pin scorecard workflow depepdencies by hash (#456)

ossf · May 14, 2021 · 6367cc4 · 6367cc4
1 parent 6437c93
commit 6367cc4
Show file tree

Hide file tree

Showing 8 changed files with 24 additions and 25 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -49,11 +49,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/[email protected]
+      uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@cb5810848de15b695cd9ef3b559dd178c43c7df3 # v1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -64,7 +64,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@cb5810848de15b695cd9ef3b559dd178c43c7df3 # v1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -78,4 +78,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@cb5810848de15b695cd9ef3b559dd178c43c7df3 # v1
diff --git a/.github/workflows/gitcache-docker.yaml b/.github/workflows/gitcache-docker.yaml
@@ -33,7 +33,7 @@ jobs:
     if: github.event_name == 'push'
 
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
       - name: Build image
         run: DOCKER_BUILDKIT=1 docker build . --file ./gitcache/Dockerfile --tag $IMAGE_NAME

diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
@@ -25,24 +25,24 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
         with:
           fetch-depth: 0
       -
         name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
         with:
           go-version: 1.16
       -
         name: Import GPG key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v3
+        uses: crazy-max/ghaction-import-gpg@b0793c0060c97f4ef0efbac949d476c6499b7775 # v3.1.0
         with:
           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
       -
         name: Run GoReleaser
-        uses: goreleaser/[email protected]
+        uses: goreleaser/goreleaser-action@5e15885530fb01d81d1f24e8a6f54ebbd0fed7eb # v2.5.0
         with:
           version: latest
           args: release --rm-dist

diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -50,22 +50,21 @@ jobs:
 
       - name: pull_request actions/checkout
         if: github.event_name == 'pull_request'
-        uses: actions/[email protected]
+        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
       - name: pull_request actions/checkout
         if: github.event_name == 'repository_dispatch'
-        uses: actions/[email protected]
+        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
         with:
           ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'
 
       - name: setup-go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
         with:
           go-version: '1.16'
 
       - name: Set up Cloud SDK
-        # https://github.com/google-github-actions/setup-gcloud/releases/tag/v0.2.1
-        uses: google-github-actions/setup-gcloud@daadedc81d5f9d3c06d2c92f49202a3cc2b919ba
+        uses: google-github-actions/setup-gcloud@daadedc81d5f9d3c06d2c92f49202a3cc2b919ba # v0.2.1
         with:
           project_id: ${{ secrets.GCP_PROJECT_ID }}
           service_account_key: ${{ secrets.GCRTOKEN }}
@@ -110,7 +109,7 @@ jobs:
 
       - name: find comment
         if: ${{ always() }}
-        uses: peter-evans/[email protected]
+        uses: peter-evans/find-comment@309ce798ba1c3627e3809dd68c694a29ef048fe2 # v1.2.0
         id: fc
         with:
           issue-number: ${{ github.event.pull_request.number || github.event.client_payload.pull_request.number }}
@@ -119,15 +118,15 @@ jobs:
 
       - name: create or update comment
         if: (${{ always() }})
-        uses: peter-evans/[email protected]
+        uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1.4.5
         with:
           issue-number: ${{ github.event.pull_request.number || github.event.client_payload.pull_request.number }}
           comment-id: ${{ steps.fc.outputs.comment-id }}
           body: |
             Integration tests ${{ job.status }} for [${{ github.event.client_payload.slash_command.args.named.sha || github.event.pull_request.head.sha }}](https://github.com/ossf/scorecard/actions/runs/${{ github.run_id }})
 
       - name: set fork job status
-        uses: actions/[email protected]
+        uses: actions/github-script@a3e7071a34d7e1f219a8a4de9a5e0a34d1ee1293 # v4.0.2
         if: ${{ always() }}
         id: update-check-run
         env:

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -22,24 +22,24 @@ jobs:
     if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
     steps:
       - name: Clone the code
-        uses: actions/[email protected]
+        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
         with:
           go-version: '^1.16'
       - name: Run presubmit tests
         run: make all
-      - uses: codecov/[email protected]
+      - uses: codecov/codecov-action@a1ed4b322b4b38cb846afb5a0ebfa17086917d27 # v1.5.0
         with:
           files: e2e/e2e.coverprofile,pkg/pkg.coverprofile,checks/checks.coverprofile
   license-check:
     name: license boilerplate check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/[email protected]
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+      - uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
         with:
           go-version: '1.16'
       - name: Install addlicense

diff --git a/.github/workflows/ok-to-test.yml b/.github/workflows/ok-to-test.yml
@@ -26,7 +26,7 @@ jobs:
     if: ${{ github.event.issue.pull_request }}
     steps:
     - name: Slash Command Dispatch
-      uses: peter-evans/[email protected]
+      uses: peter-evans/slash-command-dispatch@72ab5a2e417e454aa8e89c43b28e36fe331e00a5 # v2.1.3
       env:
         TOKEN: ${{ steps.generate_token.outputs.token }}
       with:

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -21,7 +21,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/[email protected]
+    - uses: actions/stale@3b3c3f03cd4d8e2b61e179ef744a0d20efbe90b4 # v3.0.18
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'Stale issue message'

diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -23,6 +23,6 @@ jobs:
     steps:
     - name: Verifier action
       id: verifier
-      uses: kubernetes-sigs/[email protected]
+      uses: kubernetes-sigs/kubebuilder-release-tools@4777888c377a26956f1831d5b9207eea1fa3bf29 # v0.1.1
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}