From 5442e00a8ff8ac19604d4bd8b7d5411ff1449583 Mon Sep 17 00:00:00 2001 From: yubiuser Date: Wed, 27 Aug 2025 21:31:58 +0200 Subject: [PATCH] Pin github actions to SHA Signed-off-by: yubiuser --- .github/workflows/build.yml | 32 ++++++++++++------------- .github/workflows/codeql.yml | 12 +++++----- .github/workflows/codespell.yml | 4 ++-- .github/workflows/merge-conflict.yml | 2 +- .github/workflows/openapi-validator.yml | 4 ++-- .github/workflows/stale.yml | 4 ++-- .github/workflows/stale_pr.yml | 2 +- .github/workflows/sync-back-to-dev.yml | 2 +- 8 files changed, 31 insertions(+), 31 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2abaacfe..59523692 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4.1.7 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: "Calculate required variables" id: variables @@ -100,14 +100,14 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4.1.7 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 # QEMU should come before Buildx - name: Set up QEMU - uses: docker/setup-qemu-action@v3.6.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.10.0 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 - name: Print directory contents shell: bash @@ -115,7 +115,7 @@ jobs: - name: Build FTL in ftl-build container (QEMU) # Creates an image to build FTL and load it into the local Docker daemon - uses: nick-fields/retry@v3.0.2 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2 with: max_attempts: 3 timeout_minutes: 15 @@ -134,7 +134,7 @@ jobs: name: Test FTL in ftl-build container (QEMU) # Uses the ftl-builder image to run tests # set STATIC to true for all except clang builds as we do in build.sh - uses: nick-fields/retry@v3.0.2 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2 with: max_attempts: 3 timeout_minutes: 10 @@ -169,13 +169,13 @@ jobs: sha1sum pihole-FTL-* > ${{ matrix.bin_name }}.sha1 - name: Upload pihole-FTL binary - uses: actions/upload-artifact@v4.6.2 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: ${{ matrix.bin_name }}-binary path: '${{ matrix.bin_name }}*' - name: Generate artifact attestation - uses: actions/attest-build-provenance@v2.3.0 + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be #v2.4.0 # Skip attestation if ACTIONS_ID_TOKEN_REQUEST_URL env variable is not # available (e.g., PR originating from a fork) if: env.DO_DEPLOY == 'true' && env.ACTIONS_ID_TOKEN_REQUEST_URL != '' @@ -184,21 +184,21 @@ jobs: - name: Upload documentation files if: matrix.bin_name == 'pihole-FTL-amd64' - uses: actions/upload-artifact@v4.6.2 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: pihole-api-docs path: 'api-docs.tar.gz' - name: Upload pihole.toml template if: matrix.bin_name == 'pihole-FTL-amd64' - uses: actions/upload-artifact@v4.6.2 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: pihole-toml path: 'pihole.toml' - name: Get binaries built in previous jobs if: env.DO_DEPLOY == 'true' - uses: actions/download-artifact@v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5.0.0 id: download with: path: ftl_builds/ @@ -207,14 +207,14 @@ jobs: - name: Get documentation files built in previous jobs if: env.DO_DEPLOY == 'true' && matrix.bin_name == 'pihole-FTL-amd64' - uses: actions/download-artifact@v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5.0.0 with: path: ftl_builds/ name: pihole-api-docs - name: Get pihole.toml built in previous job if: env.DO_DEPLOY == 'true' && matrix.bin_name == 'pihole-FTL-amd64' - uses: actions/download-artifact@v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5.0.0 with: path: ftl_builds/ name: pihole-toml @@ -227,7 +227,7 @@ jobs: - name: Install SSH Key if: env.DO_DEPLOY == 'true' - uses: benoitchantre/setup-ssh-authentication-action@1.0.1 + uses: benoitchantre/setup-ssh-authentication-action@8e8bd40230ad7d206617c475f35624828640ceb3 #1.0.1 with: private-key: ${{ secrets.SSH_KEY }} private-key-name: id_rsa @@ -265,7 +265,7 @@ jobs: - name: Attach binaries to release if: github.event_name == 'release' - uses: softprops/action-gh-release@v2.3.2 + uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 #v2.3.2 with: files: | ftl_builds/* @@ -278,7 +278,7 @@ jobs: - name: Create Pull Request to pi-hole/docs if: env.GIT_BRANCH == 'master' && env.DO_DEPLOY == 'true' && matrix.bin_name == 'pihole-FTL-amd64' - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8 with: token: ${{ secrets.PRALOR_PULL_REQUESTS }} commit-message: "docs: update pihole.toml documentation" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bed7e1bb..b84be3cd 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -58,7 +58,7 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: Install dependencies run: | @@ -85,7 +85,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@96f518a34f7a870018057716cc4d7a5c014bd61c #v3.29.10 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -108,14 +108,14 @@ jobs: ./build.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@96f518a34f7a870018057716cc4d7a5c014bd61c #v3.29.10 with: category: "/language:${{matrix.language}}" upload: failure-only # upload only in case of failure, otherwise upload later after filtering output: codeql-results - name: Filter SARIF - uses: advanced-security/filter-sarif@v1 + uses: advanced-security/filter-sarif@bc96d9fb9338c5b48cc440b1b4d0a350b26a20db #v1.0.0 with: # filter out third-party dependencies patterns: | @@ -134,13 +134,13 @@ jobs: output: codeql-results/cpp.sarif - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c #v3.29.10 with: sarif_file: codeql-results/cpp.sarif - name: Upload CodeQL results as an artifact if: success() || failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: codeql-results path: codeql-results diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index c65acde9..3e9c4a51 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -13,10 +13,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4.1.7 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: Spell-Checking - uses: codespell-project/actions-codespell@master + uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 #v2.1 with: ignore_words_file: .github/.codespellignore skip: ./src/database/sqlite3.c,./src/database/sqlite3.h,./src/database/shell.c,./src/lua,./src/dnsmasq,./src/tre-regex,./.git,./test/libs,./src/webserver/civetweb,./src/zip/miniz,./src/api/docs/content/external,./src/database/sqlite3_rsync.c,./package-lock.json,./src/config/tomlc17 diff --git a/.github/workflows/merge-conflict.yml b/.github/workflows/merge-conflict.yml index dce55407..ae2fabbe 100644 --- a/.github/workflows/merge-conflict.yml +++ b/.github/workflows/merge-conflict.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check if PRs are have merge conflicts - uses: eps1lon/actions-label-merge-conflict@v3.0.3 + uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 #v3.0.3 with: dirtyLabel: "Merge conflicts" repoToken: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/openapi-validator.yml b/.github/workflows/openapi-validator.yml index ab88d1b4..e03c7a8f 100644 --- a/.github/workflows/openapi-validator.yml +++ b/.github/workflows/openapi-validator.yml @@ -12,10 +12,10 @@ jobs: steps: - name: Clone repository - uses: actions/checkout@v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: Set up Node.js - uses: actions/setup-node@v4.4.0 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 #v4.4.0 with: node-version: "20" cache: npm diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 4db61c5c..62afe8cc 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -17,7 +17,7 @@ jobs: issues: write steps: - - uses: actions/stale@v9.1.0 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 #v9.1.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} days-before-stale: 30 @@ -40,7 +40,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4.1.7 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: Remove 'stale' label run: gh issue edit ${{ github.event.issue.number }} --remove-label ${{ env.stale_label }} env: diff --git a/.github/workflows/stale_pr.yml b/.github/workflows/stale_pr.yml index 1d969366..ff5bf892 100644 --- a/.github/workflows/stale_pr.yml +++ b/.github/workflows/stale_pr.yml @@ -17,7 +17,7 @@ jobs: pull-requests: write steps: - - uses: actions/stale@v9.1.0 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 #v9.1.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Do not automatically mark PR/issue as stale diff --git a/.github/workflows/sync-back-to-dev.yml b/.github/workflows/sync-back-to-dev.yml index e15d1049..67f993ae 100644 --- a/.github/workflows/sync-back-to-dev.yml +++ b/.github/workflows/sync-back-to-dev.yml @@ -11,7 +11,7 @@ jobs: name: Syncing branches steps: - name: Checkout - uses: actions/checkout@v4.1.7 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: Opening pull request run: gh pr create -B development -H master --title 'Sync master back into development' --body 'Created by Github action' --label 'internal' env: