From 5e2879a0b26085a1508141056e875d1f26c64de8 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 20 Jun 2024 12:23:58 +0200 Subject: [PATCH] Pin GitHub actions using frizbee This commit pins actions to their commit hash. Pinning actions to their commit hash ensures that the same version of the image or action is used every time the workflow runs. This is important for reproducibility and security. Pinning is a security practice recommended by GitHub: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions --- .github/workflows/automatus-cs8.yaml | 28 +++++++++---------- .github/workflows/automatus-cs9.yaml | 28 +++++++++---------- .github/workflows/automatus-sanity.yaml | 8 +++--- .github/workflows/automatus-sle15.yaml | 28 +++++++++---------- .github/workflows/automatus-ubuntu2204.yaml | 28 +++++++++---------- .github/workflows/automatus.yaml | 28 +++++++++---------- .github/workflows/compare-ds.yaml | 24 ++++++++-------- .github/workflows/ctf.yaml | 14 +++++----- .../workflows/gate-lint-ansible-roles.yaml | 2 +- .github/workflows/gate.yaml | 16 +++++------ .github/workflows/gate_fedora.yml | 4 +-- .github/workflows/gate_thin_ds.yml | 2 +- .github/workflows/gh-pages.yaml | 6 ++-- .github/workflows/k8s-content-pr-test.yaml | 4 +-- .github/workflows/k8s-content-pr-trigger.yaml | 2 +- .github/workflows/k8s-content-pr.yaml | 16 +++++------ .github/workflows/nightly_build.yml | 4 +-- .github/workflows/release.yaml | 6 ++-- .github/workflows/srg-mapping-table.yaml | 16 +++++------ .github/workflows/stabilize.yaml | 2 +- .github/workflows/update-oscal.yml | 6 ++-- 21 files changed, 136 insertions(+), 136 deletions(-) diff --git a/.github/workflows/automatus-cs8.yaml b/.github/workflows/automatus-cs8.yaml index 9917af66f22..6ff4fd8a77a 100644 --- a/.github/workflows/automatus-cs8.yaml +++ b/.github/workflows/automatus-cs8.yaml 
@@ -19,11 +19,11 @@ jobs: - name: Install deps python run: pip install gitpython xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -40,7 +40,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -51,14 +51,14 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product rhel8 --derivatives - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -71,9 +71,9 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Get cached CTF output - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 id: get_ctf_output with: name: output.json 
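Review bot: Every `uses:` pin in this hunk carries only a major-version comment (`# v4`, `# v0.2.0`), while the hash resolves to one specific release; recording the exact tag frizbee resolved the hash from (e.g. `# v4.x.y`, a placeholder for whatever it reported) lets a reviewer verify the pin against the upstream release without re-resolving it and makes later bumps auditable. The same applies to every other hunk in this patch. Pinning to a hash also freezes the action: unless something bumps the hashes, these workflows will silently stay on this release, so pairing the change with a Dependabot `github-actions` update configuration (`.github/dependabot.yml`) or a recurring frizbee run is worth doing in the same PR. It is also worth confirming that each hash was resolved from the upstream repository's tag rather than a fork, since a hash pin is only as trustworthy as its provenance.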
@@ -105,32 +105,32 @@ jobs: - name: Get rule ids to be tested if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: rules - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'rules' - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Get bash attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: bash - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'bash' - name: Get ansible attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: ansible - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -151,7 +151,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_bash path: logs_bash/ 
@@ -167,7 +167,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus-cs9.yaml b/.github/workflows/automatus-cs9.yaml index 8ab289fd82e..45e276e2b50 100644 --- a/.github/workflows/automatus-cs9.yaml +++ b/.github/workflows/automatus-cs9.yaml @@ -19,11 +19,11 @@ jobs: - name: Install deps python run: pip install gitpython xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -40,7 +40,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json 
@@ -51,14 +51,14 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product rhel9 --derivatives - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -71,9 +71,9 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Get cached CTF output - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 id: get_ctf_output with: name: output.json 
@@ -105,32 +105,32 @@ jobs: - name: Get rule ids to be tested if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: rules - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'rules' - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Get bash attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: bash - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'bash' - name: Get ansible attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: ansible - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -151,7 +151,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_bash path: logs_bash/ 
@@ -167,7 +167,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus-sanity.yaml b/.github/workflows/automatus-sanity.yaml index 37fe70be619..1b2c9eaec1f 100644 --- a/.github/workflows/automatus-sanity.yaml +++ b/.github/workflows/automatus-sanity.yaml @@ -17,12 +17,12 @@ jobs: - name: Install Deps run: dnf install -y cmake make openscap-utils python3-pyyaml python3-jinja2 git python3-pip - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Build product run: ./build_product fedora --debug - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: ${{ env.DATASTREAM }} path: build/${{ env.DATASTREAM }} @@ -35,7 +35,7 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Generate id_rsa key run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa - name: Build test suite container @@ -49,7 +49,7 @@ jobs: sudo chown root:root /usr/local/bin/oscap-ssh rm -f oscap-ssh - name: Get Datastream - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 with: name: ${{ env.DATASTREAM }} - name: Check One Rule diff --git a/.github/workflows/automatus-sle15.yaml b/.github/workflows/automatus-sle15.yaml index 9933a7fc9d8..26f9cfe2e47 100644 
--- a/.github/workflows/automatus-sle15.yaml +++ b/.github/workflows/automatus-sle15.yaml @@ -27,11 +27,11 @@ jobs: - name: Install deps python run: pip install json2html sphinxcontrib.jinjadomain GitPython deepdiff Jinja2 xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -48,7 +48,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -59,14 +59,14 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product sle15 - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} 
@@ -79,9 +79,9 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Get cached CTF output - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 id: get_ctf_output with: name: output.json @@ -113,32 +113,32 @@ jobs: - name: Get rule ids to be tested if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: rules - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'rules' - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Get bash attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: bash - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'bash' - name: Get ansible attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: ansible - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} 
@@ -159,7 +159,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_bash path: logs_bash/ @@ -175,7 +175,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus-ubuntu2204.yaml b/.github/workflows/automatus-ubuntu2204.yaml index e1d93adb260..33f2d5f5f57 100644 --- a/.github/workflows/automatus-ubuntu2204.yaml +++ b/.github/workflows/automatus-ubuntu2204.yaml @@ -17,11 +17,11 @@ jobs: - name: Install deps python run: pip3 install gitpython xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -38,7 +38,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json 
@@ -49,14 +49,14 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product ubuntu2204 - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -69,9 +69,9 @@ jobs: - name: Install Deps run: sudo apt update && sudo apt install -y cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Get cached CTF output - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 id: get_ctf_output with: name: output.json 
@@ -103,32 +103,32 @@ jobs: - name: Get rule ids to be tested if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: rules - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'rules' - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Get bash attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: bash - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'bash' - name: Get ansible attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: ansible - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -149,7 +149,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_bash path: logs_bash/ 
@@ -165,7 +165,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus.yaml b/.github/workflows/automatus.yaml index 4a1c76d81c3..d41b7e7e011 100644 --- a/.github/workflows/automatus.yaml +++ b/.github/workflows/automatus.yaml @@ -17,11 +17,11 @@ jobs: - name: Install deps python run: pip install gitpython xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -38,7 +38,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json 
@@ -49,14 +49,14 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product ${{steps.product.outputs.prop}} --datastream-only - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ssg-${{steps.product.outputs.prop}}-ds.xml @@ -69,9 +69,9 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Get cached CTF output - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 id: get_ctf_output with: name: output.json 
@@ -103,32 +103,32 @@ jobs: - name: Get rule ids to be tested if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: rules - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'rules' - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Get bash attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: bash - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'bash' - name: Get ansible attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: ansible - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ssg-${{steps.product.outputs.prop}}-ds.xml @@ -149,7 +149,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_bash path: logs_bash/ 
@@ -165,7 +165,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/compare-ds.yaml b/.github/workflows/compare-ds.yaml index 809dc512376..49d777f951f 100644 --- a/.github/workflows/compare-ds.yaml +++ b/.github/workflows/compare-ds.yaml @@ -14,7 +14,7 @@ jobs: - name: Install deps python run: pip install gitpython xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 @@ -27,12 +27,12 @@ jobs: run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT id: fork_point - name: Checkout fork point - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ steps.fork_point.outputs.FORK_POINT }} fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -47,7 +47,7 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' 
@@ -59,7 +59,7 @@ jobs: run: cp build/ssg-${{steps.product.outputs.prop}}-ds.xml ssg-${{steps.product.outputs.prop}}-ds.xml - name: Checkout if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ github.event.pull_request.head.sha }} clean: false @@ -88,7 +88,7 @@ jobs: echo "${body:0:65000}" >> "$GITHUB_OUTPUT" echo "$EOF" >> "$GITHUB_OUTPUT" - name: Find Comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 id: fc with: issue-number: ${{ github.event.pull_request.number }} @@ -96,7 +96,7 @@ jobs: body-includes: This datastream diff is auto generated by the check - name: Create or update comment if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE != '0' && steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE <= 65000 }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} @@ -113,7 +113,7 @@ jobs: edit-mode: replace - name: Create or update a trimmed comment if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE > 65000 }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} 
@@ -133,7 +133,7 @@ jobs: edit-mode: replace - name: Delete existing comment in case new commits trigger no changes in Compare DS tool if: ${{ (steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE == '0' || steps.ctf.outputs.CTF_OUTPUT_SIZE == '0') && steps.fc.outputs.comment-id != 0 }} - uses: jungwinter/comment@v1 + uses: jungwinter/comment@fda92dbcb5e7e79cccd55ecb107a8a3d7802a469 # v1 with: type: delete comment_id: ${{ steps.fc.outputs.comment-id }} @@ -148,7 +148,7 @@ jobs: run: echo "SHELL_DIFF_OUTPUT_SIZE=$(stat --printf="%s" diff.log)" >> $GITHUB_OUTPUT id: ansible_shell_diff - name: Find Comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 id: shell_diff with: issue-number: ${{ github.event.pull_request.number }} @@ -156,7 +156,7 @@ jobs: body-includes: Change in Ansible 'shell' module found. - name: Create comment if: ${{ steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE != '0' && steps.shell_diff.outputs.comment-id == 0 }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 with: issue-number: ${{ github.event.pull_request.number }} body: | @@ -165,7 +165,7 @@ jobs: Please consider using more suitable Ansible module than `shell` if possible. - name: Delete existing comment in case new commits trigger no changes in Ansible shell module if: ${{ (steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE == '0' || steps.ctf.outputs.CTF_OUTPUT_SIZE == '0') && steps.shell_diff.outputs.comment-id != 0 }} - uses: jungwinter/comment@v1 + uses: jungwinter/comment@fda92dbcb5e7e79cccd55ecb107a8a3d7802a469 # v1 with: type: delete comment_id: ${{ steps.shell_diff.outputs.comment-id }} diff --git a/.github/workflows/ctf.yaml b/.github/workflows/ctf.yaml index 682baeacb84..235fe654f01 100644 --- a/.github/workflows/ctf.yaml +++ b/.github/workflows/ctf.yaml 
@@ -10,7 +10,7 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install git python3-jinja2 python3-yaml python3-setuptools python3-deepdiff python3-git python3-github python3-requests xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 @@ -23,12 +23,12 @@ jobs: run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT id: fork_point - name: Checkout fork point - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ steps.fork_point.outputs.FORK_POINT }} fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -43,12 +43,12 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Find Comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 id: fc with: issue-number: ${{ github.event.pull_request.number }} @@ -56,7 +56,7 @@ jobs: body-includes: Start a new ephemeral environment with changes proposed in this pull request - name: Create or update comment if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} 
@@ -75,7 +75,7 @@ jobs: edit-mode: replace - name: Create or update a trimmed comment if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE == '0' }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} diff --git a/.github/workflows/gate-lint-ansible-roles.yaml b/.github/workflows/gate-lint-ansible-roles.yaml index 0d377e02e50..1093584626b 100644 --- a/.github/workflows/gate-lint-ansible-roles.yaml +++ b/.github/workflows/gate-lint-ansible-roles.yaml @@ -15,7 +15,7 @@ jobs: - name: Install Deps run: dnf install -y cmake make ninja-build openscap-utils python3-pyyaml python3-setuptools python3-jinja2 python3-pygithub ansible ansible-lint libxslt git - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Configure run: cmake -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_RHEL7=ON -DSSG_PRODUCT_RHEL8=ON -DSSG_PRODUCT_RHEL9=ON -G Ninja .. working-directory: ./build diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml index 482c477ca01..22b2dfdfd05 100644 --- a/.github/workflows/gate.yaml +++ b/.github/workflows/gate.yaml @@ -19,7 +19,7 @@ jobs: - name: Install Deps run: yum install -y cmake make openscap-utils PyYAML libxslt xml-common python-jinja2 python-setuptools - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Build run: |- ./build_product rhel7 rhel8 rhel9 rhel10 --derivatives @@ -52,7 +52,7 @@ jobs: - name: Install deps python run: pip install pytest pytest-cov - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Build run: ./build_product sle12 sle15 - name: Test 
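Review bot: In gate.yaml the first job stays on `actions/checkout@v3` (now `f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3`) while the rest of the patch, including the later hunk of this same file, pins v4; the pin freezes the older major rather than resolving the inconsistency. If the v3 pin is deliberate — plausibly that job runs in a container whose base image cannot run the newer Node runtime v4 needs, given the `yum install` step — a comment next to the `uses:` line such as `# v3 kept on purpose: container lacks the runtime required by checkout v4` would stop the next person from "fixing" it; otherwise it should be pinned to the same v4 hash used elsewhere.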
@@ -68,7 +68,7 @@ jobs:
- name: Install Deps
run: zypper install -y git cmake make openscap-utils python3-PyYAML bats python3-pytest python3-pytest-cov python3-Jinja2 python3-setuptools libxslt-tools libxml2-tools ShellCheck
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Build
run: ./build_product opensuse
env:
@@ -88,7 +88,7 @@ jobs:
- name: Install Deps
run: apt-get install -y ansible-lint bats check cmake libopenscap8 libxml2-utils ninja-build python3-github python3-pip xsltproc libxslt1-dev libxml2-dev zlib1g-dev
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Upgrade pip python
run: pip3 install --upgrade pip
- name: Install deps python
@@ -109,7 +109,7 @@ jobs:
- name: Install Deps
run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install deps python
run: pip3 install -r requirements.txt -r test-requirements.txt
- name: Build
@@ -128,7 +128,7 @@ jobs:
- name: Install Deps
run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install deps python
run: pip3 install -r requirements.txt -r test-requirements.txt
- name: Build
@@ -151,7 +151,7 @@ jobs:
- name: Install Deps
run: dnf install -y cmake make openscap-utils bats ansible python3-pip ShellCheck git python3-devel gcc-c++
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install deps python
run: pip install -r requirements-base.txt -r test-requirements.txt
- name: Build
@@ -196,7 +196,7 @@ jobs:
shell: powershell
run: "msiexec.exe /norestart /q /i ${{ github.workspace }}\\openscap-win\\OpenSCAP-${env:OPENSCAP_VERSION}-win64.msi"
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install Python Deps
run: pip install -r requirements.txt -r test-requirements.txt
- name: Build
diff --git a/.github/workflows/gate_fedora.yml b/.github/workflows/gate_fedora.yml
index 452722f3e24..3c7df4a56f5 100644
--- a/.github/workflows/gate_fedora.yml
+++ b/.github/workflows/gate_fedora.yml
@@ -19,7 +19,7 @@ jobs:
- name: Install Deps
run: dnf install -y cmake make openscap-utils python3-pyyaml bats ansible python3-pip ShellCheck git gcc gcc-c++ python3-devel
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install deps python
run: pip install pcre2 -r requirements.txt -r test-requirements.txt
- name: Build
@@ -57,7 +57,7 @@ jobs:
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Upload coverage to Code Climate # Requires: git package
if: ${{ github.repository == 'ComplianceAsCode/content' }}
- uses: paambaati/codeclimate-action@v8.0.0
+ uses: paambaati/codeclimate-action@7c100bd1ed15de0bdee476b38ca759d8c94207b5 # v8.0.0
env:
CC_TEST_REPORTER_ID: e67e068471d32b63f8e9561dba8f6a3f84dcc76b05ebfd98e44ced1a91cff854
with:
diff --git a/.github/workflows/gate_thin_ds.yml b/.github/workflows/gate_thin_ds.yml
index 5a709f9d2db..8fc5bb185b4 100644
--- a/.github/workflows/gate_thin_ds.yml
+++ b/.github/workflows/gate_thin_ds.yml
@@ -19,7 +19,7 @@ jobs:
- name: Install Deps
run: dnf install -y cmake make openscap-utils python3-pyyaml bats ansible python3-pip ShellCheck git gcc gcc-c++ python3-devel python3-lxml python3-pytest
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install deps python
# pytest-xdist is used for parallel execution of thin ds test
run: pip install pcre2 pytest-xdist -r requirements.txt -r test-requirements.txt
diff --git a/.github/workflows/gh-pages.yaml b/.github/workflows/gh-pages.yaml
index e48995a16c2..779b134f2da 100644
--- a/.github/workflows/gh-pages.yaml
+++ b/.github/workflows/gh-pages.yaml
@@ -23,7 +23,7 @@ jobs:
- name: Install deps python
run: pip3 install json2html prometheus_client
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Build
run: cmake .. -G Ninja -DCMAKE_BUILD_TYPE=Debug
working-directory: ./build
@@ -50,7 +50,7 @@ jobs:
git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Deploy
if: ${{ github.event_name == 'push' && github.repository == 'ComplianceAsCode/content' && github.ref == 'refs/heads/master' }}
- uses: JamesIves/github-pages-deploy-action@v4.6.1
+ uses: JamesIves/github-pages-deploy-action@5c6e9e9f3672ce8fd37b9856193d2a537941e66c # v4.6.1
with:
branch: main # The branch the action should deploy to.
folder: ${{ env.PAGES_DIR }} # The folder the action should deploy.
@@ -61,7 +61,7 @@ jobs:
git-config-name: openscap-ci
git-config-email: openscap-ci@gmail.com
- name: Upload artifact if the event is pull request
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
if: ${{ github.event_name == 'pull_request' }}
with:
name: built-content
diff --git a/.github/workflows/k8s-content-pr-test.yaml b/.github/workflows/k8s-content-pr-test.yaml
index fe7540ddfe3..662b75b4696 100644
--- a/.github/workflows/k8s-content-pr-test.yaml
+++ b/.github/workflows/k8s-content-pr-test.yaml
@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Copy XCCDF files from existing content image
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3
with:
timeout_minutes: 20
max_attempts: 3
@@ -43,7 +43,7 @@ jobs:
id: save-go-version
run: |
echo "go-version=$(cat compliance-operator/go-version)" > compliance-operator/go-version
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
with:
go-version: ${{ steps.save-go-version.outputs.go-version }}
- name: Run ginkgo tests and check if each XCCDF file is parsed correctly
diff --git a/.github/workflows/k8s-content-pr-trigger.yaml b/.github/workflows/k8s-content-pr-trigger.yaml
index b6138235af0..a4669ba9060 100644
--- a/.github/workflows/k8s-content-pr-trigger.yaml
+++ b/.github/workflows/k8s-content-pr-trigger.yaml
@@ -23,7 +23,7 @@ jobs:
run: |
mkdir -p ./pr
echo $PR_NUMBER > ./pr/pr_number
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
with:
name: pr_number
path: pr/
diff --git a/.github/workflows/k8s-content-pr.yaml b/.github/workflows/k8s-content-pr.yaml
index 3e5e713cc26..6c9189e1bf5 100644
--- a/.github/workflows/k8s-content-pr.yaml
+++ b/.github/workflows/k8s-content-pr.yaml
@@ -14,7 +14,7 @@ jobs:
pr-number: ${{ steps.pr_number.outputs.pr_number }}
steps:
- name: 'Download artifacts'
- uses: actions/github-script@v7
+ uses: actions/github-script@5c56fde4671bc2d3592fb0f2c5b5bab9ddae03b1 # v7
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
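Review bot: In the k8s-content-pr-test.yaml hunk at `@@ -43,7 +43,7 @@`, the now-pinned `actions/setup-go` step reads `steps.save-go-version.outputs.go-version`, but the visible `save-go-version` script writes `go-version=...` into the file `compliance-operator/go-version` instead of appending it to `$GITHUB_OUTPUT`, so the step output looks like it is never set and `go-version:` would be empty — unless an earlier line of that step, outside the hunk, sets it. If that reading is right the fix is `echo "go-version=$(cat compliance-operator/go-version)" >> $GITHUB_OUTPUT`, which also stops the script from overwriting the file it just read. The `save-go-version` step starts outside the hunk.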
@@ -53,22 +53,22 @@ jobs:
image-tags: ${{ steps.container_info.outputs.image-tags }}
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
ref: refs/pull/${{ needs.get-pr-number.outputs.pr-number }}/head
- name: Login to ghcr.io
- uses: docker/login-action@v3.2.0
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
- name: Docker metadata
id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
with:
images: ghcr.io/complianceascode/k8scontent
flavor: |
@@ -84,7 +84,7 @@ jobs:
org.opencontainers.image.vendor='Compliance Operator Authors'
- name: Build container images and push
id: docker_build
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@94f8f8c2eec4bc3f1d78c1755580779804cb87b2 # v6
with:
context: .
file: ./Dockerfiles/ocp4_content
@@ -106,7 +106,7 @@ jobs:
runs-on: ubuntu-latest
name: Upsert comment on the PR
steps:
- - uses: thollander/actions-comment-pull-request@v2
+ - uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2
with:
message: |
:robot: A k8s content image for this PR is available at:
diff --git a/.github/workflows/nightly_build.yml b/.github/workflows/nightly_build.yml
index 903d47e7d2d..8d9014f4416 100644
--- a/.github/workflows/nightly_build.yml
+++ b/.github/workflows/nightly_build.yml
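Review bot: Pinning `docker/build-push-action` in the `@@ -84,7 +84,7 @@` hunk fixes the action but not what it builds: the image produced from `./Dockerfiles/ocp4_content` still resolves whatever its base-image tag points to at run time, so for the reproducibility argument in the commit message to hold, the `FROM` line in that Dockerfile would need a digest pin as well (that file is not in this diff — to be confirmed). In the `@@ -53,22 +53,22 @@` hunk the same job checks out `refs/pull/${{ needs.get-pr-number.outputs.pr-number }}/head` and then logs into ghcr.io with `secrets.GITHUB_TOKEN`; the pins do not narrow what that token can do, so the job's `permissions:` block (outside the hunk) should grant no more than `contents: read` and `packages: write`, and it is worth confirming the PR number from the upstream job is validated as an integer before it is spliced into the ref.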
@@ -13,7 +13,7 @@ jobs:
- name: Install Dependencies
run: dnf install -y cmake ninja-build openscap-utils python3-pip python3-devel gcc-c++ ansible-lint libxslt ansible
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install python deps
run: pip install -r requirements-base.txt -r test-requirements.txt
- name: Configure
@@ -32,7 +32,7 @@ jobs:
run: ninja -j2 package_source
working-directory: ./build
- name: 'Upload Artifact'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
with:
name: Nightly Build
path: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4d73d8c505d..4963c4e26b1 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,7 +12,7 @@ jobs:
- name: Install Deps
run: dnf install -y cmake ninja-build openscap-utils python3-pip python3-devel gcc-c++ ansible ansible-lint libxslt
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install python deps
run: pip install -r requirements-base.txt -r test-requirements.txt
- name: Configure
@@ -39,13 +39,13 @@ jobs:
GITHUB_REF: ${{ github.ref }}
- name: Build Changelog
id: build_changelog
- uses: mikepenz/release-changelog-builder-action@v4
+ uses: mikepenz/release-changelog-builder-action@32e3c96f29a6532607f638797455e9e98cfc703d # v4
with:
configuration: .github/workflows/release-changelog.json
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Release
- uses: softprops/action-gh-release@v2.0.6
+ uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
with:
draft: True
name: Content ${{ steps.set_version.outputs.ver }}
diff --git a/.github/workflows/srg-mapping-table.yaml b/.github/workflows/srg-mapping-table.yaml
index 7de591b40e2..0e28ecf647f 100644
--- a/.github/workflows/srg-mapping-table.yaml
+++ b/.github/workflows/srg-mapping-table.yaml
@@ -23,7 +23,7 @@ jobs:
- name: Install deps python
run: pip3 install pandas openpyxl
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Setup Build
run: cmake .. -G Ninja
working-directory: ./build
@@ -60,33 +60,33 @@ jobs:
run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v2r7.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel10.html
env:
PYTHONPATH: ${{ github.workspace }}
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
if: ${{ github.event_name == 'pull_request' }}
with:
name: srg-mapping-rhel9.xlsx
path: ${{ env.PAGES_DIR }}/srg-mapping-rhel9.xlsx
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
if: ${{ github.event_name == 'pull_request' }}
with:
name: srg-mapping-rhel9.html
path: ${{ env.PAGES_DIR }}/srg-mapping-rhel9.html
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
if: ${{ github.event_name == 'pull_request' }}
with:
name: srg-mapping-rhel10.xlsx
path: ${{ env.PAGES_DIR }}/srg-mapping-rhel10.xlsx
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
if: ${{ github.event_name == 'pull_request' }}
with:
name: srg-mapping-rhel10.html
path: ${{ env.PAGES_DIR }}/srg-mapping-rhel10.html
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
if: ${{ github.event_name == 'pull_request' }}
with:
name: srg-mapping-ocp4.xlsx
path: ${{ env.PAGES_DIR }}/srg-mapping-ocp4.xlsx
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
if: ${{ github.event_name == 'pull_request' }}
with:
name: srg-mapping-ocp4.html
@@ -99,7 +99,7 @@ jobs:
git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Deploy
if: ${{ github.event_name == 'push' && github.repository == 'ComplianceAsCode/content' }}
- uses: JamesIves/github-pages-deploy-action@v4.6.1
+ uses: JamesIves/github-pages-deploy-action@5c6e9e9f3672ce8fd37b9856193d2a537941e66c # v4.6.1
with:
branch: main # The branch the action should deploy to.
folder: ${{ env.PAGES_DIR }} # The folder the action should deploy.
diff --git a/.github/workflows/stabilize.yaml b/.github/workflows/stabilize.yaml
index 0207f47c6c5..5b11f93bac3 100644
--- a/.github/workflows/stabilize.yaml
+++ b/.github/workflows/stabilize.yaml
@@ -19,7 +19,7 @@ jobs:
- name: Install Deps
run: dnf install -y cmake ninja-build openscap-utils python3-pyyaml python3-jinja2 python3-pytest ansible libxslt python3-ansible-lint linkchecker java-1.8.0-openjdk unar wget python-unversioned-command git-core
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Configure
run: cmake -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF -DANSIBLE_CHECKS=ON -DENABLE_SCAPVAL13=ON -DSCAPVAL_PATH='/opt/scapval/SCAP-Content-Validation-Tool-1.3.5/scapval-1.3.5.jar' ..
working-directory: ./build
diff --git a/.github/workflows/update-oscal.yml b/.github/workflows/update-oscal.yml
index 1ccc3874fb5..707ff9718ac 100644
--- a/.github/workflows/update-oscal.yml
+++ b/.github/workflows/update-oscal.yml
@@ -26,9 +26,9 @@ jobs:
catalog-name: "nist_rev4_800_53"
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5
with:
python-version: '3.9'
- name: Install python deps
@@ -45,7 +45,7 @@ jobs:
trestle href --name "${{ matrix.variables.profile-name }}" -hr "trestle://catalogs/${{ matrix.variables.catalog-name }}/catalog.json"
working-directory: ./shared/references/oscal
- name: Update content
- uses: peter-evans/create-pull-request@v6.1.0
+ uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
with:
base: master
branch: "oscal-update-${{ github.run_id }}"