From 3488e22a40fce68e8244d7987f5f2c66771ded7a Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 19:03:04 -0500 Subject: [PATCH] ci: pin all GitHub Actions to full SHA256 hashes (#8059) --- .github/workflows/codeql.yml | 8 +++---- .github/workflows/docker.yml | 46 ++++++++++++++++++------------------ .github/workflows/go.yml | 36 ++++++++++++++-------------- .github/workflows/lock.yml | 2 +- .github/workflows/shell.yml | 4 ++-- 5 files changed, 48 insertions(+), 48 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9fc1f7806..24a551e90 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. @@ -47,7 +47,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v3.28.3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -58,7 +58,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@fdbfb4d2750291e159f0156def62b853c2798ca2 # v3.28.3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -72,4 +72,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v3.28.3 diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 9f998220d..5b5708395 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -25,14 +25,14 @@ jobs: packages: write steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: platforms: linux/amd64,linux/arm64,linux/arm/v7 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Inspect builder run: | echo "Name: ${{ steps.buildx.outputs.name }}" @@ -41,24 +41,24 @@ jobs: echo "Flags: ${{ steps.buildx.outputs.flags }}" echo "Platforms: ${{ steps.buildx.outputs.platforms }}" - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to DigitalOcean Container registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: registry.digitalocean.com username: ${{ secrets.DIGITALOCEAN_USERNAME }} password: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} - name: Build and push images - uses: docker/build-push-action@v5 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . platforms: linux/amd64,linux/arm64,linux/arm/v7 @@ -68,12 +68,12 @@ jobs: ghcr.io/gogs/gogs:latest registry.digitalocean.com/gogs/gogs:latest - name: Scan for container vulnerabilities - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1 with: image-ref: gogs/gogs:latest exit-code: '1' - name: Send email on failure - uses: dawidd6/action-send-mail@v3 + uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0 if: ${{ failure() }} with: server_address: smtp.mailgun.org @@ -97,7 +97,7 @@ jobs: contents: read steps: - name: Install doctl - uses: digitalocean/action-doctl@v2 + uses: digitalocean/action-doctl@135ac0aa0eed4437d547c6f12c364d3006b42824 # v2.5.1 with: token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} - name: Configure kubectl @@ -107,7 +107,7 @@ jobs: kubectl rollout restart deployment gogs-demo -n gogs kubectl rollout status deployment gogs-demo -n gogs - name: Send email on failure - uses: dawidd6/action-send-mail@v3 + uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0 if: ${{ failure() }} with: server_address: smtp.mailgun.org @@ -130,10 +130,10 @@ jobs: contents: read steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 with: config-inline: | [worker.oci] @@ -147,9 +147,9 @@ jobs: echo "Platforms: ${{ steps.buildx.outputs.platforms }}" - name: Compute short commit SHA id: short-sha - uses: benjlevesque/short-sha@v2.1 + uses: benjlevesque/short-sha@599815c8ee942a9616c92bcfb4f947a3b670ab0b # v3.0 - name: Build and push images - uses: docker/build-push-action@v5 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . platforms: linux/amd64 @@ -157,7 +157,7 @@ jobs: tags: | ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:1d - name: Scan for container vulnerabilities - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1 with: image-ref: ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:1d exit-code: '1' @@ -174,14 +174,14 @@ jobs: - name: Compute image tag name run: echo "IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -c 2-)" >> $GITHUB_ENV - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: platforms: linux/amd64,linux/arm64,linux/arm/v7 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Inspect builder run: | echo "Name: ${{ steps.buildx.outputs.name }}" @@ -190,18 +190,18 @@ jobs: echo "Flags: ${{ steps.buildx.outputs.flags }}" echo "Platforms: ${{ steps.buildx.outputs.platforms }}" - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push images - uses: docker/build-push-action@v5 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . platforms: linux/amd64,linux/arm64,linux/arm/v7 @@ -210,7 +210,7 @@ jobs: gogs/gogs:${{ env.IMAGE_TAG }} ghcr.io/gogs/gogs:${{ env.IMAGE_TAG }} - name: Send email on failure - uses: dawidd6/action-send-mail@v3 + uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0 if: ${{ failure() }} with: server_address: smtp.mailgun.org diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index d48fd14de..7f86982d9 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -30,13 +30,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version: 1.24.x - name: Install Task - uses: arduino/setup-task@v2 + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Check Go module tidiness and generated files @@ -52,7 +52,7 @@ jobs: exit 1 fi - name: Run golangci-lint - uses: golangci/golangci-lint-action@v7 + uses: golangci/golangci-lint-action@9fae48acfc02a90574d7c304a1758ef9895495fa # v7.0.1 with: version: latest args: --timeout=30m @@ -66,20 +66,20 @@ jobs: runs-on: ${{ matrix.platform }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version: ${{ matrix.go-version }} - name: Run tests with coverage run: go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic ./... - name: Upload coverage report to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: file: ./coverage flags: unittests - name: Send email on failure - uses: dawidd6/action-send-mail@v3 + uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0 if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }} with: server_address: smtp.mailgun.org @@ -106,20 +106,20 @@ jobs: runs-on: ${{ matrix.platform }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version: ${{ matrix.go-version }} - name: Run tests with coverage run: go test -shuffle=on -v -coverprofile=coverage -covermode=atomic ./... - name: Upload coverage report to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: file: ./coverage flags: unittests - name: Send email on failure - uses: dawidd6/action-send-mail@v3 + uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0 if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }} with: server_address: smtp.mailgun.org @@ -156,9 +156,9 @@ jobs: - 5432:5432 steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version: ${{ matrix.go-version }} - name: Run tests with coverage @@ -182,9 +182,9 @@ jobs: - name: Start MySQL server run: sudo systemctl start mysql - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version: ${{ matrix.go-version }} - name: Run tests with coverage @@ -205,9 +205,9 @@ jobs: runs-on: ${{ matrix.platform }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version: ${{ matrix.go-version }} - name: Run tests with coverage diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 7c84bdfc3..431efde3d 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -16,7 +16,7 @@ jobs: action: runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@v5 + - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 with: github-token: ${{ github.token }} issue-inactive-days: '90' diff --git a/.github/workflows/shell.yml b/.github/workflows/shell.yml index a83e4e2f6..d7c0e0b46 100644 --- a/.github/workflows/shell.yml +++ b/.github/workflows/shell.yml @@ -12,6 +12,6 @@ jobs: name: Shellcheck runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Run ShellCheck - uses: ludeeus/action-shellcheck@master + uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0