Skip to content

Commit 61422a4

Browse files
crazy-maxcrazy-max
committed
pin all actions
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
1 parent 47f3277 commit 61422a4

File tree

4 files changed

+53
-107
lines changed

4 files changed

+53
-107
lines changed

.github/workflows/.test.yml

Lines changed: 12 additions & 61 deletions
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,7 @@ jobs:
5656
steps:
5757
-
5858
name: Builder outputs
59-
uses: actions/github-script@v8
59+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
6060
env:
6161
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-aws-single.outputs) }}
6262
with:
@@ -107,7 +107,7 @@ jobs:
107107
steps:
108108
-
109109
name: Builder outputs
110-
uses: actions/github-script@v8
110+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
111111
env:
112112
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-aws.outputs) }}
113113
with:
@@ -156,7 +156,7 @@ jobs:
156156
steps:
157157
-
158158
name: Builder outputs
159-
uses: actions/github-script@v8
159+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
160160
env:
161161
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-ghcr.outputs) }}
162162
with:
@@ -204,63 +204,14 @@ jobs:
204204
steps:
205205
-
206206
name: Builder outputs
207-
uses: actions/github-script@v8
207+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
208208
env:
209209
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-dockerhub-stage.outputs) }}
210210
with:
211211
script: |
212212
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
213213
core.info(JSON.stringify(builderOutputs, null, 2));
214214
215-
build-dockerhub-stage-oidc:
216-
uses: ./.github/workflows/build.yml
217-
permissions:
218-
contents: read
219-
id-token: write
220-
with:
221-
output: image
222-
push: ${{ github.event_name != 'pull_request' }}
223-
meta-images: registry-1-stage.docker.io/docker/github-builder-test
224-
meta-tags: |
225-
type=raw,value=${{ github.run_id }},prefix=oidc-
226-
build-file: test/hello.Dockerfile
227-
build-sbom: true
228-
build-platforms: linux/amd64,linux/arm64
229-
secrets:
230-
registry-auths: |
231-
- registry: registry-1-stage.docker.io
232-
username: docker:cdeb5882-30b7-4076-be92-bfdceb258e9c
233-
234-
build-dockerhub-stage-oidc-verify:
235-
uses: ./.github/workflows/verify.yml
236-
if: ${{ github.event_name != 'pull_request' }}
237-
permissions:
238-
contents: read
239-
id-token: write
240-
needs:
241-
- build-dockerhub-stage-oidc
242-
with:
243-
builder-outputs: ${{ toJSON(needs.build-dockerhub-stage-oidc.outputs) }}
244-
secrets:
245-
registry-auths: |
246-
- registry: registry-1-stage.docker.io
247-
username: docker:cdeb5882-30b7-4076-be92-bfdceb258e9c
248-
249-
build-dockerhub-stage-oidc-outputs:
250-
runs-on: ubuntu-24.04
251-
needs:
252-
- build-dockerhub-stage-oidc
253-
steps:
254-
-
255-
name: Builder outputs
256-
uses: actions/github-script@v8
257-
env:
258-
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-dockerhub-stage-oidc.outputs) }}
259-
with:
260-
script: |
261-
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
262-
core.info(JSON.stringify(builderOutputs, null, 2));
263-
264215
build-ghcr-and-aws:
265216
uses: ./.github/workflows/build.yml
266217
permissions:
@@ -310,7 +261,7 @@ jobs:
310261
steps:
311262
-
312263
name: Builder outputs
313-
uses: actions/github-script@v8
264+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
314265
env:
315266
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-ghcr-and-aws.outputs) }}
316267
with:
@@ -346,7 +297,7 @@ jobs:
346297
steps:
347298
-
348299
name: Builder outputs
349-
uses: actions/github-script@v8
300+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
350301
env:
351302
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.local.outputs) }}
352303
with:
@@ -381,7 +332,7 @@ jobs:
381332
steps:
382333
-
383334
name: Builder outputs
384-
uses: actions/github-script@v8
335+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
385336
env:
386337
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-local-single.outputs) }}
387338
with:
@@ -447,7 +398,7 @@ jobs:
447398
steps:
448399
-
449400
name: Builder outputs
450-
uses: actions/github-script@v8
401+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
451402
env:
452403
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws-single.outputs) }}
453404
with:
@@ -498,7 +449,7 @@ jobs:
498449
steps:
499450
-
500451
name: Builder outputs
501-
uses: actions/github-script@v8
452+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
502453
env:
503454
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws.outputs) }}
504455
with:
@@ -557,7 +508,7 @@ jobs:
557508
steps:
558509
-
559510
name: Builder outputs
560-
uses: actions/github-script@v8
511+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
561512
env:
562513
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-ghcr-and-aws.outputs) }}
563514
with:
@@ -594,7 +545,7 @@ jobs:
594545
steps:
595546
-
596547
name: Builder outputs
597-
uses: actions/github-script@v8
548+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
598549
env:
599550
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-local.outputs) }}
600551
with:
@@ -631,7 +582,7 @@ jobs:
631582
steps:
632583
-
633584
name: Builder outputs
634-
uses: actions/github-script@v8
585+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
635586
env:
636587
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-local-single.outputs) }}
637588
with:

.github/workflows/bake.yml

Lines changed: 20 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -157,7 +157,7 @@ jobs:
157157
steps:
158158
-
159159
name: Environment variables
160-
uses: actions/github-script@v8
160+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
161161
env:
162162
INPUT_ENVS: ${{ inputs.envs }}
163163
with:
@@ -169,7 +169,7 @@ jobs:
169169
}
170170
-
171171
name: Install @docker/actions-toolkit
172-
uses: actions/github-script@v8
172+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
173173
env:
174174
INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }}
175175
with:
@@ -178,7 +178,7 @@ jobs:
178178
-
179179
name: Set includes
180180
id: set
181-
uses: actions/github-script@v8
181+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
182182
env:
183183
INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}
184184
INPUT_RUNNER: ${{ inputs.runner }}
@@ -304,7 +304,7 @@ jobs:
304304
steps:
305305
-
306306
name: Environment variables
307-
uses: actions/github-script@v8
307+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
308308
env:
309309
INPUT_ENVS: ${{ inputs.envs }}
310310
with:
@@ -316,7 +316,7 @@ jobs:
316316
}
317317
-
318318
name: Install @docker/actions-toolkit
319-
uses: actions/github-script@v8
319+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
320320
env:
321321
INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }}
322322
with:
@@ -326,7 +326,7 @@ jobs:
326326
name: Docker meta
327327
id: meta
328328
if: ${{ inputs.output == 'image' }}
329-
uses: docker/metadata-action@v5
329+
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
330330
with:
331331
images: ${{ inputs.meta-images }}
332332
tags: ${{ inputs.meta-tags }}
@@ -336,21 +336,21 @@ jobs:
336336
bake-target: ${{ inputs.meta-bake-target }}
337337
-
338338
name: Set up QEMU
339-
uses: docker/setup-qemu-action@v3
339+
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
340340
if: ${{ inputs.setup-qemu }}
341341
with:
342342
image: ${{ inputs.qemu-image }}
343343
-
344344
name: Set up Docker Buildx
345-
uses: docker/setup-buildx-action@v3
345+
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
346346
with:
347347
version: ${{ env.BUILDX_VERSION }}
348348
buildkitd-flags: --debug
349349
driver-opts: image=${{ env.BUILDKIT_IMAGE }}
350350
-
351351
name: Prepare
352352
id: prepare
353-
uses: actions/github-script@v8
353+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
354354
env:
355355
INPUT_PLATFORM: ${{ matrix.platform }}
356356
INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }}
@@ -493,8 +493,7 @@ jobs:
493493
-
494494
name: Login to registry
495495
if: ${{ inputs.push && inputs.output == 'image' }}
496-
# TODO: switch to docker/login-action when OIDC is supported
497-
uses: crazy-max/docker-login-action@dockerhub-oidc
496+
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
498497
with:
499498
registry-auth: ${{ secrets.registry-auths }}
500499
-
@@ -516,7 +515,7 @@ jobs:
516515
name: Get image digest
517516
id: get-image-digest
518517
if: ${{ inputs.output == 'image' }}
519-
uses: actions/github-script@v8
518+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
520519
env:
521520
INPUT_TARGET: ${{ steps.prepare.outputs.target }}
522521
INPUT_METADATA: ${{ steps.bake.outputs.metadata }}
@@ -530,7 +529,7 @@ jobs:
530529
-
531530
name: Install Cosign
532531
if: ${{ inputs.push }}
533-
uses: actions/github-script@v8
532+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
534533
env:
535534
INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }}
536535
with:
@@ -548,7 +547,7 @@ jobs:
548547
name: Signing attestation manifests
549548
id: signing-attestation-manifests
550549
if: ${{ inputs.push && inputs.output == 'image' }}
551-
uses: actions/github-script@v8
550+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
552551
env:
553552
INPUT_IMAGE-NAMES: ${{ inputs.meta-images }}
554553
INPUT_IMAGE-DIGEST: ${{ steps.get-image-digest.outputs.digest }}
@@ -595,7 +594,7 @@ jobs:
595594
name: Signing local artifacts
596595
id: signing-local-artifacts
597596
if: ${{ inputs.push && inputs.output == 'local' }}
598-
uses: actions/github-script@v8
597+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
599598
env:
600599
INPUT_LOCAL-OUTPUT-DIR: ${{ env.LOCAL_EXPORT_DIR }}
601600
with:
@@ -639,7 +638,7 @@ jobs:
639638
-
640639
name: Set result output
641640
id: result
642-
uses: actions/github-script@v8
641+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
643642
env:
644643
INPUT_INDEX: ${{ matrix.index }}
645644
INPUT_VERIFY-COMMANDS: ${{ steps.signing-attestation-manifests.outputs.verify-commands || steps.signing-local-artifacts.outputs.verify-commands }}
@@ -676,7 +675,7 @@ jobs:
676675
name: Docker meta
677676
id: meta
678677
if: ${{ inputs.output == 'image' }}
679-
uses: docker/metadata-action@v5
678+
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
680679
with:
681680
images: ${{ inputs.meta-images }}
682681
tags: ${{ inputs.meta-tags }}
@@ -687,22 +686,21 @@ jobs:
687686
-
688687
name: Login to registry
689688
if: ${{ inputs.push && inputs.output == 'image' }}
690-
# TODO: switch to docker/login-action when OIDC is supported
691-
uses: crazy-max/docker-login-action@dockerhub-oidc
689+
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
692690
with:
693691
registry-auth: ${{ secrets.registry-auths }}
694692
-
695693
name: Set up Docker Buildx
696694
if: ${{ inputs.push && inputs.output == 'image' }}
697-
uses: docker/setup-buildx-action@v3
695+
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
698696
with:
699697
version: ${{ env.BUILDX_VERSION }}
700698
buildkitd-flags: --debug
701699
driver-opts: image=${{ env.BUILDKIT_IMAGE }}
702700
-
703701
name: Create manifest
704702
if: ${{ inputs.output == 'image' }}
705-
uses: actions/github-script@v8
703+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
706704
env:
707705
INPUT_PUSH: ${{ inputs.push }}
708706
INPUT_IMAGE-NAMES: ${{ inputs.meta-images }}
@@ -751,7 +749,7 @@ jobs:
751749
-
752750
name: Set outputs
753751
id: set
754-
uses: actions/github-script@v8
752+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
755753
env:
756754
INPUT_BUILD-OUTPUTS: ${{ toJSON(needs.build.outputs) }}
757755
with:

0 commit comments

Comments
 (0)