
Commit e5e406e

committed
CI: pin actions by hash
Pin the actions by hash so that a compromised release of an action is not picked up automatically and used to leak our secrets. This is not bulletproof, but it is better than nothing.
1 parent 0cc572c commit e5e406e


5 files changed

+23
-23
lines changed

5 files changed

+23
-23
lines changed

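--- a/.github/workflows/create-new-tag.yml
+++ b/.github/workflows/create-new-tag.yml
@@ -12,7 +12,7 @@ jobs:
 bump_version:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v3
+- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 2
 
@@ -23,7 +23,7 @@ jobs:
 
 - name: Patch Package Versions when code change.
 id: patch-version
-uses: anothrNick/github-tag-action@v1
+uses: anothrNick/github-tag-action@e528bc2b9628971ce0e6f823f3052d1dcd9d512c # 1.73.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 DEFAULT_BUMP: patch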
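Review bot: The hash pins added at lines 15 and 26 freeze each action at one commit, so without an automated updater they will quietly age past the very security releases the commit message is worried about; the same applies to every pin in main.yml, publish-new-version.yml, statistician-dive.yml and statistician-image.yml. The trailing `# v5.0.0` / `# 1.73.0` comments are the form Dependabot's `github-actions` ecosystem and Renovate use to keep both the SHA and the comment current, so enabling one of them (a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"`) would close that gap. The checkout step also moves from the floating `v3` tag straight to a commit labelled v5.0.0, an upgrade bundled with the pin; it presumably still works with `fetch-depth: 2`, but the v4/v5 release notes (runner and Node requirements) should be checked before merging. Each SHA should also be confirmed to resolve to the tag named in its comment, since the comment is informational only and the SHA is what actually runs.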

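--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -29,18 +29,18 @@ jobs:
 && github.event.workflow_run.conclusion == 'success')
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 0
 
-- uses: actions/cache@v4
+- uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
 id: wheels_cache
 with:
 path: ./wheels
 key: wheels-${{ github.sha }}
 
 - name: Setup Python
-uses: actions/setup-python@v5
+uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: "3.10"
 
@@ -84,7 +84,7 @@ jobs:
 - build-wheels
 
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
 - name: Install Dependencies
 shell: bash
@@ -100,7 +100,7 @@ jobs:
 pip freeze
 
 - name: Get Wheels from Cache
-uses: actions/cache@v4
+uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
 id: wheels_cache
 with:
 path: ./wheels
@@ -149,7 +149,7 @@ jobs:
 if: |
 github.repository == 'opendatacube/odc-stats'
 
-uses: codecov/codecov-action@v4
+uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 fail_ci_if_error: false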
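Review bot: The codecov step at line 152 moves from the floating `v4` to a commit labelled v5.4.3, a major-version upgrade bundled into a commit described as pinning only; codecov-action v5 reworked its upload implementation and, as far as I recall, renamed some inputs, so the `with:` block should be checked against the v5 documentation. Only `token` and `fail_ci_if_error` are visible here, and with `fail_ci_if_error: false` an upload that starts failing after the upgrade would be silent, so the first run after merge is worth inspecting by hand. The checkout pins at lines 32 and 87 carry the same kind of bundled jump (v4 → v5.0.0). The enclosing jobs start and end outside these hunks.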

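--- a/.github/workflows/publish-new-version.yml
+++ b/.github/workflows/publish-new-version.yml
@@ -14,15 +14,15 @@ jobs:
 && github.event.workflow_run.conclusion == 'success'
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
-- uses: actions/cache@v4
+- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+- uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
 id: wheels_cache
 with:
 path: ./wheels
 key: wheels-${{ github.sha }}
 
 - name: Setup Python
-uses: actions/setup-python@v5
+uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: "3.10"
 
@@ -51,8 +51,8 @@ jobs:
 && github.event.workflow_run.conclusion == 'success'
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
-- uses: actions/cache@v4
+- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+- uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
 id: wheels_cache
 with:
 path: ./wheels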

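--- a/.github/workflows/statistician-dive.yml
+++ b/.github/workflows/statistician-dive.yml
@@ -26,7 +26,7 @@ jobs:
 name: Analyze image efficiency
 steps:
 - name: Checkout
-uses: actions/checkout@v3
+uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
 - name: lint
 uses: luke142367/Docker-Lint-Action@v1.1.1
@@ -47,7 +47,7 @@ jobs:
 wagoodman/dive:v0.12.0 --ci-config /.dive-ci ${ORG}/${IMAGE}:_build
 
 - name: Docker image size check
-uses: wemake-services/docker-image-size-limit@2.0.0
+uses: wemake-services/docker-image-size-limit@cbc4fff807e8d490ec7d808c52991387649ffa65 # 2.1.0
 with:
 image: ${{ env.ORG }}/${{ env.IMAGE}}:_build
 size: "3 GiB"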
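Review bot: `luke142367/Docker-Lint-Action@v1.1.1` on line 32 is still referenced by a mutable tag, so this workflow is only partially pinned and does not meet the commit's stated goal; it should become `uses: luke142367/Docker-Lint-Action@<COMMIT_SHA_OF_TAG_v1.1.1> # v1.1.1` (placeholder: resolve the tag to its commit before committing). The `wagoodman/dive:v0.12.0` image on line 47 is likewise pulled by tag; if the same guarantee is wanted for the container, an `@sha256:` digest reference gives it, though the `docker run` invocation that uses it starts outside the hunk. The size-limit action at line 50 also moves from 2.0.0 to a commit labelled 2.1.0, a version bump bundled with the pin that the commit message does not mention.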

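--- a/.github/workflows/statistician-image.yml
+++ b/.github/workflows/statistician-image.yml
@@ -31,10 +31,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
-uses: actions/checkout@v3
+uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
 - name: lint Dockerfile
-uses: hadolint/hadolint-action@v2.0.0
+uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
 with:
 dockerfile: docker/Dockerfile
 ignore: DL3008,DL3002,DL3013,DL3059,SC2102
@@ -59,7 +59,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
-uses: actions/checkout@v3
+uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
 - name: Build a new docker image with tag
 id: tag-image
@@ -76,16 +76,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
-uses: actions/checkout@v3
+uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 role-to-assume: arn:aws:iam::538673716275:role/github-actions-role
 aws-region: ap-southeast-2
 
 - name: Push image to ECR
-uses: whoan/docker-build-with-cache-action@master
+uses: whoan/docker-build-with-cache-action@d8d3ad518e7ac382b880720d0751815e656fe032 # v8.1.0
 with:
 context: ./docker
 registry: 538673716275.dkr.ecr.ap-southeast-2.amazonaws.com
@@ -101,10 +101,10 @@ jobs:
 
 steps:
 - name: Checkout code
-uses: actions/checkout@v3
+uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
 - name: Push image to ghcr
-uses: whoan/docker-build-with-cache-action@master
+uses: whoan/docker-build-with-cache-action@d8d3ad518e7ac382b880720d0751815e656fe032 # v8.1.0
 with:
 context: ./docker
 registry: ghcr.io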
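Review bot: `aws-actions/configure-aws-credentials` at line 82 jumps from the floating `v1` tag to a commit labelled v4.3.1, three major versions inside a commit described as pinning only; the inputs used here (`role-to-assume`, `aws-region`) still exist in v4, but defaults and the Node runtime changed across those majors, so the action's migration notes should be checked and the first ECR push after merge watched. Taking `whoan/docker-build-with-cache-action` at lines 88 and 107 off `master` is the most valuable change in this file, since that step presumably receives the registry credentials (they are outside the hunk), but a hash pin only fixes the action's own code; whatever base images and tooling its Docker build pulls at run time are still resolved by tag unless `docker/Dockerfile` pins digests, and that file is outside this diff. The checkout pins at lines 34, 62, 79 and 104 carry the same v3 → v5.0.0 bundled upgrade noted for the other workflows. The enclosing jobs start and end outside these hunks.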
