ci: pin all GitHub Actions to full SHA256 hashes (#8059)

2026-03-05 03:31:03 +01:00 · 2025-11-25 19:03:04 -05:00
parent d0d4de70ca
commit 3488e22a40
5 changed files with 48 additions and 48 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -25,14 +25,14 @@ jobs:
      packages: write
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: linux/amd64,linux/arm64,linux/arm/v7
      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Inspect builder
        run: |
          echo "Name:      ${{ steps.buildx.outputs.name }}"
@@ -41,24 +41,24 @@ jobs:
          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
      - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GitHub Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to DigitalOcean Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: registry.digitalocean.com
          username: ${{ secrets.DIGITALOCEAN_USERNAME }}
          password: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
      - name: Build and push images
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/arm/v7
@@ -68,12 +68,12 @@ jobs:
            ghcr.io/gogs/gogs:latest
            registry.digitalocean.com/gogs/gogs:latest
      - name: Scan for container vulnerabilities
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: gogs/gogs:latest
          exit-code: '1'
      - name: Send email on failure
-        uses: dawidd6/action-send-mail@v3
+        uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
        if: ${{ failure() }}
        with:
          server_address: smtp.mailgun.org
@@ -97,7 +97,7 @@ jobs:
      contents: read
    steps:
      - name: Install doctl
-        uses: digitalocean/action-doctl@v2
+        uses: digitalocean/action-doctl@135ac0aa0eed4437d547c6f12c364d3006b42824 # v2.5.1
        with:
          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
      - name: Configure kubectl
@@ -107,7 +107,7 @@ jobs:
          kubectl rollout restart deployment gogs-demo -n gogs
          kubectl rollout status deployment gogs-demo -n gogs
      - name: Send email on failure
-        uses: dawidd6/action-send-mail@v3
+        uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
        if: ${{ failure() }}
        with:
          server_address: smtp.mailgun.org
@@ -130,10 +130,10 @@ jobs:
      contents: read
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
        with:
          config-inline: |
            [worker.oci]
@@ -147,9 +147,9 @@ jobs:
          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
      - name: Compute short commit SHA
        id: short-sha
-        uses: benjlevesque/short-sha@v2.1
+        uses: benjlevesque/short-sha@599815c8ee942a9616c92bcfb4f947a3b670ab0b # v3.0
      - name: Build and push images
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          platforms: linux/amd64
@@ -157,7 +157,7 @@ jobs:
          tags: |
            ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:1d
      - name: Scan for container vulnerabilities
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:1d
          exit-code: '1'
@@ -174,14 +174,14 @@ jobs:
      - name: Compute image tag name
        run: echo "IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -c 2-)" >> $GITHUB_ENV
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: linux/amd64,linux/arm64,linux/arm/v7
      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Inspect builder
        run: |
          echo "Name:      ${{ steps.buildx.outputs.name }}"
@@ -190,18 +190,18 @@ jobs:
          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
      - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GitHub Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push images
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/arm/v7
@@ -210,7 +210,7 @@ jobs:
            gogs/gogs:${{ env.IMAGE_TAG }}
            ghcr.io/gogs/gogs:${{ env.IMAGE_TAG }}
      - name: Send email on failure
-        uses: dawidd6/action-send-mail@v3
+        uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
        if: ${{ failure() }}
        with:
          server_address: smtp.mailgun.org