From fef65ca2f09fe5efa6f74ba4dfe113fe1ec36e23 Mon Sep 17 00:00:00 2001
From: Evan Huus
Date: Mon, 4 May 2026 11:25:13 -0400
Subject: [PATCH] Harden CI image refs

---
 .github/workflows/changie-gen.yml | 4 ++--
 .github/workflows/enum-gen.yaml | 6 +++---
 .github/workflows/release.yml | 12 ++++++------
 .github/workflows/reports.yml | 4 ++--
 .github/workflows/security.yml | 2 +-
 .github/workflows/tests.yml | 8 ++++----
 6 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/changie-gen.yml b/.github/workflows/changie-gen.yml
index 5f57d53a..06df7a64 100644
--- a/.github/workflows/changie-gen.yml
+++ b/.github/workflows/changie-gen.yml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout branch that Dependabot labeled
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 ref: ${{ github.event.pull_request.head.ref }}
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -34,7 +34,7 @@ jobs:
 - name: Create changie log
 if: steps.changelog_check.outputs.exists == 'false'
- uses: miniscruff/changie-action@v2
+ uses: miniscruff/changie-action@6dcc2533cac0495148ed4046c438487e4dceaa23 # v2
 with:
 version: latest
 args: new --kind Dependency --body "${{ github.event.pull_request.title }}"
diff --git a/.github/workflows/enum-gen.yaml b/.github/workflows/enum-gen.yaml
index 8158a339..55a4aa25 100644
--- a/.github/workflows/enum-gen.yaml
+++ b/.github/workflows/enum-gen.yaml
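Review bot: The trailing `# v5` on the new `uses:` line of the Checkout step records only the floating major tag, so a later reader (or a tool that bumps SHA pins) cannot check that `93cb6efe…` still corresponds to the release it was resolved from. Record the exact tag that was resolved at pin time, e.g. `# v5.<minor>.<patch>` (placeholder), and apply the same to every other `# vN` comment in this patch: the changie, setup-go, setup-task, cache and import-gpg steps in enum-gen.yaml, release.yml, reports.yml and tests.yml; the goreleaser and report-deploy pins already carry full versions. This step also checks out `github.event.pull_request.head.ref` with `GITHUB_TOKEN`; the workflow trigger is outside the hunk, so it is worth confirming separately that the job does not run under a privileged trigger where a checked-out head ref would carry the caller's permissions.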
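Review bot: Pinning `miniscruff/changie-action` to a SHA still leaves `version: latest` two lines below it, so the changie binary the action downloads at run time remains unpinned and changes whenever upstream publishes a release; the SHA only freezes the wrapper, not the tool. Pin the tool as well, `version: "<exact changie release>"` (placeholder, quoted so it stays a string), and bump it deliberately alongside the action SHA.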
@@ -8,17 +8,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0
 - name: Fetch all tags
 run: git fetch --force --tags
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version-file: 'go.mod'
 - name: Install Task
- uses: arduino/setup-task@v2
+ uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
 with:
 version: 3.x
 repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6e64f518..331d529c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0
 submodules: 'true'
@@ -22,11 +22,11 @@ jobs:
 - name: Fetch All Tags
 run: git fetch --force --tags
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version-file: 'go.mod'
 - name: Cache Go modules
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ~/go/pkg/mod
 key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -34,7 +34,7 @@ jobs:
 ${{ runner.os }}-go-
 - name: Import GPG Key
 id: import_gpg
- uses: crazy-max/ghaction-import-gpg@v6
+ uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6
 with:
 gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
 passphrase: ${{ secrets.GPG_PASSPHRASE }}
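Review bot: `arduino/setup-task` is now SHA-pinned, but `version: 3.x` in the same step still lets the downloaded Task binary float across every 3.x release, so this step's effective supply chain is not frozen by the change. Pin an exact release, `version: "<exact task release>"` (placeholder, quoted so YAML does not reinterpret it), and update it deliberately. tests.yml carries the identical Install Task step and needs the same change.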
@@ -71,7 +71,7 @@ jobs:
 git tag -f ${{ steps.version.outputs.RELEASE_VERSION }} -m "Cut Release '${{ steps.version.outputs.RELEASE_VERSION }}'"
 git push -f origin refs/tags/${{ steps.version.outputs.RELEASE_VERSION }}
 - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v6.1.0
+ uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
 with:
 args: release --clean --release-notes=./.changes/${{ steps.version.outputs.RELEASE_VERSION }}.md
 env:
@@ -79,7 +79,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ORG_GITHUB_TOKEN: ${{ secrets.ORG_GITHUB_TOKEN }}
 - name: Report Release To OpsLevel
- uses: opslevel/report-deploy-github-action/with-docker@v3.0.0
+ uses: opslevel/report-deploy-github-action/with-docker@96f726be9dd07b2b862b4b2b6e13d775e322f708 # v3.0.0
 with:
 integration_url: ${{ secrets.DEPLOY_INTEGRATION_URL }}
 service: "opslevel_api_clients"
diff --git a/.github/workflows/reports.yml b/.github/workflows/reports.yml
index 5feecee6..51a1d602 100644
--- a/.github/workflows/reports.yml
+++ b/.github/workflows/reports.yml
@@ -14,12 +14,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0
 submodules: 'true'
 - name: Snyk Test
- uses: snyk/actions/golang@master
+ uses: snyk/actions/golang@9adf32b1121593767fc3c057af55b55db032dc04 # master
 continue-on-error: true
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 84cbf14b..be919e0c 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -9,7 +9,7 @@ on:
 jobs:
 call-grype:
- uses: opslevel/actions/.github/workflows/grype.yml@main
+ uses: opslevel/actions/.github/workflows/grype.yml@d66c9d7c93ff6df99a929e012366433e564d58fa # main
 with:
 alias: opslevel-go
 secrets: inherit
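Review bot: The new `snyk/actions/golang` pin records `# master` as its provenance, which names a branch rather than a release, so nobody can later tell which upstream version `9adf32b1…` corresponds to or judge when it is safe to move it. If the upstream repository publishes release tags, resolve the SHA from one of them and put that tag in the comment; if it does not, record the upstream commit date in the comment so the pin is at least auditable. Unrelated to the pin but worth noting while here: the unchanged `continue-on-error: true` means Snyk findings never fail this job, so the pin protects the runner but not the scan signal.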
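Review bot: Pinning the reusable workflow `grype.yml` to `d66c9d7c…` only freezes the caller side; the actions that workflow itself `uses` are pinned only to the extent that file was pinned at that revision, and `secrets: inherit` on the last line hands every repository secret to it. Confirm that the referenced revision of `grype.yml` pins its own steps by SHA, and consider whether `secrets: inherit` can be narrowed to the specific secrets the scan needs, e.g. `secrets:` with explicit `<name>: ${{ secrets.<NAME> }}` entries (placeholders). As with the other pins, `# main` should be replaced by a release tag if the upstream workflow repository publishes one.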
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 4917c906..7da5fd82 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -14,22 +14,22 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0
 - name: Fetch all tags
 run: git fetch --force --tags
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version-file: 'go.mod'
 - name: Install Task
- uses: arduino/setup-task@v2
+ uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
 with:
 version: 3.x
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Cache Go modules
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 ~/.cache/go-build