Merge pull request #103 from hashicorp/tsccr-auto-pinning/trusted/202…

…3-09-11 SEC-090: Automated trusted workflow pinning (2023-09-11)
hashicorp · Sep 11, 2023 · 49a403e · 49a403e
2 parents 6c11061 + 1b359e3
commit 49a403e
Show file tree

Hide file tree

Showing 9 changed files with 40 additions and 40 deletions.
diff --git a/.github/workflows/build-utility-packages.yml b/.github/workflows/build-utility-packages.yml
@@ -35,7 +35,7 @@ jobs:
       windows-cache-exists: ${{ steps.inspect.outputs.windows-cache-exists }}
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0
       - name: Gather information
@@ -69,10 +69,10 @@ jobs:
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_macos_binary_signer;
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_windows_signer;
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Setup Go
         if: needs.info.outputs.unsigned-cache-exists != 'true'
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version-file: go.mod
       - name: Build utility binaries
@@ -118,14 +118,14 @@ jobs:
       contents: write
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Fetch binaries
         run: ./.ci/restore-cache "${CACHE_ID}" ./bin
         env:
           CACHE_ID: ${{ needs.info.outputs.signed-cache-id }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload for Windows
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: windows-binary
           path: ./bin
@@ -138,14 +138,14 @@ jobs:
       contents: write
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Fetch binaries
         run: ./.ci/restore-cache "${CACHE_ID}" ./bin
         env:
           CACHE_ID: ${{ needs.info.outputs.signed-cache-id }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Install ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # v1.152.0
         with:
           ruby-version: 3.1
           bundler-cache: true
@@ -175,7 +175,7 @@ jobs:
       contents: write
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Upgrade bash
         run: brew install bash
       - name: Fetch binaries
@@ -193,7 +193,7 @@ jobs:
         env:
           CORE_PKG: ${{ steps.build-core.outputs.core-path }}
       - name: Upload core package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: corepkg-unsigned
           path: ./corepkg
@@ -222,9 +222,9 @@ jobs:
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_client_secret;
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_macos_installer_signer;
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Download unsigned core package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: corepkg-unsigned
           path: ./corepkg
@@ -236,7 +236,7 @@ jobs:
           SIGNORE_CLIENT_ID: ${{ steps.secrets.outputs.signore_client_id  }}
           SIGNORE_CLIENT_SECRET: ${{ steps.secrets.outputs.signore_client_secret }}
       - name: Upload signed core package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: corepkg-signed
           path: ./corepkg
@@ -247,7 +247,7 @@ jobs:
     needs: [info, sign-macos-corepkg]
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Upgrade bash
         run: brew install bash
       - name: Fetch binaries
@@ -256,7 +256,7 @@ jobs:
           CACHE_ID: ${{ needs.info.outputs.signed-cache-id }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Download signed core package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: corepkg-signed
           path: ./corepkg
@@ -270,7 +270,7 @@ jobs:
         env:
           FULL_PKG: ${{ steps.build-full.outputs.full-path }}
       - name: Upload full package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: fullpkg-unsigned
           path: ./fullpkg
@@ -299,9 +299,9 @@ jobs:
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_client_secret;
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_macos_installer_signer;
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Download unsigned full package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: fullpkg-unsigned
           path: ./fullpkg
@@ -313,7 +313,7 @@ jobs:
           SIGNORE_CLIENT_ID: ${{ steps.secrets.outputs.signore_client_id  }}
           SIGNORE_CLIENT_SECRET: ${{ steps.secrets.outputs.signore_client_secret }}
       - name: Upload signed full package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: fullpkg-signed
           path: ./fullpkg
@@ -324,11 +324,11 @@ jobs:
     needs: [info, sign-macos-fullpkg]
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Upgrade bash
         run: brew install bash
       - name: Download signed full package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: fullpkg-signed
           path: ./fullpkg
@@ -342,7 +342,7 @@ jobs:
         env:
           DMG: ${{ steps.build-dmg.outputs.dmg-path }}
       - name: Upload DMG
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: dmg-unsigned
           path: ./dmg
@@ -372,9 +372,9 @@ jobs:
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_client_secret;
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_macos_binary_signer;
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Download unsigned DMG
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: dmg-unsigned
           path: ./dmg
@@ -403,9 +403,9 @@ jobs:
       contents: write
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Fetch utility binary
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: windows-binary
           path: ./bin
@@ -414,7 +414,7 @@ jobs:
         env:
           UTILITY_VERSION: ${{ needs.info.outputs.utility-version }}
       - name: Upload unsigned artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: windows-unsigned-msi
           path: ./pkg
@@ -443,9 +443,9 @@ jobs:
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_client_secret;
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_windows_signer;
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Fetch MSI
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: windows-unsigned-msi
           path: ./pkg

diff --git a/.github/workflows/code.yaml b/.github/workflows/code.yaml
@@ -28,7 +28,7 @@ jobs:
           secrets:
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder vagrant_vmware_desktop_repo_token;
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -42,7 +42,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           persist-credentials: false
           fetch-depth: 0

diff --git a/.github/workflows/plugin-release-hashigems.yml b/.github/workflows/plugin-release-hashigems.yml
@@ -13,7 +13,7 @@ jobs:
       id-token: write
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           token: ${{ secrets.GITHUB_TOKEN }} # set this so we can delete the branch
       - name: Fetch Release RubyGem

diff --git a/.github/workflows/plugin-release.yml b/.github/workflows/plugin-release.yml
@@ -27,7 +27,7 @@ jobs:
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder vagrant_vmware_desktop_builder_repo_token;
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder vagrant_vmware_desktop_repo_token;
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           # NOTE: This is set so we can push the publish branch
           #       for the hashigems workflow. A custom token is

diff --git a/.github/workflows/prune.yml b/.github/workflows/prune.yml
@@ -11,7 +11,7 @@ jobs:
       contents: write
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Prune any drafts older than 20 days
         run: . ./.ci/load-ci.sh && github_draft_release_prune "20"
         env:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -22,9 +22,9 @@ jobs:
     name: Vagrant VMware Plugin unit tests on Ruby ${{ matrix.ruby }}
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # v1.152.0
         with:
           ruby-version: ${{matrix.ruby}}
           bundler-cache: true

diff --git a/.github/workflows/utility-binaries-build.yml b/.github/workflows/utility-binaries-build.yml
@@ -15,9 +15,9 @@ jobs:
       contents: write
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version-file: go.mod
       - name: Get info

diff --git a/.github/workflows/utility-prerelease.yml b/.github/workflows/utility-prerelease.yml
@@ -32,7 +32,7 @@ jobs:
           secrets:
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder vagrant_vmware_desktop_repo_token;
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Gather information
         id: inspect
         run: ./.ci/utility-pkgs-information
@@ -70,7 +70,7 @@ jobs:
           secrets:
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder vagrant_vmware_desktop_repo_token;
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Fetch linux packages
         run: ./.ci/restore-cache "${CACHE_ID}" ./pkg
         env:

diff --git a/.github/workflows/utility-release.yml b/.github/workflows/utility-release.yml
@@ -45,7 +45,7 @@ jobs:
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_client_secret;
             kv/data/github/hashicorp/vagrant-vmware-desktop-builder signore_gpg_signer;
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Fetch linux packages
         run: ./.ci/restore-cache "${CACHE_ID}" ./pkg
         env: