-actions/get-pr-commits@55b867b9b28954e6f5c1a0fe2f729dc926c306d0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 - name: 'Verify no "Apply suggestions from code review" commits'
- uses: tim-actions/commit-message-checker-with-regex@v0.3.1
+ uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd
 with:
 commits: ${{ steps.get-pr-commits.outputs.commits }}
 pattern: '^(?!.*(apply suggestions from code review))'
@@ -28,7 +28,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 with:
 fetch-depth: 0
 - name: Run gitlint
@@ -39,7 +39,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Run golangci-lint
 run: make golangci-lint
@@ -48,17 +48,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Check License Headers
- uses: kt3k/license_checker@v1.0.6
+ uses: kt3k/license_checker@d12a6d90c58e30fefed09f2c4d03ba57f4c673a8
 licenses:
 name: Dependency Licenses
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Check the licenses
 run: make licensecheck
@@ -68,10 +68,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Run markdown-link-check
- uses: gaurav-nelson/github-action-markdown-link-check@v1
+ uses: gaurav-nelson/github-action-markdown-link-check@9710f0fec812ce0a3b98bef4c9d842fc1f39d976
 with:
 config-file: ".markdownlinkcheck.json"
 check-modified-files-only: "yes"
@@ -82,7 +82,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Run markdownlint
 run: make markdownlint
@@ -91,6 +91,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Run yamllint
 run: make yamllint
diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index 092cf9935..339baffa6 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -12,16 +12,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Run markdown-link-check
- uses: gaurav-nelson/github-action-markdown-link-check@v1
+ uses: gaurav-nelson/github-action-markdown-link-check@9710f0fec812ce0a3b98bef4c9d842fc1f39d976
 with:
 config-file: ".markdownlinkcheck.json"
 - name: Raise an Issue to report broken links
 if: ${{ failure() }}
- uses: peter-evans/create-issue-from-file@v2.3.2
+ uses: peter-evans/create-issue-from-file@a04ce672e3acedb1f8e416b46716ddfd09905326
 with:
 title: Broken link detected by CI
 content-filepath: .github/ISSUE_TEMPLATE/broken-link.md
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fea3d10eb..dc34bf887 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 with:
 fetch-depth: 0
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
index b927fbaab..4eb297701 100644
--- a/.github/workflows/unit.yml
+++ b/.github/workflows/unit.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Create artifacts directory
 run: mkdir artifacts
@@ -28,7 +28,7 @@ jobs:
 done
 - name: Upload artifacts
- uses: actions/upload-artifact@v1
+ uses: actions/upload-artifact@3446296876d12d4e3a0f3145a3c87e67bf0a16b5
 with:
 name: Unit test artifacts
 path: artifacts
diff --git a/.github/workflows/upgrade-e2e.yml b/.github/workflows/upgrade-e2e.yml
index c88b6fc01..6ad9a6534 100644
--- a/.github/workflows/upgrade-e2e.yml
+++ b/.github/workflows/upgrade-e2e.yml
@@ -12,7 +12,8 @@ jobs:
 strategy:
 fail-fast: false
 steps:
- - uses: actions/checkout@v2
+ - name: Check out the repository
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 - name: Install an old cluster, upgrade it and check it
 uses: submariner-io/shipyard/gh-actions/upgrade-e2e@devel