From ef458899568bd10b313c0a843196a63981a0d1cc Mon Sep 17 00:00:00 2001
From: Simon Lamon <32477463+silamon@users.noreply.github.com>
Date: Mon, 15 Sep 2025 11:39:47 +0200
Subject: [PATCH] Pin SHA for all Github Actions (#4305)

---
 .github/workflows/artifacts-index.yaml | 4 +--
 .github/workflows/build.yaml | 40 +++++++++++++-------------
 .github/workflows/label-actions.yml | 2 +-
 .github/workflows/lock.yml | 2 +-
 .github/workflows/pr-checks.yml | 6 ++--
 .github/workflows/release-drafter.yml | 2 +-
 .github/workflows/stale.yml | 2 +-
 .github/workflows/test.yaml | 12 ++++----
 8 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/.github/workflows/artifacts-index.yaml b/.github/workflows/artifacts-index.yaml
index c79522e96..d1de82d7a 100644
--- a/.github/workflows/artifacts-index.yaml
+++ b/.github/workflows/artifacts-index.yaml
@@ -39,12 +39,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout source
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - name: Setup Python version ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 737500585..186722f2d 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -55,7 +55,7 @@ jobs:
       self_signed_cert: ${{ steps.generate_signing_key.outputs.self_signed_cert }}
     steps:
       - name: Checkout source
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
@@ -147,7 +147,7 @@ jobs:
           fi
 
       - name: Create build matrix
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: generate_matrix
         with:
           script: |
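Review bot: The trailing `# v5.0.0` / `# v6.0.0` comments on the new `uses:` lines in this hunk (and on every other pinned line in this patch) are documentation only: the runner resolves the 40-character SHA and never checks that the comment matches the tag, so a comment can silently drift from the commit it sits next to. Pinning also means the workflows stop receiving patch releases of these actions, so the pins only stay meaningful if an updater that understands SHA pins (Dependabot for the `github-actions` ecosystem, or Renovate) is configured to refresh both the SHA and the version comment together; I cannot see such a configuration in this patch, so confirm one exists or add it alongside this change. It would also help a future maintainer to state the convention once, e.g. a comment above the first pinned step: `# Actions are pinned to a full commit SHA; the trailing comment records the release tag that SHA was taken from and must be updated together with it`.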
@@ -177,15 +177,15 @@ jobs:
           }
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.11.1
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - name: Log in to the GitHub container registry
-        uses: docker/login-action@v3.5.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and Push
-        uses: docker/build-push-action@v6.18.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         id: build_haos_builder
         with:
           context: .
@@ -207,7 +207,7 @@ jobs:
           echo "self_signed_cert=true" >> $GITHUB_OUTPUT
 
       - name: Create signing key
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: steps.generate_signing_key.outcome == 'success'
         with:
           name: signing-key
@@ -227,14 +227,14 @@ jobs:
 
     steps:
       - name: Checkout source
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           submodules: true
           persist-credentials: false
 
       - name: Setup Python version ${{ env.PYTHON_VERSION }}
         if: ${{ github.event_name != 'release' }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -260,7 +260,7 @@ jobs:
 
       - name: Get self-signed certificate from the prepare job
         if: ${{ needs.prepare.outputs.self_signed_cert == 'true' }}
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: signing-key
 
@@ -281,7 +281,7 @@ jobs:
           df -h
 
       - name: "Restore cache: object files"
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: /mnt/cache/cc
           key: haos-cc-${{ matrix.board.id }}
@@ -329,7 +329,7 @@ jobs:
 
       - name: Upload release assets
         if: ${{ github.event_name == 'release' }}
-        uses: shogo82148/actions-upload-release-asset@v1
+        uses: shogo82148/actions-upload-release-asset@59cbc563d11314e48122193f8fe5cdda62ea6cf9 # v1.9.1
         with:
           upload_url: ${{ github.event.release.upload_url }}
           asset_path: output/images/haos_*
@@ -344,7 +344,7 @@ jobs:
 
       - name: "Save cache: object files"
         if: github.ref == 'refs/heads/dev'
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: /mnt/cache/cc
           key: haos-cc-${{ matrix.board.id }}-${{ github.run_id }}
@@ -378,7 +378,7 @@ jobs:
           done
 
       - name: Upload OS image artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ github.event_name != 'release' && needs.prepare.outputs.publish_build != 'true' && matrix.board.id != 'ova' }}
         with:
           name: haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.img.xz
@@ -386,7 +386,7 @@ jobs:
             output/images/haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.img.xz
 
       - name: Upload RAUC bundle artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ github.event_name != 'release' && needs.prepare.outputs.publish_build != 'true' }}
         with:
           name: haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.raucb
@@ -394,7 +394,7 @@ jobs:
             output/images/haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.raucb
 
       - name: Upload Open Virtualization Format (OVA) artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ github.event_name != 'release' && needs.prepare.outputs.publish_build != 'true' && matrix.board.id == 'ova' }}
         with:
           name: haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.ova
@@ -402,7 +402,7 @@ jobs:
             output/images/haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.ova
 
       - name: Upload QEMU disk image artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         # Create artifact for ova every time - it's used by the called tests workflow
         if: ${{ matrix.board.id == 'ova' || (github.event_name != 'release' && needs.prepare.outputs.publish_build != 'true' && matrix.board.id == 'generic-aarch64') }}
         with:
@@ -411,7 +411,7 @@ jobs:
             output/images/haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.qcow2.xz
 
       - name: Upload VMware Virtual Machine Disk (VMDK) artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ github.event_name != 'release' && needs.prepare.outputs.publish_build != 'true' && (matrix.board.id == 'generic-aarch64' || matrix.board.id == 'ova') }}
         with:
           name: haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.vmdk.zip
@@ -419,7 +419,7 @@ jobs:
             output/images/haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.vmdk.zip
 
       - name: Upload VirtualBox Virtual Disk Image (VDI) artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ github.event_name != 'release' && needs.prepare.outputs.publish_build != 'true' && matrix.board.id == 'ova' }}
         with:
           name: haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.vdi.zip
@@ -427,7 +427,7 @@ jobs:
             output/images/haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.vdi.zip
 
       - name: Upload Virtual Hard Disk v2 (VHDX) artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ github.event_name != 'release' && needs.prepare.outputs.publish_build != 'true' && matrix.board.id == 'ova' }}
         with:
           name: haos_${{ matrix.board.id }}-${{ needs.prepare.outputs.version_full }}.vhdx.zip
@@ -466,7 +466,7 @@ jobs:
 
     steps:
       - name: Checkout source
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/label-actions.yml b/.github/workflows/label-actions.yml
index cbf66f53c..b8e0dfc6c 100644
--- a/.github/workflows/label-actions.yml
+++ b/.github/workflows/label-actions.yml
@@ -14,4 +14,4 @@ jobs:
   action:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/label-actions@v4.0.1
+      - uses: dessant/label-actions@102faf474a544be75fbaf4df54e73d3c515a0e65 # v4.0.1
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 9978e5155..2f6b13371 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -14,7 +14,7 @@ jobs:
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v5.0.1
+      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
         with:
           github-token: ${{ github.token }}
           issue-inactive-days: "30"
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index a23e4c46f..1e4840499 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -15,17 +15,17 @@ jobs:
             python3-flake8
 
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           submodules: true
 
       - name: Check Dockerfile
-        uses: brpaz/hadolint-action@v1.5.0
+        uses: brpaz/hadolint-action@c27bd9edc1e95eed30474db8f295ff5807ebca14 # v1.5.0
         with:
           dockerfile: Dockerfile
 
       - name: Check shell scripts
-        uses: ludeeus/action-shellcheck@2.0.0
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
         with:
           ignore_paths: buildroot
 
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 8a212980c..17e34ef9a 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -13,6 +13,6 @@ jobs:
       pull-requests: read # for release-drafter/release-drafter to read PR content and labels
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index ba9d08a3d..784d668bb 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -19,7 +19,7 @@ jobs:
       # - No PRs marked as no-stale or pinned
       # - No issues marked as no-stale, help-wanted or pinned
       - name: 90 days stale issues & PRs policy
-        uses: actions/stale@v10.0.0
+        uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-stale: 90
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index cb03539d2..e49353ba9 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout source
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
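Review bot: The `Check out code` step in the pr-checks.yml hunk is the only checkout in this patch whose `with:` block has `submodules: true` but no `persist-credentials: false`; every other checkout touched here (artifacts-index.yaml, build.yaml, test.yaml) clears the credential. That is pre-existing rather than introduced by this commit, but a supply-chain hardening pass is the natural place to make it consistent, so the `with:` block would become `submodules: true` followed by `persist-credentials: false`. The checkout in build.yaml at `@@ -227,14` already combines `submodules: true` with `persist-credentials: false`, which suggests the submodule fetch does not depend on the persisted token, though that should be confirmed by a run. The enclosing job starts before this hunk.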
@@ -42,7 +42,7 @@ jobs:
           sudo apt install -y qemu-system-x86 ovmf
 
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: 3.12
 
@@ -57,7 +57,7 @@ jobs:
 
       - name: Get OS image artifact
         if: ${{ inputs.use-artifact }}
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: haos_ova-${{ inputs.version }}.qcow2.xz
 
@@ -77,7 +77,7 @@ jobs:
           ./tests/run_tests.sh --durations=0 --durations-min=5.0
 
       - name: Archive logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: always()
         with:
           name: logs
@@ -85,7 +85,7 @@ jobs:
             tests/lg_logs/**
 
       - name: Archive JUnit reports
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: always()
         with:
           name: junit_reports
@@ -93,7 +93,7 @@ jobs:
             tests/junit_reports/*.xml
 
       - name: Publish test report
-        uses: mikepenz/action-junit-report@v5
+        uses: mikepenz/action-junit-report@3585e9575db828022551b4231f165eb59a0e74e3 # v5.6.2
         if: always()
         with:
           report_paths: 'tests/junit_reports/*.xml'