From 26edf3ac91b2f7fd48343f230102e50b46667b2d Mon Sep 17 00:00:00 2001
From: Denys Fedoryshchenko
Date: Mon, 27 Apr 2026 14:12:47 +0300
Subject: [PATCH] ci: Secure github actions by pinning them to commit SHA
Signed-off-by: Denys Fedoryshchenko
---
 .github/workflows/docker_images.yml | 12 ++++++------
 .github/workflows/main.yml | 8 ++++----
 .github/workflows/production.yml | 16 ++++++++--------
 .github/workflows/rootfs.yml | 16 ++++++++--------
 .github/workflows/staging.yml | 2 +-
 5 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/docker_images.yml b/.github/workflows/docker_images.yml
index 0475ecf3d6..41aa628431 100644
--- a/.github/workflows/docker_images.yml
+++ b/.github/workflows/docker_images.yml
@@ -41,7 +41,7 @@ jobs:
 environment: deploydocker
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: ${{ env.USER_GIT_OWNER }}/kernelci-core
 ref: ${{ env.USER_GIT_BRANCH }}
@@ -55,7 +55,7 @@ jobs:
 python3 -m pip install '.[dev]' --break-system-packages
 sudo cp -R config /etc/kernelci/
 - name: Cache apt packages
- uses: awalsh128/cache-apt-pkgs-action@latest
+ uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.4
 with:
 packages: python3-pip git docker.io python3-docker
 version: 1.0
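Review bot: The trailing comment on the new `uses:` line records only the major version (`# v4`), so a reader cannot tell which actions/checkout release 34e11487… was resolved from, and SHA-bump tooling (Dependabot/Renovate) will keep tracking a floating `v4` rather than a concrete release. Record the exact tag, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.x.y` with the real tag filled in, and do the same for the other `# v4`/`# v5` pins in this patch. Before merging, confirm each SHA is reachable from that release tag in the upstream repository, since GitHub will also resolve a commit that exists only in a fork when it is referenced through the upstream `owner/repo` name. If the project does not already have a `github-actions` entry in `.github/dependabot.yml`, add one so the pins do not rot.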
@@ -124,21 +124,21 @@ jobs:
 environment: deploydocker
 steps:
 - name: Checkout kernelci-core
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: ${{ env.USER_GIT_OWNER }}/kernelci-core
 ref: ${{ env.USER_GIT_BRANCH }}
 fetch-depth: 0
 path: kernelci-core
 - name: Checkout kernelci-pipeline
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: ${{ env.USER_GIT_OWNER }}/kernelci-pipeline
 ref: ${{ env.USER_GIT_BRANCH }}
 fetch-depth: 0
 path: kernelci-pipeline
 - name: Checkout kernelci-api
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: ${{ env.USER_GIT_OWNER }}/kernelci-api
 ref: ${{ env.USER_GIT_BRANCH }}
@@ -151,7 +151,7 @@ jobs:
 python3 -m pip install '.[dev]' --break-system-packages
 sudo cp -R config /etc/kernelci/
 - name: Cache apt packages
- uses: awalsh128/cache-apt-pkgs-action@latest
+ uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.4
 with:
 packages: python3-pip git docker.io python3-docker
 version: 1.0
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 36c669a813..a3daaa11ae 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -15,10 +15,10 @@ jobs:
 runs-on: ubuntu-slim
 steps:
 - name: Check out source code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: '3.10'
 cache: 'pip'
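Review bot: Pinning the cache action's SHA in the `@@ -151` hunk gives limited assurance for this job, because the first line of that hunk, `python3 -m pip install '.[dev]' --break-system-packages`, executes packaging code from repositories checked out (previous hunk) at `${{ env.USER_GIT_OWNER }}/...` and `${{ env.USER_GIT_BRANCH }}`, inside a job that runs under `environment: deploydocker`. If those env values can be chosen by whoever triggers the workflow, the effective trust boundary is that repository and branch, not the pinned actions, and the environment's protection rules are what stands between a crafted branch and the `deploydocker` secrets. If they are instead fixed to the kernelci organization, a comment above the `Checkout` steps such as `# USER_GIT_OWNER/USER_GIT_BRANCH are trusted: set from workflow env, not user input` would make that explicit. The enclosing job definition and the `run:` block containing the pip line both start outside the hunk.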
@@ -37,10 +37,10 @@ jobs:
 name: Lint
 steps:
 - name: Check out source code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: "3.10"
 cache: 'pip'
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index 72329863c7..32c1e73a80 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -18,7 +18,7 @@ jobs:
 - name: Discord notification for start
 env:
 DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
- uses: Ilshidur/action-discord@master
+ uses: Ilshidur/action-discord@d2594079a10f1d6739ee50a2471f0ca57418b554 # 0.4.0
 with:
 args: 'Maestro production deploy started: "${{ inputs.message }}" by ${{ github.actor }}'
 tag-core:
@@ -26,7 +26,7 @@ jobs:
 needs: discord-notify-start
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: kernelci/kernelci-core
 ref: main
@@ -46,7 +46,7 @@ jobs:
 needs: discord-notify-start
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: kernelci/kernelci-pipeline
 ref: main
@@ -71,7 +71,7 @@ jobs:
 needs: discord-notify-start
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: kernelci/kernelci-api
 ref: main
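Review bot: The new `uses: Ilshidur/action-discord@d2594079a10f1d6739ee50a2471f0ca57418b554 # 0.4.0` line in the `@@ -18` hunk pins the action's repository contents, but if action-discord at that commit is a Docker-based action (built from a Dockerfile or referencing an image by tag), the container base image is still resolved at run time and can change underneath the pin. Check the `action.yml` at that SHA; if it is Docker-based, either accept that residual drift explicitly or record it next to the pin, e.g. `# Docker action: base image is not pinned by this SHA`. The same check applies to the other third-party pins in this patch (appleboy/scp-action, rtCamp/action-slack-notify). The version comment here is written without a `v` prefix (`# 0.4.0`); make sure it matches the actual tag name in that repository so SHA-bump tooling recognizes it.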
@@ -103,12 +103,12 @@ jobs:
 needs: call-docker-build
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: kernelci/kernelci-deploy
 ref: main
 - name: Set up kubectl
- uses: azure/k8s-set-context@v4
+ uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
 with:
 method: kubeconfig
 kubeconfig: ${{ secrets.KUBECONFIG }}
@@ -119,7 +119,7 @@ jobs:
 - name: Discord notification for end
 env:
 DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
- uses: Ilshidur/action-discord@master
+ uses: Ilshidur/action-discord@d2594079a10f1d6739ee50a2471f0ca57418b554 # 0.4.0
 with:
 args: 'Maestro production deploy completed.'
 discord-notify-failure:
@@ -130,6 +130,6 @@ jobs:
 - name: Notify failure to Discord
 env:
 DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
- uses: Ilshidur/action-discord@master
+ uses: Ilshidur/action-discord@d2594079a10f1d6739ee50a2471f0ca57418b554 # 0.4.0
 with:
 args: '❌ Maestro production deploy failed.'
diff --git a/.github/workflows/rootfs.yml b/.github/workflows/rootfs.yml
index b1723e29af..21624a62e6 100644
--- a/.github/workflows/rootfs.yml
+++ b/.github/workflows/rootfs.yml
@@ -41,7 +41,7 @@ jobs:
 - name: Discord notification for start
 env:
 DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
- uses: Ilshidur/action-discord@master
+ uses: Ilshidur/action-discord@d2594079a10f1d6739ee50a2471f0ca57418b554 # 0.4.0
 with:
 args: 'Rootfs build started: "${{ github.event.inputs.ROOTFS_NAME }}" for architecture "${{ github.event.inputs.ROOTFS_ARCH }}" by ${{ github.actor }}'
@@ -52,13 +52,13 @@ jobs:
 environment: deploysecrets
 steps:
 - name: Checkout kernelci-deploy
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: kernelci/kernelci-deploy
 path: kernelci-deploy
 ref: 'main'
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: ${{ env.USER_GIT_REPO }}
 ref: ${{ env.USER_GIT_BRANCH }}
@@ -80,7 +80,7 @@ jobs:
 echo "ROOTFS_TIMECODE=$(date +%Y%m%d.0)" >> $GITHUB_ENV
 - name: Copy files via scp to staging
 if: ${{ env.ROOTFS_DESTINATION == 'staging' }}
- uses: appleboy/scp-action@v1
+ uses: appleboy/scp-action@ff85246acaad7bdce478db94a363cd2bf7c90345 # v1.0.0
 with:
 host: ${{ secrets.STAGING_HOST }}
 username: ${{ secrets.STAGING_USERNAME }}
@@ -91,7 +91,7 @@ jobs:
 strip_components: 8
 - name: Copy files via scp to production
 if: ${{ env.ROOTFS_DESTINATION == 'production' }}
- uses: appleboy/scp-action@v1
+ uses: appleboy/scp-action@ff85246acaad7bdce478db94a363cd2bf7c90345 # v1.0.0
 with:
 host: ${{ secrets.PRODUCTION_HOST }}
 username: ${{ secrets.PRODUCTION_USERNAME }}
@@ -105,7 +105,7 @@ jobs:
 echo "FINAL_MSG=Rootfs build completed: ${{ secrets.STAGING_URL }}/${{ env.ROOTFS_NAME }}/${{ env.ROOTFS_TIMECODE }}/${{ env.ROOTFS_ARCH }}" >> $GITHUB_ENV
 cat $GITHUB_ENV|grep FINAL_MSG
 - name: Slack notification
- uses: rtCamp/action-slack-notify@v2
+ uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
 env:
 SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
 SLACK_CHANNEL: 'bot'
@@ -122,7 +122,7 @@ jobs:
 - name: Discord notification for end
 env:
 DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
- uses: Ilshidur/action-discord@master
+ uses: Ilshidur/action-discord@d2594079a10f1d6739ee50a2471f0ca57418b554 # 0.4.0
 with:
 args: 'Rootfs build completed: "${{ github.event.inputs.ROOTFS_NAME }}" for architecture "${{ github.event.inputs.ROOTFS_ARCH }}". Check the logs for more details.'
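Review bot: The first context line of the `@@ -105` hunk interpolates `${{ secrets.STAGING_URL }}`, `${{ env.ROOTFS_NAME }}`, `${{ env.ROOTFS_TIMECODE }}` and `${{ env.ROOTFS_ARCH }}` directly into a `run:` shell line, which is the GitHub Actions expression-injection pattern that the action pinning in this hunk does not address. ROOTFS_NAME and ROOTFS_ARCH appear to originate from `github.event.inputs` (the Discord messages in the neighboring hunks use those inputs), so a crafted dispatch input could terminate the double-quoted `echo` argument and run arbitrary shell in a job holding the `deploysecrets` environment; the expression expansion happens before the shell sees the script, so quoting inside the script does not help. Since those values are already environment variables on the runner, reference them as shell variables instead: `echo "FINAL_MSG=Rootfs build completed: ${STAGING_URL}/${ROOTFS_NAME}/${ROOTFS_TIMECODE}/${ROOTFS_ARCH}" >> "$GITHUB_ENV"`, with `STAGING_URL: ${{ secrets.STAGING_URL }}` supplied through the step's `env:` block. The `run:` block this line belongs to starts outside the hunk, so check its other lines for the same pattern.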
@@ -134,6 +134,6 @@ jobs:
 - name: Notify failure to Discord
 env:
 DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
- uses: Ilshidur/action-discord@master
+ uses: Ilshidur/action-discord@d2594079a10f1d6739ee50a2471f0ca57418b554 # 0.4.0
 with:
 args: 'Rootfs build failed: "${{ github.event.inputs.ROOTFS_NAME }}" for architecture "${{ github.event.inputs.ROOTFS_ARCH }}". Check the logs for more details.'
diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml
index 2b1387b2db..5a835d0eef 100644
--- a/.github/workflows/staging.yml
+++ b/.github/workflows/staging.yml
@@ -15,7 +15,7 @@ jobs:
 environment: deploydocker
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: 'kernelci/kernelci-deploy'
 ref: 'main'