Skip to content

Commit fd1e262

Browse files
skylenetskylenet
authored
chore(ci): update GitHub Actions to use pinned hashes (#921)
This PR updates GitHub Actions to use pinned commit hashes for better security.
1 parent a9058f5 commit fd1e262

6 files changed

Lines changed: 18 additions & 18 deletions

File tree

.github/actions/docker-login/action.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ runs:
2424
2525
- name: Login to Docker Hub
2626
if: env.AUTH_EXISTS == 'true'
27-
uses: docker/login-action@v3
27+
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
2828
with:
2929
username: ${{ inputs.username }}
3030
password: ${{ inputs.password }}

.github/workflows/check-typos.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ jobs:
1010
runs-on: ubuntu-latest
1111
steps:
1212
- name: Checkout repository
13-
uses: actions/checkout@v4
13+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
1414

1515
- name: Check for typos
1616
uses: crate-ci/typos@11ca4583f2f3f74c7e7785c0ecb20fe2c99a4308 # v1.29.5

.github/workflows/conventional-pr-title-checker.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,6 @@ jobs:
1717
title_check:
1818
runs-on: self-hosted-ghr-size-s-x64
1919
steps:
20-
- uses: amannn/action-semantic-pull-request@v5
20+
- uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5
2121
env:
2222
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/nightly.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ jobs:
1111
outputs:
1212
matrix: ${{ steps.set-matrix.outputs.matrix }}
1313
steps:
14-
- uses: actions/checkout@v4
14+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
1515
- id: set-matrix
1616
# List all yaml files in the .github/tests directory, except for the k8s.yaml file
1717
run: echo "matrix=$(ls ./.github/tests/*.yaml | grep -vE 'k8s.yaml$' | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
@@ -25,7 +25,7 @@ jobs:
2525
continue-on-error: true
2626
steps:
2727
- name: Checkout Repository
28-
uses: actions/checkout@v4
28+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
2929
- uses: ./.github/actions/docker-login
3030
with:
3131
username: ethpandaops
@@ -54,7 +54,7 @@ jobs:
5454
5555
- name: Notify
5656
if: (cancelled() || failure()) && env.discord_webhook_set == 'true'
57-
uses: nobrayner/discord-webhook@v1
57+
uses: nobrayner/discord-webhook@2f38abc8877c7e8d2b0ded0cfd9599632014279f # v1
5858
with:
5959
description: "The nightly test for ${{matrix.file_name}} on ethereum-package has failed find it here ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
6060
github-token: ${{ secrets.github_token }}
@@ -64,13 +64,13 @@ jobs:
6464
runs-on: ubuntu-latest
6565
steps:
6666
- name: Checkout Repository
67-
uses: actions/checkout@v4
67+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
6868
- uses: ./.github/actions/docker-login
6969
with:
7070
username: ethpandaops
7171
password: ${{ secrets.DOCKER_PASSWORD }}
7272
- name: Kurtosis Assertoor GitHub Action
73-
uses: ethpandaops/kurtosis-assertoor-github-action@v1
73+
uses: ethpandaops/kurtosis-assertoor-github-action@5932604b244dbd2ddb811516b516a9094f4d2c2f # v1
7474
with:
7575
kurtosis_extra_args: "--image-download always --non-blocking-tasks --verbosity DETAILED"
7676
ethereum_package_branch: ""

.github/workflows/per-pr.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ jobs:
1212
runs-on: ubuntu-latest
1313
steps:
1414
- name: Checkout Repository
15-
uses: actions/checkout@v4
15+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
1616
- uses: ./.github/actions/docker-login
1717
with:
1818
username: ethpandaops
@@ -39,7 +39,7 @@ jobs:
3939
runs-on: ubuntu-latest
4040
steps:
4141
- name: Checkout Repository
42-
uses: actions/checkout@v4
42+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
4343
- uses: ./.github/actions/docker-login
4444
with:
4545
username: ethpandaops
@@ -54,7 +54,7 @@ jobs:
5454
runs-on: self-hosted-ghr-size-s-x64
5555
steps:
5656
- name: Checkout Repository
57-
uses: actions/checkout@v4
57+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
5858
- name: Setup Kurtosis
5959
uses: ./.github/actions/kurtosis-install
6060
- name: Kurtosis Lint
@@ -65,13 +65,13 @@ jobs:
6565
timeout-minutes: 30
6666
steps:
6767
- name: Checkout Repository
68-
uses: actions/checkout@v4
68+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
6969
- uses: ./.github/actions/docker-login
7070
with:
7171
username: ethpandaops
7272
password: ${{ secrets.DOCKER_PASSWORD }}
7373
- name: Kurtosis Assertoor GitHub Action
74-
uses: ethpandaops/kurtosis-assertoor-github-action@v1
74+
uses: ethpandaops/kurtosis-assertoor-github-action@5932604b244dbd2ddb811516b516a9094f4d2c2f # v1
7575
with:
7676
ethereum_package_url: "."
7777
ethereum_package_branch: ""
@@ -80,7 +80,7 @@ jobs:
8080
# runs-on: ubuntu-latest
8181
# steps:
8282
# - name: Checkout Repository
83-
# uses: actions/checkout@v4
83+
# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
8484
# - name: Setup Kurtosis
8585
# uses: ./.github/actions/kurtosis-install
8686
# - name: Run L1

.github/workflows/run-k8s.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -20,11 +20,11 @@ jobs:
2020
runs-on: ubuntu-latest
2121
steps:
2222
- name: Checkout Repository
23-
uses: actions/checkout@v4
23+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
2424

2525
- name: Setup minikube
2626
id: minikube
27-
uses: medyagh/setup-minikube@latest
27+
uses: medyagh/setup-minikube@cea33675329b799adccc9526aa5daccc26cd5052 # latest
2828

2929
- name: Get kubeconfig
3030
id: kubeconfig
@@ -36,7 +36,7 @@ jobs:
3636
# run kurtosis test and assertoor
3737
- name: Run kurtosis testnet
3838
id: testnet
39-
uses: ethpandaops/kurtosis-assertoor-github-action@v1
39+
uses: ethpandaops/kurtosis-assertoor-github-action@5932604b244dbd2ddb811516b516a9094f4d2c2f # v1
4040
with:
4141
kurtosis_extra_args: "--image-download always --non-blocking-tasks --verbosity DETAILED"
4242
kurtosis_backend: "kubernetes"
@@ -62,7 +62,7 @@ jobs:
6262
6363
- name: Notify
6464
if: (cancelled() || failure()) && env.discord_webhook_set == 'true'
65-
uses: Ilshidur/action-discord@master
65+
uses: Ilshidur/action-discord@08d9328877d6954120eef2b07abbc79249bb6210 # master
6666
env:
6767
DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
6868
with:

0 commit comments

Comments
 (0)