
Commit 8be2389

committed
chore: pin GitHub Actions to commit SHAs
Pin all action references to immutable commit SHAs to prevent supply chain attacks via tag poisoning. Version comments preserved for auditability.
1 parent a6b896c commit 8be2389

9 files changed

Lines changed: 29 additions & 34 deletions


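--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -13,17 +13,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Install Go
-uses: actions/setup-go@v6.4.0
+uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: 1.23
 
-- uses: actions/checkout@v6.0.2
-
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: setup git access to private repos
 run: git config --global url."https://${TOKEN}:x-oauth-basic@github.com/sprintertech/".insteadOf "https://github.com/sprintertech/"
 
 - name: golangci-lint
-uses: golangci/golangci-lint-action@v9.2.0
+uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 with:
 args: --timeout=10m
 only-new-issues: true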
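Review bot: The SHA pins on the three `uses:` lines (old lines 16, 20 and 26) only advance when someone edits them by hand, and the trailing `# v6.4.0`-style comments are what SHA-aware updaters (Dependabot's `github-actions` ecosystem, Renovate) use to recognise and bump the version; this commit touches no `.github/dependabot.yml`, so if the repository has no such entry the pins will silently freeze. The same applies to every other workflow in this commit (deploy-portainer-staging, mocks, pr, publish-binaries, publish-latest, publish-tagged, release, test). Consider adding a `package-ecosystem: "github-actions"` Dependabot entry in a follow-up, and a one-line comment above each `steps:` block such as `# Actions are pinned to commit SHAs; when bumping, update the SHA and keep the trailing version comment in sync`.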

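--- a/.github/workflows/deploy-portainer-staging.yml
+++ b/.github/workflows/deploy-portainer-staging.yml
@@ -26,7 +26,7 @@ jobs:
 
 steps:
 - name: Checkout code
-uses: actions/checkout@v6.0.2
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 clean: true
 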

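--- a/.github/workflows/mocks.yml
+++ b/.github/workflows/mocks.yml
@@ -13,12 +13,11 @@ jobs:
 mocks-check:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v6.0.2
-
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: setup git access to private repos
 run: git config --global url."https://${TOKEN}:x-oauth-basic@github.com/sprintertech/".insteadOf "https://github.com/sprintertech/"
 
-- uses: actions/setup-go@v6.4.0
+- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: "^1.23"
 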

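--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -9,7 +9,7 @@ jobs:
 name: Validate PR title
 runs-on: ubuntu-latest
 steps:
-- uses: amannn/action-semantic-pull-request@v6.1.1
+- uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with: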

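--- a/.github/workflows/publish-binaries.yml
+++ b/.github/workflows/publish-binaries.yml
@@ -17,42 +17,41 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
-uses: actions/checkout@v6.0.2
-
-- uses: actions/setup-go@v6.4.0
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: '1.23'
 
 - name: Build
 run: make build-all
 
 - name: Archive Linux 64
-uses: thedoctor0/zip-release@0.7.6
+uses: thedoctor0/zip-release@b57d897cb5d60cb78b51a507f63fa184cfe35554 # 0.7.6
 with:
 filename: 'relayer-linux-amd64.zip'
 directory: 'build/linux-amd64/'
 
 - name: Archive Linux Arm
-uses: thedoctor0/zip-release@0.7.6
+uses: thedoctor0/zip-release@b57d897cb5d60cb78b51a507f63fa184cfe35554 # 0.7.6
 with:
 filename: 'relayer-linux-arm.zip'
 directory: 'build/linux-arm/'
 
 - name: Archive Darwin 64
-uses: thedoctor0/zip-release@0.7.6
+uses: thedoctor0/zip-release@b57d897cb5d60cb78b51a507f63fa184cfe35554 # 0.7.6
 with:
 filename: 'relayer-darwin-amd64.zip'
 directory: 'build/darwin-amd64/'
 
 - name: Archive Darwin Arm 64
-uses: thedoctor0/zip-release@0.7.6
+uses: thedoctor0/zip-release@b57d897cb5d60cb78b51a507f63fa184cfe35554 # 0.7.6
 with:
 filename: 'relayer-darwin-arm64.zip'
 directory: 'build/darwin-arm64/'
 
 - name: Upload Linux amd64
 id: relayer-linux-amd64
-uses: AButler/upload-release-assets@v3.0
+uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -61,7 +60,7 @@ jobs:
 
 - name: Upload Linux arm
 id: relayer-linux-arm
-uses: AButler/upload-release-assets@v3.0
+uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -70,7 +69,7 @@ jobs:
 
 - name: Upload Darwin amd64
 id: relayer-darwin-amd64
-uses: AButler/upload-release-assets@v3.0
+uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -79,7 +78,7 @@ jobs:
 
 - name: Upload Darwin arm
 id: relayer-darwin-arm64
-uses: AButler/upload-release-assets@v3.0
+uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with: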
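Review bot: The version comment on the four `AButler/upload-release-assets` pins (old lines 55, 64, 73 and 82) records `v3.0`, which reads as a minor-series tag rather than a specific release, so the comment does not tell a later reviewer which exact release the SHA `3d6774fae0ed91407dc5ae29d576b166536d1777` was taken from, and an updater matching on the comment may not know what to bump it to. If the upstream project publishes full patch tags, record that one instead, e.g. `# v3.0.<patch>` with the real patch number filled in. These four steps each pass `GITHUB_TOKEN` to the action and the `zip-release` steps handle the release artifacts, so when these SHAs are next bumped it is worth confirming the new SHA matches the upstream release tag rather than trusting the comment alone.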

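--- a/.github/workflows/publish-latest.yml
+++ b/.github/workflows/publish-latest.yml
@@ -22,15 +22,14 @@ jobs:
 steps:
 # Checkout the repository
 - name: Checkout code
-uses: actions/checkout@v6.0.2
-
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: setup git access to private repos
 run: git config --global url."https://${TOKEN}:x-oauth-basic@github.com/sprintertech/".insteadOf "https://github.com/sprintertech/"
 
 # Log in to GHCR
 - name: Log in to GHCR
 id: ghcr
-uses: docker/login-action@v4.0.0
+uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -39,7 +38,7 @@ jobs:
 
 # Build and push the Docker image
 - name: Build and push Docker image
-uses: docker/build-push-action@v7.0.0
+uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
 with:
 context: .
 push: true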

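--- a/.github/workflows/publish-tagged.yml
+++ b/.github/workflows/publish-tagged.yml
@@ -23,15 +23,14 @@ jobs:
 steps:
 # Checkout the repository
 - name: Checkout code
-uses: actions/checkout@v6.0.2
-
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: setup git access to private repos
 run: git config --global url."https://${TOKEN}:x-oauth-basic@github.com/sprintertech/".insteadOf "https://github.com/sprintertech/"
 
 # Log in to GHCR
 - name: Log in to GHCR
 id: ghcr
-uses: docker/login-action@v4.0.0
+uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -40,7 +39,7 @@ jobs:
 
 # Build and push the Docker image
 - name: Build and push Docker image
-uses: docker/build-push-action@v7.0.0
+uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
 with:
 context: .
 push: true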

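--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,8 +14,8 @@ jobs:
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 steps:
 
-- uses: actions/checkout@v6.0.2
-- uses: google-github-actions/release-please-action@v4.1.1
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+- uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1
 id: release
 with:
 token: ${{ secrets.RELEASE_PLEASE_PAT }}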
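Review bot: The `release-please-action` pin on old line 18 is the step that receives `secrets.RELEASE_PLEASE_PAT` through `with: token:`, so of all the pins in this commit it is the one that most deserves a note explaining why it must not be loosened: a personal access token (presumably with write access, since it is used for releases) is handed to third-party code, and the immutable SHA is what stops a retagged `v4.1.1` from running different code with that token. Add a comment on the step such as `# pinned by SHA on purpose: this step receives RELEASE_PLEASE_PAT; verify the new SHA matches the upstream release tag before bumping`. The enclosing job starts above the hunk.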

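--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,16 +24,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Install Go
-uses: actions/setup-go@v6.4.0
+uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: ${{ matrix.go-version }}
 - name: Checkout code
-uses: actions/checkout@v6.0.2
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - id: go-cache-paths
 run: |
 echo "GO_BUILD=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
 echo "GO_MOD=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
-- uses: actions/cache@v5.0.4
+- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: |
 ${{ steps.go-cache-paths.outputs.GO_BUILD }}
@@ -48,7 +48,7 @@ jobs:
 - name: Cover
 run: echo "COVER=$(go tool cover -func cover.out | grep total | awk '{print substr($3, 1, length($3)-1)}')" >> $GITHUB_ENV
 - name: Create comment
-uses: peter-evans/create-or-update-comment@v5.0.0
+uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
 with:
 issue-number: ${{github.event.number}}
 body: |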
