@@ -43,12 +43,12 @@ jobs:
4343 tailnet-integration : ${{ steps.filter.outputs.tailnet-integration }}
4444 steps :
4545 - name : Checkout
46- uses : actions/checkout@v4
46+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
4747 with :
4848 fetch-depth : 1
4949 # For pull requests it's not necessary to checkout the code
5050 - name : check changed files
51- uses : dorny/paths-filter@v3
51+ uses : dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
5252 id : filter
5353 with :
5454 filters : |
@@ -125,7 +125,7 @@ jobs:
125125 # runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
126126 # steps:
127127 # - name: Checkout
128- # uses: actions/checkout@v4
128+ # uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
129129 # with:
130130 # fetch-depth: 1
131131 # # See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
@@ -138,7 +138,7 @@ jobs:
138138 # run: ./scripts/update-flake.sh
139139
140140 # # auto update flake for dependabot
141- # - uses: stefanzweifel/git-auto-commit-action@v5
141+ # - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
142142 # if: github.actor == 'dependabot[bot]'
143143 # with:
144144 # # Allows dependabot to still rebase!
@@ -158,7 +158,7 @@ jobs:
158158 runs-on : ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
159159 steps :
160160 - name : Checkout
161- uses : actions/checkout@v4
161+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
162162 with :
163163 fetch-depth : 1
164164
@@ -176,7 +176,7 @@ jobs:
176176 echo "LINT_CACHE_DIR=$dir" >> $GITHUB_ENV
177177
178178name : golangci-lint cache
179- uses : actions/cache@v4
179+ uses : actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
180180 with :
181181 path : |
182182 ${{ env.LINT_CACHE_DIR }}
@@ -186,7 +186,7 @@ jobs:
186186
187187# Check for any typos
188188 - name : Check for typos
189- uses : crate-ci/typos@v1.24.6
189+ uses : crate-ci/typos@6802cc60d4e7f78b9d5454f6cf3935c042d5e1e3 # v1.26.0
190190 with :
191191 config : .github/workflows/typos.toml
192192
@@ -199,7 +199,7 @@ jobs:
199199
200200# Needed for helm chart linting
201201 - name : Install helm
202- uses : azure/setup-helm@v4
202+ uses : azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
203203 with :
204204 version : v3.9.2
205205
@@ -220,7 +220,7 @@ jobs:
220220 if : needs.changes.outputs.docs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
221221 steps :
222222 - name : Checkout
223- uses : actions/checkout@v4
223+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
224224 with :
225225 fetch-depth : 1
226226
@@ -269,7 +269,7 @@ jobs:
269269 timeout-minutes : 7
270270 steps :
271271 - name : Checkout
272- uses : actions/checkout@v4
272+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
273273 with :
274274 fetch-depth : 1
275275
@@ -305,7 +305,7 @@ jobs:
305305 - windows-2022
306306 steps :
307307 - name : Checkout
308- uses : actions/checkout@v4
308+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
309309 with :
310310 fetch-depth : 1
311311
@@ -359,7 +359,7 @@ jobs:
359359 timeout-minutes : 25
360360 steps :
361361 - name : Checkout
362- uses : actions/checkout@v4
362+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
363363 with :
364364 fetch-depth : 1
365365
@@ -399,7 +399,7 @@ jobs:
399399 timeout-minutes : 25
400400 steps :
401401 - name : Checkout
402- uses : actions/checkout@v4
402+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
403403 with :
404404 fetch-depth : 1
405405
@@ -431,7 +431,7 @@ jobs:
431431 timeout-minutes : 25
432432 steps :
433433 - name : Checkout
434- uses : actions/checkout@v4
434+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
435435 with :
436436 fetch-depth : 1
437437
@@ -467,7 +467,7 @@ jobs:
467467 timeout-minutes : 20
468468 steps :
469469 - name : Checkout
470- uses : actions/checkout@v4
470+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
471471 with :
472472 fetch-depth : 1
473473
@@ -488,7 +488,7 @@ jobs:
488488 timeout-minutes : 20
489489 steps :
490490 - name : Checkout
491- uses : actions/checkout@v4
491+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
492492 with :
493493 fetch-depth : 1
494494
@@ -499,7 +499,8 @@ jobs:
499499 working-directory : site
500500
501501 test-e2e :
502- runs-on : ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
502+ runs-on : ${{ github.repository_owner == 'coder' && (matrix.variant.enterprise && 'depot-ubuntu-22.04' || 'depot-ubuntu-22.04-4') || 'ubuntu-latest' }}
503+ # test-e2e fails on 2-core 8GB runners, so we use the 4-core 16GB runner
503504 needs : changes
504505 if : needs.changes.outputs.go == 'true' || needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
505506 timeout-minutes : 20
@@ -514,7 +515,7 @@ jobs:
514515 name : ${{ matrix.variant.name }}
515516 steps :
516517 - name : Checkout
517- uses : actions/checkout@v4
518+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
518519 with :
519520 fetch-depth : 1
520521
@@ -555,15 +556,15 @@ jobs:
555556
556557 - name : Upload Playwright Failed Tests
557558 if : always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
558- uses : actions/upload-artifact@v4
559+ uses : actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
559560 with :
560561 name : failed-test-videos${{ matrix.variant.premium && '-premium' || '-agpl' }}
561562 path : ./site/test-results/**/*.webm
562563 retention-days : 7
563564
564565 - name : Upload pprof dumps
565566 if : always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
566- uses : actions/upload-artifact@v4
567+ uses : actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
567568 with :
568569 name : debug-pprof-dumps${{ matrix.variant.premium && '-premium' || '-agpl' }}
569570 path : ./site/test-results/**/debug-pprof-*.txt
@@ -576,7 +577,7 @@ jobs:
576577 if : needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true'
577578 steps :
578579 - name : Checkout
579- uses : actions/checkout@v4
580+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
580581 with :
581582 # Required by Chromatic for build-over-build history, otherwise we
582583 # only get 1 commit on shallow checkout.
@@ -590,7 +591,7 @@ jobs:
590591 # the check to pass. This is desired in PRs, but not in mainline.
591592 - name : Publish to Chromatic (non-mainline)
592593 if : github.ref != 'refs/heads/main' && github.repository_owner == 'coder'
593- uses : chromaui/action@v10
594+ uses : chromaui/action@30b6228aa809059d46219e0f556752e8672a7e26 # v11.11.0
594595 env :
595596 NODE_OPTIONS : " --max_old_space_size=4096"
596597 STORYBOOK : true
@@ -621,7 +622,7 @@ jobs:
621622 # infinitely "in progress" in mainline unless we re-review each build.
622623 - name : Publish to Chromatic (mainline)
623624 if : github.ref == 'refs/heads/main' && github.repository_owner == 'coder'
624- uses : chromaui/action@v10
625+ uses : chromaui/action@30b6228aa809059d46219e0f556752e8672a7e26 # v11.11.0
625626 env :
626627 NODE_OPTIONS : " --max_old_space_size=4096"
627628 STORYBOOK : true
@@ -648,7 +649,7 @@ jobs:
648649
649650 steps :
650651 - name : Checkout
651- uses : actions/checkout@v4
652+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
652653 with :
653654 # 0 is required here for version.sh to work.
654655 fetch-depth : 0
@@ -749,12 +750,12 @@ jobs:
749750 IMAGE : ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
750751 steps :
751752 - name : Checkout
752- uses : actions/checkout@v4
753+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
753754 with :
754755 fetch-depth : 0
755756
756757 - name : GHCR Login
757- uses : docker/login-action@v3
758+ uses : docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
758759 with :
759760 registry : ghcr.io
760761 username : ${{ github.actor }}
@@ -829,7 +830,7 @@ jobs:
829830
830831name : Prune old images
831832 if : github.ref == 'refs/heads/main'
832- uses : vlaurin/action-ghcr-prune@v0.6.0
833+ uses : vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 # v0.6.0
833834 with :
834835 token : ${{ secrets.GITHUB_TOKEN }}
835836 organization : coder
@@ -844,7 +845,7 @@ jobs:
844845
845846 - name : Upload build artifacts
846847 if : github.ref == 'refs/heads/main'
847- uses : actions/upload-artifact@v4
848+ uses : actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
848849 with :
849850 name : coder
850851 path : |
@@ -868,27 +869,27 @@ jobs:
868869 id-token : write
869870 steps :
870871 - name : Checkout
871- uses : actions/checkout@v4
872+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
872873 with :
873874 fetch-depth : 0
874875
875876 - name : Authenticate to Google Cloud
876- uses : google-github-actions/auth@v2
877+ uses : google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
877878 with :
878879 workload_identity_provider : projects/573722524737/locations/global/workloadIdentityPools/github/providers/github
879880 service_account : coder-ci@coder-dogfood.iam.gserviceaccount.com
880881
881882 - name : Set up Google Cloud SDK
882- uses : google-github-actions/setup-gcloud@v2
883+ uses : google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
883884
884885 - name : Set up Flux CLI
885- uses : fluxcd/flux2/action@main
886+ uses : fluxcd/flux2/action@9b3958825a314eb79495c6993ef397ddbf87f32f # v2.2.1
886887 with :
887- # Keep this up to date with the version of flux installed in dogfood cluster
888+ # Keep this and the github action up to date with the version of flux installed in dogfood cluster
888889 version : " 2.2.1"
889890
890891 - name : Get Cluster Credentials
891- uses : " google-github-actions/get-gke-credentials@v2 "
892+ uses : google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116 # v2.2.1
892893 with :
893894 cluster_name : dogfood-v2
894895 location : us-central1-a
@@ -925,12 +926,12 @@ jobs:
925926 if : github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
926927 steps :
927928 - name : Checkout
928- uses : actions/checkout@v4
929+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
929930 with :
930931 fetch-depth : 0
931932
932933 - name : Setup flyctl
933- uses : superfly/flyctl-actions/setup-flyctl@master
934+ uses : superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # v1.5
934935
935936 - name : Deploy workspace proxies
936937 run : |
@@ -955,7 +956,7 @@ jobs:
955956 if : needs.changes.outputs.db == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
956957 steps :
957958 - name : Checkout
958- uses : actions/checkout@v4
959+ uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
959960 with :
960961 fetch-depth : 1
961962 # We need golang to run the migration main.go
0 commit comments