diff --git a/.github/workflows/bake.yaml b/.github/workflows/bake.yaml
index 9b8d4f53..a85bcb73 100644
--- a/.github/workflows/bake.yaml
+++ b/.github/workflows/bake.yaml
@@ -33,10 +33,10 @@ jobs:
 images: ${{ steps.images.outputs.images }}
 steps:
 - name: Checkout Code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Log in to the GitHub Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -45,15 +45,15 @@ jobs:
 # TODO: review this when GitHub has linux/arm64 runners available (Q1 2025?)
 # https://github.com/github/roadmap/issues/970
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
 with:
 platforms: 'arm64'
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 - name: Build and push
- uses: docker/bake-action@v6
+ uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6
 id: build
 env:
 environment: testing
@@ -71,7 +71,7 @@ jobs:
 # Even if we're testing we sign the images, so we can push them to production later if that's required
 - name: Install cosign
- uses: sigstore/cosign-installer@v3
+ uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3
 # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
 # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
 # how to use cosign.
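Review bot: The trailing comment on each newly pinned `uses:` line in the three bake.yaml hunks records only the major tag (`# v4`, `# v3`, `# v6`), so a reader cannot tell from the line which release the 40-character SHA actually resolves to, and cannot check the pin against the action's release page without resolving the commit by hand. Prefer the full release tag, in the form the `branch-protection-bot` lines in build.yml and update.yml already use (`# v1.1.2`), e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.<minor>.<patch>` with the placeholder filled in from the upstream release; update tooling such as Dependabot or Renovate then keeps the comment in step with the SHA it bumps. The same remark applies to every other pinned line in this diff, including the remaining bake.yaml hunks and the build.yml and update.yml hunks below, so it is not repeated there. Pinning to a commit also stops the workflows from following upstream security fixes automatically; if the repository does not already have a Dependabot or Renovate entry for the `github-actions` ecosystem (not visible in this diff), that configuration should accompany this change so the pins do not go stale.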
@@ -91,17 +91,17 @@ jobs:
 image: ${{fromJson(needs.testbuild.outputs.images)}}
 steps:
 - name: Checkout Code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Log in to the GitHub Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Dockle
- uses: erzz/dockle-action@v1
+ uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
 with:
 image: ${{ matrix.image }}
 exit-code: '1'
@@ -116,7 +116,7 @@ jobs:
 args: --severity-threshold=high --file=Dockerfile
 - name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
 continue-on-error: true
 with:
 sarif_file: snyk.sarif
@@ -141,7 +141,7 @@ jobs:
 id-token: write
 steps:
 - name: Log in to the GitHub Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -172,7 +172,7 @@ jobs:
 done
 - name: Install cosign
- uses: sigstore/cosign-installer@v3
+ uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3
 - name: Sign images
 run: |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 64c1e896..f7ae4763 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,7 +21,7 @@ jobs:
 strategy: ${{ steps.generate-jobs.outputs.strategy }}
 steps:
 - name: Checkout Code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Generate Jobs
 id: generate-jobs
 shell: bash
@@ -39,10 +39,10 @@ jobs:
 security-events: write
 steps:
 - name: Checkout Code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
 with:
 platforms: ${{ matrix.platforms }}
@@ -63,10 +63,10 @@ jobs:
 echo "TAGS=${RESULT%,}" >> $GITHUB_ENV
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 - name: Log in to the GitHub Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -93,7 +93,7 @@ jobs:
 fi
 - name: Build and load
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
 if: ${{ env.MISSING_TAG == 'true' }}
 with:
 context: ${{ matrix.dir }}
@@ -103,7 +103,7 @@ jobs:
 tags: ${{ env.TAGS }}
 - name: Dockle scan
- uses: erzz/dockle-action@v1
+ uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
 if: ${{ env.MISSING_TAG == 'true' }}
 with:
 image: "${{ env.IMAGE_STAGING }}:${{ matrix.tags[0] }}"
@@ -123,7 +123,7 @@ jobs:
 args: --severity-threshold=high --file=${{ matrix.file }}
 - name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
 if: ${{ env.MISSING_TAG == 'true' }}
 continue-on-error: true
 with:
@@ -131,7 +131,7 @@ jobs:
 - name: Build and push
 id: build
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
 if: ${{ env.MISSING_TAG == 'true' }}
 with:
 context: ${{ matrix.dir }}
@@ -170,7 +170,7 @@ jobs:
 }' > ${{ matrix.version }}-${{ matrix.distro }}.yaml
 - name: Upload artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: ${{ matrix.version }}-${{ matrix.distro }}-clusterimagecatalog
 path: ${{ matrix.version }}-${{ matrix.distro }}.yaml
@@ -181,12 +181,12 @@ jobs:
 needs: build
 steps:
 - name: Checkout Code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 token: ${{ secrets.REPO_GHA_PAT }}
 - name: Download artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 pattern: '*-clusterimagecatalog'
 path: clusterimagecatalog
@@ -202,14 +202,14 @@ jobs:
 - name: Temporarily disable "include administrators" branch protection
 if: ${{ always() && github.ref == 'refs/heads/main' }}
 id: disable_include_admins
- uses: benjefferies/branch-protection-bot@v1.1.2
+ uses: benjefferies/branch-protection-bot@af281f37de86139d1c7a27b91176b5dc1c2c827c # v1.1.2
 with:
 access_token: ${{ secrets.REPO_GHA_PAT }}
 branch: main
 enforce_admins: false
 - name: Push ClusterImageCatalog updates
- uses: EndBug/add-and-commit@v9
+ uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
 if: ${{ github.ref == 'refs/heads/main' }}
 with:
 author_name: CloudNativePG Automated Updates
@@ -218,7 +218,7 @@ jobs:
 add: 'Debian/ClusterImageCatalog*.yaml'
 - name: Enable "include administrators" branch protection
- uses: benjefferies/branch-protection-bot@v1.1.2
+ uses: benjefferies/branch-protection-bot@af281f37de86139d1c7a27b91176b5dc1c2c827c # v1.1.2
 if: ${{ always() && github.ref == 'refs/heads/main' }}
 with:
 access_token: ${{ secrets.REPO_GHA_PAT }}
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 0f871c43..3bf7c047 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -14,16 +14,16 @@ jobs:
 name: Run update script
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 token: ${{ secrets.REPO_GHA_PAT }}
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: 3.9
 - name: Run update script
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
 with:
 timeout_minutes: 15
 max_attempts: 3
@@ -35,12 +35,12 @@ jobs:
 echo "Updating Debian bullseye images"
 ./Debian/update.sh -d bullseye
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: 3.11
 - name: Run update script
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
 with:
 timeout_minutes: 15
 max_attempts: 3
@@ -60,20 +60,20 @@ jobs:
 - name: Temporarily disable "include administrators" branch protection
 if: ${{ always() && github.ref == 'refs/heads/main' }}
 id: disable_include_admins
- uses: benjefferies/branch-protection-bot@v1.1.2
+ uses: benjefferies/branch-protection-bot@af281f37de86139d1c7a27b91176b5dc1c2c827c # v1.1.2
 with:
 access_token: ${{ secrets.REPO_GHA_PAT }}
 branch: main
 enforce_admins: false
- - uses: EndBug/add-and-commit@v9
+ - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
 with:
 author_name: CloudNativePG Automated Updates
 author_email: noreply@cnpg.com
 message: 'Daily automatic update'
 - name: Enable "include administrators" branch protection
- uses: benjefferies/branch-protection-bot@v1.1.2
+ uses: benjefferies/branch-protection-bot@af281f37de86139d1c7a27b91176b5dc1c2c827c # v1.1.2
 if: ${{ always() && github.ref == 'refs/heads/main' }}
 with:
 access_token: ${{ secrets.REPO_GHA_PAT }}
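Review bot: The `python-version: 3.9` and `python-version: 3.11` values that sit right under the newly pinned `setup-python` lines (the @@ -14 and @@ -35 hunks of update.yml) are unquoted, so YAML reads them as floats; they only survive because neither ends in a zero, whereas a later bump to a value like `3.10` would be parsed as `3.1` and select the wrong interpreter. Since this commit is already touching both steps, quote them as strings, `python-version: '3.9'` and `python-version: '3.11'`, which is also the form the setup-python documentation uses. The enclosing `steps:` list starts inside the first hunk but its remaining entries continue outside the visible hunks.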