From b73e4278c14f802bf0d2f32148fa50a60fc75bbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Houpert?= <10154151+lhoupert@users.noreply.github.com>
Date: Fri, 3 Apr 2026 14:27:18 +0100
Subject: [PATCH] ci: pin GitHub Actions to SHA digests
---
 .github/workflows/gcr-cleanup.yaml | 2 +-
 .github/workflows/helm.yaml | 8 ++++----
 .github/workflows/ingest-docker-build.yaml | 8 ++++----
 .github/workflows/trigger-ingest-job-maxar-opendata.yaml | 6 +++---
 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/gcr-cleanup.yaml b/.github/workflows/gcr-cleanup.yaml
index bdc3655..f4b1ef6 100644
--- a/.github/workflows/gcr-cleanup.yaml
+++ b/.github/workflows/gcr-cleanup.yaml
@@ -13,7 +13,7 @@ jobs:
 runs-on: 'ubuntu-latest'
 steps:
 - name: Google Auth
- uses: 'google-github-actions/auth@v1'
+ uses: 'google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69' # v1
 with:
 credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index cda802e..a0e51fd 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -12,15 +12,15 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - id: 'auth'
- uses: 'google-github-actions/auth@v1'
+ uses: 'google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69' # v1
 with:
 credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
 - name: 'Set up Cloud SDK'
- uses: 'google-github-actions/setup-gcloud@v1'
+ uses: 'google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b' # v1
 - name: Configure kubectl
 run: |
 gcloud components install gke-gcloud-auth-plugin
@@ -29,7 +29,7 @@ jobs:
 gcloud container clusters get-credentials ${{ secrets.CLUSTER_NAME }}
 - name: 'Set up Helm'
- uses: 'Azure/setup-helm@v1'
+ uses: 'Azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab' # v1
 with:
 version: 'v3.12.0'
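Review bot: The trailing `# v1` comment on the pinned `google-github-actions/auth` line in gcr-cleanup.yaml names a moving major tag, so a reader cannot tell from the file which release the SHA corresponds to, or check that the commit belongs to the upstream repository rather than a fork. Recording the exact release, e.g. `uses: 'google-github-actions/auth@<full-commit-sha>' # v1.x.y` (placeholder version), makes the pin auditable and gives update tooling a precise version to compare against. The same applies to every `uses:` line changed in helm.yaml, ingest-docker-build.yaml and trigger-ingest-job-maxar-opendata.yaml. No Dependabot or Renovate configuration is part of this patch, so unless one already exists in the repository these pins will stop receiving upstream fixes.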
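Review bot: Pinning `actions/checkout` on its v2 line and the two `google-github-actions` steps on v1 in the first helm.yaml hunk freezes the workflow on old major versions, and it no longer receives even the patch releases the floating tags would have delivered. These steps run alongside `secrets.GOOGLE_CREDENTIALS`, so a follow-up should move them to a currently supported major and pin that, e.g. `uses: actions/checkout@<full-commit-sha> # v4.x.y` (placeholder). The same holds for the `docker/*@v1` steps in ingest-docker-build.yaml and the repeated steps in trigger-ingest-job-maxar-opendata.yaml. The steps list starts and continues outside the hunk.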
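Review bot: The SHA pin on `Azure/setup-helm` in the second helm.yaml hunk fixes the action's own code but not what the job fetches at run time. As far as the action's documented behaviour goes, it still downloads the Helm release named by `version: 'v3.12.0'`, and the earlier `gcloud components install gke-gcloud-auth-plugin` step is likewise not covered by any digest in this workflow. A comment above the step would keep that boundary visible, e.g. `# SHA pins the action only; the Helm binary selected by 'version' is downloaded at run time`. The job continues outside the hunk, so later steps may add further unpinned downloads.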
diff --git a/.github/workflows/ingest-docker-build.yaml b/.github/workflows/ingest-docker-build.yaml
index 29a5f3e..812d5b6 100644
--- a/.github/workflows/ingest-docker-build.yaml
+++ b/.github/workflows/ingest-docker-build.yaml
@@ -17,13 +17,13 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@f211e3e9ded2d9377c8cadc4489a4e38014bc4c9 # v1
 - name: Login to Google Container Registry
- uses: docker/login-action@v1
+ uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1
 with:
 registry: gcr.io
 username: _json_key
@@ -34,7 +34,7 @@ jobs:
 run: echo "SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_ENV
 - name: Build and push Docker image
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4
 with:
 context: ingest
 push: true
diff --git a/.github/workflows/trigger-ingest-job-maxar-opendata.yaml b/.github/workflows/trigger-ingest-job-maxar-opendata.yaml
index 8c027b3..0045d3b 100644
--- a/.github/workflows/trigger-ingest-job-maxar-opendata.yaml
+++ b/.github/workflows/trigger-ingest-job-maxar-opendata.yaml
@@ -8,15 +8,15 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - id: 'auth'
- uses: 'google-github-actions/auth@v1'
+ uses: 'google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69' # v1
 with:
 credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
 - name: 'Set up Cloud SDK'
- uses: 'google-github-actions/setup-gcloud@v1'
+ uses: 'google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b' # v1
 - name: Configure kubectl
 run: |
 gcloud components install gke-gcloud-auth-plugin