diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index db280829..658828f0 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -36,7 +36,7 @@ jobs: df -h - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha }} @@ -63,7 +63,7 @@ jobs: extra_args: --only-verified - name: Setup Go - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: "go.mod" @@ -92,13 +92,13 @@ jobs: run: UNAME_M=arm64 VERSION=${RELEASE_TAG:-commit-$GITHUB_SHA} make kvisor-linter - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ghcr.io username: ${{ github.actor }} @@ -106,7 +106,7 @@ jobs: - name: Docker build and push pr (controller) if: ${{ github.event_name == 'pull_request' }} - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: . file: ./Dockerfile.controller 
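Review bot: The trailing `# v4` on the new checkout pin names only a floating major tag, so the replacement SHA cannot be tied to a specific upstream release from this diff. Recording the exact release next to the SHA, as the `golangci-lint-action` (`# v7.0.1`) and `kind-action` (`# v1.13.0`) pins in this same change already do, lets a reviewer confirm that the commit belongs to the upstream repository's tag before merging, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch>` (placeholder; the exact version is not shown on this page). The same applies to the `# v3`, `# v5`, `# v6` and `# v0` pins in the other hunks of build.yaml, fossa.yaml, release.yaml and syft-sbom.yaml.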
@@ -116,7 +116,7 @@ jobs: - name: Docker build and push pr (agent) if: ${{ github.event_name == 'pull_request' }} - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: . file: ./Dockerfile.agent @@ -126,7 +126,7 @@ jobs: - name: Docker build and push pr (scanners) if: ${{ github.event_name == 'pull_request' }} - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: . file: ./Dockerfile.scanners @@ -136,7 +136,7 @@ jobs: - name: Docker build and push main (controller) if: ${{ github.event_name != 'pull_request' && github.event_name != 'release'}} - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: . file: ./Dockerfile.controller @@ -146,7 +146,7 @@ jobs: - name: Docker build and push main (agent) if: ${{ github.event_name != 'pull_request' && github.event_name != 'release'}} - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: . file: ./Dockerfile.agent @@ -156,7 +156,7 @@ jobs: - name: Docker build and push main (scanners) if: ${{ github.event_name != 'pull_request' && github.event_name != 'release'}} - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: . file: ./Dockerfile.scanners 
@@ -168,7 +168,7 @@ jobs: # You may pin to the exact commit or the version. # uses: golangci/golangci-lint-action@537aa1903e5d359d0b27dbc19ddd22c5087f3fbc if: ${{ github.event_name == 'pull_request' && !contains(env.head_commit_message, '#skip-lint') }} - uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0 + uses: golangci/golangci-lint-action@9fae48acfc02a90574d7c304a1758ef9895495fa # v7.0.1 with: args: -v --timeout=5m version: v2.0.2 @@ -196,7 +196,7 @@ jobs: if: ${{ github.event_name == 'pull_request' }} steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 2 @@ -212,7 +212,7 @@ jobs: - name: Setup Helm if: steps.changes.outputs.charts_changed == 'true' - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4 # TODO: re-add verification when https://github.com/helm-unittest/helm-unittest/issues/777 is resolved - name: Install helm-unittest plugin @@ -232,7 +232,7 @@ jobs: needs: build steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha }} 
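Review bot: The commented-out `# uses: golangci/golangci-lint-action@537aa1903e5d359d0b27dbc19ddd22c5087f3fbc` kept above the live step names a different commit than the pin that actually runs (`9fae48acfc02a90574d7c304a1758ef9895495fa`, `# v7.0.1`), which makes it easy to misread which revision is in use. That line and `# You may pin to the exact commit or the version.` look like leftover template text. Dropping both, or replacing them with a one-line comment stating why the action is pinned by SHA, would leave a single source of truth for the pin. The step's `name:` line is outside the hunk.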
@@ -244,19 +244,19 @@ jobs: echo "Head commit sha ${head}" - name: Setup Go - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: "go.mod" - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Create kind cluster - uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 + uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0 with: config: ./e2e/kind-config.yaml cluster_name: kvisor-e2e diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml index 404fc72c..00498289 100644 --- a/.github/workflows/fossa.yaml +++ b/.github/workflows/fossa.yaml @@ -9,7 +9,7 @@ jobs: fossa-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: fossas/fossa-action@65a5a12203e31a5fcc54154db9c52647f84b1169 # v1 with: api-key: ${{ secrets.FOSSA_API_KEY }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2a0871c0..e44f1d66 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -19,10 +19,10 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Go - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: "go.mod" 
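Review bot: In fossa.yaml the checkout step has no `with:` block, so it runs with the action's defaults, and `actions/checkout` by default leaves the job token configured for git in the workspace for the rest of the job. The very next step hands that workspace to a third-party action (`fossas/fossa-action`) together with `secrets.FOSSA_API_KEY`. Nothing visible in this job pushes back to the repository, so adding `with:` and `persist-credentials: false` to the checkout would narrow what a compromised or buggy downstream action can reach. The checkout in syft-sbom.yaml, which is followed directly by `anchore/sbom-action`, is in the same position. The workflows' `permissions:` settings are outside these hunks, so the token's scope cannot be judged from here.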
@@ -54,27 +54,27 @@ jobs: run: UNAME_M=arm64 VERSION=${RELEASE_TAG:-commit-$GITHUB_SHA} make kvisor-linter - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Login to Google Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: us-docker.pkg.dev username: _json_key password: ${{ secrets.ARTIFACT_BUILDER_JSON_KEY }} - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push release (kvisor-agent) - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: . push: true @@ -87,7 +87,7 @@ jobs: us-docker.pkg.dev/castai-hub/library/kvisor-agent:latest - name: Build and push release (kvisor-controller) - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: . push: true @@ -100,7 +100,7 @@ jobs: us-docker.pkg.dev/castai-hub/library/kvisor-controller:latest - name: Build and push release (kvisor-scanners) - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: . push: true 
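Review bot: The `Login to Google Container Registry` step authenticates with `username: _json_key` and `secrets.ARTIFACT_BUILDER_JSON_KEY`, which indicates an exported service-account key that stays valid until someone rotates it. After this step the resulting registry credentials remain on the runner for every later step in the job, including the three `build-push-action` steps whose pins change in the following hunks. Because this job publishes the release images, each new SHA in release.yaml deserves a check against the upstream tag before merge. Moving this login to short-lived credentials (for example workload identity federation) would limit the damage from a bad action revision to a single run rather than a reusable key.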
@@ -118,7 +118,7 @@ jobs: needs: release_docker steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: "0" @@ -127,7 +127,7 @@ jobs: - name: Checkout helm-charts # The cr tool only works if the target repository is already checked out - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 repository: castai/helm-charts @@ -141,7 +141,7 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Install Helm - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4 with: version: v3.5.2 @@ -181,7 +181,7 @@ jobs: git status - name: Make helm charts github release - uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2 + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 with: body: | ${{ steps.parse-chart.outputs.desc }} diff --git a/.github/workflows/syft-sbom.yaml b/.github/workflows/syft-sbom.yaml index d0723962..685c30ba 100644 --- a/.github/workflows/syft-sbom.yaml +++ b/.github/workflows/syft-sbom.yaml @@ -11,9 +11,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Anchore SBOM Action - uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0 + uses: anchore/sbom-action@0b82b0b1a22399a1c542d4d656f70cd903571b5c # v0 with: artifact-name: ${{ github.event.repository.name }}-spdx.json
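Review bot: The `Install Helm` step still passes `version: v3.5.2`, so the installer action moves forward while the release job keeps packaging charts with a Helm build that is several years old and predates later Helm security fixes. The `Setup Helm` step in build.yaml (hunk at -212) shows no `version` input within its hunk, so the chart tests appear to run on whatever the action installs by default rather than on the version used for release. Pinning both steps to the same maintained release, e.g. `version: <current Helm 3 release>` (placeholder), would keep the tested and released tooling aligned.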