From b17c0f7ff9fea7bfc465e6e0ffa959ffa2662c89 Mon Sep 17 00:00:00 2001 From: Tim Gross Date: Fri, 28 Jul 2023 11:49:57 -0400 Subject: [PATCH] GHA pinning updates (#18093) Trusted Supply Chain Component Registry (TSCCR) enforcement starts Monday and an internal report shows our semgrep action is pinned to a version that's not currently permitted. Update all the action versions to whatever's the new hotness to maximum the time-to-live on these until we have automated pinning setup. Also version bumps our chromedriver action, which randomly broke upstream today. --- .github/actions/setup-js/action.yml | 2 +- .github/workflows/actionlint.yml | 2 +- .github/workflows/backport.yml | 4 ++-- .github/workflows/build.yml | 28 +++++++++++++------------- .github/workflows/checks.yaml | 2 +- .github/workflows/copywrite.yml | 2 +- .github/workflows/ember-test-audit.yml | 13 ++++++------ .github/workflows/lock.yml | 2 +- .github/workflows/release.yml | 6 +++--- .github/workflows/semgrep.yml | 4 ++-- .github/workflows/test-core.yaml | 8 ++++---- .github/workflows/test-e2e.yml | 2 +- .github/workflows/test-ui.yml | 6 +++--- .github/workflows/test-windows.yml | 4 ++-- 14 files changed, 42 insertions(+), 43 deletions(-) diff --git a/.github/actions/setup-js/action.yml b/.github/actions/setup-js/action.yml index 977a52c0c05d..77587c48bd11 100644 --- a/.github/actions/setup-js/action.yml +++ b/.github/actions/setup-js/action.yml @@ -26,7 +26,7 @@ runs: # enforce node version (self-hosted default is not necessarily what we want) # after yarn, so we can use yarn for cache. - name: Setup node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: ${{ inputs.node-version }} cache: yarn diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index 27761c14aa38..5feae0eb2688 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -10,6 +10,6 @@ jobs: actionlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: "Check workflow files" uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint:latest diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 1cee01046c2e..b62f0dc6010f 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -38,13 +38,13 @@ jobs: if: always() && needs.backport.result == 'failure' runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }} steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: ./.github/actions/vault-secrets with: paths: |- kv/data/teams/nomad/slack-webhooks feed-nomad | SLACK_FEED_NOMAD ; - name: Send slack notification on failure - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload: | { diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fa8ac6d39cb7..31e845988977 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -28,7 +28,7 @@ jobs: outputs: go-version: ${{ steps.get-go-version.outputs.go-version }} steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: ${{ github.event.inputs.build-ref }} - name: Determine Go version @@ -43,7 +43,7 @@ jobs: outputs: product-version: ${{ steps.get-product-version.outputs.product-version }} steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: ${{ github.event.inputs.build-ref }} - name: get product version @@ -58,7 +58,7 @@ jobs: filepath: ${{ steps.generate-metadata-file.outputs.filepath }} steps: - name: "Checkout directory" - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: ${{ github.event.inputs.build-ref }} - name: Generate metadata file @@ -86,11 +86,11 @@ jobs: name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: ${{ github.event.inputs.build-ref }} - name: Setup go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: ${{ needs.get-go-version.outputs.go-version }} @@ -98,7 +98,7 @@ jobs: run: make deps - name: Setup node and yarn - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: "18" cache-dependency-path: "ui/yarn.lock" @@ -138,11 +138,11 @@ jobs: name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: ${{ github.event.inputs.build-ref }} - name: Setup go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: ${{ needs.get-go-version.outputs.go-version }} @@ -150,7 +150,7 @@ jobs: run: make deps - name: Setup node and yarn - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: "18" cache-dependency-path: "ui/yarn.lock" @@ -243,7 +243,7 @@ jobs: name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: ${{ github.event.inputs.build-ref }} @@ -256,7 +256,7 @@ jobs: run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com' - name: Setup go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: ${{ needs.get-go-version.outputs.go-version }} @@ -264,7 +264,7 @@ jobs: run: make deps - name: Setup node and yarn - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: "18" cache-dependency-path: "ui/yarn.lock" @@ -305,7 +305,7 @@ jobs: version: ${{needs.get-product-version.outputs.product-version}} revision: ${{github.sha}} steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Set revision if: "${{ github.event.inputs.build-ref != '' }}" run: | @@ -347,7 +347,7 @@ jobs: goos: [linux] goarch: [amd64] steps: - - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: ${{needs.get-go-version.outputs.go-version}} - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index cb748a8bb64b..ccec899e91b7 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -24,7 +24,7 @@ jobs: runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux", "disk_gb=255"]') || 'ubuntu-22.04' }} timeout-minutes: 15 steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: fetch-depth: 0 # needs tags for checkproto - uses: ./.github/actions/vault-secrets diff --git a/.github/workflows/copywrite.yml b/.github/workflows/copywrite.yml index ea9db65eeb7a..6a225c92f767 100644 --- a/.github/workflows/copywrite.yml +++ b/.github/workflows/copywrite.yml @@ -7,7 +7,7 @@ jobs: copywrite: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: hashicorp/setup-copywrite@867a1a2a064a0626db322392806428f7dc59cb3e # v1.1.2 name: Setup Copywrite with: diff --git a/.github/workflows/ember-test-audit.yml b/.github/workflows/ember-test-audit.yml index d478b264f6eb..67aa066a6685 100644 --- a/.github/workflows/ember-test-audit.yml +++ b/.github/workflows/ember-test-audit.yml @@ -15,12 +15,12 @@ jobs: time-base: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: ${{ github.event.pull_request.base.sha }} - - uses: nanasess/setup-chromedriver@95301782a076fbe8c9ecf54395a4689f7b195285 # v2.0.0 + - uses: nanasess/setup-chromedriver@6fb8f5ffa6b7dc11e631ff695fbd2fec0b04bb52 # v2.1.1 - name: Use Node.js - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: '18' - run: yarn --frozen-lockfile @@ -34,10 +34,10 @@ jobs: time-pr: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - uses: nanasess/setup-chromedriver@95301782a076fbe8c9ecf54395a4689f7b195285 # v2.0.0 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: nanasess/setup-chromedriver@6fb8f5ffa6b7dc11e631ff695fbd2fec0b04bb52 # v2.1.1 - name: Use Node.js - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: '18' - run: yarn --frozen-lockfile @@ -85,4 +85,3 @@ jobs: permissions: contents: read pull-requests: write - diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 54734525a77a..4fff6ae12306 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -8,7 +8,7 @@ jobs: lock: runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@c1b35aecc5cdb1a34539d14196df55838bb2f836 # v4.0.0 + - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4.0.1 with: github-token: ${{ github.token }} issue-lock-comment: > diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 976d73e8d141..1f84d67c0bd7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -52,7 +52,7 @@ jobs: echo "::error::Version ${{ github.event.inputs.version }} is invalid" exit 1 fi - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: ./.github/actions/vault-secrets with: paths: |- @@ -74,12 +74,12 @@ jobs: echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT" - name: Setup go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: ${{ steps.get-go-version.outputs.go-version }} - name: Setup node and yarn - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: "18" cache-dependency-path: "ui/yarn.lock" diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 70c2e76018e5..75428576ea8c 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -14,8 +14,8 @@ jobs: # Skip any PR created by dependabot to avoid permission issues if: (github.actor != 'dependabot[bot]') steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - uses: returntocorp/semgrep-action@8689a93eca50c91f8e8cfa61e3c4fb7e96d12bf2 # v1 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: returntocorp/semgrep-action@245bf11ddb2f3d4e35f116608cf6e27ae0f9aa04 # v1 permissions: contents: read diff --git a/.github/workflows/test-core.yaml b/.github/workflows/test-core.yaml index 381a387fa0b5..14d31830b562 100644 --- a/.github/workflows/test-core.yaml +++ b/.github/workflows/test-core.yaml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-22.04' }} timeout-minutes: 10 steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: ./.github/actions/vault-secrets with: paths: |- @@ -77,7 +77,7 @@ jobs: runs-on: ${{matrix.os}} timeout-minutes: 20 steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: hashicorp/setup-golang@v1 - name: Run make dev run: | @@ -88,7 +88,7 @@ jobs: runs-on: [custom, xl, 22.04] timeout-minutes: 8 steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: hashicorp/setup-golang@v1 - name: Run API tests env: @@ -112,7 +112,7 @@ jobs: - drivers - quick steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: hashicorp/setup-golang@v1 - name: Run Matrix Tests env: diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index 94728854ea3d..d401a503300e 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -38,7 +38,7 @@ jobs: test-e2e: runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }} steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: ./.github/actions/vault-secrets with: paths: |- diff --git a/.github/workflows/test-ui.yml b/.github/workflows/test-ui.yml index e4578ed49a4b..241334be3c5d 100644 --- a/.github/workflows/test-ui.yml +++ b/.github/workflows/test-ui.yml @@ -45,7 +45,7 @@ jobs: outputs: nonce: ${{ steps.nonce.outputs.nonce }} steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: ./.github/actions/setup-js - name: lint:js run: yarn run lint:js @@ -69,7 +69,7 @@ jobs: partition: [1, 2, 3, 4] split: [4] steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: ./.github/actions/setup-js - uses: browser-actions/setup-chrome@c485fa3bab6be59dce18dbc18ef6ab7cbc8ff5f1 # v1.2.0 - uses: ./.github/actions/vault-secrets @@ -92,7 +92,7 @@ jobs: run: working-directory: ui steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: ./.github/actions/setup-js - uses: ./.github/actions/vault-secrets with: diff --git a/.github/workflows/test-windows.yml b/.github/workflows/test-windows.yml index 3316b5d1dca5..b9bd35c84faa 100644 --- a/.github/workflows/test-windows.yml +++ b/.github/workflows/test-windows.yml @@ -50,9 +50,9 @@ jobs: - name: Docker Info run: docker version - run: git config --global core.autocrlf false - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version-file: ".go-version" - name: Show installed Go version