
Commit ea04835

Pin GitHub actions hashes (#20244)
* Pin all GitHub Actions to their current version by commit hash and add a PR check that fails if any unpinned action reference is used * Remove the duplicated pin-hash workflow and use the same pinned version for the PR-creation action * Exclude the DataDog static analyzer GHA from the pinned-hash requirement
1 parent 66b359f commit ea04835

29 files changed

+141
-107
lines changed

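--- /dev/null
+++ b/.github/pinact.yml
@@ -0,0 +1,8 @@
+# Configuration file for pinact used to validate that no
+# GitHub actions are left unpined: .github/workflows/validate-pinned-actions.yml
+# Used to exclude specific actions from the pin check
+version: 3
+ignore_actions:
+  # Lets keep static analyzer action updated as much as possible
+  - name: DataDog/datadog-static-analyzer-github-action
+    ref: .*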
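Review bot: The exemption on the last line uses `ref: .*`, which (assuming pinact treats `ref` as a regex, as the value suggests) accepts any reference for this action, including a branch such as `@main`, so the check never covers the one action that receives the full checked-out source tree. If the intent is only to follow the latest v1 release, narrow it to major-version tags, e.g. `ref: ^v\d+$`, so a branch reference would still be flagged. A tag is a mutable pointer, so whoever can move it can change the code this job runs; the comment should state that trade-off explicitly and name the alternative of pinning the hash and letting a dependency bot bump it, rather than only "keep ... updated as much as possible". The comments also have typos worth fixing: `# GitHub actions are left unpinned: ...` and `# Let's keep the static analyzer action updated as much as possible`.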

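--- a/.github/workflows/backport-pr.yml
+++ b/.github/workflows/backport-pr.yml
@@ -20,13 +20,13 @@ jobs:
         )
     steps:
       - name: Create token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
         id: token-generator
         with:
           app-id: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_APP_ID }}
           private-key: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_PRIVATE_KEY_2 }}
           repositories: integrations-core
-      - uses: tibdex/backport@v2
+      - uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4
         with:
           label_pattern: "^backport/(?<base>([^ ]+))$"
           labels_template: "[\"backport\", \"bot\"]"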

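--- a/.github/workflows/build-ddev.yml
+++ b/.github/workflows/build-ddev.yml
@@ -34,7 +34,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -45,7 +45,7 @@ jobs:
         run: python -m build
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: python-artifacts
           path: ddev/dist/*
@@ -96,7 +96,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -108,7 +108,7 @@ jobs:
           tar --strip-components=1 -xzf - -C $PYAPP_REPO
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -119,13 +119,13 @@ jobs:
         run: pip install -e . --no-deps
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@b56f20b9f22943bc548a7945b40601028db81a31 # 1.86.0 Latest rust stable version as of 2025-05-08 (https://forge.rust-lang.org/)
         with:
           targets: ${{ matrix.job.target }}
 
       - name: Set up cross compiling
         if: matrix.job.cross
-        uses: taiki-e/install-action@v2
+        uses: taiki-e/install-action@97a83ae1347bc407f550a16fb0694d6f446eec88 # v2.50.9
         with:
           tool: cross
 
@@ -142,7 +142,7 @@ jobs:
 
       - name: Download Python artifacts
         if: ${{ !startsWith(github.event.ref, 'refs/tags') }}
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: python-artifacts
           path: ddev/dist
@@ -214,7 +214,7 @@ jobs:
 
       - name: Upload staged managed archive
         if: runner.os != 'Linux'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: staged-managed-${{ runner.os }}-${{ matrix.job.target }}
           path: ddev/packaging/*
@@ -235,7 +235,7 @@ jobs:
 
       - name: Upload staged standalone archive
         if: runner.os != 'Linux'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: staged-standalone-${{ runner.os }}-${{ matrix.job.target }}
           path: ddev/packaging/*
@@ -245,7 +245,7 @@ jobs:
       # can upload directly at this point
       - name: Upload standalone archive
         if: runner.os == 'Linux'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: standalone-${{ matrix.job.target }}
           path: ddev/packaging/*
@@ -262,10 +262,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -304,7 +304,7 @@ jobs:
           OUTER
 
       - name: Download staged standalone binaries
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           pattern: staged-standalone-${{ runner.os }}-*
           path: ddev/archives
@@ -317,7 +317,7 @@ jobs:
         run: ${{ steps.script-prepare.outputs.script }}
 
       - name: Upload standalone binaries
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: standalone-${{ matrix.job.target }}
           path: ddev/archives/*
@@ -327,7 +327,7 @@ jobs:
         run: rm -rf archives bin targets
 
       - name: Download staged managed binaries
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           pattern: staged-managed-${{ runner.os }}-*
           path: ddev/archives
@@ -351,7 +351,7 @@ jobs:
           mv build/*/release/*/*.{exe,msi} installers
 
       - name: Upload installers
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: installers-${{ runner.os }}
           path: ddev/installers/*
@@ -368,10 +368,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -454,7 +454,7 @@ jobs:
           OUTER
 
       - name: Download staged standalone binaries
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           pattern: staged-standalone-${{ runner.os }}-*
           path: ddev/archives
@@ -479,7 +479,7 @@ jobs:
           done
 
       - name: Upload standalone binaries
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: standalone-${{ runner.os }}
           path: ddev/archives/*
@@ -489,7 +489,7 @@ jobs:
         run: rm -rf archives bin notarize-bin
 
       - name: Download staged managed binaries
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           pattern: staged-managed-${{ runner.os }}-*
           path: ddev/archives
@@ -559,7 +559,7 @@ jobs:
             "signed/${{ steps.pkg.outputs.path }}"
 
       - name: Upload installer
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: installers-${{ runner.os }}
           path: ddev/signed/${{ steps.pkg.outputs.path }}
@@ -580,34 +580,34 @@ jobs:
 
     steps:
       - name: Download Python artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: python-artifacts
           path: dist
 
       - name: Download binaries
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           pattern: standalone*
           path: archives
           merge-multiple: true
 
       - name: Download installers
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           pattern: installers-*
           path: installers
           merge-multiple: true
 
       - name: Push Python artifacts to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
         with:
           skip-existing: true
           user: __token__
           password: ${{ secrets.PYPI_TOKEN_DDEV_2 }}
 
       - name: Add assets to current release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
           files: |-
             archives/*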
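Review bot: The `dtolnay/rust-toolchain` change in the `@@ -119,13` hunk is not a pure pin: the old `@stable` ref selected a floating stable toolchain, while the new commit is, per its own comment, the 1.86.0 tag, and this action derives the toolchain version from the ref unless a `toolchain:` input is given, so builds are now frozen on 1.86.0 until someone edits the hash. If freezing is intended, say so and make the version visible, `toolchain: 1.86.0` under `with:`; if tracking stable was intended, keep the hash pin for the action code and add `toolchain: stable` so the two concerns are decoupled. The long trailing comment on that line would read better split, e.g. `# v1.86.0` on the `uses:` line and `# latest stable as of 2025-05-08, see https://forge.rust-lang.org/` above it. Unrelated to this commit but visible in the last hunk: the PyPI step still authenticates with a long-lived token (`password: ${{ secrets.PYPI_TOKEN_DDEV_2 }}`); now that `pypa/gh-action-pypi-publish` is hash-pinned at a release that supports trusted publishing, switching to OIDC with `id-token: write` would remove that secret — worth a follow-up. The jobs these hunks belong to start and end outside the hunks.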

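--- a/.github/workflows/cache-shared-deps.yml
+++ b/.github/workflows/cache-shared-deps.yml
@@ -19,16 +19,16 @@ jobs:
       PYTHON_VERSION: "3.12"
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         id: python
         with:
           python-version: "${{ env.PYTHON_VERSION }}"
 
       - name: Check cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         id: cache
         with:
           path: ${{ runner.os == 'Windows' && '~\AppData\Local\pip\Cache' || runner.os == 'macOS' && '~/Library/Caches/pip' || '~/.cache/pip' }}
@@ -68,7 +68,7 @@ jobs:
         run: pip install ./datadog_checks_base[deps] ./datadog_checks_dev
 
       - name: Cache dependencies
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         if: steps.cache.outputs.cache-hit != 'true'
         with:
           path: ${{ runner.os == 'Windows' && '~\AppData\Local\pip\Cache' || runner.os == 'macOS' && '~/Library/Caches/pip' || '~/.cache/pip' }}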

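--- a/.github/workflows/claim-pypi-name.yaml
+++ b/.github/workflows/claim-pypi-name.yaml
@@ -23,10 +23,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Python 3.11
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.11
 
@@ -38,7 +38,7 @@ jobs:
           bash .github/workflows/scripts/build_placeholders.sh
 
       - name: Push Python artifacts to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
         with:
           # We don't mind invalid metadata, we only want to claim the package name.
           verify-metadata: false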

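--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -27,7 +27,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL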

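--- a/.github/workflows/compute-matrix.yml
+++ b/.github/workflows/compute-matrix.yml
@@ -26,12 +26,12 @@ jobs:
       data: "${{ steps.compute.outputs.data }}"
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: "${{ github.event.pull_request.head.sha }}"
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "${{ env.PYTHON_VERSION }}"
 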

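--- a/.github/workflows/datadog-static-analysis.yml
+++ b/.github/workflows/datadog-static-analysis.yml
@@ -8,7 +8,7 @@ jobs:
     name: Datadog Static Analyzer
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Check code meets quality and security standards
         id: datadog-static-analysis
         uses: DataDog/datadog-static-analyzer-github-action@v1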
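Review bot: `DataDog/datadog-static-analyzer-github-action@v1` on the last line is left on a mutable tag by policy, but nothing at the call site says so, and after this commit it is the only `uses:` in the repository without a hash, so the next reader or pin sweep will either flag it or "fix" it. Add a comment above that line, e.g. `# Intentionally not hash-pinned: exempted in .github/pinact.yml so the analyzer tracks the latest v1 release.`, so the exemption and its rationale are visible where the action is consumed. Note also that this section moves checkout from `v3` to `v4.2.2`, a major-version upgrade rather than a pure pin; it should be called out in the description since it is the one place the commit changes what runs rather than only how it is referenced.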

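--- a/.github/workflows/do-not-merge-label.yml
+++ b/.github/workflows/do-not-merge-label.yml
@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: Get PR labels
         id: pr-labels
-        uses: joerick/pr-labels-action@v1.0.9
+        uses: joerick/pr-labels-action@0543b277721e852d821c6738d449f2f4dea03d5f # v1.0.9
 
       - run: |
           echo "A 'do-not-merge/*' label has been found in this PR."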

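--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -24,13 +24,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # Fetch all history for applying timestamps to every page
           fetch-depth: 0
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.12'
           cache: 'pip'
@@ -59,7 +59,7 @@ jobs:
       - name: Build documentation
         run: ddev -v docs build
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: documentation
           path: site
@@ -75,12 +75,12 @@ jobs:
       contents: write
 
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: documentation
           path: site
 
-      - uses: peaceiris/actions-gh-pages@v3
+      - uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./site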
