From 266a0b0ef8926ae3a05a105af9c016e63a1691a7 Mon Sep 17 00:00:00 2001
From: Jeromy Cannon
Date: Mon, 10 Jul 2023 16:54:28 -0500
Subject: [PATCH] chore: update workflow definitions to use commit based versions for third-party steps (#157)
Signed-off-by: Jeromy Cannon
---
 .../flow-deploy-release-artifact.yaml | 26 +++++++++----------
 .../workflows/zxc-release-maven-central.yaml | 18 ++++++-------
 .github/workflows/zxf-snyk-monitor.yaml | 2 +-
 3 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/flow-deploy-release-artifact.yaml b/.github/workflows/flow-deploy-release-artifact.yaml
index faf6c7d53..4e1d8785a 100644
--- a/.github/workflows/flow-deploy-release-artifact.yaml
+++ b/.github/workflows/flow-deploy-release-artifact.yaml
@@ -54,12 +54,12 @@ jobs:
 version: ${{ steps.tag.outputs.version }}
 steps:
 - name: Checkout Code
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # pin@v3
 with:
 fetch-depth: 0
 - name: Setup Node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # pin@v3
 with:
 node-version: 18
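Review bot: The trailing `# pin@v3` comment on the new `uses:` lines records only the moving major tag, so a reviewer cannot tell from the file which release each 40-character SHA was resolved from, or confirm that the commit is reachable from a tag in the upstream action repository rather than only from a fork. Recording the exact tag next to the SHA, in the form `uses: actions/checkout@<sha> # <exact-release-tag>` (placeholders), makes that check possible. The same applies to every pinned step in the other hunks of this patch, most importantly the `crazy-max/ghaction-import-gpg` steps that receive the GPG private key and passphrase. SHA pins also stop picking up upstream security fixes on their own, and no update mechanism (for example a Dependabot `github-actions` entry) is visible in this patch, so one should be confirmed or added.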
@@ -109,23 +109,23 @@ jobs:
 - prepare-release
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # pin@v3
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
+ uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # pin@v2
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Set up Docker Qemu
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # pin@v2
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # pin@v2
 - name: Build Docker Image (ubi8-init-dind)
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # pin@v4
 with:
 context: docker/ubi8-init-dind
 cache-from: type=gha
@@ -135,7 +135,7 @@ jobs:
 tags: ghcr.io/${{ github.repository }}/ubi8-init-dind:${{ needs.prepare-release.outputs.version }}
 - name: Build Docker Image (ubi8-init-java17)
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # pin@v4
 with:
 context: docker/ubi8-init-java17
 cache-from: type=gha
@@ -153,7 +153,7 @@ jobs:
 if: ${{ github.event.inputs.dry-run-enabled != 'true' && !cancelled() && !failure() }}
 steps:
 - name: Checkout Code
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # pin@v3
 with:
 token: ${{ secrets.GH_ACCESS_TOKEN }}
 fetch-depth: 0
@@ -171,7 +171,7 @@ jobs:
 - name: Import GPG key
 id: gpg_key
- uses: crazy-max/ghaction-import-gpg@v5
+ uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41 # pin@v5
 with:
 gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }}
 passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }}
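Review bot: In the `@@ -153,7` hunk the checkout step passes `token: ${{ secrets.GH_ACCESS_TOKEN }}` without setting `persist-credentials`, which actions/checkout defaults to true. The token is therefore written into the local git configuration and stays readable by every later step in the job, including the third-party actions pinned in this patch and the Gradle build. If later steps need to push with this token, that is intended and worth a comment such as `# credentials persisted on purpose: later steps push commits/tags`; otherwise add `persist-credentials: false` under `with:`. The job continues outside the hunk, so whether a push follows is not visible here.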
@@ -181,13 +181,13 @@ jobs:
 git_tag_gpgsign: false
 - name: Setup Java
- uses: actions/setup-java@v3
+ uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # pin@v3
 with:
 distribution: ${{ inputs.java-distribution }}
 java-version: ${{ inputs.java-version }}
 - name: Setup Gradle
- uses: gradle/gradle-build-action@v2
+ uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # pin@v2
 with:
 gradle-version: wrapper
 gradle-home-cache-includes: |
@@ -196,7 +196,7 @@ jobs:
 dependency-check-data
 - name: Setup Node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # pin@v3
 with:
 node-version: 18
diff --git a/.github/workflows/zxc-release-maven-central.yaml b/.github/workflows/zxc-release-maven-central.yaml
index d905f66bf..c65e73ddc 100644
--- a/.github/workflows/zxc-release-maven-central.yaml
+++ b/.github/workflows/zxc-release-maven-central.yaml
@@ -81,7 +81,7 @@ jobs:
 notes: ${{ steps.create-release-notes.outputs.RELEASE_NOTES }}
 steps:
 - name: Checkout Code
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # pin@v3
 with:
 fetch-depth: 0
@@ -98,7 +98,7 @@ jobs:
 - name: Import GPG key
 id: gpg_key
- uses: crazy-max/ghaction-import-gpg@v5
+ uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41 # pin@v5
 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }}
 with:
 gpg_private_key: ${{ secrets.gpg-key-contents }}
@@ -109,13 +109,13 @@ jobs:
 git_tag_gpgsign: true
 - name: Setup Java
- uses: actions/setup-java@v3
+ uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # pin@v3
 with:
 distribution: ${{ inputs.java-distribution }}
 java-version: ${{ inputs.java-version }}
 - name: Setup Gradle
- uses: gradle/gradle-build-action@v2
+ uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # pin@v2
 with:
 gradle-version: ${{ inputs.gradle-version }}
 gradle-home-cache-includes: |
@@ -124,20 +124,20 @@ jobs:
 dependency-check-data
 - name: Apply Version Number Update (Explicit)
- uses: gradle/gradle-build-action@v2
+ uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # pin@v2
 with:
 gradle-version: ${{ inputs.gradle-version }}
 arguments: versionAsSpecified --scan -PnewVersion=${{ inputs.new-version }}
 - name: Version Report
- uses: gradle/gradle-build-action@v2
+ uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # pin@v2
 with:
 gradle-version: ${{ inputs.gradle-version }}
 arguments: githubVersionSummary --scan
 - name: Gradle Assemble
 id: gradle-build
- uses: gradle/gradle-build-action@v2
+ uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # pin@v2
 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }}
 with:
 gradle-version: ${{ inputs.gradle-version }}
@@ -145,14 +145,14 @@ jobs:
 - name: Gradle JavaDoc
 id: gradle-javadoc
- uses: gradle/gradle-build-action@v2
+ uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # pin@v2
 if: ${{ steps.gradle-build.conclusion == 'success' && !cancelled() && !failure() }}
 with:
 gradle-version: ${{ inputs.gradle-version }}
 arguments: javadoc --scan
 - name: Gradle Deploy
- uses: gradle/gradle-build-action@v2
+ uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # pin@v2
 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }}
 env:
 OSSRH_USERNAME: ${{ secrets.ossrh-user-name }}
diff --git a/.github/workflows/zxf-snyk-monitor.yaml b/.github/workflows/zxf-snyk-monitor.yaml
index ec24c7566..88aa2be30 100644
--- a/.github/workflows/zxf-snyk-monitor.yaml
+++ b/.github/workflows/zxf-snyk-monitor.yaml
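Review bot: In the `@@ -124,20` hunk, `arguments: versionAsSpecified --scan -PnewVersion=${{ inputs.new-version }}` expands a workflow input directly into the Gradle argument string, so the value is presumably not confined to a single argument. That matters because the same job later handles the GPG key and the OSSRH credentials. Pinning the action does not change this: if no earlier step outside this hunk already checks the input, validate it against the expected version pattern before this step. If the caller guarantees the format, record that next to the step with a comment such as `# new-version is validated by the calling workflow`.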
@@ -32,7 +32,7 @@ jobs:
 runs-on: [self-hosted, Linux, medium, ephemeral]
 steps:
 - name: Checkout
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # pin@v3
 - name: Setup Java
 uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # pin@v3