73 changes: 12 additions & 61 deletions .github/workflows/.test.yml
@@ -56,7 +56,7 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-aws-single.outputs) }}
with:
@@ -107,7 +107,7 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-aws.outputs) }}
with:
@@ -156,7 +156,7 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-ghcr.outputs) }}
with:
@@ -204,63 +204,14 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-dockerhub-stage.outputs) }}
with:
script: |
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

build-dockerhub-stage-oidc:
uses: ./.github/workflows/build.yml
permissions:
contents: read
id-token: write
with:
output: image
push: ${{ github.event_name != 'pull_request' }}
meta-images: registry-1-stage.docker.io/docker/github-builder-test
meta-tags: |
type=raw,value=${{ github.run_id }},prefix=oidc-
build-file: test/hello.Dockerfile
build-sbom: true
build-platforms: linux/amd64,linux/arm64
secrets:
registry-auths: |
- registry: registry-1-stage.docker.io
username: docker:cdeb5882-30b7-4076-be92-bfdceb258e9c

build-dockerhub-stage-oidc-verify:
uses: ./.github/workflows/verify.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
needs:
- build-dockerhub-stage-oidc
with:
builder-outputs: ${{ toJSON(needs.build-dockerhub-stage-oidc.outputs) }}
secrets:
registry-auths: |
- registry: registry-1-stage.docker.io
username: docker:cdeb5882-30b7-4076-be92-bfdceb258e9c

build-dockerhub-stage-oidc-outputs:
runs-on: ubuntu-24.04
needs:
- build-dockerhub-stage-oidc
steps:
-
name: Builder outputs
uses: actions/github-script@v8
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-dockerhub-stage-oidc.outputs) }}
with:
script: |
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

build-ghcr-and-aws:
uses: ./.github/workflows/build.yml
permissions:
@@ -310,7 +261,7 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-ghcr-and-aws.outputs) }}
with:
@@ -346,7 +297,7 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.local.outputs) }}
with:
@@ -381,7 +332,7 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.build-local-single.outputs) }}
with:
@@ -447,7 +398,7 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws-single.outputs) }}
with:
@@ -498,7 +449,7 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws.outputs) }}
with:
@@ -557,7 +508,7 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-ghcr-and-aws.outputs) }}
with:
@@ -594,7 +545,7 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-local.outputs) }}
with:
@@ -631,7 +582,7 @@ jobs:
steps:
-
name: Builder outputs
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-local-single.outputs) }}
with:
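Review bot: The `-204,63 +204,14` hunk takes out `build-dockerhub-stage-oidc`, `build-dockerhub-stage-oidc-verify` and `build-dockerhub-stage-oidc-outputs`, and nothing in the visible hunks replaces them, so the login path that supplied only a `username` under `id-token: write` appears to lose its test. If that path is being dropped together with the move to `docker/login-action` in bake.yml, the commit description should say so; if it is expected to keep working, one of the remaining jobs needs to cover it. A marker where the jobs used to be would help, for example `# OIDC login test for registry-1-stage.docker.io removed with the login-action switch; restore once supported`. The file is only partly visible here, so an equivalent job outside these hunks is possible.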
42 changes: 20 additions & 22 deletions .github/workflows/bake.yml
@@ -157,7 +157,7 @@ jobs:
steps:
-
name: Environment variables
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_ENVS: ${{ inputs.envs }}
with:
@@ -169,7 +169,7 @@ jobs:
}
-
name: Install @docker/actions-toolkit
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }}
with:
@@ -178,7 +178,7 @@ jobs:
-
name: Set includes
id: set
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}
INPUT_RUNNER: ${{ inputs.runner }}
@@ -304,7 +304,7 @@ jobs:
steps:
-
name: Environment variables
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_ENVS: ${{ inputs.envs }}
with:
@@ -316,7 +316,7 @@ jobs:
}
-
name: Install @docker/actions-toolkit
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }}
with:
@@ -326,7 +326,7 @@ jobs:
name: Docker meta
id: meta
if: ${{ inputs.output == 'image' }}
uses: docker/metadata-action@v5
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ inputs.meta-images }}
tags: ${{ inputs.meta-tags }}
@@ -336,21 +336,21 @@ jobs:
bake-target: ${{ inputs.meta-bake-target }}
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
if: ${{ inputs.setup-qemu }}
with:
image: ${{ inputs.qemu-image }}
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
with:
version: ${{ env.BUILDX_VERSION }}
buildkitd-flags: --debug
driver-opts: image=${{ env.BUILDKIT_IMAGE }}
-
name: Prepare
id: prepare
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_PLATFORM: ${{ matrix.platform }}
INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }}
@@ -493,8 +493,7 @@ jobs:
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
# TODO: switch to docker/login-action when OIDC is supported
uses: crazy-max/docker-login-action@dockerhub-oidc
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry-auth: ${{ secrets.registry-auths }}
-
@@ -516,7 +515,7 @@ jobs:
name: Get image digest
id: get-image-digest
if: ${{ inputs.output == 'image' }}
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_TARGET: ${{ steps.prepare.outputs.target }}
INPUT_METADATA: ${{ steps.bake.outputs.metadata }}
@@ -530,7 +529,7 @@ jobs:
-
name: Install Cosign
if: ${{ inputs.push }}
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }}
with:
@@ -548,7 +547,7 @@ jobs:
name: Signing attestation manifests
id: signing-attestation-manifests
if: ${{ inputs.push && inputs.output == 'image' }}
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_IMAGE-NAMES: ${{ inputs.meta-images }}
INPUT_IMAGE-DIGEST: ${{ steps.get-image-digest.outputs.digest }}
@@ -595,7 +594,7 @@ jobs:
name: Signing local artifacts
id: signing-local-artifacts
if: ${{ inputs.push && inputs.output == 'local' }}
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_LOCAL-OUTPUT-DIR: ${{ env.LOCAL_EXPORT_DIR }}
with:
@@ -639,7 +638,7 @@ jobs:
-
name: Set result output
id: result
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_INDEX: ${{ matrix.index }}
INPUT_VERIFY-COMMANDS: ${{ steps.signing-attestation-manifests.outputs.verify-commands || steps.signing-local-artifacts.outputs.verify-commands }}
@@ -676,7 +675,7 @@ jobs:
name: Docker meta
id: meta
if: ${{ inputs.output == 'image' }}
uses: docker/metadata-action@v5
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ inputs.meta-images }}
tags: ${{ inputs.meta-tags }}
@@ -687,22 +686,21 @@ jobs:
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
# TODO: switch to docker/login-action when OIDC is supported
uses: crazy-max/docker-login-action@dockerhub-oidc
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry-auth: ${{ secrets.registry-auths }}
-
name: Set up Docker Buildx
if: ${{ inputs.push && inputs.output == 'image' }}
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
with:
version: ${{ env.BUILDX_VERSION }}
buildkitd-flags: --debug
driver-opts: image=${{ env.BUILDKIT_IMAGE }}
-
name: Create manifest
if: ${{ inputs.output == 'image' }}
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_PUSH: ${{ inputs.push }}
INPUT_IMAGE-NAMES: ${{ inputs.meta-images }}
@@ -751,7 +749,7 @@ jobs:
-
name: Set outputs
id: set
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_BUILD-OUTPUTS: ${{ toJSON(needs.build.outputs) }}
with:
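Review bot: The trailing `# v8.0.0`-style comments on every pinned `uses:` line are the only link between a 40-character hash and a release, and nothing in the visible change keeps the two in step or moves the pins forward when upstream ships a fix. The runner honours only the hash, so a comment that has drifted from it would pass review unnoticed; each pin is worth checking once against the tag in the upstream repository before merge. If the repository does not already have one, a Dependabot entry such as `- package-ecosystem: "github-actions"` with `directory: "/"` in `.github/dependabot.yml` updates hash and comment together. The same applies to the pins in .test.yml.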