diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 31beaa8..9363e98 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -31,7 +31,7 @@ jobs:
 {
 $isRelease = $false
 }
- else
+ else
 {
 $isRelease = $true
 }
@@ -60,22 +60,22 @@ jobs:
 BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
 IS_PUBLIC_BUILD: ${{ needs.generate-version.outputs.is-public-build }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 submodules: true
- - uses: docker/setup-buildx-action@v3
+ - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 id: buildx
 with:
 install: true
 version: latest
- - uses: docker/login-action@v3
+ - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Docker Meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: ${{ env.IMAGE_NAME }}
 tags: |
@@ -83,7 +83,7 @@ jobs:
 type=raw,value=pr-artifact,enable=${{ github.event_name == 'pull_request' }}
 type=raw,value=dispatch-artifact,enable=${{ github.event_name == 'workflow_dispatch' }}
 type=raw,value=release-artifact,enable=${{ needs.generate-version.outputs.version != '0.0.1' }}
- - uses: docker/build-push-action@v6
+ - uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
 id: build
 with:
 file: Dockerfile
@@ -102,8 +102,8 @@ jobs:
 env:
 BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
 steps:
- - uses: actions/checkout@v4
- - uses: imranismail/setup-kustomize@v2
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0
 - name: Generate Manifests (Prod)
 run: |
 set -xe
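Review bot: `version: latest` under docker/setup-buildx-action in hunk @@ -60 still fetches whatever buildx release is current at run time, so the new commit SHA on the action does not make the buildx toolchain it installs reproducible; pin that too, e.g. `version: "<pinned-buildx-version>"` (placeholder, take the value from the buildx release the pipeline was last validated against). The trailing `# vX.Y.Z` comments are what Dependabot and Renovate key on when bumping SHA pins, so confirm the repository's updater configuration covers the github-actions ecosystem, otherwise these pins silently stop receiving security updates; the `dependabot[bot]` actor check later in this file suggests Dependabot is in use, but its configuration is not visible here. The enclosing job definition starts before the hunk.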
@@ -127,7 +127,7 @@ jobs:
 cp manifests/install/prod-quay/install-prod-quay.yaml ./install-prod-quay.yaml
 shell: bash
 - name: Publish (Artifacts)
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
 with:
 name: manifests
 path: |
@@ -140,9 +140,9 @@ jobs:
 env:
 BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
 steps:
- - uses: actions/checkout@v4
- - uses: imranismail/setup-kustomize@v2
- - uses: azure/setup-helm@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0
+ - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
 with:
 version: v3.10.1
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -163,14 +163,14 @@ jobs:
 | tee ./manifests/helm/dist/output.yaml
 shell: bash
 - name: Publish (Chart)
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
 with:
 name: helm-chart
 path: |
 manifests/helm/dist/*.tgz
 retention-days: 7
 - name: Publish (Manifests)
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
 with:
 name: helm-manifests
 path: |
@@ -193,21 +193,21 @@ jobs:
 IMAGE: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
 if: ${{ github.event_name != 'pull_request' }} # should match push logic in build-image
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 submodules: true
- - uses: docker/login-action@v3
+ - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - uses: nolar/setup-k3d-k3s@v1
+ - uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
 name: Deploy K3d
 with:
 version: v${{ matrix.k3s-version }}
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Import Images
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
 with:
 timeout_minutes: 10
 max_attempts: 5
@@ -233,7 +233,7 @@ jobs:
 kubectl apply -k manifests/examples/testing
 shell: bash
 - name: Setup .NET SDK
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
 with:
 dotnet-version: 8.0.x
 - name: Execute Functional Tests
@@ -242,7 +242,7 @@ jobs:
 dotnet test ./tests/Contrast.K8s.AgentOperator.FunctionalTests/Contrast.K8s.AgentOperator.FunctionalTests.csproj
 shell: bash
 - name: Dump Operator Logs
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
 if: ${{ always() }}
 with:
 timeout_minutes: 10
@@ -272,9 +272,9 @@ jobs:
 fail-fast: false
 steps:
 - name: Setup Pluto
- uses: FairwindsOps/pluto/github-action@master
+ uses: fairwindsops/pluto/github-action@d45f6d122de3d99fc4b7576592939ff62655db66 # v5.21.1
 - name: Setup Polaris
- uses: fairwindsops/polaris/.github/actions/setup-polaris@master
+ uses: fairwindsops/polaris/.github/actions/setup-polaris@80e6f7214ee611feb8a0ad2f8be6e58f822b868b # v9.6.1
 with:
 version: 7.2.0
 - name: Setup Kubeconform
@@ -284,7 +284,7 @@ jobs:
 tar xf kubeconform-linux-amd64.tar.gz
 sudo install kubeconform /usr/local/bin/kubeconform
 - name: Download Manifests
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 id: download-artifacts
 with:
 name: ${{ matrix.artifact }}
@@ -341,16 +341,16 @@ jobs:
 IMAGE_NAME: ghcr.io/contrast-security-oss/agent-operator/operator
 if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Login (GitHub)
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Docker Meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: ${{ env.IMAGE_NAME }}
 tags: |
@@ -359,7 +359,7 @@ jobs:
 type=semver,pattern={{major}},value=${{ env.BUILD_VERSION }},enable=${{ needs.generate-version.outputs.is-release == 'true' }}
 type=raw,latest,enable=${{ needs.generate-version.outputs.is-release == 'true' }}
 - name: Tag for Release
- uses: akhilerm/tag-push-action@v2.2.0
+ uses: akhilerm/tag-push-action@f35ff2cb99d407368b5c727adbcc14a2ed81d509 # v2.2.0
 with:
 src: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
 dst: |
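Review bot: The kubeconform binary unpacked by `tar xf kubeconform-linux-amd64.tar.gz` and copied with `sudo install` in hunk @@ -284 is still installed without any integrity check, so it remains the one unverified dependency in a workflow that now pins every action by commit SHA. Verify the archive before extracting, e.g. `echo "<expected-sha256>  kubeconform-linux-amd64.tar.gz" | sha256sum -c -` with the digest taken from the matching upstream release (placeholder shown), and make sure the download references a fixed release rather than a floating latest. The download line itself sits above the hunk, so whether the URL is already version-pinned cannot be confirmed from here.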
@@ -384,27 +384,27 @@ jobs:
 BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
 if: ${{ needs.generate-version.outputs.version != '0.0.1' }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Login (GitHub)
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Login (Dockerhub)
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_PAT }}
 - name: Login (Quay)
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: quay.io
 username: ${{ secrets.QUAY_USERNAME }}
 password: ${{ secrets.QUAY_PASSWORD }}
 - name: Docker Meta
 id: dockerhub-meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: |
 docker.io/contrast/agent-operator
@@ -416,18 +416,18 @@ jobs:
 type=semver,pattern={{major}},value=${{ env.BUILD_VERSION }},enable=${{ needs.generate-version.outputs.is-release == 'true' }}
 type=raw,latest,enable=${{ needs.generate-version.outputs.is-release == 'true' }}
 - name: Tag for Release
- uses: akhilerm/tag-push-action@v2.2.0
+ uses: akhilerm/tag-push-action@f35ff2cb99d407368b5c727adbcc14a2ed81d509 # v2.2.0
 with:
 src: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
 dst: |
 ${{ steps.dockerhub-meta.outputs.tags }}
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 id: download-artifacts
 with:
 name: manifests
 path: ./artifacts
 - name: Publish
- uses: ncipollo/release-action@v1
+ uses: ncipollo/release-action@cdcc88a9acf3ca41c16c37bb7d21b9ad48560d87 # v1.15.0
 with:
 body: |
 Version v${{ env.BUILD_VERSION }} released!
@@ -443,7 +443,7 @@ jobs:
 allowUpdates: true
 prerelease: ${{ needs.generate-version.outputs.is-release == 'false' }} # pre-releases will have is-release false
 - name: Publish Helm Chart
- uses: peter-evans/repository-dispatch@v3
+ uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
 if: ${{ needs.generate-version.outputs.is-release == 'true' }}
 with:
 token: ${{ secrets.GH_PR_WRITE_PAT }}
@@ -456,7 +456,7 @@ jobs:
 "artifactName": "helm-chart"
 }
 # - name: Create Sentry Release
- # uses: getsentry/action-release@v1
+ # uses: getsentry/action-release@f6dfa3d84a1c740b94aa45255c5e032b744a095d # v1.9.0
 # with:
 # environment: production
 # ignore_empty: true
@@ -467,7 +467,7 @@ jobs:
 # SENTRY_ORG: sentry
 # SENTRY_PROJECT: agent-operator
 # SENTRY_URL: https://sentry.prod.dotnet.contsec.com
- - uses: act10ns/slack@v2
+ - uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
 if: ${{ needs.generate-version.outputs.is-release == 'true' }}
 with:
 status: ${{ job.status }}