From 57aaf909f6a52d6429889e227d6abbd74d400c06 Mon Sep 17 00:00:00 2001
From: Graham Beckley
Date: Wed, 28 Jan 2026 16:27:33 -0500
Subject: [PATCH] chore: pin action versions to latest release and fix semver comments
Ensures each `uses` block in a workflow or action in this repo:
- pins the sha of the latest release
- except setup-helm, which is pinned to 4.0.0 in most orgs
- includes a comment of the full sha tag next to the SHA
---
.github/workflows/build-and-push.yml | 2 +-
.github/workflows/codeowners.yml | 2 +-
.github/workflows/diff-rendered-charts.yml | 10 +++++-----
.github/workflows/pre-commit.yml | 4 ++--
.github/workflows/psa-checker.yml | 4 ++--
.github/workflows/release.yaml | 4 ++--
.github/workflows/validate-k8s-manifests.yml | 8 ++++----
.github/workflows/zizmor.yml | 2 +-
docker-build/action.yml | 4 ++--
docker-push/action.yml | 4 ++--
10 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 8e78566..9524dc4 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -76,7 +76,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: ref: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.sha) || github.ref }} persist-credentials: false
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index 64e489b..3ccc277 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -23,7 +23,7 @@ jobs: options: --cpus 1 steps: - name: Clone Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false
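Review bot: The comment added on the build-and-push.yml `uses:` line is `#v6.0.1` with no space after `#`, while the codeowners.yml hunk directly below writes `# v6.0.1`, and every other file in this patch uses the no-space form. yamllint's default `comments` rule wants a space after `#` (and two spaces before an inline `#`), so if a YAML linter runs in the pre-commit hook the no-space lines will be reported; one form should be used for every pin in the repository. I would standardize on `uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1`, which is the spacing codeowners.yml already carried before this change, and apply it to the remaining hunks as well.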
diff --git a/.github/workflows/diff-rendered-charts.yml b/.github/workflows/diff-rendered-charts.yml
index f34f3b4..46f6c88 100644
--- a/.github/workflows/diff-rendered-charts.yml
+++ b/.github/workflows/diff-rendered-charts.yml
@@ -17,7 +17,7 @@ jobs: charts: ${{ steps.find_changed_charts.outputs.changed_charts }} steps: - name: checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: fetch-depth: '100' persist-credentials: true # We are using these credentials in later steps
@@ -37,14 +37,14 @@ jobs: strategy: matrix: chart: ${{ fromJSON(needs.get_changed_helm_charts.outputs.matrix_charts) }} - ref: + ref: - name: base sha: ${{ github.base_ref }} - name: head sha: ${{ github.head_ref }} steps: - name: checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: persist-credentials: true # We are using these credentials in later steps ref: ${{ matrix.ref.sha }}
@@ -91,7 +91,7 @@ jobs: MATRIX_REF_NAME: ${{ matrix.ref.name }} - name: upload artifact - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0 with: name: "shared-${{ matrix.ref.name }}-${{ steps.render.outputs.sanitized_name }}" path: "shared"
@@ -106,7 +106,7 @@ jobs: uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f #v4.0.0 - name: download artifacts - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0 with: pattern: shared-* merge-multiple: true
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 5941be0..55f77f7 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
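Review bot: The two checkout pins in diff-rendered-charts.yml move from v5 to v6, a major release, on steps that set `persist-credentials: true` specifically so later steps can reuse the token, as the inline comments say; the same move is made in psa-checker.yml and validate-k8s-manifests.yml. I can't tell from the diff whether the later git-using steps were re-run against v6, so these workflows should be exercised once on a pull request before the change is treated as a no-op pin refresh, and the new pairing of `actions/upload-artifact` v6.0.0 with `actions/download-artifact` v7.0.0 across jobs likewise deserves a run rather than an assumption. The `- ref:` / `+ ref:` pair in the matrix appears to be a trailing-whitespace fix unrelated to pinning and is not mentioned in the commit message. Each hunk's enclosing job definition starts before the hunk.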
@@ -11,8 +11,8 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: persist-credentials: false - - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 #v6.1.0 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd #v3.0.1
diff --git a/.github/workflows/psa-checker.yml b/.github/workflows/psa-checker.yml
index 06259bf..a004e96 100644
--- a/.github/workflows/psa-checker.yml
+++ b/.github/workflows/psa-checker.yml
@@ -30,7 +30,7 @@ jobs: charts: ${{ steps.find_changed_charts.outputs.changed_charts }} steps: - name: checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: fetch-depth: '100' persist-credentials: true # We are using these credentials in the next step
@@ -52,7 +52,7 @@ jobs: steps: # Download charts already rendered by validate action - name: download artifacts - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0 with: pattern: k8s-manifests-* merge-multiple: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 769d444..7444a9e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,13 +15,13 @@ jobs: steps: - name: checkout - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: fetch-depth: 0 persist-credentials: false - name: setup node.js - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 #v6.2.0 with: node-version: "lts/*"
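Review bot: The `actions/setup-node` line in release.yaml changes only its comment (`# v6` → `#v6.2.0`) while the SHA `6044e13b5dc448c55e2357c09f80417699197238` stays as it was, so nothing in the diff shows that this commit is the v6.2.0 tag; the `docker/setup-docker-action` line in docker-build/action.yml (`# v4` → `#v4.7.0`) has the same shape. Because the commit message promises that each comment names the exact tag of the pinned SHA, and that label is what the next bump or audit will trust, the tag-to-SHA mapping should be confirmed against the upstream repository (for example with `git ls-remote --tags`) and ideally recorded in the PR. zizmor, which this repo already runs, can report a pinned SHA that does not belong to the upstream repository or to any tag, but as far as I know it does not check that the trailing comment matches the tag, so that check stays manual. The release job's `steps` list continues after the hunk.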
diff --git a/.github/workflows/validate-k8s-manifests.yml b/.github/workflows/validate-k8s-manifests.yml
index e4e1b53..9b7e981 100644
--- a/.github/workflows/validate-k8s-manifests.yml
+++ b/.github/workflows/validate-k8s-manifests.yml
@@ -31,7 +31,7 @@ jobs: charts: ${{ steps.find_changed_charts.outputs.changed_charts }} steps: - name: checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: fetch-depth: '100' persist-credentials: true # We are using these credentials in later steps
@@ -53,7 +53,7 @@ jobs: chart: ${{ fromJSON(needs.get_changed_helm_charts.outputs.matrix_charts) }} steps: - name: checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: persist-credentials: true # We are using these credentials in later steps
@@ -79,7 +79,7 @@ jobs: MATRIX_CHART: ${{ matrix.chart }} - name: upload artifact - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0 with: name: "k8s-manifests-${{ steps.render_head.outputs.sanitized_name }}" path: "shared"
@@ -108,7 +108,7 @@ jobs: sudo mv kubeconform /usr/local/bin/kubeconform - name: download artifacts - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0 with: pattern: k8s-manifests-* merge-multiple: true
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index dd9866f..a125a7a 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Clone Repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: persist-credentials: false
diff --git a/docker-build/action.yml b/docker-build/action.yml
index b14daed..df6edf5 100644
--- a/docker-build/action.yml
+++ b/docker-build/action.yml
@@ -62,7 +62,7 @@ runs: steps: - name: Set up Docker if: ${{ inputs.enable_attestations == 'true' }} - uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 # v4 + uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 #v4.7.0 with: daemon-config: | {
@@ -140,7 +140,7 @@ runs: - name: Docker meta id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 #v5.10.0 with: images: ${{ steps.set-images.outputs.images }} tags: ${{ steps.set-tags.outputs.tags }}
diff --git a/docker-push/action.yml b/docker-push/action.yml
index 3523a7a..4e6506c 100644
--- a/docker-push/action.yml
+++ b/docker-push/action.yml
@@ -30,14 +30,14 @@ runs: steps: - name: Authenticate to GCP id: gcp_auth - uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 #v1 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 #v3 with: workload_identity_provider: "projects/${{ inputs.workload_identity_pool_project_number }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions" service_account: "${{ inputs.service_account_name }}@${{ inputs.project_id }}.iam.gserviceaccount.com" token_format: access_token create_credentials_file: false - name: Log in to GAR - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 #v3.7.0 with: registry: ${{ inputs.gar_location }}-docker.pkg.dev username: oauth2accesstoken
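Review bot: The new `google-github-actions/auth` pin in docker-push/action.yml is commented `#v3`, a major-only label rather than the full release tag the commit message says every pin now carries; the line should read `uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.<MINOR>.<PATCH>` with the exact tag that SHA resolves to (placeholder shown). This is also a two-major jump (v1 to v3) on the step that mints the GCP access token consumed by the following `docker/login-action` step, with `token_format: access_token` and `create_credentials_file: false` carried over unchanged; I can't tell from the diff whether those inputs kept their meaning across v2 and v3, so the upstream release notes should be checked rather than treating it as a drop-in replacement. The `runs.steps` list of this composite action continues past the hunk.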