From feae5e8db0a079309979245cee9f07e8fdbba61f Mon Sep 17 00:00:00 2001 From: Pietro Dell'Amore Date: Fri, 10 Apr 2026 10:02:02 -0300 Subject: [PATCH] Pin GH Actions to commit sha --- .github/actions/fetchimages/action.yml | 4 +-- .github/workflows/build.yaml | 6 ++-- .github/workflows/build_and_test_arm.yaml | 32 +++++++++---------- .github/workflows/build_and_test_x86.yaml | 38 +++++++++++------------ .github/workflows/cache-cleanup.yaml | 2 +- .github/workflows/cli.yaml | 6 ++-- .github/workflows/docs-publish.yaml | 8 ++--- .github/workflows/fossa.yml | 4 +-- .github/workflows/nightly.yaml | 4 +-- .github/workflows/push-images.yaml | 8 ++--- 10 files changed, 56 insertions(+), 56 deletions(-) diff --git a/.github/actions/fetchimages/action.yml b/.github/actions/fetchimages/action.yml index 98b4c2b5bfc..0c71f518a4e 100644 --- a/.github/actions/fetchimages/action.yml +++ b/.github/actions/fetchimages/action.yml @@ -27,7 +27,7 @@ runs: - if: ${{ inputs.toolkit == 'true' }} name: Fetch toolkit image id: cache-toolkit - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: toolkit-build-x86_64-${{ github.event_name }} with: @@ -43,7 +43,7 @@ runs: - if: ${{ inputs.os == 'true' }} name: Fetch OS image id: cache-os - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: os-build-x86_64-${{ inputs.flavor }}-${{ github.event_name }} with: diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6410d9d59d7..fe6191af376 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -40,7 +40,7 @@ jobs: outputs: version: ${{ steps.version.outputs.version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: "${{ github.event.pull_request.head.sha }}" - run: | 
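Review bot: The trailing comment on each new pin in `.github/actions/fetchimages/action.yml` names only the floating major tag (`# v4`), so the file no longer records which release `0057852bfaa89a56745cba8c7296529d2fc39830` actually is, and a reader cannot tell a stale pin from a current one. I would put the exact release tag in the comment, e.g. `uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # vX.Y.Z` (placeholder; fill in the tag this SHA resolves to), which is also the form Dependabot and Renovate rewrite when they bump a pinned SHA. The same applies to every pin in this patch except `fossas/fossa-action`, which already carries `# v1.9.0`. The diffstat lists no updater configuration among the ten files, so unless one already exists in the repository these SHAs will stop receiving upstream security fixes; that deserves a follow-up.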
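Review bot: In `.github/workflows/build.yaml` the pinned `actions/checkout` step still checks out `github.event.pull_request.head.sha` with the default credential persistence, so the job token stays in the checkout's git configuration while later steps run. The trigger is outside the hunk, so this only matters if the workflow can run with a privileged token for fork pull requests (for example under `pull_request_target`); please confirm it cannot. Consider adding `persist-credentials: false` under `with:`, provided the following `git fetch --prune --unshallow` still works without stored credentials. The same checkout of the PR head SHA appears in the `build_and_test_x86.yaml` and `cache-cleanup.yaml` hunks, and the job continues past the end of this hunk.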
@@ -50,7 +50,7 @@ jobs: uses: ./.github/actions/version - name: Check cache for Toolkit image id: cache-toolkit - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: toolkit-build-x86_64-${{ github.event_name }} lookup-only: true @@ -67,7 +67,7 @@ jobs: - if: ${{ steps.cache-toolkit.outputs.cache-hit != 'true' }} name: Save toolkit image in cache id: save-toolkit - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: toolkit-build-x86_64-${{ github.event_name }} with: diff --git a/.github/workflows/build_and_test_arm.yaml b/.github/workflows/build_and_test_arm.yaml index c5839349b0d..08d35ed0b37 100644 --- a/.github/workflows/build_and_test_arm.yaml +++ b/.github/workflows/build_and_test_arm.yaml @@ -25,12 +25,12 @@ jobs: FLAVOR: ${{ inputs.flavor }} ARCH: aarch64 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - run: | git fetch --prune --unshallow - name: Cached ISO id: cache-iso - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: pr-iso-build-aarch64-${{ inputs.flavor }} enableCrossOsArchive: true @@ -50,7 +50,7 @@ jobs: - if: ${{ steps.cache-iso.outputs.cache-hit != 'true' }} name: Save ISO id: save-iso - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: pr-iso-build-aarch64-${{ inputs.flavor }} with: @@ -65,11 +65,11 @@ jobs: FLAVOR: ${{ inputs.flavor }} ARCH: aarch64 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - run: | git fetch --prune --unshallow - name: Checks cached Disk - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: cache-check env: cache-name: pr-disk-build-aarch64-${{ inputs.flavor }} 
@@ -94,7 +94,7 @@ jobs: - if: ${{ steps.cache-check.outputs.cache-hit != 'true' }} name: Save cached disk id: cache-disk - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: pr-disk-build-aarch64-${{ inputs.flavor }} with: @@ -117,16 +117,16 @@ jobs: - test-smoke fail-fast: false steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: go.mod - run: | git fetch --prune --unshallow - name: Cached Disk id: cache-disk - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: pr-disk-build-aarch64-${{ inputs.flavor }} with: @@ -138,7 +138,7 @@ jobs: run: | make DISK=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.qcow2 ELMNTL_ACCEL=none ELMNTL_MACHINETYPE=virt ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/AAVMF/AAVMF_CODE.fd ${{ matrix.test }} - name: Upload serial console for ${{ matrix.test }} - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 if: always() with: name: serial-${{ env.ARCH }}-${{ env.FLAVOR }}-${{ matrix.test }}.log @@ -146,7 +146,7 @@ jobs: if-no-files-found: error overwrite: true - name: Upload qemu stdout for ${{ matrix.test }} - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 if: failure() with: name: vmstdout-${{ env.ARCH }}-${{ env.FLAVOR }}-${{ matrix.test }}.log 
@@ -168,16 +168,16 @@ jobs: ARCH: aarch64 COS_TIMEOUT: 1600 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: go.mod - run: | git fetch --prune --unshallow - name: Cached ISO id: cache-iso - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: pr-iso-build-aarch64-${{ inputs.flavor }} with: @@ -189,7 +189,7 @@ jobs: run: | make ISO=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.iso ELMNTL_ACCEL=none ELMNTL_MACHINETYPE=virt ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/AAVMF/AAVMF_CODE.fd test-installer - name: Upload serial console for installer tests - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 if: always() with: name: serial-${{ env.ARCH }}-${{ env.FLAVOR }}-installer.log @@ -197,7 +197,7 @@ jobs: if-no-files-found: error overwrite: true - name: Upload qemu stdout for installer tests - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 if: failure() with: name: vmstdout-${{ env.ARCH }}-${{ env.FLAVOR }}-installer.log diff --git a/.github/workflows/build_and_test_x86.yaml b/.github/workflows/build_and_test_x86.yaml index 53aa1fdf506..6e5e414d0cb 100644 --- a/.github/workflows/build_and_test_x86.yaml +++ b/.github/workflows/build_and_test_x86.yaml 
@@ -24,14 +24,14 @@ jobs: ARCH: x86_64 VERSION: ${{ inputs.version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: "${{ github.event.pull_request.head.sha }}" - run: | git fetch --prune --unshallow - name: Check cache for OS image id: cache-os - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: os-build-x86_64-${{ inputs.flavor }}-${{ github.event_name }} lookup-only: true @@ -52,7 +52,7 @@ jobs: - if: ${{ steps.cache-os.outputs.cache-hit != 'true' }} name: Save OS image in cache id: save-os - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: os-build-x86_64-${{ inputs.flavor }}-${{ github.event_name }} with: @@ -70,14 +70,14 @@ jobs: ARCH: x86_64 VERSION: ${{ inputs.version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: "${{ github.event.pull_request.head.sha }}" - run: | git fetch --prune --unshallow - name: Cached ISO id: cache-iso - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: iso-build-x86_64-${{ inputs.flavor }}-${{ github.event_name }} lookup-only: true @@ -98,7 +98,7 @@ jobs: - if: ${{ steps.cache-iso.outputs.cache-hit != 'true' }} name: Save ISO id: save-iso - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: iso-build-x86_64-${{ inputs.flavor }}-${{ github.event_name }} with: 
@@ -116,13 +116,13 @@ jobs: ARCH: x86_64 VERSION: ${{ inputs.version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: "${{ github.event.pull_request.head.sha }}" - run: | git fetch --prune --unshallow - name: Checks cached Disk - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: cache-disk env: cache-name: disk-build-x86_64-${{ inputs.flavor }}-${{ github.event_name }} @@ -145,7 +145,7 @@ jobs: - if: ${{ steps.cache-disk.outputs.cache-hit != 'true' }} name: Save cached disk id: save-disk - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: disk-build-x86_64-${{ inputs.flavor }}-${{ github.event_name }} with: @@ -186,11 +186,11 @@ jobs: test: ${{ fromJson(needs.detect.outputs.tests) }} fail-fast: false steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: "${{ github.event.pull_request.head.sha }}" - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: go.mod - run: | @@ -204,7 +204,7 @@ jobs: - if: ${{ matrix.test != 'test-upgrade' }} name: Cached Disk id: cache-disk - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: disk-build-x86_64-${{ inputs.flavor }}-${{ github.event_name }} with: @@ -222,7 +222,7 @@ jobs: run: | make DISK=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.qcow2 ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE_4M.fd ${{ matrix.test }} - name: Upload serial console for ${{ matrix.test }} - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 if: always() with: name: serial-${{ env.ARCH }}-${{ env.FLAVOR }}-${{ matrix.test }}.log 
@@ -230,7 +230,7 @@ jobs: if-no-files-found: error overwrite: true - name: Upload qemu stdout for ${{ matrix.test }} - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 if: failure() with: name: vmstdout-${{ env.ARCH }}-${{ env.FLAVOR }}-${{ matrix.test }}.log @@ -255,18 +255,18 @@ jobs: COS_TIMEOUT: 1600 VERSION: ${{ inputs.version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: "${{ github.event.pull_request.head.sha }}" - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: go.mod - run: | git fetch --prune --unshallow - name: Cached ISO id: cache-iso - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 env: cache-name: iso-build-x86_64-${{ inputs.flavor }}-${{ github.event_name }} with: @@ -284,7 +284,7 @@ jobs: run: | make ISO=/tmp/elemental-${{ env.FLAVOR }}.${{ env.ARCH}}.iso ELMNTL_TARGETARCH=${{ env.ARCH }} ELMNTL_FIRMWARE=/usr/share/OVMF/OVMF_CODE_4M.fd test-installer - name: Upload serial console for installer tests - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 if: always() with: name: serial-${{ env.ARCH }}-${{ env.FLAVOR }}-installer.log @@ -292,7 +292,7 @@ jobs: if-no-files-found: error overwrite: true - name: Upload qemu stdout for installer tests - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 if: failure() with: name: vmstdout-${{ env.ARCH }}-${{ env.FLAVOR }}-installer.log diff --git a/.github/workflows/cache-cleanup.yaml b/.github/workflows/cache-cleanup.yaml index 979918caebb..e566e865399 100644 --- a/.github/workflows/cache-cleanup.yaml +++ b/.github/workflows/cache-cleanup.yaml 
@@ -23,7 +23,7 @@ jobs: outputs: version: ${{ steps.version.outputs.version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: "${{ github.event.pull_request.head.sha }}" - run: | diff --git a/.github/workflows/cli.yaml b/.github/workflows/cli.yaml index 1230e5c8f79..c542841825a 100644 --- a/.github/workflows/cli.yaml +++ b/.github/workflows/cli.yaml @@ -13,15 +13,15 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: go.mod - name: Build run: make build-cli - name: Analysis - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6 with: args: -v - name: Run tests diff --git a/.github/workflows/docs-publish.yaml b/.github/workflows/docs-publish.yaml index b78ceb6b94d..49fc610ec81 100644 --- a/.github/workflows/docs-publish.yaml +++ b/.github/workflows/docs-publish.yaml @@ -20,13 +20,13 @@ jobs: - name: Install Dart Sass run: sudo snap install dart-sass - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive fetch-depth: 0 - name: Setup Pages id: pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Install Node.js dependencies run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Install npm dependencies @@ -40,7 +40,7 @@ jobs: run: | make BASE_URL=https://rancher.github.io/elemental-toolkit build-docs - name: Upload artifact - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4 with: path: ./public 
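Review bot: Pinning `golangci/golangci-lint-action` to a SHA in `.github/workflows/cli.yaml` fixes the action's own code, but the `with:` block shown has only `args: -v`, so the linter binary the action installs is still whatever its default resolves to at run time. To make the Analysis step reproducible, add an explicit `version: <golangci-lint release>` (placeholder) next to `args: -v`. The `docker/setup-qemu-action` step in `push-images.yaml` has no `with:` block either and, as far as I know, pulls a mutable binfmt image tag by default; its `image` input can take a digest-pinned reference.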
@@ -57,4 +57,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index a56851826c8..bdc4328aa89 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -20,13 +20,13 @@ jobs: # The FOSSA token is shared between all repos in Rancher's GH org. It can be # used directly and there is no need to request specific access to EIO. - name: Read FOSSA token - uses: rancher-eio/read-vault-secrets@main + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 with: secrets: | secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY - name: FOSSA scan - uses: fossas/fossa-action@main + uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3 # v1.9.0 with: api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }} # Only runs the scan and do not provide/returns any results back to the diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index ed43b561c3f..5c5d1876652 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -15,11 +15,11 @@ jobs: PLATFORM: x86_64 TOOLKIT_REPO: ghcr.io/${{github.repository}}/elemental-cli steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - run: | git fetch --prune --unshallow - name: Log in to ghcr.io - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/push-images.yaml b/.github/workflows/push-images.yaml index 6bde7ea5915..ee3ba7d0f83 100644 --- a/.github/workflows/push-images.yaml +++ b/.github/workflows/push-images.yaml 
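Review bot: The two `fossa.yml` steps are not a like-for-like pin: both tracked `@main` before and now point at commits labelled `# v3` and `# v1.9.0`, so the workflow may move to older code than it was running, and nothing on the page shows how the SHAs were resolved. Because `rancher-eio/read-vault-secrets` reads the FOSSA token from Vault, confirm that `0da85151ad1f19ed7986c41587e45aac1ace74b6` is reachable from a release tag in the upstream repository itself rather than only from a fork, and likewise for the `fossas/fossa-action` commit. Recording the exact tag in the comment (`# v3` is a floating major tag) and stating the behaviour change in the commit message would make this auditable.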
@@ -20,18 +20,18 @@ jobs: REPO: ghcr.io/${{github.repository}}/elemental-${{ github.event.inputs.flavor }} steps: - name: Setup QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Setup Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 with: install: true - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.inputs.ref }} - run: | git fetch --prune --unshallow - name: Log in to ghcr.io - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }}