14 changes: 7 additions & 7 deletions .github/workflows/ci.yml
Expand Up @@ -18,9 +18,9 @@ jobs:
name: Unit Tests on Linux
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- name: Set up dotnet
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@v5
with:
dotnet-version: '10.x'
Comment on lines +21 to 25
Copilot AI Apr 4, 2026

These workflow actions are referenced via moving version tags. For supply-chain security and to make CI runs reproducible, pin actions/checkout and actions/setup-dotnet to commit SHAs (similar to how other workflows pin third-party actions).
- name: Run unit tests
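Review bot: moving from `actions/checkout@v4` to `@v6` and `actions/setup-dotnet@v4` to `@v5` still leaves both steps on mutable tags, so a reviewer cannot tell which upstream commit this job will run tomorrow; pin each `uses:` to a full commit SHA and keep the tag as a trailing comment (for example `uses: actions/checkout@<commit-sha> # v6`) so the pin stays readable and Dependabot can bump it.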
Expand Down Expand Up @@ -54,9 +54,9 @@ jobs:
SAMA_ENCRYPTION_KEY: test-encryption-key-for-ci-only

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- name: Set up dotnet
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@v5
with:
dotnet-version: '10.x'
Comment on lines +57 to 61
Copilot AI Apr 4, 2026

These workflow actions are referenced via moving version tags. Pin actions/checkout and actions/setup-dotnet to commit SHAs so integration test runs are reproducible and less exposed to upstream tag changes.
- name: Run integration tests
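Review bot: the context at the top of this hunk shows `SAMA_ENCRYPTION_KEY: test-encryption-key-for-ci-only` as a plaintext literal in the job env; that is acceptable for a throwaway CI value, but it is worth confirming that the application rejects such a short, non-random key outside a test profile so this literal can never become a fallback default. The `checkout`/`setup-dotnet` bumps in this hunk have the same mutable-tag problem as the unit-test job and should be pinned to commit SHAs the same way.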
Expand Down Expand Up @@ -97,9 +97,9 @@ jobs:
SAMA_ENCRYPTION_KEY: test-encryption-key-for-ci-only

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- name: Set up dotnet
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@v5
with:
dotnet-version: '10.x'
Comment on lines +100 to 104
Copilot AI Apr 4, 2026

These workflow actions are referenced via moving version tags. Pin actions/checkout and actions/setup-dotnet to commit SHAs (and keep them updated) to avoid unexpected CI breakages when upstream tags move.
- name: Build
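Review bot: this is the third identical copy of the `actions/checkout` + `actions/setup-dotnet` + `dotnet-version: '10.x'` prologue in this file (the unit-test and integration-test jobs above carry the same three lines), so every bump has to be applied three times; consider moving it into a local composite action or a reusable workflow so the pin lives in one place and cannot drift between jobs.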
Expand All @@ -117,6 +117,6 @@ jobs:
name: Docker Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
Copilot AI Apr 4, 2026

actions/checkout is referenced by a moving version tag here. Consider pinning it to a commit SHA for CI reproducibility/supply-chain hardening, consistent with the approach used for other actions in this repo.
- name: Build Docker image
run: docker build -t sama:ci-test .
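Review bot: the checkout step feeding `docker build -t sama:ci-test .` keeps checkout's default `persist-credentials: true`, which writes the job token into `.git/config` inside the `.` build context; since this job only builds and never pushes to git, add `with: persist-credentials: false` to the checkout step (and pin it to a SHA as requested above) so the token cannot be copied into an image layer by an over-broad `COPY`.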
16 changes: 8 additions & 8 deletions .github/workflows/release-ghcr.yml
Expand Up @@ -20,12 +20,12 @@ jobs:
outputs:
version: ${{ steps.minver.outputs.version }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
with:
fetch-depth: 0

- name: Set up dotnet
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@v5
with:
dotnet-version: '10.x'
Comment on lines +23 to 30
Copilot AI Apr 4, 2026

actions/checkout and actions/setup-dotnet are referenced by moving version tags here, while other actions in this workflow are pinned to immutable commit SHAs. For supply-chain security and reproducibility, pin these actions to specific commit SHAs as well (and keep them updated via Dependabot).

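Review bot: the `fetch-depth: 0` on this checkout is required because the job's `version` output comes from `steps.minver.outputs.version`, which needs tag history, so keep it; the higher-impact point is that the same unpinned `checkout`/`setup-dotnet` tags now sit on the release path, where a moved tag changes what gets published to GHCR rather than just a test run, so if SHA pinning is done in stages, pin these two first.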
Expand Down Expand Up @@ -58,19 +58,19 @@ jobs:
description: "Service Availability Monitoring and Alerting - A modern uptime monitoring system (with sudo)"

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
with:
fetch-depth: 0

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
Comment on lines +61 to +66
Copilot AI Apr 4, 2026

This job pins the Docker actions to commit SHAs but leaves actions/checkout on a moving tag. Pin actions/checkout to a commit SHA too so the full release pipeline is reproducible and less susceptible to upstream tag movement.

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd

- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
with:
images: ${{ env.TAG_NAME }}
tags: |
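Review bot: the `docker/setup-qemu-action`, `docker/setup-buildx-action` and `docker/metadata-action` pins in this hunk are bare 40-character SHAs with no indication of the release each resolves to; append the tag as a trailing comment on each line (for example `uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # <release tag>`) so reviewers can verify the SHA against the upstream release and Dependabot keeps the comment in sync when it bumps the pin.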
Expand All @@ -86,14 +86,14 @@ jobs:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

- name: Log in to GHCR
uses: docker/login-action@v3
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and push
uses: docker/build-push-action@v5
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
with:
context: .
file: ${{ matrix.dockerfile }}
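Review bot: the GHCR login now uses `${{ secrets.GITHUB_TOKEN }}` with a SHA-pinned `docker/login-action`, which is the right shape, but the job's `permissions:` block is outside this hunk; confirm it grants `packages: write` (and `contents: read`) explicitly rather than relying on the repository's default token permissions, and add the release-tag comment after the `login-action` and `build-push-action` SHAs as for the other pins.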