From 42554e9544b7c06d456efad1d28710a76eb27661 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Tue, 8 Oct 2024 10:39:28 +0000 Subject: [PATCH 1/2] Update actions in GitHub workflows to specific commits Use specific commit SHAs for GitHub actions across various workflows to enhance reliability and reproducibility. This change ensures that actions run against a known version, reducing the risk of unexpected issues due to updates in the third-party action repositories. --- .github/actions/setup-go/action.yaml | 2 +- .github/actions/setup-node/action.yaml | 4 +- .github/actions/setup-sqlc/action.yaml | 2 +- .github/actions/setup-tf/action.yaml | 2 +- .github/actions/upload-datadog/action.yaml | 3 +- .github/workflows/ci.yaml | 72 +++++++++++----------- .github/workflows/contrib.yaml | 6 +- .github/workflows/docker-base.yaml | 8 +-- .github/workflows/dogfood.yaml | 18 +++--- .github/workflows/nightly-gauntlet.yaml | 4 +- .github/workflows/pr-auto-assign.yaml | 2 +- .github/workflows/pr-cleanup.yaml | 2 +- .github/workflows/pr-deploy.yaml | 20 +++--- .github/workflows/release-validation.yaml | 2 +- .github/workflows/release.yaml | 26 ++++---- .github/workflows/scorecard.yml | 4 +- .github/workflows/security.yaml | 12 ++-- .github/workflows/stale.yaml | 14 ++--- .github/workflows/weekly-docs.yaml | 4 +- 19 files changed, 104 insertions(+), 103 deletions(-) diff --git a/.github/actions/setup-go/action.yaml b/.github/actions/setup-go/action.yaml index e7a50897103ae..387f2feed171f 100644 --- a/.github/actions/setup-go/action.yaml +++ b/.github/actions/setup-go/action.yaml @@ -9,7 +9,7 @@ runs: using: "composite" steps: - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{ inputs.version }} diff --git a/.github/actions/setup-node/action.yaml b/.github/actions/setup-node/action.yaml index 5caf6eb736ddc..cdf4b383093d1 100644 --- a/.github/actions/setup-node/action.yaml 
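Review bot: A SHA pin is only as durable as the process that refreshes it; the trailing `# v5.0.2` comment on the setup-go pin is the conventional hook that update tooling (Dependabot's `github-actions` ecosystem, Renovate) uses to bump SHA and comment together, and the repository's update configuration is not visible in this diff, so it should be confirmed to cover the composite actions under `.github/actions/` as well as `.github/workflows/`. Without that, a pin freezes a version that never receives security fixes, which undercuts the reliability the commit message claims. Every hunk in this patch follows the same `@<sha> # v<tag>` shape, which is what such tooling expects; the one exception is the setup-gcloud pin in release.yaml at @@ -358, whose comment drops the `v`.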
+++ b/.github/actions/setup-node/action.yaml @@ -11,11 +11,11 @@ runs: using: "composite" steps: - name: Install pnpm - uses: pnpm/action-setup@v3 + uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0 with: version: 9.6 - name: Setup Node - uses: actions/setup-node@v4.0.3 + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version: 20.16.0 # See https://github.com/actions/setup-node#caching-global-packages-data diff --git a/.github/actions/setup-sqlc/action.yaml b/.github/actions/setup-sqlc/action.yaml index 544d2d4ce923c..d271789551f92 100644 --- a/.github/actions/setup-sqlc/action.yaml +++ b/.github/actions/setup-sqlc/action.yaml @@ -5,6 +5,6 @@ runs: using: "composite" steps: - name: Setup sqlc - uses: sqlc-dev/setup-sqlc@v4 + uses: sqlc-dev/setup-sqlc@c0209b9199cd1cce6a14fc27cabcec491b651761 # v4.0.0 with: sqlc-version: "1.25.0" diff --git a/.github/actions/setup-tf/action.yaml b/.github/actions/setup-tf/action.yaml index b63aac1aa7e55..12ee87f5a5c9f 100644 --- a/.github/actions/setup-tf/action.yaml +++ b/.github/actions/setup-tf/action.yaml @@ -5,7 +5,7 @@ runs: using: "composite" steps: - name: Install Terraform - uses: hashicorp/setup-terraform@v3 + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 with: terraform_version: 1.9.2 terraform_wrapper: false diff --git a/.github/actions/upload-datadog/action.yaml b/.github/actions/upload-datadog/action.yaml index 8201b1a76d08a..11eecac636636 100644 --- a/.github/actions/upload-datadog/action.yaml +++ b/.github/actions/upload-datadog/action.yaml @@ -1,5 +1,6 @@ name: Upload tests to datadog -if: always() +description: | + Uploads the test results to datadog. inputs: api-key: description: "Datadog API key" diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 5acfe45764c7d..b33a970076548 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
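Review bot: `pnpm/action-setup` moves from `v3` to a commit tagged `v4.0.0` in the setup-node hunk, which is a major-version change rather than the pure pin the commit message describes, and the same happens to `chromaui/action` (v10 to v11.11.0) in the two ci.yaml hunks at @@ -590 and @@ -621. Major upgrades deserve their own commit, or at least a sentence in this one, so a regression can be bisected to the upgrade rather than to the pinning sweep. If the upgrades are intentional, a short marker such as `# v4.0.0 (major bump from v3)` on the affected lines would make that explicit to the next reader.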
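Review bot: In the upload-datadog hunk the new `description: |` block keeps a trailing newline in the value; `description: >-` or a plain single-line string gives the one-line text this metadata field holds elsewhere in the repo's actions. Dropping the top-level `if: always()` is correct, since `if` is a step-level key and has no meaning at the root of a composite action's metadata, but the commit message says nothing about this unrelated fix, so one line noting it would help anyone reading the history.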
@@ -43,12 +43,12 @@ jobs: tailnet-integration: ${{ steps.filter.outputs.tailnet-integration }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 # For pull requests it's not necessary to checkout the code - name: check changed files - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: filters: | @@ -125,7 +125,7 @@ jobs: # runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} # steps: # - name: Checkout - # uses: actions/checkout@v4 + # uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 # with: # fetch-depth: 1 # # See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs @@ -138,7 +138,7 @@ jobs: # run: ./scripts/update-flake.sh # # auto update flake for dependabot - # - uses: stefanzweifel/git-auto-commit-action@v5 + # - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1 # if: github.actor == 'dependabot[bot]' # with: # # Allows dependabot to still rebase! @@ -158,7 +158,7 @@ jobs: runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 @@ -176,7 +176,7 @@ jobs: echo "LINT_CACHE_DIR=$dir" >> $GITHUB_ENV - name: golangci-lint cache - uses: actions/cache@v4 + uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0 with: path: | ${{ env.LINT_CACHE_DIR }} @@ -186,7 +186,7 @@ jobs: # Check for any typos - name: Check for typos - uses: crate-ci/typos@v1.26.0 + uses: crate-ci/typos@6802cc60d4e7f78b9d5454f6cf3935c042d5e1e3 # v1.26.0 with: config: .github/workflows/typos.toml 
@@ -199,7 +199,7 @@ jobs: # Needed for helm chart linting - name: Install helm - uses: azure/setup-helm@v4 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: version: v3.9.2 @@ -220,7 +220,7 @@ jobs: if: needs.changes.outputs.docs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main' steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 @@ -269,7 +269,7 @@ jobs: timeout-minutes: 7 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 @@ -305,7 +305,7 @@ jobs: - windows-2022 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 @@ -359,7 +359,7 @@ jobs: timeout-minutes: 25 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 @@ -399,7 +399,7 @@ jobs: timeout-minutes: 25 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 @@ -431,7 +431,7 @@ jobs: timeout-minutes: 25 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 @@ -467,7 +467,7 @@ jobs: timeout-minutes: 20 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 @@ -488,7 +488,7 @@ jobs: timeout-minutes: 20 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 
@@ -514,7 +514,7 @@ jobs: name: ${{ matrix.variant.name }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 @@ -555,7 +555,7 @@ jobs: - name: Upload Playwright Failed Tests if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: failed-test-videos${{ matrix.variant.enterprise && '-enterprise' || '-agpl' }} path: ./site/test-results/**/*.webm @@ -563,7 +563,7 @@ jobs: - name: Upload pprof dumps if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: debug-pprof-dumps${{ matrix.variant.enterprise && '-enterprise' || '-agpl' }} path: ./site/test-results/**/debug-pprof-*.txt @@ -576,7 +576,7 @@ jobs: if: needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true' steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # Required by Chromatic for build-over-build history, otherwise we # only get 1 commit on shallow checkout. @@ -590,7 +590,7 @@ jobs: # the check to pass. This is desired in PRs, but not in mainline. - name: Publish to Chromatic (non-mainline) if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder' - uses: chromaui/action@v10 + uses: chromaui/action@30b6228aa809059d46219e0f556752e8672a7e26 # v11.11.0 env: NODE_OPTIONS: "--max_old_space_size=4096" STORYBOOK: true 
@@ -621,7 +621,7 @@ jobs: # infinitely "in progress" in mainline unless we re-review each build. - name: Publish to Chromatic (mainline) if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder' - uses: chromaui/action@v10 + uses: chromaui/action@30b6228aa809059d46219e0f556752e8672a7e26 # v11.11.0 env: NODE_OPTIONS: "--max_old_space_size=4096" STORYBOOK: true @@ -648,7 +648,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # 0 is required here for version.sh to work. fetch-depth: 0 @@ -749,12 +749,12 @@ jobs: IMAGE: ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 - name: GHCR Login - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -829,7 +829,7 @@ jobs: - name: Prune old images if: github.ref == 'refs/heads/main' - uses: vlaurin/action-ghcr-prune@v0.6.0 + uses: vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 # v0.6.0 with: token: ${{ secrets.GITHUB_TOKEN }} organization: coder @@ -844,7 +844,7 @@ jobs: - name: Upload build artifacts if: github.ref == 'refs/heads/main' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: coder path: | 
@@ -868,27 +868,27 @@ jobs: id-token: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 - name: Authenticate to Google Cloud - uses: google-github-actions/auth@v2 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com - name: Set up Google Cloud SDK - uses: google-github-actions/setup-gcloud@v2 + uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - name: Set up Flux CLI - uses: fluxcd/flux2/action@main + uses: fluxcd/flux2/action@9b3958825a314eb79495c6993ef397ddbf87f32f # v2.2.1 with: - # Keep this up to date with the version of flux installed in dogfood cluster + # Keep this and the github action up to date with the version of flux installed in dogfood cluster version: "2.2.1" - name: Get Cluster Credentials - uses: "google-github-actions/get-gke-credentials@v2" + uses: google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116 # v2.2.1 with: cluster_name: dogfood-v2 location: us-central1-a @@ -925,12 +925,12 @@ jobs: if: github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 - name: Setup flyctl - uses: superfly/flyctl-actions/setup-flyctl@master + uses: superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # v1.5 - name: Deploy workspace proxies run: | 
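Review bot: Pinning `superfly/flyctl-actions/setup-flyctl` and `google-github-actions/setup-gcloud` to a SHA fixes the wrapper, not the binary it downloads at run time, so the deploy jobs still execute whatever the latest flyctl or gcloud SDK is unless a version input is supplied (both actions accept one as far as I know, defaulting to latest). The flux step in the same hunk already does this with `version: "2.2.1"`, and the updated comment rightly ties the input and the pin together; the same treatment, e.g. `with:` plus `version: "<pinned flyctl version>"` (placeholder), would make the flyctl step equally reproducible. This applies to the setup-gcloud pins in release.yaml at @@ -185 and @@ -358 as well.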
@@ -955,7 +955,7 @@ jobs: if: needs.changes.outputs.db == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main' steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 # We need golang to run the migration main.go diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml index 8b3d189002b96..239e26c6a911b 100644 --- a/.github/workflows/contrib.yaml +++ b/.github/workflows/contrib.yaml @@ -28,7 +28,7 @@ jobs: pull-requests: write steps: - name: auto-approve dependabot - uses: hmarr/auto-approve-action@v4 + uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 if: github.actor == 'dependabot[bot]' cla: @@ -36,7 +36,7 @@ jobs: steps: - name: cla if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' - uses: contributor-assistant/github-action@v2.6.1 + uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # the below token should have repo scope and must be manually added by you in the repository's secret @@ -57,7 +57,7 @@ jobs: if: ${{ github.event_name == 'pull_request_target' && !github.event.pull_request.draft }} steps: - name: release-labels - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: # This script ensures PR title and labels are in sync: # diff --git a/.github/workflows/docker-base.yaml b/.github/workflows/docker-base.yaml index 942d80cfa4679..9b3d4da63198c 100644 --- a/.github/workflows/docker-base.yaml +++ b/.github/workflows/docker-base.yaml 
@@ -37,10 +37,10 @@ jobs: if: github.repository_owner == 'coder' steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Docker login - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -50,11 +50,11 @@ jobs: run: mkdir base-build-context - name: Install depot.dev CLI - uses: depot/setup-action@v1 + uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0 # This uses OIDC authentication, so no auth variables are required. - name: Build base Docker image via depot.dev - uses: depot/build-push-action@v1 + uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0 with: project: wl5hnrrkns context: base-build-context diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml index c9ad797c56815..3b28124984f36 100644 --- a/.github/workflows/dogfood.yaml +++ b/.github/workflows/dogfood.yaml @@ -27,11 +27,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Get branch name id: branch-name - uses: tj-actions/branch-names@v8 + uses: tj-actions/branch-names@6871f53176ad61624f978536bbf089c574dc19a2 # v8.0.1 - name: "Branch name to Docker tag name" id: docker-tag-name 
@@ -42,20 +42,20 @@ jobs: echo "tag=${tag}" >> $GITHUB_OUTPUT - name: Set up Depot CLI - uses: depot/setup-action@v1 + uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - name: Login to DockerHub if: github.ref == 'refs/heads/main' - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Build and push Non-Nix image - uses: depot/build-push-action@v1 + uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0 with: project: b4q6ltmpzh token: ${{ secrets.DEPOT_TOKEN }} @@ -67,7 +67,7 @@ jobs: tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest" - name: Build and push Nix image - uses: depot/build-push-action@v1 + uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0 with: project: b4q6ltmpzh token: ${{ secrets.DEPOT_TOKEN }} @@ -84,13 +84,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup Terraform uses: ./.github/actions/setup-tf - name: Authenticate to Google Cloud - uses: google-github-actions/auth@v2 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com diff --git a/.github/workflows/nightly-gauntlet.yaml b/.github/workflows/nightly-gauntlet.yaml index 4d04f824e9cfc..1657e05ab63f4 100644 --- a/.github/workflows/nightly-gauntlet.yaml +++ b/.github/workflows/nightly-gauntlet.yaml 
@@ -17,7 +17,7 @@ jobs: timeout-minutes: 240 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup Go uses: ./.github/actions/setup-go @@ -44,7 +44,7 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup Go uses: ./.github/actions/setup-go diff --git a/.github/workflows/pr-auto-assign.yaml b/.github/workflows/pr-auto-assign.yaml index d8210637f1061..453679eb0b466 100644 --- a/.github/workflows/pr-auto-assign.yaml +++ b/.github/workflows/pr-auto-assign.yaml @@ -14,4 +14,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Assign author - uses: toshimaru/auto-author-assign@v2.1.1 + uses: toshimaru/auto-author-assign@16f0022cf3d7970c106d8d1105f75a1165edb516 # v2.1.1 diff --git a/.github/workflows/pr-cleanup.yaml b/.github/workflows/pr-cleanup.yaml index d32ea2f5d49b7..32445c3904f4b 100644 --- a/.github/workflows/pr-cleanup.yaml +++ b/.github/workflows/pr-cleanup.yaml @@ -26,7 +26,7 @@ jobs: - name: Delete image continue-on-error: true - uses: bots-house/ghcr-delete-image-action@v1.1.0 + uses: bots-house/ghcr-delete-image-action@3827559c68cb4dcdf54d813ea9853be6d468d3a4 # v1.1.0 with: owner: coder name: coder-preview diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml index 1e7de50d2b21d..a764d4c492ca6 100644 --- a/.github/workflows/pr-deploy.yaml +++ b/.github/workflows/pr-deploy.yaml @@ -40,7 +40,7 @@ jobs: PR_OPEN: ${{ steps.check_pr.outputs.pr_open }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Check if PR is open id: check_pr @@ -70,7 +70,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 
@@ -119,7 +119,7 @@ jobs: echo "NEW=$NEW" >> $GITHUB_OUTPUT - name: Check changed files - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: base: ${{ github.ref }} @@ -163,7 +163,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: Find Comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0 id: fc with: issue-number: ${{ needs.get_info.outputs.PR_NUMBER }} @@ -173,7 +173,7 @@ jobs: - name: Comment on PR id: comment_id - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ needs.get_info.outputs.PR_NUMBER }} @@ -199,7 +199,7 @@ jobs: CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 @@ -213,7 +213,7 @@ jobs: uses: ./.github/actions/setup-sqlc - name: GHCR Login - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -294,7 +294,7 @@ jobs: kubectl create namespace "pr${{ env.PR_NUMBER }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Check and Create Certificate if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true' @@ -441,7 +441,7 @@ jobs: echo "Slack notification sent" - name: Find Comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0 id: fc with: issue-number: ${{ env.PR_NUMBER }} 
@@ -450,7 +450,7 @@ jobs: direction: last - name: Comment on PR - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 env: STATUS: ${{ needs.get_info.outputs.NEW == 'true' && 'Created' || 'Updated' }} with: diff --git a/.github/workflows/release-validation.yaml b/.github/workflows/release-validation.yaml index 9ccbb747bec46..ed5098d6d8ad9 100644 --- a/.github/workflows/release-validation.yaml +++ b/.github/workflows/release-validation.yaml @@ -11,7 +11,7 @@ jobs: steps: - name: Run Schmoder CI - uses: benc-uk/workflow-dispatch@v1.2.4 + uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc # v1.2.4 with: workflow: ci.yaml repo: coder/schmoder diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0732d0bbfa125..7f030cc3deb6a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -47,7 +47,7 @@ jobs: version: ${{ steps.version.outputs.version }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 @@ -116,7 +116,7 @@ jobs: cat "$CODER_RELEASE_NOTES_FILE" - name: Docker Login - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -130,7 +130,7 @@ jobs: # Necessary for signing Windows binaries. - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0 with: distribution: "zulu" java-version: "11.0" 
@@ -185,14 +185,14 @@ jobs: # Setup GCloud for signing Windows binaries. - name: Authenticate to Google Cloud id: gcloud_auth - uses: google-github-actions/auth@v2 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: ${{ secrets.GCP_CODE_SIGNING_WORKLOAD_ID_PROVIDER }} service_account: ${{ secrets.GCP_CODE_SIGNING_SERVICE_ACCOUNT }} token_format: "access_token" - name: Setup GCloud SDK - uses: "google-github-actions/setup-gcloud@v2" + uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - name: Build binaries run: | @@ -245,12 +245,12 @@ jobs: - name: Install depot.dev CLI if: steps.image-base-tag.outputs.tag != '' - uses: depot/setup-action@v1 + uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0 # This uses OIDC authentication, so no auth variables are required. - name: Build base Docker image via depot.dev if: steps.image-base-tag.outputs.tag != '' - uses: depot/build-push-action@v1 + uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0 with: project: wl5hnrrkns context: base-build-context @@ -358,13 +358,13 @@ jobs: CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }} - name: Authenticate to Google Cloud - uses: google-github-actions/auth@v2 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: ${{ secrets.GCP_WORKLOAD_ID_PROVIDER }} service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} - name: Setup GCloud SDK - uses: "google-github-actions/setup-gcloud@v2" + uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # 2.1.1 - name: Publish Helm Chart if: ${{ !inputs.dry_run }} 
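Review bot: The version comment on the `google-github-actions/setup-gcloud` pin in the hunk at @@ -358 reads `# 2.1.1`, while every other pin in this patch, including the same action at @@ -185 above it, uses the `# v2.1.1` form. Update tooling that keeps SHA and comment in sync matches on the comment text, so the odd one out can be left behind or misreported. Change it to `uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1`.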
@@ -383,7 +383,7 @@ jobs: - name: Upload artifacts to actions (if dry-run) if: ${{ inputs.dry_run }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: release-artifacts path: | @@ -398,7 +398,7 @@ jobs: - name: Send repository-dispatch event if: ${{ !inputs.dry_run }} - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 with: token: ${{ secrets.CDRCI_GITHUB_TOKEN }} repository: coder/packages @@ -491,7 +491,7 @@ jobs: GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 @@ -571,7 +571,7 @@ jobs: if: ${{ !inputs.dry_run }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ebfe64040a399..25f4df6da4557 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -34,7 +34,7 @@ jobs: # Upload the results as artifacts. - name: "Upload artifact" - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: SARIF file path: results.sarif @@ -42,6 +42,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10 + uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 with: sarif_file: results.sarif diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 30bcd47bf4ace..de4b53b8dab2f 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml 
@@ -26,13 +26,13 @@ jobs: runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup Go uses: ./.github/actions/setup-go - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 with: languages: go, javascript @@ -42,7 +42,7 @@ jobs: rm Makefile - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 - name: Send Slack notification on failure if: ${{ failure() }} @@ -59,7 +59,7 @@ jobs: runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 @@ -122,13 +122,13 @@ jobs: severity: "CRITICAL,HIGH" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 with: sarif_file: trivy-results.sarif category: "Trivy" - name: Upload Trivy scan results as an artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: trivy path: trivy-results.sarif diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 5a25c977517c1..df4cbd84a997e 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -13,7 +13,7 @@ jobs: actions: write steps: - name: stale - uses: actions/stale@v9.0.0 + uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: stale-issue-label: "stale" stale-pr-label: "stale" 
@@ -34,7 +34,7 @@ jobs: # Start with the oldest issues, always. ascending: true - name: "Close old issues labeled likely-no" - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -60,7 +60,7 @@ jobs: }); const labelEvent = timeline.data.find(event => event.event === 'labeled' && event.label.name === 'likely-no'); - + if (labelEvent) { console.log(`Issue #${issue.number} was labeled with 'likely-no' at ${labelEvent.created_at}`); @@ -83,9 +83,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Run delete-old-branches-action - uses: beatlabs/delete-old-branches-action@v0.0.10 + uses: beatlabs/delete-old-branches-action@6e94df089372a619c01ae2c2f666bf474f890911 # v0.0.10 with: repo_token: ${{ github.token }} date: "6 months ago" @@ -97,7 +97,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Delete PR Cleanup workflow runs - uses: Mattraks/delete-workflow-runs@v2 + uses: Mattraks/delete-workflow-runs@39f0bbed25d76b34de5594dceab824811479e5de # v2.0.6 with: token: ${{ github.token }} repository: ${{ github.repository }} @@ -106,7 +106,7 @@ jobs: delete_workflow_pattern: pr-cleanup.yaml - name: Delete PR Deploy workflow skipped runs - uses: Mattraks/delete-workflow-runs@v2 + uses: Mattraks/delete-workflow-runs@39f0bbed25d76b34de5594dceab824811479e5de # v2.0.6 with: token: ${{ github.token }} repository: ${{ github.repository }} diff --git a/.github/workflows/weekly-docs.yaml b/.github/workflows/weekly-docs.yaml index 049b31b85155e..8dbf77746c00c 100644 --- a/.github/workflows/weekly-docs.yaml +++ b/.github/workflows/weekly-docs.yaml 
@@ -15,10 +15,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@master + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Check Markdown links - uses: gaurav-nelson/github-action-markdown-link-check@v1 + uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15 id: markdown-link-check # checks all markdown files from /docs including all subfolders with: From 361e9c88b46b06686737f6396901ffd53cda888e Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Tue, 8 Oct 2024 11:25:08 +0000 Subject: [PATCH 2/2] chore: update setup-node action by removing pnpm version --- .github/actions/setup-node/action.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/setup-node/action.yaml b/.github/actions/setup-node/action.yaml index cdf4b383093d1..02ffa14312ffe 100644 --- a/.github/actions/setup-node/action.yaml +++ b/.github/actions/setup-node/action.yaml @@ -12,8 +12,7 @@ runs: steps: - name: Install pnpm uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0 - with: - version: 9.6 + - name: Setup Node uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: @@ -21,6 +20,7 @@ runs: # See https://github.com/actions/setup-node#caching-global-packages-data cache: "pnpm" cache-dependency-path: ${{ inputs.directory }}/pnpm-lock.yaml + - name: Install root node_modules shell: bash run: ./scripts/pnpm_install.sh
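Review bot: Dropping `version: 9.6` in the second patch leaves `pnpm/action-setup` with no explicit version; as far as I know v4 then resolves it from the `packageManager` field in package.json and fails when that field is absent, and package.json is not part of this diff, so confirm it declares `pnpm@<version>` (placeholder). If that is the intent, the commit message should say where the version now comes from rather than only that it was removed. As a side benefit, the old unquoted `9.6` was parsed as a YAML float, so a future `9.60` would have silently become `9.6`; moving the version into package.json removes that implicit-typing hazard.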