Skip to content

Commit

Permalink
feat: Pin actions to hashes
Browse files Browse the repository at this point in the history 
Done with pin-github-action <https://github.com/mheap/pin-github-action>
1.8.0 using `npx pin-github-action .github/workflows/*.yml`.

Dependabot should support updating in the same fashion
<dependabot/dependabot-core#8277 (comment)>.
  • Loading branch information
@l0b0
l0b0 committed Nov 16, 2023
1 parent aa374b9 commit 5315d92
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 22 deletions.
24 changes: 12 additions & 12 deletions .github/workflows/push.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,16 +6,16 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: linz/action-typescript@v3
- uses: linz/action-typescript@dee99184c4305aea6c380a52db9b2d7abaaa3e78 # v3

# Only build containers on branches otherwise container builds are duplicated deploy-nonprod-containers
- name: Set up Docker Buildx
if: ${{ github.ref != 'refs/heads/master' }}
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3

- name: Build container
if: ${{ github.ref != 'refs/heads/master' }}
uses: docker/build-push-action@v5
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5
with:
context: .
platforms: linux/amd64
Expand Down Expand Up @@ -46,7 +46,7 @@ jobs:
name: nonprod

steps:
- uses: linz/action-typescript@v3
- uses: linz/action-typescript@dee99184c4305aea6c380a52db9b2d7abaaa3e78 # v3

- name: Download actionlint
run: docker build --tag actionlint - < .github/workflows/actionlint.dockerfile
Expand All @@ -65,29 +65,29 @@ jobs:
- name: Set up Docker Qemu
id: qemu
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5
with:
images: ${{ github.repository }}
labels: |
org.opencontainers.image.version=${{ steps.version.outputs.version }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Configure AWS Credentials
if: ${{env.AWS_CI_ROLE != ''}}
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4
with:
aws-region: ap-southeast-2
mask-aws-account-id: true
Expand All @@ -96,11 +96,11 @@ jobs:
- name: Login to Amazon ECR
if: ${{env.AWS_CI_ROLE != ''}}
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1

- name: Setup docker tags
id: tags
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
with:
result-encoding: string
script: |
Expand All @@ -115,7 +115,7 @@ jobs:
return tags.join(', ')
- name: Build and push container
uses: docker/build-push-action@v5
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5
with:
context: .
tags: ${{ steps.tags.outputs.result }}
Expand Down
20 changes: 10 additions & 10 deletions .github/workflows/release-please.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
outputs:
release_created: ${{ steps.release.outputs.release_created }}
steps:
- uses: google-github-actions/release-please-action@v3
- uses: google-github-actions/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 # v3
id: release
with:
release-type: node
Expand All @@ -29,7 +29,7 @@ jobs:
packages: write
if: ${{ needs.release-please.outputs.release_created }}
steps:
- uses: linz/action-typescript@v3
- uses: linz/action-typescript@dee99184c4305aea6c380a52db9b2d7abaaa3e78 # v3

- name: Setup GIT version
id: version
Expand All @@ -42,40 +42,40 @@ jobs:
- name: Set up Docker Qemu
id: qemu
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5
with:
images: ${{ github.repository }}
labels: |
org.opencontainers.image.version=${{ steps.version.outputs.version }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4
with:
aws-region: ap-southeast-2
mask-aws-account-id: true
role-to-assume: ${{ secrets.AWS_CI_ROLE }}

- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1

- name: Setup docker tags
id: tags
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
with:
result-encoding: string
script: |
Expand All @@ -94,7 +94,7 @@ jobs:
return tags.join(', ')
- name: Build and push container
uses: docker/build-push-action@v5
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5
with:
context: .
tags: ${{ steps.tags.outputs.result }}
Expand Down

0 comments on commit 5315d92

Please sign in to comment.