From 88d27a7265707deed88c27a081ae9805c4ca7b9a Mon Sep 17 00:00:00 2001
From: Ayaz Salikhov
Date: Wed, 23 Apr 2025 17:35:40 +0100
Subject: [PATCH] chore: Pin external actions using hashes (#2019)

Note: I used exactly the version which are already being used (didn't update anything). Updates will come when we merge https://github.com/XRPLF/clio/pull/2018
---
 .github/actions/build_docker_image/action.yml | 14 +++++++-------
 .github/workflows/build.yml | 2 +-
 .github/workflows/build_impl.yml | 2 +-
 .github/workflows/check_pr_title.yml | 2 +-
 .github/workflows/clang-tidy.yml | 4 ++--
 .github/workflows/nightly.yml | 2 +-
 .github/workflows/upload_coverage_report.yml | 2 +-
 7 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/.github/actions/build_docker_image/action.yml b/.github/actions/build_docker_image/action.yml
index c3118a6d..e23df13b 100644
--- a/.github/actions/build_docker_image/action.yml
+++ b/.github/actions/build_docker_image/action.yml
@@ -24,30 +24,30 @@ runs:
 steps:
 - name: Login to DockerHub
 if: ${{ inputs.push_image == 'true' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
 with:
 username: ${{ env.DOCKERHUB_USER }}
 password: ${{ env.DOCKERHUB_PW }}
 - name: Login to GitHub Container Registry
 if: ${{ inputs.push_image == 'true' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ env.GITHUB_TOKEN }}
- - uses: docker/setup-qemu-action@v3
- - uses: docker/setup-buildx-action@v3
+ - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0
+ - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 #v3.10.0
- - uses: docker/metadata-action@v5
+ - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0
 id: meta
 with:
 images: ${{ inputs.image_name }}
 tags: ${{ inputs.tags }}
 - name: Build and push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 #v5.4.0
 with:
 context: ${{ inputs.directory }}
 platforms: ${{ inputs.platforms }}
@@ -56,7 +56,7 @@ runs:
 - name: Update DockerHub description
 if: ${{ inputs.push_image == 'true' }}
- uses: peter-evans/dockerhub-description@v4
+ uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 #v4.0.2
 with:
 username: ${{ env.DOCKERHUB_USER }}
 password: ${{ env.DOCKERHUB_PW }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 45d62bb7..c776e171 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -117,7 +117,7 @@ jobs:
 steps:
 - name: Clean workdir
 if: ${{ runner.os == 'macOS' }}
- uses: kuznetsss/workspace-cleanup@1.0
+ uses: kuznetsss/workspace-cleanup@80b9863b45562c148927c3d53621ef354e5ae7ce #v1.0
 - uses: actions/download-artifact@v4
 with:
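Review bot: The version each hash stands for is recorded only in a trailing comment (`#v3.4.0`, `#v3.6.0`, ...) in `.github/actions/build_docker_image/action.yml`, and nothing checks that comment against the hash, so the pin is only as good as the manual match between each hash and its upstream tag. Because these steps receive `DOCKERHUB_PW` and `GITHUB_TOKEN`, the PR should say how the hashes were resolved so that a reviewer can repeat the lookup. I would also write the comments with a space, e.g. `uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0`, which is what yamllint's `comments` rule expects; the unspaced form is used in every other hunk of this patch as well.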
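Review bot: `actions/download-artifact@v4`, in the context lines right after the newly pinned `kuznetsss/workspace-cleanup` step of `.github/workflows/build.yml`, is still referenced by a mutable tag, as are `actions/checkout@v4` in `build_impl.yml` and `actions/download-artifact@v4` in `nightly.yml`. If GitHub-owned actions are exempt on purpose, a one-line comment such as `# actions/* are first-party and intentionally tracked by major tag` would record that decision; otherwise they should be pinned the same way, `uses: actions/download-artifact@<full-commit-sha> # v4.x.y`. The job continues outside the hunk, so further unpinned references may exist that are not visible here.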
diff --git a/.github/workflows/build_impl.yml b/.github/workflows/build_impl.yml
index db4a7edd..08e90d75 100644
--- a/.github/workflows/build_impl.yml
+++ b/.github/workflows/build_impl.yml
@@ -81,7 +81,7 @@ jobs:
 steps:
 - name: Clean workdir
 if: ${{ runner.os == 'macOS' }}
- uses: kuznetsss/workspace-cleanup@1.0
+ uses: kuznetsss/workspace-cleanup@80b9863b45562c148927c3d53621ef354e5ae7ce #v1.0
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/check_pr_title.yml b/.github/workflows/check_pr_title.yml
index 5e6f8685..44b5aaee 100644
--- a/.github/workflows/check_pr_title.yml
+++ b/.github/workflows/check_pr_title.yml
@@ -10,7 +10,7 @@ jobs:
 # permissions:
 # pull-requests: write
 steps:
- - uses: ytanikin/PRConventionalCommits@1.3.0
+ - uses: ytanikin/PRConventionalCommits@b628c5a234cc32513014b7bfdd1e47b532124d98 #v1.3.0
 with:
 task_types: '["build","feat","fix","docs","test","ci","style","refactor","perf","chore"]'
 add_label: false
diff --git a/.github/workflows/clang-tidy.yml b/.github/workflows/clang-tidy.yml
index 83f5251c..7962adfa 100644
--- a/.github/workflows/clang-tidy.yml
+++ b/.github/workflows/clang-tidy.yml
@@ -89,7 +89,7 @@ jobs:
 List of the issues found: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/
- - uses: crazy-max/ghaction-import-gpg@v6
+ - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec #v6.3.0
 if: ${{ steps.run_clang_tidy.outcome != 'success' }}
 with:
 gpg_private_key: ${{ secrets.ACTIONS_GPG_PRIVATE_KEY }}
@@ -99,7 +99,7 @@ jobs:
 - name: Create PR with fixes
 if: ${{ steps.run_clang_tidy.outcome != 'success' }}
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
 env:
 GH_REPO: ${{ github.repository }}
 GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 12d215dc..663211b5 100644
--- a/.github/workflows/nightly.yml
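Review bot: The comment on the new line in `.github/workflows/check_pr_title.yml` says `#v1.3.0`, but the removed line referenced the tag as `1.3.0` with no `v` prefix; the three `kuznetsss/workspace-cleanup` hunks (`build.yml`, `build_impl.yml`, `nightly.yml`) do the same with `1.0` becoming `#v1.0`. Assuming upstream publishes these tags without the prefix, as the old refs suggest, the comment should repeat the tag name exactly, `uses: ytanikin/PRConventionalCommits@b628c5a234cc32513014b7bfdd1e47b532124d98 # 1.3.0`. That way a person or tool checking the hash against the tag looks up a ref that actually exists.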
+++ b/.github/workflows/nightly.yml
@@ -76,7 +76,7 @@ jobs:
 steps:
 - name: Clean workdir
 if: ${{ runner.os == 'macOS' }}
- uses: kuznetsss/workspace-cleanup@1.0
+ uses: kuznetsss/workspace-cleanup@80b9863b45562c148927c3d53621ef354e5ae7ce #v1.0
 - uses: actions/download-artifact@v4
 with:
diff --git a/.github/workflows/upload_coverage_report.yml b/.github/workflows/upload_coverage_report.yml
index 1f9c46c7..404d8615 100644
--- a/.github/workflows/upload_coverage_report.yml
+++ b/.github/workflows/upload_coverage_report.yml
@@ -23,7 +23,7 @@ jobs:
 - name: Upload coverage report
 if: ${{ hashFiles('build/coverage_report.xml') != '' }}
- uses: wandalen/wretry.action@v3.7.3
+ uses: wandalen/wretry.action@ffdd254f4eaf1562b8a2c66aeaa37f1ff2231179 #v3.7.3
 with:
 action: codecov/codecov-action@v4
 with: |
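Review bot: Pinning `wandalen/wretry.action` in `.github/workflows/upload_coverage_report.yml` does not pin the action it runs: the `action: codecov/codecov-action@v4` input two lines below the changed line is still a mutable tag, which the wrapper presumably resolves at run time. If the wrapper accepts a commit hash in that input (not confirmed from this page), the line should become `action: codecov/codecov-action@<full-commit-sha> # v4.x.y`; if it does not, calling the coverage action directly through a pinned `uses:` would close the gap. The nested `with: |` block is cut off at the end of the hunk, so which credentials reach the nested action is not visible here.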