
Commit 28084b7

authored
pin ci actions with SHA checksum (#362)
1 parent 901c7ef commit 28084b7


3 files changed

+22
-22
lines changed


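--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,10 +18,10 @@ jobs:
 name: Run Tests
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: ${{ env.NODE_VERSION }}
 cache: 'npm'
@@ -36,7 +36,7 @@ jobs:
 working-directory: frontend
 run: npm run dist
 - name: SonarCloud Scan Frontend
-uses: SonarSource/sonarqube-scan-action@v6
+uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
 with:
 projectBaseDir: frontend
 args: >
@@ -49,13 +49,13 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-- uses: actions/setup-java@v4
+- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
 with:
 distribution: 'temurin'
 java-version: ${{ env.JAVA_VERSION }}
 cache: 'maven'
 - name: Cache SonarCloud packages
-uses: actions/cache@v4
+uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: ~/.sonar/cache
 key: ${{ runner.os }}-sonar
@@ -95,8 +95,8 @@ jobs:
 contents: read
 packages: write
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-node@v4
+- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: ${{ env.NODE_VERSION }}
 cache: 'npm'
@@ -112,7 +112,7 @@ jobs:
 run: ./mvnw versions:set --file pom.xml -DnewVersion=${GITHUB_REF##*/}
 - name: Docker metadata
 id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
 with:
 images: ghcr.io/cryptomator/hub
 tags: |
@@ -123,16 +123,16 @@ jobs:
 org.opencontainers.image.title=Cryptomator Hub
 org.opencontainers.image.vendor=Skymatic GmbH
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v3
+uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and Push Container Image
 id: push
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 context: backend
 file: backend/src/main/docker/Dockerfile.native
@@ -156,14 +156,14 @@ jobs:
 packages: write
 steps:
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v3
+uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 - name: Determine short Commit SHA
 id: sha
 run: echo "short_sha=${LONG_SHA:0:7}" >> "$GITHUB_OUTPUT"
 env:
 LONG_SHA: ${{ github.sha }}
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -179,7 +179,7 @@ jobs:
 DIGEST=$(docker buildx imagetools inspect ghcr.io/cryptomator/hub:${{ steps.sha.outputs.short_sha }} --format "{{json .Manifest}}" | jq -r .digest)
 echo "digest_multiarch=${DIGEST}" >> "$GITHUB_OUTPUT"
 - name: Generate artifact attestation
-uses: actions/attest-build-provenance@v2
+uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
 with:
 subject-name: ghcr.io/cryptomator/hub
 subject-digest: ${{ steps.inspect.outputs.digest_multiarch }}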
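Review bot: Three of these pins are also major-version upgrades, which the commit title does not mention: `actions/checkout` moves from `@v4` to a SHA commented `# v5.0.0`, `actions/setup-java` from `@v4` to `# v5.0.0`, and `actions/attest-build-provenance` from `@v2` to `# v3.0.0` (the checkout and attestation jumps recur in keycloak.yml). A pin-only change would stay on the old major line, e.g. `- uses: actions/checkout@<full-sha-of-a-v4-release> # v4.x.y` (placeholder, not a real value); if the upgrade is intended, say so in the commit message and check each action's release notes for changed runtime requirements. Nothing at run time checks the trailing `# vX.Y.Z` comments, so each SHA should be confirmed against that tag in the action's own repository before merge. The pins will also go stale unless an updater that understands this comment format (Dependabot does) is configured; no such config is visible in this commit.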

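--- a/.github/workflows/keycloak.yml
+++ b/.github/workflows/keycloak.yml
@@ -24,8 +24,8 @@ jobs:
 attestations: write
 packages: write
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-node@v4
+- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: ${{ env.NODE_VERSION }}
 cache: 'npm'
@@ -37,26 +37,26 @@ jobs:
 working-directory: keycloak/themes/cryptomator/common/resources
 run: npm run build
 - name: Set up QEMU
-uses: docker/setup-qemu-action@v3
+uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v3
+uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 - name: Login to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and Push Container Image
 id: push
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 context: keycloak
 platforms: linux/amd64,linux/arm64
 push: true
 tags: |
 ghcr.io/cryptomator/keycloak:${{ github.event.inputs.tag }}
 - name: Generate artifact attestation
-uses: actions/attest-build-provenance@v2
+uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
 with:
 subject-name: ghcr.io/cryptomator/keycloak
 subject-digest: ${{ steps.push.outputs.digest }}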

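--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Tag image in github registry
 run: docker tag ghcr.io/cryptomator/hub@${{ github.event.inputs.digest}} ghcr.io/cryptomator/hub:${{ github.event.inputs.tag }}
 - name: Login to GitHub Container Registry
-uses: docker/login-action@v3
+uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}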
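Review bot: The `Tag image in github registry` step, kept as context in this hunk, expands `${{ github.event.inputs.digest}}` and `${{ github.event.inputs.tag }}` directly into the `run:` script, so the input text becomes part of the command line before the shell parses it. build.yml already routes `github.sha` through `env:` (`LONG_SHA`) instead, and this step should do the same with the variables quoted. The trigger and input definitions are outside the hunk, so who can supply these values should be confirmed there. Checking that the digest has the expected `sha256:` plus 64 hex characters form before use would be a further guard. The job continues past the end of the hunk.

```yaml
- name: Tag image in github registry
  run: docker tag "ghcr.io/cryptomator/hub@${DIGEST}" "ghcr.io/cryptomator/hub:${TAG}"
  env:
    DIGEST: ${{ github.event.inputs.digest }}
    TAG: ${{ github.event.inputs.tag }}
# … unchanged: Login to GitHub Container Registry step …
```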
