From 728f3f1a11811144e5d17e87de16ca274c33ca43 Mon Sep 17 00:00:00 2001 From: harshitasao Date: Sun, 18 Aug 2024 17:02:15 +0530 Subject: [PATCH] fix: fixed the token-permission and pinned dependencies Signed-off-by: harshitasao --- .github/workflows/check-size.yml | 4 ++-- .github/workflows/ci.yml | 25 ++++++++++++---------- .github/workflows/codeql-analysis.yml | 11 ++++++---- .github/workflows/compatibility-e2e-v1.yml | 24 ++++++++++----------- .github/workflows/compatibility-e2e-v2.yml | 20 ++++++++--------- .github/workflows/cr.yml | 2 +- .github/workflows/docker.yml | 17 +++++++++------ .github/workflows/e2e-v1-nydus.yml | 19 +++++++++------- .github/workflows/e2e-v1.yml | 24 ++++++++++----------- .github/workflows/e2e-v2-nydus.yml | 16 +++++++------- .github/workflows/e2e-v2.yml | 20 ++++++++--------- .github/workflows/lint.yml | 11 ++++++---- .github/workflows/release.yml | 13 +++++++---- 13 files changed, 113 insertions(+), 93 deletions(-) diff --git a/.github/workflows/check-size.yml b/.github/workflows/check-size.yml index 1cfcd9b5fb6..d0b6560900a 100644 --- a/.github/workflows/check-size.yml +++ b/.github/workflows/check-size.yml @@ -16,12 +16,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 1 - name: Check large files - uses: actionsdesk/lfs-warning@v3.2 + uses: actionsdesk/lfs-warning@e5f9a4c21f4bee104db7c0f23954dde59e5df909 # v3.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5fbdf75902b..a189156c49e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,6 +10,9 @@ on: schedule: - cron: '0 4 * * *' +permissions: + contents: read + jobs: test: name: Test 
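Review bot: check-size.yml pins its two actions but gets no `permissions:` block, so the `GITHUB_TOKEN` passed to `actionsdesk/lfs-warning` in this hunk still carries whatever the repository default grants (the diffstat above shows only the two `uses:` lines changed in this file). If the action only needs to read the PR and post a comment, a top-level `permissions:` with `contents: read` and `pull-requests: write` would bring the file in line with ci.yml and the other workflows this patch restricts. Which scopes lfs-warning actually needs is not visible from the hunk; confirm against its README before choosing them.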
@@ -17,12 +20,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod @@ -41,7 +44,7 @@ jobs: sudo make test-coverage - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.txt @@ -54,23 +57,23 @@ jobs: needs: [test] steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod - name: Setup QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} @@ -78,7 +81,7 @@ jobs: ${{ runner.os }}-buildx- - name: Build Scheduler Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/scheduler/Dockerfile @@ -88,7 +91,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build Manager Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/manager/Dockerfile 
@@ -98,7 +101,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build Dfdaemon Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/dfdaemon/Dockerfile diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6918a083e32..94970e4b4aa 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -10,6 +10,9 @@ on: schedule: - cron: '0 4 * * *' +permissions: + contents: read + jobs: analyze: name: Analyze @@ -22,15 +25,15 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 diff --git a/.github/workflows/compatibility-e2e-v1.yml b/.github/workflows/compatibility-e2e-v1.yml index 507aa232ae2..187c7beb9cb 100644 --- a/.github/workflows/compatibility-e2e-v1.yml +++ b/.github/workflows/compatibility-e2e-v1.yml @@ -45,7 +45,7 @@ jobs: chart-name: seedPeer steps: - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false android: true 
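Review bot: The new top-level `permissions: contents: read` in codeql-analysis.yml turns every other token scope off, but the `github/codeql-action/analyze` step in the next hunk uploads SARIF results, which requires `security-events: write`. The `analyze` job header between the two hunks (file lines 15–21) is not in the diff, so if it does not already carry a job-level `permissions:` block this change will make the upload fail; it should declare `permissions:` with `contents: read`, `actions: read` and `security-events: write` at job level. Worth a run on a branch before merging.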
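Review bot: `jlumbroso/free-disk-space` is pinned to a commit but the trailing comment is `# main`, not a release tag, so the pin cannot be checked against a published version and Dependabot/Renovate will not track updates for it. The same line is repeated in compatibility-e2e-v2.yml, e2e-v1.yml, e2e-v2-nydus.yml and e2e-v2.yml in this patch. Pin the SHA of a tagged release and write that tag in the comment (`# v<TAG>`, placeholder) so the pin stays auditable; if no release covers what the workflow needs, say so in the comment rather than leaving `# main`.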
@@ -56,12 +56,12 @@ jobs: swap-storage: true - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod @@ -72,13 +72,13 @@ jobs: go mod vendor - name: Setup buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 id: buildx with: install: true - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} @@ -86,7 +86,7 @@ jobs: ${{ runner.os }}-buildx- - name: Build Scheduler Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/scheduler/Dockerfile @@ -97,7 +97,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build Manager Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/manager/Dockerfile @@ -108,7 +108,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build Dfdaemon Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/dfdaemon/Dockerfile @@ -119,7 +119,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build No Content Length Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: test/tools/no-content-length/ file: test/tools/no-content-length/Dockerfile 
@@ -130,7 +130,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Setup Kind - uses: helm/kind-action@v1.10.0 + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: version: ${{ env.KIND_VERSION }} config: ${{ env.KIND_CONFIG_PATH }} @@ -171,14 +171,14 @@ jobs: mv /tmp/.buildx-cache-new /tmp/.buildx-cache - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.txt flags: ${{ matrix }}-compatibility-e2etests - name: Upload Logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 if: always() with: name: ${{ matrix.module }}-compatibility-e2e-tests-logs diff --git a/.github/workflows/compatibility-e2e-v2.yml b/.github/workflows/compatibility-e2e-v2.yml index 2006fc8cc7b..7d0c2a54b1c 100644 --- a/.github/workflows/compatibility-e2e-v2.yml +++ b/.github/workflows/compatibility-e2e-v2.yml @@ -45,7 +45,7 @@ jobs: steps: - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false android: true @@ -56,13 +56,13 @@ jobs: swap-storage: true - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive fetch-depth: 0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod 
@@ -72,13 +72,13 @@ jobs: mkdir -p /tmp/artifact - name: Setup buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 id: buildx with: install: true - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} @@ -95,7 +95,7 @@ jobs: docker tag dragonflyoss/dfinit:$CLIENT_TAG dragonflyoss/dfinit:latest - name: Build Scheduler Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/scheduler/Dockerfile @@ -106,7 +106,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build Manager Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/manager/Dockerfile @@ -117,7 +117,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Setup Kind - uses: helm/kind-action@v1.10.0 + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: version: ${{ env.KIND_VERSION }} config: ${{ env.KIND_CONFIG_PATH }} @@ -147,14 +147,14 @@ jobs: mv /tmp/.buildx-cache-new /tmp/.buildx-cache - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.txt flags: e2etests - name: Upload Logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 if: always() with: name: ${{ matrix.module }}-e2e-tests-logs diff --git a/.github/workflows/cr.yml b/.github/workflows/cr.yml index d38b0067296..9928fe34851 100644 --- a/.github/workflows/cr.yml +++ b/.github/workflows/cr.yml 
@@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: ChatGPT Code Review - uses: anc95/ChatGPT-CodeReview@main + uses: anc95/ChatGPT-CodeReview@8c74515780ea4f00def44ce7c17cfe6b5500602a # main env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 5fe1763151e..5aebd8babed 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,6 +7,9 @@ on: tags: - v* +permissions: + contents: read + jobs: push_image_to_registry: name: Push Image @@ -26,7 +29,7 @@ jobs: timeout-minutes: 120 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive @@ -50,13 +53,13 @@ jobs: echo IMAGE_REPOSITORY=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV - name: Setup QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} 
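Review bot: `anc95/ChatGPT-CodeReview` is now pinned to a commit on `main` rather than a released tag, and it is the step in this patch with the widest reach: it receives both `GITHUB_TOKEN` and `OPENAI_API_KEY`, yet cr.yml is left without a `permissions:` block (the diffstat shows a single-line change in this file). A `# main` comment gives reviewers nothing to compare the SHA against and leaves update tooling blind; pin a tagged release where one exists, and add an explicit `permissions:` with `contents: read` and `pull-requests: write` so the token is scoped to what the step needs rather than the repository default. The exact scopes the action needs are not visible here; confirm against its README.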
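Review bot: The top-level `permissions: contents: read` added to docker.yml drops the `packages` scope from `GITHUB_TOKEN`, but the `Login to GitHub Container Registry` step in the following hunk authenticates to ghcr.io with `secrets.GITHUB_TOKEN` and `Push to Registry` then pushes through it, which needs `packages: write`. The `push_image_to_registry` job header (file lines 13–25) is outside the diff; if it has no job-level `permissions:` block, add one with `contents: read` and `packages: write`, the same job-level override pattern release.yml uses in this patch for `contents: write`. The Docker Hub login uses its own secrets and is unaffected.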
@@ -64,21 +67,21 @@ jobs: ${{ runner.os }}-buildx- - name: Login Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: docker.io username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Push to Registry - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . platforms: ${{ matrix.platforms }} diff --git a/.github/workflows/e2e-v1-nydus.yml b/.github/workflows/e2e-v1-nydus.yml index 165ef0c8cee..3ff2047d873 100644 --- a/.github/workflows/e2e-v1-nydus.yml +++ b/.github/workflows/e2e-v1-nydus.yml @@ -18,24 +18,27 @@ env: KIND_CONFIG_PATH: test/testdata/kind/config.yaml NYDUS_SNAPSHOTTER_CHARTS_PATH: deploy/helm-charts/charts/nydus-snapshotter +permissions: + contents: read + jobs: e2e_tests_nydus: runs-on: ubuntu-latest timeout-minutes: 60 steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Setup buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 id: buildx with: install: true - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} @@ -43,7 +46,7 @@ jobs: ${{ runner.os }}-buildx- - name: Build Scheduler Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/scheduler/Dockerfile 
@@ -54,7 +57,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build Manager Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/manager/Dockerfile @@ -65,7 +68,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build Dfdaemon Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/dfdaemon/Dockerfile @@ -76,7 +79,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Setup Kind - uses: helm/kind-action@v1.10.0 + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: version: ${{ env.KIND_VERSION }} config: ${{ env.KIND_CONFIG_PATH }} @@ -144,7 +147,7 @@ jobs: docker exec kind-control-plane journalctl -u kubelet >> $log_dir/kubelet.log - name: Upload Logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 if: always() with: name: nydus-e2e-tests-logs diff --git a/.github/workflows/e2e-v1.yml b/.github/workflows/e2e-v1.yml index 1c96613d10e..f48da970c79 100644 --- a/.github/workflows/e2e-v1.yml +++ b/.github/workflows/e2e-v1.yml @@ -65,7 +65,7 @@ jobs: skip: "" steps: - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false android: true @@ -76,12 +76,12 @@ jobs: swap-storage: true - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod 
@@ -91,13 +91,13 @@ jobs: mkdir -p /tmp/artifact - name: Setup buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 id: buildx with: install: true - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} @@ -105,7 +105,7 @@ jobs: ${{ runner.os }}-buildx- - name: Build Scheduler Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/scheduler/Dockerfile @@ -116,7 +116,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build Manager Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/manager/Dockerfile @@ -127,7 +127,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build Dfdaemon Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/dfdaemon/Dockerfile @@ -138,7 +138,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build No Content Length Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: test/tools/no-content-length/ file: test/tools/no-content-length/Dockerfile @@ -149,7 +149,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Setup Kind - uses: helm/kind-action@v1.10.0 + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: version: ${{ env.KIND_VERSION }} config: ${{ env.KIND_CONFIG_PATH }} 
@@ -194,14 +194,14 @@ jobs: mv /tmp/.buildx-cache-new /tmp/.buildx-cache - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.txt flags: e2etests - name: Upload Logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 if: always() with: name: ${{ matrix.module }}-e2e-tests-logs diff --git a/.github/workflows/e2e-v2-nydus.yml b/.github/workflows/e2e-v2-nydus.yml index 0a41aee85b3..0b20226ccd7 100644 --- a/.github/workflows/e2e-v2-nydus.yml +++ b/.github/workflows/e2e-v2-nydus.yml @@ -25,7 +25,7 @@ jobs: timeout-minutes: 60 steps: - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false android: true @@ -36,19 +36,19 @@ jobs: swap-storage: true - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive fetch-depth: 0 - name: Setup buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 id: buildx with: install: true - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} @@ -65,7 +65,7 @@ jobs: docker tag dragonflyoss/dfinit:$CLIENT_TAG dragonflyoss/dfinit:latest - name: Build Scheduler Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/scheduler/Dockerfile 
@@ -76,7 +76,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build Manager Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/manager/Dockerfile @@ -87,7 +87,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Setup Kind - uses: helm/kind-action@v1.10.0 + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: version: ${{ env.KIND_VERSION }} config: ${{ env.KIND_CONFIG_PATH }} @@ -167,7 +167,7 @@ jobs: done - name: Upload Logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 if: always() with: name: nydus-e2e-tests-logs diff --git a/.github/workflows/e2e-v2.yml b/.github/workflows/e2e-v2.yml index 633461170f4..967d04728c6 100644 --- a/.github/workflows/e2e-v2.yml +++ b/.github/workflows/e2e-v2.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false android: true @@ -43,13 +43,13 @@ jobs: swap-storage: true - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive fetch-depth: 0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod @@ -59,13 +59,13 @@ jobs: mkdir -p /tmp/artifact - name: Setup buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 id: buildx with: install: true - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} 
@@ -82,7 +82,7 @@ jobs: docker tag dragonflyoss/dfinit:$CLIENT_TAG dragonflyoss/dfinit:latest - name: Build Scheduler Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/scheduler/Dockerfile @@ -93,7 +93,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Build Manager Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . file: build/images/manager/Dockerfile @@ -104,7 +104,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache-new - name: Setup Kind - uses: helm/kind-action@v1.10.0 + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: version: ${{ env.KIND_VERSION }} config: ${{ env.KIND_CONFIG_PATH }} @@ -134,14 +134,14 @@ jobs: mv /tmp/.buildx-cache-new /tmp/.buildx-cache - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.txt flags: e2etests - name: Upload Logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 if: always() with: name: ${{ matrix.module }}-e2e-tests-logs diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index d24263fcda2..b361b36ae47 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,6 +9,9 @@ on: env: GO_VERSION: '1.21' +permissions: + contents: read + jobs: lint: name: Lint 
@@ -16,21 +19,21 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod cache: false - name: Golangci lint - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 with: version: v1.54 args: --verbose - name: Markdown lint - uses: docker://avtodev/markdown-lint:v1 + uses: docker://avtodev/markdown-lint:v1@sha256:6aeedc2f49138ce7a1cd0adffc1b1c0321b841dc2102408967d9301c031949ee with: config: '.markdownlint.yml' args: '**/*.md' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2dcd2ec64bf..1c7756b76c8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,30 +5,35 @@ on: tags: - v* +permissions: + contents: read + jobs: goreleaser: + permissions: + contents: write # for goreleaser/goreleaser-action to create a GitHub release runs-on: ubuntu-latest timeout-minutes: 60 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 submodules: recursive - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod - name: Check GoReleaser config - uses: goreleaser/goreleaser-action@v6 + uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 with: version: latest args: check - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v6 + uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 with: distribution: goreleaser version: latest
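Review bot: Both GoReleaser steps still run with `version: latest`, so the action SHA is pinned but the GoReleaser binary it downloads is whatever is current at run time, and the release job is the one place where an unpinned tool touches what gets published. Set `version:` to an explicit GoReleaser release (`version: '<PINNED_GORELEASER_VERSION>'`, placeholder) in both the `Check GoReleaser config` and `Run GoReleaser` steps and let Dependabot or Renovate bump it. The job-level `permissions: contents: write` override on top of the new top-level `contents: read` is the right shape, and the inline comment explaining why it is needed is helpful.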