From 62801b3b1371a221f0c485abe50f22b005155fe7 Mon Sep 17 00:00:00 2001
From: freeze <1615081+Vicente-Cheng@users.noreply.github.com>
Date: Wed, 25 Mar 2026 10:12:25 +0800
Subject: [PATCH] chore: pin GH Actions to commit sha (#765)
---
 .github/actions/setup/action.yaml | 2 +-
 .github/workflows/auto-assign-reviewer.yaml | 4 +--
 .github/workflows/backport-label.yaml | 2 +-
 .github/workflows/backport-request.yaml | 2 +-
 .../build-and-publish-catalog-on-release.yaml | 2 +-
 .../build-and-publish-standalone.yaml | 32 +++++++++----------
 .github/workflows/build-extension-catalog.yml | 12 +++----
 .../workflows/build-extension-on-merge.yml | 18 +++++------
 .../workflows/build-extension-on-release.yml | 6 ++--
 .../build-standalone-on-release.yaml | 2 +-
 .github/workflows/fossa.yml | 4 +--
 .github/workflows/release-label.yaml | 2 +-
 .github/workflows/run-lint.yaml | 2 +-
 13 files changed, 45 insertions(+), 45 deletions(-)
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index fa6d2458..d29cbbf8 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
@@ -4,7 +4,7 @@ description: Setup node and install dependencies
 runs:
 using: 'composite'
 steps:
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.nvmrc'
 cache: 'yarn'
diff --git a/.github/workflows/auto-assign-reviewer.yaml b/.github/workflows/auto-assign-reviewer.yaml
index d84147b9..b998e2c3 100644
--- a/.github/workflows/auto-assign-reviewer.yaml
+++ b/.github/workflows/auto-assign-reviewer.yaml
@@ -12,6 +12,6 @@ jobs:
 if: github.event.pull_request.draft == false
 runs-on: ubuntu-latest
 steps:
- - uses: rancher/gh-issue-mgr/auto-assign-action@main
+ - uses: rancher/gh-issue-mgr/auto-assign-action@b70f0bdf12a03e5e3f33e4f92ccb6c89deb3ebd9 # main
 with:
- configuration-path: .github/auto-assign-config.yaml
\ No newline at end of file
+ configuration-path: .github/auto-assign-config.yaml
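Review bot: The trailing comment on the new `uses:` line in the setup action records only the major line, `# v4`, so a reviewer cannot check the SHA 49933ea… against a specific release, whereas later hunks in this same patch record exact tags (`# v1.7.0`, `# v1.8.0`). Recording the full tag the commit belongs to, e.g. `- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.x.y`, keeps the pin verifiable and is also what Dependabot/Renovate key on to refresh it. The diffstat lists no dependabot or renovate configuration among the 13 files touched, so if the repository has none for the `github-actions` ecosystem these SHAs will age silently; that is worth confirming alongside this change.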
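Review bot: The new pin for `rancher/gh-issue-mgr/auto-assign-action` carries the comment `# main`, a branch name rather than a release tag, so b70f0bdf… is a snapshot of a moving branch with nothing to verify it against. If that action publishes tags, point the comment at the tag containing this commit; if it does not, be aware that an automated updater keyed on the comment will float the pin to the latest `main` on each refresh, which adds a review step over the old `@main` reference but not a stable version. A short note above the line, `# no release tags upstream; SHA is a snapshot of main, review on each bump`, would make that explicit to the next maintainer.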
diff --git a/.github/workflows/backport-label.yaml b/.github/workflows/backport-label.yaml
index 9fd7c12f..8ef584da 100644
--- a/.github/workflows/backport-label.yaml
+++ b/.github/workflows/backport-label.yaml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.base_ref }}
diff --git a/.github/workflows/backport-request.yaml b/.github/workflows/backport-request.yaml
index be94274d..5b4ee7da 100644
--- a/.github/workflows/backport-request.yaml
+++ b/.github/workflows/backport-request.yaml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.base_ref }}
diff --git a/.github/workflows/build-and-publish-catalog-on-release.yaml b/.github/workflows/build-and-publish-catalog-on-release.yaml
index 9e91f057..66ac3ff3 100644
--- a/.github/workflows/build-and-publish-catalog-on-release.yaml
+++ b/.github/workflows/build-and-publish-catalog-on-release.yaml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Check package version
 env:
diff --git a/.github/workflows/build-and-publish-standalone.yaml b/.github/workflows/build-and-publish-standalone.yaml
index eda93b6f..204321c9 100644
--- a/.github/workflows/build-and-publish-standalone.yaml
+++ b/.github/workflows/build-and-publish-standalone.yaml
@@ -25,12 +25,12 @@ jobs:
 name: Build & Upload Hosted
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 fetch-depth: 1
 # Note - Cannot use the setup action here as it uses a different yarn install arg
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.nvmrc'
 cache: 'yarn'
@@ -45,19 +45,19 @@ jobs:
 run: ./scripts/build-upload-gate
 - name: Get gcs auth
- uses: rancher-eio/read-vault-secrets@main
+ uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
 with:
 secrets: |
 secret/data/github/repo/${{ github.repository }}/google-auth/harvester/credentials token | GOOGLE_AUTH ;
 - name: Apply gcs auth
 # https://github.com/google-github-actions/auth
- uses: 'google-github-actions/auth@v2'
+ uses: 'google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2'
 with:
 credentials_json: "${{ env.GOOGLE_AUTH }}"
 - name: Upload build
- uses: 'google-github-actions/upload-cloud-storage@v2'
+ uses: 'google-github-actions/upload-cloud-storage@c0f6160ff80057923ff50e5e567695cea181ec23 # v2'
 # https://github.com/google-github-actions/upload-cloud-storage
 with:
 path: ${{steps.build-hosted.outputs.BUILD_HOSTED_DIR}}
@@ -71,12 +71,12 @@ jobs:
 name: Build & Upload Embedded
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 fetch-depth: 1
 # Note - Cannot use the setup action here as it uses a different yarn install arg
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.nvmrc'
 cache: 'yarn'
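Review bot: The `Build & Upload Hosted` job now pins `actions/checkout` at f43a0e5… with `# v3`, while every other checkout in this patch is pinned to the v4 commit 34e1148…; pinning to a SHA freezes the superseded major in place for good, and if I recall correctly the v3 line still runs on the Node 16 runtime that GitHub has been retiring. Unless something in this job genuinely depends on v3, align it with the rest of the repository: `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`, keeping the `fetch-depth: 1` input as is. The same v3 pin recurs in the Embedded job later in this line and in the Plugin job in the next hunk.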
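Review bot: In the `Apply gcs auth` and `Upload build` steps the version comment landed inside the single-quoted value, `'google-github-actions/auth@c200f369… # v2'`, so ` # v2` is part of the action reference string rather than a YAML comment; the runner will most likely fail to resolve that ref, and any tooling that reads the comment to track releases will not see it. Drop the quotes so the comment is a real comment: `uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2` and `uses: google-github-actions/upload-cloud-storage@c0f6160ff80057923ff50e5e567695cea181ec23 # v2`. The same quoting appears in the Embedded and Plugin jobs in the following hunks of this file and should be fixed in all of them together.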
@@ -89,19 +89,19 @@ jobs:
 DISABLED_EMBED_PKG: https://releases.rancher.com/harvester-ui/plugin/harvester-1.0.3.tar.gz
 - name: Get gcs auth
- uses: rancher-eio/read-vault-secrets@main
+ uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
 with:
 secrets: |
 secret/data/github/repo/${{ github.repository }}/google-auth/harvester/credentials token | GOOGLE_AUTH ;
 - name: Apply gcs auth
 # https://github.com/google-github-actions/auth
- uses: 'google-github-actions/auth@v2'
+ uses: 'google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2'
 with:
 credentials_json: "${{ env.GOOGLE_AUTH }}"
 - name: Upload tar
- uses: 'google-github-actions/upload-cloud-storage@v2'
+ uses: 'google-github-actions/upload-cloud-storage@c0f6160ff80057923ff50e5e567695cea181ec23 # v2'
 with:
 path: ${{steps.build-embedded.outputs.BUILD_EMBEDED_TGZ}}
 destination: releases.rancher.com/harvester-ui/dashboard
@@ -114,12 +114,12 @@ jobs:
 name: Build & Upload Plugin
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 fetch-depth: 1
 # Note - Cannot use the setup action here as it uses a different yarn install arg
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.nvmrc'
 cache: 'yarn'
@@ -133,19 +133,19 @@ jobs:
 run: ./scripts/build-upload-gate
 - name: Get gcs auth
- uses: rancher-eio/read-vault-secrets@main
+ uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
 with:
 secrets: |
 secret/data/github/repo/${{ github.repository }}/google-auth/harvester/credentials token | GOOGLE_AUTH ;
 - name: Apply gcs auth
 # https://github.com/google-github-actions/auth
- uses: 'google-github-actions/auth@v2'
+ uses: 'google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2'
 with:
 credentials_json: "${{ env.GOOGLE_AUTH }}"
 - name: Upload plugin tar
- uses: 'google-github-actions/upload-cloud-storage@v2'
+ uses: 'google-github-actions/upload-cloud-storage@c0f6160ff80057923ff50e5e567695cea181ec23 # v2'
 with:
 path: dist-pkg/${{steps.ci-build-pkg.outputs.PKG_TARBALL}}
 destination: releases.rancher.com/harvester-ui/plugin
@@ -155,7 +155,7 @@ jobs:
 process_gcloudignore: false
 - name: Upload plugin directory
- uses: 'google-github-actions/upload-cloud-storage@v2'
+ uses: 'google-github-actions/upload-cloud-storage@c0f6160ff80057923ff50e5e567695cea181ec23 # v2'
 with:
 path: dist-pkg/${{steps.ci-build-pkg.outputs.PKG_NAME}}
 destination: releases.rancher.com/harvester-ui/plugin/${{steps.ci-build-pkg.outputs.PKG_NAME}}
diff --git a/.github/workflows/build-extension-catalog.yml b/.github/workflows/build-extension-catalog.yml
index 3e2f2cfc..0b93dd1b 100644
--- a/.github/workflows/build-extension-catalog.yml
+++ b/.github/workflows/build-extension-catalog.yml
@@ -27,14 +27,14 @@ jobs:
 build-status: ${{ job.status }}
 steps:
 - name: Read Secrets
- uses: rancher-eio/read-vault-secrets@main
+ uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
 with:
 secrets: |
 secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
 secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
 - name: Checkout repository (normal flow)
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Enable Corepack
 run: corepack enable
@@ -45,18 +45,18 @@ jobs:
 git config user.email 'github-actions[bot]@users.noreply.github.com'
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: ${{ env.DOCKER_USERNAME }}
 password: ${{ env.DOCKER_PASSWORD }}
 - name: Setup Helm
- uses: azure/setup-helm@v3
+ uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
 with:
 version: v3.8.0
 - name: Setup Nodejs with yarn caching
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20'
 cache: yarn
@@ -67,4 +67,4 @@ jobs:
 - name: Build and push UI image
 run: |
 publish="yarn publish-pkgs -cp -r ${{ inputs.registry_target }} -o ${{ inputs.registry_user }}"
- $publish
\ No newline at end of file
+ $publish
diff --git a/.github/workflows/build-extension-on-merge.yml b/.github/workflows/build-extension-on-merge.yml
index fbd55dd5..d7622f9d 100644
--- a/.github/workflows/build-extension-on-merge.yml
+++ b/.github/workflows/build-extension-on-merge.yml
@@ -13,7 +13,7 @@ jobs:
 target_branch: ${{ steps.get-version.outputs.target_branch }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Determine target branch
 id: get-version
@@ -44,7 +44,7 @@ jobs:
 version: ${{ steps.get_version.outputs.version }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Extract version from package.json
 id: get_version
@@ -62,7 +62,7 @@ jobs:
 contents: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup environment
 run: |
@@ -70,7 +70,7 @@ jobs:
 yarn install --frozen-lockfile
 - name: Setup Helm
- uses: azure/setup-helm@v3
+ uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
 with:
 version: v3.8.0
@@ -79,7 +79,7 @@ jobs:
 yarn publish-pkgs -s ${{ github.repository }} -b ${{ needs.setup-target-branch.outputs.target_branch }} -t harvester-${{ needs.extract-version.outputs.version }}
 - name: Upload charts artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: charts
 path: tmp
@@ -94,7 +94,7 @@ jobs:
 contents: write
 steps:
 - name: Checkout release branch
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: '${{ github.ref_name }}'
@@ -105,7 +105,7 @@ jobs:
 echo "LAST_COMMIT=${LAST_COMMIT}" >> $GITHUB_ENV
 - name: Checkout target branch
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: '${{ needs.setup-target-branch.outputs.target_branch }}'
@@ -121,7 +121,7 @@ jobs:
 git config user.email 'github-actions[bot]@users.noreply.github.com'
 - name: Download build artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: charts
@@ -132,7 +132,7 @@ jobs:
 git push origin ${{ needs.setup-target-branch.outputs.target_branch }}
 - name: Run Helm chart releaser
- uses: helm/chart-releaser-action@v1.7.0
+ uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
 with:
 charts_dir: ./charts
 env:
diff --git a/.github/workflows/build-extension-on-release.yml b/.github/workflows/build-extension-on-release.yml
index 92dd6fea..d76501ea 100644
--- a/.github/workflows/build-extension-on-release.yml
+++ b/.github/workflows/build-extension-on-release.yml
@@ -17,7 +17,7 @@ jobs:
 release_tag: ${{ steps.determine_tag.outputs.release_tag }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Determine release tag
 id: determine_tag
@@ -33,7 +33,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Check package version
 env:
 TAG_VERSION: ${{ github.event.release.tag_name }}
@@ -43,7 +43,7 @@ jobs:
 needs:
 - setup-release-tag
 - check-version
- uses: rancher/dashboard/.github/workflows/build-extension-charts.yml@master
+ uses: rancher/dashboard/.github/workflows/build-extension-charts.yml@9eb70a732e9be146722e1dbab431338366c2afc6 # creators-pkg-v3.0.10
 permissions:
 actions: write
 contents: write
diff --git a/.github/workflows/build-standalone-on-release.yaml b/.github/workflows/build-standalone-on-release.yaml
index e1553eec..2b589720 100644
--- a/.github/workflows/build-standalone-on-release.yaml
+++ b/.github/workflows/build-standalone-on-release.yaml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Check package version
 env:
 TAG_VERSION: ${{github.ref_name}}
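Review bot: Pinning the reusable workflow `rancher/dashboard/.github/workflows/build-extension-charts.yml` to 9eb70a7… fixes that workflow file but not what it calls: every `uses:` inside it resolves at whatever refs that commit of the file specifies, so if it still references `@master` or floating tags the exposure this patch is closing remains one hop away, and the job hands it `actions: write` and `contents: write`. I cannot see that file here, so worth checking it at the pinned commit and, if it floats, recording the gap above the `uses:` line, e.g. `# NOTE: actions used inside this reusable workflow are pinned by rancher/dashboard at this commit, not here`. Since `# creators-pkg-v3.0.10` names an upstream tag, confirm the SHA really is that tag's commit so an updater can track it.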
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index ef264152..ca6a9f9f 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -20,13 +20,13 @@ jobs:
 # The FOSSA token is shared between all repos in Harvester's GH org. It can
 # be used directly and there is no need to request specific access to EIO.
 - name: Read FOSSA token
- uses: rancher-eio/read-vault-secrets@main
+ uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
 with:
 secrets: |
 secret/data/github/org/harvester/fossa/credentials token | FOSSA_API_KEY_PUSH_ONLY
 - name: FOSSA scan
- uses: fossas/fossa-action@main
+ uses: fossas/fossa-action@c414b9ad82eaad041e47a7cf62a4f02411f427a0 # v1.8.0
 with:
 api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }}
 # Only runs the scan and do not provide/returns any results back to the
diff --git a/.github/workflows/release-label.yaml b/.github/workflows/release-label.yaml
index 9ccd3124..5c600b48 100644
--- a/.github/workflows/release-label.yaml
+++ b/.github/workflows/release-label.yaml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.base_ref }}
 - name: Setup Nodejs and yarn install
diff --git a/.github/workflows/run-lint.yaml b/.github/workflows/run-lint.yaml
index a2cc22f4..e9fd1480 100644
--- a/.github/workflows/run-lint.yaml
+++ b/.github/workflows/run-lint.yaml
@@ -16,7 +16,7 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0 # Need full history for commit-lint