From 4e79bfd9e794db22ad1349710f7e332c43294663 Mon Sep 17 00:00:00 2001
From: "Sam Wang (holyspectral)"
Date: Wed, 25 Mar 2026 14:14:07 -0400
Subject: [PATCH] Pin GH Actions to commit sha
---
 .github/workflows/add_issue.yaml | 4 ++--
 .github/workflows/fossa.yml | 4 ++--
 .github/workflows/release.yml | 6 +++---
 .github/workflows/renovate-vault.yml | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/add_issue.yaml b/.github/workflows/add_issue.yaml
index af5e74a2..b77fded5 100644
--- a/.github/workflows/add_issue.yaml
+++ b/.github/workflows/add_issue.yaml
@@ -13,13 +13,13 @@ jobs: name: Add issue to project runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v2 + - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2 id: app-token with: app-id: ${{ secrets.ADD_ISSUE_APP_ID }} private-key: ${{ secrets.ADD_ISSUE_PRIVATE_KEY }} owner: ${{ github.repository_owner }} - - uses: actions/add-to-project@v1.0.2 + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/neuvector/projects/15 github-token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index 77e3b538..80c770c7 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
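Review bot: The `# v2` comment on the `actions/create-github-app-token` pin names a moving major tag, so a reader cannot check the SHA against a specific release from this diff, and a pin-updating bot (Dependabot, or Renovate if its github-actions manager is enabled for this repo) will treat it as tracking `v2` rather than a concrete version. Write the exact release tag that `fee1f7d…` was resolved from, in the same style as `# v1.0.2` on the `add-to-project` pin below it. Before merging, confirm each SHA is reachable from the named tag in the upstream repo, e.g. `git ls-remote https://github.com/actions/add-to-project refs/tags/v1.0.2`; a SHA that only exists in a fork of the action can still be fetched through the upstream name. The enclosing job starts outside the hunk.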
@@ -20,13 +20,13 @@ jobs: # The FOSSA token is shared between all repos in NeuVector's GH org. It can # be used directly and there is no need to request specific access to EIO. - name: Read FOSSA token - uses: rancher-eio/read-vault-secrets@main + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 with: secrets: | secret/data/github/org/neuvector/fossa/credentials token | FOSSA_API_KEY_PUSH_ONLY - name: FOSSA scan - uses: fossas/fossa-action@main + uses: fossas/fossa-action@c414b9ad82eaad041e47a7cf62a4f02411f427a0 # v1.8.0 with: api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }} # Only runs the scan and do not provide/returns any results back to the
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ff7e6dc9..2d031d23 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Load Secrets from Vault - uses: rancher-eio/read-vault-secrets@main + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 with: secrets: | secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | RANCHER_DOCKER_USERNAME ;
@@ -36,7 +36,7 @@ jobs: TARGET=${{ github.ref_name }} echo "TAG=${TARGET#v}" >> $GITHUB_ENV - name: Publish neuvector manifest - uses: rancher/ecm-distro-tools/actions/publish-image@master + uses: rancher/ecm-distro-tools/actions/publish-image@10ab39987d39be83da6a252c1c3b540e496e0287 # v0.66.0 with: push-to-public: true push-to-prime: false
@@ -49,7 +49,7 @@ jobs: public-username: ${{ env.DOCKER_USERNAME }} public-password: ${{ env.DOCKER_PASSWORD }} - name: Publish rancher manifest - uses: rancher/ecm-distro-tools/actions/publish-image@master + uses: rancher/ecm-distro-tools/actions/publish-image@10ab39987d39be83da6a252c1c3b540e496e0287 # v0.66.0 env: IMAGE_PREFIX: neuvector- with:
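Review bot: The `# v3` comment on the `rancher-eio/read-vault-secrets` pin (the same pin is added to release.yml in this patch) is a major-only tag, inconsistent with the exact `# v1.8.0` on the `fossas/fossa-action` pin a few lines below, and it does not tell a reader which release `0da8515…` actually is. Write the exact tag the SHA was resolved from so the pin can be audited and bumped by version. Because this is the step that receives the Vault-sourced `FOSSA_API_KEY_PUSH_ONLY`, it is worth confirming the SHA is reachable from an upstream tag or branch (e.g. `git ls-remote https://github.com/rancher-eio/read-vault-secrets refs/tags/v3`) rather than only from a fork in the same network. The enclosing `jobs:` block starts outside the hunk.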
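Review bot: `rancher/ecm-distro-tools/actions/publish-image` is a sub-directory action, so the new SHA only fixes the action's own definition; if that action is a composite, any `uses:` it contains at `10ab399…` stays at whatever ref that file names (not visible here), and a floating ref there would still let upstream changes reach a step that is handed the registry credentials passed via `public-username`/`public-password`. Worth checking `actions/publish-image/action.yml` at the pinned commit and recording the outcome in the comment, e.g. `# v0.66.0, nested actions pinned`. The identical pin is repeated in the `Publish rancher manifest` step in the next hunk, so keep the two comments in sync. The enclosing job starts outside the hunk.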
diff --git a/.github/workflows/renovate-vault.yml b/.github/workflows/renovate-vault.yml
index 52f6a5d2..73fb9a3b 100644
--- a/.github/workflows/renovate-vault.yml
+++ b/.github/workflows/renovate-vault.yml
@@ -22,7 +22,7 @@ permissions: jobs: call-workflow: - uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@release + uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@c88cbe41a49d02648b9bf83aa5a64902151323fa # release with: logLevel: ${{ inputs.logLevel || 'info' }} overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
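Review bot: The `# release` comment on the `rancher/renovate-config` reusable-workflow pin names a branch, not a version, so nothing in this file records which state of that config `c88cbe4…` corresponds to, and a pin-updating bot has no version to compare against — this pin will quietly fall behind the `release` branch until someone bumps it by hand. If the upstream repo publishes tags, reference the tag here; otherwise say how the pin is refreshed, e.g. `# release branch as of 2026-03-25; bump manually`. The called workflow runs under this job's `permissions:` (the block starts outside the hunk), so its own `uses:` pins at the referenced commit are worth confirming as well.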