From e1944739e9fa9b303968b1600ef35e115f388be3 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Thu, 11 Jan 2024 11:07:29 +0100 Subject: [PATCH] ci: restrict token permissions and pin deps --- .github/workflows/_pr_entrypoint.yaml | 9 ++- .github/workflows/_push-entrypoint.yaml | 9 ++- .../build_and_push_docker_images.yaml | 10 ++-- .github/workflows/build_docker_for_test.yaml | 4 +- .github/workflows/build_packages.yaml | 15 +++-- .github/workflows/build_packages_cron.yaml | 15 +++-- .github/workflows/build_slim_packages.yaml | 13 ++-- .github/workflows/check_deps_integrity.yaml | 4 +- .github/workflows/codeql.yaml | 2 +- .github/workflows/green_master.yaml | 2 +- .github/workflows/performance_test.yaml | 60 +++++++++---------- .github/workflows/release.yaml | 6 +- .github/workflows/run_conf_tests.yaml | 4 +- .github/workflows/run_docker_tests.yaml | 8 +-- .github/workflows/run_emqx_app_tests.yaml | 4 +- .github/workflows/run_helm_tests.yaml | 6 +- .github/workflows/run_jmeter_tests.yaml | 27 +++++---- .github/workflows/run_relup_tests.yaml | 12 ++-- .github/workflows/run_test_cases.yaml | 23 +++---- .github/workflows/scorecard.yaml | 6 +- .github/workflows/spellcheck.yaml | 2 +- .github/workflows/stale.yaml | 2 +- .github/workflows/static_checks.yaml | 4 +- .github/workflows/upload-helm-charts.yaml | 7 ++- scripts/bump-actions-versions.sh | 21 +++++++ 25 files changed, 160 insertions(+), 115 deletions(-) create mode 100755 scripts/bump-actions-versions.sh diff --git a/.github/workflows/_pr_entrypoint.yaml b/.github/workflows/_pr_entrypoint.yaml index c147143c3..7d7faa8f9 100644 --- a/.github/workflows/_pr_entrypoint.yaml +++ b/.github/workflows/_pr_entrypoint.yaml @@ -14,6 +14,9 @@ on: env: IS_CI: "yes" +permissions: + contents: read + jobs: sanity-checks: runs-on: ubuntu-22.04 @@ -30,7 +33,7 @@ jobs: elixir_vsn: "1.15.7" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 @@ -125,7 +128,7 @@ jobs: - emqx-enterprise steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Work around https://github.com/actions/checkout/issues/766 @@ -141,7 +144,7 @@ jobs: echo "PROFILE=${PROFILE}" | tee -a .env echo "PKG_VSN=$(./pkg-vsn.sh ${PROFILE})" | tee -a .env zip -ryq -x@.github/workflows/.zipignore $PROFILE.zip . - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: ${{ matrix.profile }} path: ${{ matrix.profile }}.zip diff --git a/.github/workflows/_push-entrypoint.yaml b/.github/workflows/_push-entrypoint.yaml index 55dd5997b..1e0dd941b 100644 --- a/.github/workflows/_push-entrypoint.yaml +++ b/.github/workflows/_push-entrypoint.yaml @@ -14,6 +14,9 @@ on: - 'release-5[0-9]' - 'ci/**' +permissions: + contents: read + env: IS_CI: 'yes' @@ -35,7 +38,7 @@ jobs: elixir_vsn: '1.15.7' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 @@ -133,7 +136,7 @@ jobs: - emqx-enterprise steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 @@ -149,7 +152,7 @@ jobs: echo "PROFILE=${PROFILE}" | tee -a .env echo "PKG_VSN=$(./pkg-vsn.sh ${PROFILE})" | tee -a .env zip -ryq -x@.github/workflows/.zipignore $PROFILE.zip . - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: ${{ matrix.profile }} path: ${{ matrix.profile }}.zip diff --git a/.github/workflows/build_and_push_docker_images.yaml b/.github/workflows/build_and_push_docker_images.yaml index ce5115018..49416db92 100644 --- a/.github/workflows/build_and_push_docker_images.yaml +++ b/.github/workflows/build_and_push_docker_images.yaml @@ -91,23 +91,23 @@ jobs: registry: 'public.ecr.aws' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 - - uses: docker/setup-qemu-action@v2 - - uses: docker/setup-buildx-action@v2 + - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - name: Login to hub.docker.com - uses: docker/login-action@v2 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 if: matrix.registry == 'docker.io' with: username: ${{ secrets.DOCKER_HUB_USER }} password: ${{ secrets.DOCKER_HUB_TOKEN }} - name: Login to AWS ECR - uses: docker/login-action@v2 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 if: matrix.registry == 'public.ecr.aws' with: registry: public.ecr.aws diff --git a/.github/workflows/build_docker_for_test.yaml b/.github/workflows/build_docker_for_test.yaml index a4bc58da2..ccff642f9 100644 --- a/.github/workflows/build_docker_for_test.yaml +++ b/.github/workflows/build_docker_for_test.yaml @@ -42,7 +42,7 @@ jobs: - emqx-enterprise-elixir steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: build and export to Docker id: build run: | @@ -57,7 +57,7 @@ jobs: - name: export docker image run: | docker save $EMQX_IMAGE_TAG | gzip > $EMQX_NAME-docker-$PKG_VSN.tar.gz - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: "${{ env.EMQX_NAME }}-docker" path: "${{ env.EMQX_NAME }}-docker-${{ env.PKG_VSN }}.tar.gz" diff --git a/.github/workflows/build_packages.yaml b/.github/workflows/build_packages.yaml index c1edb516a..fad200a93 100644 --- a/.github/workflows/build_packages.yaml +++ b/.github/workflows/build_packages.yaml @@ -64,6 +64,9 @@ on: type: string default: '5.3-2' +permissions: + contents: read + jobs: mac: strategy: @@ -80,7 +83,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: emqx/self-hosted-cleanup-action@v1.0.3 - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 @@ -93,7 +96,7 @@ jobs: apple_developer_identity: ${{ secrets.APPLE_DEVELOPER_IDENTITY }} apple_developer_id_bundle: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }} apple_developer_id_bundle_password: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: ${{ matrix.profile }} @@ -149,7 +152,7 @@ jobs: shell: bash steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 @@ -190,7 +193,7 @@ jobs: ./scripts/pkg-tests.sh "${PROFILE}-tgz" ./scripts/pkg-tests.sh "${PROFILE}-pkg" fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: ${{ matrix.profile }} path: _packages/${{ matrix.profile }}/ @@ -208,7 +211,7 @@ jobs: profile: - ${{ inputs.profile }} steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} path: packages/${{ matrix.profile }} @@ -224,7 +227,7 @@ jobs: echo "$(cat $var.sha256) $var" | sha256sum -c || exit 1 done cd - - - uses: aws-actions/configure-aws-credentials@v2 + - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/build_packages_cron.yaml b/.github/workflows/build_packages_cron.yaml index 8e4ce3a40..ee3be30a2 100644 --- a/.github/workflows/build_packages_cron.yaml +++ b/.github/workflows/build_packages_cron.yaml @@ -9,6 +9,9 @@ on: - cron: '0 */6 * * *' workflow_dispatch: +permissions: + contents: read + jobs: linux: if: github.repository_owner == 'emqx' @@ -32,7 +35,7 @@ jobs: shell: bash steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ matrix.profile[1] }} fetch-depth: 0 @@ -63,14 +66,14 @@ jobs: set -eu ./scripts/pkg-tests.sh "${PROFILE}-tgz" ./scripts/pkg-tests.sh "${PROFILE}-pkg" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: ${{ matrix.profile[0] }} path: _packages/${{ matrix.profile[0] }}/ retention-days: 7 - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.23.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 if: failure() env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} @@ -95,7 +98,7 @@ jobs: - macos-12-arm64 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ matrix.branch }} fetch-depth: 0 @@ -108,14 +111,14 @@ jobs: apple_developer_identity: ${{ secrets.APPLE_DEVELOPER_IDENTITY }} apple_developer_id_bundle: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }} apple_developer_id_bundle_password: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: ${{ matrix.profile }} path: _packages/${{ matrix.profile }}/ retention-days: 7 - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.23.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 if: failure() env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/build_slim_packages.yaml b/.github/workflows/build_slim_packages.yaml index 92fd61d09..bce20191b 100644 --- a/.github/workflows/build_slim_packages.yaml +++ b/.github/workflows/build_slim_packages.yaml @@ -41,6 +41,9 @@ on: type: string default: '1.15.7' +permissions: + contents: read + jobs: linux: runs-on: ${{ github.repository_owner == 'emqx' && fromJSON(format('["self-hosted","ephemeral","linux","{0}"]', matrix.profile[4])) || 'ubuntu-22.04' }} @@ -58,7 +61,7 @@ jobs: container: "ghcr.io/emqx/emqx-builder/${{ inputs.builder_vsn }}:${{ inputs.elixir_vsn }}-${{ matrix.profile[1] }}-${{ matrix.profile[2] }}" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Work around https://github.com/actions/checkout/issues/766 @@ -85,12 +88,12 @@ jobs: run: | make ${EMQX_NAME}-elixir-pkg ./scripts/pkg-tests.sh ${EMQX_NAME}-elixir-pkg - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: "${{ matrix.profile[0] }}-${{ matrix.profile[1] }}-${{ matrix.profile[2] }}" path: _packages/${{ matrix.profile[0] }}/* retention-days: 7 - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: "${{ matrix.profile[0] }}_schema_dump" path: | @@ -114,7 +117,7 @@ jobs: EMQX_NAME: ${{ matrix.profile }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/package-macos with: profile: ${{ matrix.profile }} @@ -124,7 +127,7 @@ jobs: apple_developer_identity: ${{ secrets.APPLE_DEVELOPER_IDENTITY }} apple_developer_id_bundle: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }} apple_developer_id_bundle_password: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: ${{ matrix.os }} path: _packages/**/* diff --git a/.github/workflows/check_deps_integrity.yaml b/.github/workflows/check_deps_integrity.yaml index 5b83ab063..30d788500 100644 --- a/.github/workflows/check_deps_integrity.yaml +++ b/.github/workflows/check_deps_integrity.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }} container: ${{ inputs.builder }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - run: make ensure-rebar3 - run: ./scripts/check-deps-integrity.escript @@ -36,7 +36,7 @@ jobs: MIX_ENV: emqx-enterprise PROFILE: emqx-enterprise - name: Upload produced lock files - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: produced_lock_files diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 17aacedfb..accdbe657 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} diff --git a/.github/workflows/green_master.yaml b/.github/workflows/green_master.yaml index 0d938f6cd..ed239cf93 100644 --- a/.github/workflows/green_master.yaml +++ b/.github/workflows/green_master.yaml @@ -22,7 +22,7 @@ jobs: checks: read actions: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref || 'master' }} diff --git a/.github/workflows/performance_test.yaml b/.github/workflows/performance_test.yaml index d2b0f75a2..ede8abf07 100644 --- a/.github/workflows/performance_test.yaml +++ b/.github/workflows/performance_test.yaml @@ -32,7 +32,7 @@ jobs: PACKAGE_FILE: ${{ steps.package_file.outputs.PACKAGE_FILE }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 ref: ${{ github.event.inputs.ref }} @@ -52,7 +52,7 @@ jobs: id: package_file run: | echo "PACKAGE_FILE=$(find _packages/emqx -name 'emqx-*.deb' | head -n 1 | xargs basename)" >> $GITHUB_OUTPUT - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: emqx-ubuntu20.04 path: _packages/emqx/${{ steps.package_file.outputs.PACKAGE_FILE }} @@ -66,23 +66,23 @@ jobs: steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }} aws-region: eu-west-1 - name: Checkout tf-emqx-performance-test - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: emqx/tf-emqx-performance-test path: tf-emqx-performance-test ref: v0.2.3 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: emqx-ubuntu20.04 path: tf-emqx-performance-test/ - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 with: terraform_wrapper: false - name: run scenario @@ -105,7 +105,7 @@ jobs: terraform destroy -auto-approve aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id . - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload-file-path: "./tf-emqx-performance-test/slack-payload.json" - name: terraform destroy @@ -113,13 +113,13 @@ jobs: working-directory: ./tf-emqx-performance-test run: | terraform destroy -auto-approve - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: metrics path: | "./tf-emqx-performance-test/*.tar.gz" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: terraform @@ -137,23 +137,23 @@ jobs: steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }} aws-region: eu-west-1 - name: Checkout tf-emqx-performance-test - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: emqx/tf-emqx-performance-test path: tf-emqx-performance-test ref: v0.2.3 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: emqx-ubuntu20.04 path: tf-emqx-performance-test/ - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 with: terraform_wrapper: false - name: run scenario @@ -176,7 +176,7 @@ jobs: terraform destroy -auto-approve aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id . - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload-file-path: "./tf-emqx-performance-test/slack-payload.json" - name: terraform destroy @@ -184,13 +184,13 @@ jobs: working-directory: ./tf-emqx-performance-test run: | terraform destroy -auto-approve - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: metrics path: | "./tf-emqx-performance-test/*.tar.gz" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: terraform @@ -209,23 +209,23 @@ jobs: steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }} aws-region: eu-west-1 - name: Checkout tf-emqx-performance-test - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: emqx/tf-emqx-performance-test path: tf-emqx-performance-test ref: v0.2.3 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: emqx-ubuntu20.04 path: tf-emqx-performance-test/ - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 with: terraform_wrapper: false - name: run scenario @@ -249,7 +249,7 @@ jobs: terraform destroy -auto-approve aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id . - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload-file-path: "./tf-emqx-performance-test/slack-payload.json" - name: terraform destroy @@ -257,13 +257,13 @@ jobs: working-directory: ./tf-emqx-performance-test run: | terraform destroy -auto-approve - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: metrics path: | "./tf-emqx-performance-test/*.tar.gz" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: terraform @@ -283,23 +283,23 @@ jobs: steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }} aws-region: eu-west-1 - name: Checkout tf-emqx-performance-test - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: emqx/tf-emqx-performance-test path: tf-emqx-performance-test ref: v0.2.3 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: emqx-ubuntu20.04 path: tf-emqx-performance-test/ - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 with: terraform_wrapper: false - name: run scenario @@ -322,7 +322,7 @@ jobs: terraform destroy -auto-approve aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id . - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload-file-path: "./tf-emqx-performance-test/slack-payload.json" - name: terraform destroy @@ -330,13 +330,13 @@ jobs: working-directory: ./tf-emqx-performance-test run: | terraform destroy -auto-approve - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: metrics path: | "./tf-emqx-performance-test/*.tar.gz" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: terraform diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 4a0d0403f..2f441af88 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -31,12 +31,12 @@ jobs: strategy: fail-fast: false steps: - - uses: aws-actions/configure-aws-credentials@v2 + - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.tag }} - name: Detect profile @@ -132,7 +132,7 @@ jobs: checks: write actions: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: trigger re-run of app versions check on open PRs shell: bash env: diff --git a/.github/workflows/run_conf_tests.yaml b/.github/workflows/run_conf_tests.yaml index fc12787a8..5580ad520 100644 --- a/.github/workflows/run_conf_tests.yaml +++ b/.github/workflows/run_conf_tests.yaml @@ -25,7 +25,7 @@ jobs: - emqx - emqx-enterprise steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact @@ -40,7 +40,7 @@ jobs: if: failure() run: | cat _build/${{ matrix.profile }}/rel/emqx/logs/erlang.log.* - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: logs-${{ matrix.profile }} diff --git a/.github/workflows/run_docker_tests.yaml b/.github/workflows/run_docker_tests.yaml index a36806e9e..9315ac815 100644 --- a/.github/workflows/run_docker_tests.yaml +++ b/.github/workflows/run_docker_tests.yaml @@ -36,8 +36,8 @@ jobs: EMQX_IMAGE_OLD_VERSION_TAG: ${{ matrix.profile[1] }} steps: - - uses: actions/checkout@v3 - - uses: actions/download-artifact@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ env.EMQX_NAME }}-docker path: /tmp @@ -83,8 +83,8 @@ jobs: - mnesia - rlog steps: - - uses: actions/checkout@v3 - - uses: actions/download-artifact@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ env.EMQX_NAME }}-docker path: /tmp diff --git a/.github/workflows/run_emqx_app_tests.yaml b/.github/workflows/run_emqx_app_tests.yaml index 88e8e951a..f7c645aeb 100644 --- a/.github/workflows/run_emqx_app_tests.yaml +++ b/.github/workflows/run_emqx_app_tests.yaml @@ -36,7 +36,7 @@ jobs: shell: bash steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: run @@ -58,7 +58,7 @@ jobs: ./rebar3 eunit -v --name 'eunit@127.0.0.1' ./rebar3 as standalone_test ct --name 'test@127.0.0.1' -v --readable=true ./rebar3 proper -d test/props - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: logs-emqx-app-tests diff --git a/.github/workflows/run_helm_tests.yaml b/.github/workflows/run_helm_tests.yaml index e191100c4..e9ea3184f 100644 --- a/.github/workflows/run_helm_tests.yaml +++ b/.github/workflows/run_helm_tests.yaml @@ -42,10 +42,10 @@ jobs: - ssl1.3 - ssl1.2 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: source - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: "${{ env.EMQX_NAME }}-docker" path: /tmp @@ -165,7 +165,7 @@ jobs: fi sleep 1; done - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: emqx/paho.mqtt.testing ref: develop-5.0 diff --git a/.github/workflows/run_jmeter_tests.yaml b/.github/workflows/run_jmeter_tests.yaml index 0f22c6e84..e46a0b98e 100644 --- a/.github/workflows/run_jmeter_tests.yaml +++ b/.github/workflows/run_jmeter_tests.yaml @@ -7,13 +7,16 @@ on: required: true type: string +permissions: + contents: read + jobs: jmeter_artifact: runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }} steps: - name: Cache Jmeter id: cache-jmeter - uses: actions/cache@v3 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: /tmp/apache-jmeter.tgz key: apache-jmeter-5.4.3.tgz @@ -32,7 +35,7 @@ jobs: else wget --no-verbose --no-check-certificate -O /tmp/apache-jmeter.tgz $ARCHIVE_URL fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: apache-jmeter.tgz path: /tmp/apache-jmeter.tgz @@ -52,7 +55,7 @@ jobs: needs: jmeter_artifact steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/prepare-jmeter with: version-emqx: ${{ inputs.version-emqx }} @@ -83,7 +86,7 @@ jobs: echo "check logs failed" exit 1 fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: name: jmeter_logs @@ -108,7 +111,7 @@ jobs: needs: jmeter_artifact steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/prepare-jmeter with: version-emqx: ${{ inputs.version-emqx }} @@ -150,7 +153,7 @@ jobs: if: failure() run: | docker compose -f .ci/docker-compose-file/docker-compose-emqx-cluster.yaml logs --no-color > ./jmeter_logs/emqx.log - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: name: jmeter_logs @@ -172,7 +175,7 @@ jobs: needs: jmeter_artifact steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/prepare-jmeter with: version-emqx: ${{ inputs.version-emqx }} @@ -210,7 +213,7 @@ jobs: echo "check logs failed" exit 1 fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: name: jmeter_logs @@ -228,7 +231,7 @@ jobs: needs: jmeter_artifact steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/prepare-jmeter with: version-emqx: ${{ inputs.version-emqx }} @@ -262,7 +265,7 @@ jobs: echo "check logs failed" exit 1 fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: name: jmeter_logs @@ -281,7 +284,7 @@ jobs: needs: jmeter_artifact steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/prepare-jmeter with: version-emqx: ${{ inputs.version-emqx }} @@ -306,7 +309,7 @@ jobs: echo "check logs failed" exit 1 fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: name: jmeter_logs diff --git a/.github/workflows/run_relup_tests.yaml b/.github/workflows/run_relup_tests.yaml index 09638f51a..a93cee416 100644 --- a/.github/workflows/run_relup_tests.yaml +++ b/.github/workflows/run_relup_tests.yaml @@ -25,7 +25,7 @@ jobs: run: shell: bash steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: emqx-enterprise - name: extract artifact @@ -45,7 +45,7 @@ jobs: run: | export PROFILE='emqx-enterprise' make emqx-enterprise-tgz - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 name: Upload built emqx and test scenario with: name: emqx_built @@ -72,10 +72,10 @@ jobs: run: shell: bash steps: - - uses: erlef/setup-beam@v1.16.0 + - uses: erlef/setup-beam@a34c98fd51e370b4d4981854aba1eb817ce4e483 # v1.17.0 with: otp-version: 26.2.1 - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: hawk/lux ref: lux-2.8.1 @@ -88,7 +88,7 @@ jobs: ./configure make echo "$(pwd)/bin" >> $GITHUB_PATH - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 name: Download built emqx and test scenario with: name: emqx_built @@ -111,7 +111,7 @@ jobs: docker logs node2.emqx.io | tee lux_logs/emqx2.log exit 1 fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 name: Save debug data if: failure() with: diff --git a/.github/workflows/run_test_cases.yaml b/.github/workflows/run_test_cases.yaml index 788b992c7..0df6fa0f0 100644 --- a/.github/workflows/run_test_cases.yaml +++ b/.github/workflows/run_test_cases.yaml @@ -20,6 +20,9 @@ on: required: true type: string +permissions: + contents: read + env: IS_CI: "yes" @@ -38,7 +41,7 @@ jobs: container: "ghcr.io/emqx/emqx-builder/${{ matrix.builder }}:${{ matrix.elixir }}-${{ matrix.otp }}-ubuntu22.04" steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact @@ -61,7 +64,7 @@ jobs: CT_COVER_EXPORT_PREFIX: ${{ matrix.profile }}-${{ matrix.otp }} run: make proper - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: coverdata path: _build/test/cover @@ -80,7 +83,7 @@ jobs: shell: bash steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact @@ -105,7 +108,7 @@ jobs: ENABLE_COVER_COMPILE: 1 CT_COVER_EXPORT_PREFIX: ${{ matrix.profile }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} run: ./scripts/ct/run.sh --ci --app ${{ matrix.app }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: coverdata path: _build/test/cover @@ -113,7 +116,7 @@ jobs: - name: compress logs if: failure() run: tar -czf logs.tar.gz _build/test/logs - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: logs-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} @@ -134,7 +137,7 @@ jobs: shell: bash steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact @@ -151,7 +154,7 @@ jobs: CT_COVER_EXPORT_PREFIX: ${{ matrix.profile }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} run: | make "${{ matrix.app }}-ct" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: coverdata path: _build/test/cover @@ -160,7 +163,7 @@ jobs: - name: compress logs if: failure() run: tar -czf logs.tar.gz _build/test/logs - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: logs-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} @@ -191,7 +194,7 @@ jobs: profile: - emqx-enterprise steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact @@ -199,7 +202,7 @@ jobs: unzip -o -q ${{ matrix.profile }}.zip git config --global --add safe.directory "$GITHUB_WORKSPACE" - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 name: download coverdata with: name: coverdata diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 29f6610ce..228dafe20 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -23,12 +23,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif @@ -38,7 +38,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/spellcheck.yaml b/.github/workflows/spellcheck.yaml index 4fecadd31..e03a89c50 100644 --- a/.github/workflows/spellcheck.yaml +++ b/.github/workflows/spellcheck.yaml @@ -19,7 +19,7 @@ jobs: - emqx-enterprise runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }} steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: "${{ matrix.profile }}_schema_dump" path: /tmp/ diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 5dcb4a5fa..11afc7415 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -21,7 +21,7 @@ jobs: steps: - name: Close Stale Issues - uses: actions/stale@v6 + uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: days-before-stale: 7 days-before-close: 7 diff --git a/.github/workflows/static_checks.yaml b/.github/workflows/static_checks.yaml index 29c8384a0..a092210c8 100644 --- a/.github/workflows/static_checks.yaml +++ b/.github/workflows/static_checks.yaml @@ -30,14 +30,14 @@ jobs: include: ${{ fromJson(inputs.ct-matrix) }} container: "ghcr.io/emqx/emqx-builder/${{ matrix.builder }}:${{ matrix.elixir }}-${{ matrix.otp }}-ubuntu22.04" steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact run: | unzip -o -q ${{ matrix.profile }}.zip git config --global --add safe.directory "$GITHUB_WORKSPACE" - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: "emqx_dialyzer_${{ matrix.otp }}_plt" key: rebar3-dialyzer-plt-${{ matrix.profile }}-${{ matrix.otp }}-${{ hashFiles('rebar.*', 'apps/*/rebar.*') }} diff --git a/.github/workflows/upload-helm-charts.yaml b/.github/workflows/upload-helm-charts.yaml index 44261d137..2fb26b412 100644 --- a/.github/workflows/upload-helm-charts.yaml +++ b/.github/workflows/upload-helm-charts.yaml @@ -9,18 +9,21 @@ on: type: string required: true +permissions: + contents: read + jobs: upload: runs-on: ubuntu-22.04 strategy: fail-fast: false steps: - - uses: aws-actions/configure-aws-credentials@v2 + - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.tag }} - name: Detect profile diff --git a/scripts/bump-actions-versions.sh b/scripts/bump-actions-versions.sh new file mode 100755 index 000000000..61731fe2b --- /dev/null +++ b/scripts/bump-actions-versions.sh @@ -0,0 +1,21 @@ +#!/usr/bin/env bash + +set -euo pipefail + +actions=( 'actions/checkout' 'actions/cache' 'actions/stale' 'actions/upload-artifact' 'actions/download-artifact' 'aws-actions/configure-aws-credentials' 'ossf/scorecard-action' 'erlef/setup-beam' 'slackapi/slack-github-action' 'hashicorp/setup-terraform' 'docker/login-action' 'docker/setup-buildx-action' 'docker/setup-qemu-action' ) +for a in "${actions[@]}"; do + # shellcheck disable=SC2086 + TAG=$(curl -sSfL -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/$a/releases/latest | jq -r '.tag_name') + # shellcheck disable=SC2086 + TAG_OBJECT=$(curl -sSfL -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/$a/git/ref/tags/$TAG) + if [ "$(echo "${TAG_OBJECT}" | jq -r '.object.type')" = "commit" ]; then + COMMIT_SHA=$(echo "${TAG_OBJECT}" | jq -r '.object.sha') + else + TAG_SHA=$(echo "${TAG_OBJECT}" | jq -r '.object.sha') + # shellcheck disable=SC2086 + COMMIT_SHA=$(curl -sSfL -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/$a/git/tags/$TAG_SHA | jq -r '.object.sha') + fi + echo "Bumping $a to $TAG ($COMMIT_SHA)" + sed -i.bak -e "s|uses: $a.*$|uses: $a@$COMMIT_SHA # $TAG|g" .github/workflows/*.yaml + rm .github/workflows/*.bak +done