Pin github actions to commit hash

Contrast-Security-OSS · Jan 30, 2025 · 2139f16 · 2139f16
1 parent 4021bdb
commit 2139f16
Showing 1 changed file with 38 additions and 38 deletions.
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -31,7 +31,7 @@ jobs:
               {
                   $isRelease = $false
               }
-              else 
+              else
               {
                   $isRelease = $true
               }
@@ -60,30 +60,30 @@ jobs:
       BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
       IS_PUBLIC_BUILD: ${{ needs.generate-version.outputs.is-public-build }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: true
-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
         id: buildx
         with:
           install: true
           version: latest
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker Meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
           images: ${{ env.IMAGE_NAME }}
           tags: |
             type=raw,value=trunk-artifact,enable=${{ github.ref == 'refs/heads/master' }}
             type=raw,value=pr-artifact,enable=${{ github.event_name == 'pull_request' }}
             type=raw,value=dispatch-artifact,enable=${{ github.event_name == 'workflow_dispatch' }}
             type=raw,value=release-artifact,enable=${{ needs.generate-version.outputs.version != '0.0.1' }}
-      - uses: docker/build-push-action@v6
+      - uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         id: build
         with:
           file: Dockerfile
@@ -102,8 +102,8 @@ jobs:
     env:
       BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: imranismail/setup-kustomize@v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0
       - name: Generate Manifests (Prod)
         run: |
           set -xe
@@ -127,7 +127,7 @@ jobs:
           cp manifests/install/prod-quay/install-prod-quay.yaml ./install-prod-quay.yaml
         shell: bash
       - name: Publish (Artifacts)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: manifests
           path: |
@@ -140,9 +140,9 @@ jobs:
     env:
       BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: imranismail/setup-kustomize@v2
-      - uses: azure/setup-helm@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
           version: v3.10.1
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -163,14 +163,14 @@ jobs:
             | tee ./manifests/helm/dist/output.yaml
         shell: bash
       - name: Publish (Chart)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: helm-chart
           path: |
             manifests/helm/dist/*.tgz
           retention-days: 7
       - name: Publish (Manifests)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: helm-manifests
           path: |
@@ -193,21 +193,21 @@ jobs:
       IMAGE: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
     if: ${{ github.event_name != 'pull_request' }} # should match push logic in build-image
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: true
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: nolar/setup-k3d-k3s@v1
+      - uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
         name: Deploy K3d
         with:
           version: v${{ matrix.k3s-version }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Import Images
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
         with:
           timeout_minutes: 10
           max_attempts: 5
@@ -233,7 +233,7 @@ jobs:
           kubectl apply -k manifests/examples/testing
         shell: bash
       - name: Setup .NET SDK
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
         with:
           dotnet-version: 8.0.x
       - name: Execute Functional Tests
@@ -242,7 +242,7 @@ jobs:
           dotnet test ./tests/Contrast.K8s.AgentOperator.FunctionalTests/Contrast.K8s.AgentOperator.FunctionalTests.csproj
         shell: bash
       - name: Dump Operator Logs
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
         if: ${{ always() }}
         with:
           timeout_minutes: 10
@@ -272,9 +272,9 @@ jobs:
       fail-fast: false
     steps:
       - name: Setup Pluto
-        uses: FairwindsOps/pluto/github-action@master
+        uses: fairwindsops/pluto/github-action@d45f6d122de3d99fc4b7576592939ff62655db66 # v5.21.1
       - name: Setup Polaris
-        uses: fairwindsops/polaris/.github/actions/setup-polaris@master
+        uses: fairwindsops/polaris/.github/actions/setup-polaris@80e6f7214ee611feb8a0ad2f8be6e58f822b868b # v9.6.1
         with:
           version: 7.2.0
       - name: Setup Kubeconform
@@ -284,7 +284,7 @@ jobs:
           tar xf kubeconform-linux-amd64.tar.gz
           sudo install kubeconform /usr/local/bin/kubeconform
       - name: Download Manifests
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         id: download-artifacts
         with:
           name: ${{ matrix.artifact }}
@@ -341,16 +341,16 @@ jobs:
       IMAGE_NAME: ghcr.io/contrast-security-oss/agent-operator/operator
     if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Login (GitHub)
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker Meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
           images: ${{ env.IMAGE_NAME }}
           tags: |
@@ -359,7 +359,7 @@ jobs:
             type=semver,pattern={{major}},value=${{ env.BUILD_VERSION }},enable=${{ needs.generate-version.outputs.is-release == 'true' }}
             type=raw,latest,enable=${{ needs.generate-version.outputs.is-release == 'true' }}
       - name: Tag for Release
-        uses: akhilerm/[email protected]
+        uses: akhilerm/tag-push-action@f35ff2cb99d407368b5c727adbcc14a2ed81d509 # v2.2.0
         with:
           src: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
           dst: |
@@ -384,27 +384,27 @@ jobs:
       BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
     if: ${{ needs.generate-version.outputs.version != '0.0.1' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Login (GitHub)
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login (Dockerhub)
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PAT }}
       - name: Login (Quay)
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
       - name: Docker Meta
         id: dockerhub-meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
           images: |
             docker.io/contrast/agent-operator
@@ -416,18 +416,18 @@ jobs:
             type=semver,pattern={{major}},value=${{ env.BUILD_VERSION }},enable=${{ needs.generate-version.outputs.is-release == 'true' }}
             type=raw,latest,enable=${{ needs.generate-version.outputs.is-release == 'true' }}
       - name: Tag for Release
-        uses: akhilerm/[email protected]
+        uses: akhilerm/tag-push-action@f35ff2cb99d407368b5c727adbcc14a2ed81d509 # v2.2.0
         with:
           src: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
           dst: |
             ${{ steps.dockerhub-meta.outputs.tags }}
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         id: download-artifacts
         with:
           name: manifests
           path: ./artifacts
       - name: Publish
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@cdcc88a9acf3ca41c16c37bb7d21b9ad48560d87 # v1.15.0
         with:
           body: |
             Version v${{ env.BUILD_VERSION }} released!
@@ -443,7 +443,7 @@ jobs:
           allowUpdates: true
           prerelease: ${{ needs.generate-version.outputs.is-release == 'false' }} # pre-releases will have is-release false
       - name: Publish Helm Chart
-        uses: peter-evans/repository-dispatch@v3
+        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
         if: ${{ needs.generate-version.outputs.is-release == 'true' }}
         with:
           token: ${{ secrets.GH_PR_WRITE_PAT }}
@@ -456,7 +456,7 @@ jobs:
                 "artifactName": "helm-chart"
             }
       # - name: Create Sentry Release
-      #   uses: getsentry/action-release@v1
+      #   uses: getsentry/action-release@f6dfa3d84a1c740b94aa45255c5e032b744a095d # v1.9.0
       #   with:
       #     environment: production
       #     ignore_empty: true
@@ -467,7 +467,7 @@ jobs:
       #     SENTRY_ORG: sentry
       #     SENTRY_PROJECT: agent-operator
       #     SENTRY_URL: https://sentry.prod.dotnet.contsec.com
-      - uses: act10ns/slack@v2
+      - uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
         if: ${{ needs.generate-version.outputs.is-release == 'true' }}
         with:
           status: ${{ job.status }}