From 5eb68b3e671ec25b7df8ccfb8d67ca76dfe7e84e Mon Sep 17 00:00:00 2001
From: Maru Newby
Date: Thu, 20 Mar 2025 18:55:50 -0700
Subject: [PATCH] [ci] Use SHAs instead of tags for 3rd-party github actions

We should be able to trust that built-in actions (actions/*) have stable tags, but for everything else a SHA should be preferred to a tag to avoid the possibility of a supply-chain attack.
---
 .github/actions/install-nix/action.yml | 2 +-
 .github/actions/run-monitored-tmpnet-cmd/action.yml | 2 +-
 .github/workflows/buf-push.yml | 2 +-
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/codeql-analysis.yml | 4 ++--
 .github/workflows/labels.yml | 2 +-
 .github/workflows/publish_antithesis_images.yml | 2 +-
 .github/workflows/trigger-antithesis-avalanchego.yml | 2 +-
 .github/workflows/trigger-antithesis-xsvm.yml | 2 +-
 9 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/actions/install-nix/action.yml b/.github/actions/install-nix/action.yml
index 49028a397dbb..add0d2971be6 100644
--- a/.github/actions/install-nix/action.yml
+++ b/.github/actions/install-nix/action.yml
@@ -10,7 +10,7 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: cachix/install-nix-action@v30
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 #v30
       with:
         github_access_token: ${{ inputs.github_token }}
     - run: nix develop --command echo "dependencies installed"
diff --git a/.github/actions/run-monitored-tmpnet-cmd/action.yml b/.github/actions/run-monitored-tmpnet-cmd/action.yml
index cbc07af9711f..74274602b44b 100644
--- a/.github/actions/run-monitored-tmpnet-cmd/action.yml
+++ b/.github/actions/run-monitored-tmpnet-cmd/action.yml
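Review bot: The version marker on the new `uses:` line is written `#v30` with no space after the hash; yamllint's `comments` rule expects `# v30`, and the spaced `# vN` form is the one Dependabot's github-actions updater recognises when it bumps a SHA pin and rewrites the trailing version comment with it (confirm against whichever updater the repo uses). Suggest `- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30`. The same `#vN` form is repeated on every pin in this patch, so the fix applies across all nine files.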
@@ -45,7 +45,7 @@ runs:
     # - Avoid using the install-nix custom action since a relative
     # path wouldn't be resolveable from other repos and an absolute
     # path would require setting a version.
-    - uses: cachix/install-nix-action@v30
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 #v30
       with:
         github_access_token: ${{ inputs.github_token }}
     - run: nix develop --command echo "dependencies installed"
diff --git a/.github/workflows/buf-push.yml b/.github/workflows/buf-push.yml
index 47fde85a1f87..b60a36b56bf5 100644
--- a/.github/workflows/buf-push.yml
+++ b/.github/workflows/buf-push.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: bufbuild/buf-action@v1
+      - uses: bufbuild/buf-action@2232f407651f19e7e011fe9fe1dad409ae3c2e9b #v1
         with:
           input: "proto"
           # Breaking changes are managed by the rpcchainvm protocol version.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cf7bc2e42684..bd4f1e8c57b3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -138,7 +138,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: bufbuild/buf-action@v1
+      - uses: bufbuild/buf-action@2232f407651f19e7e011fe9fe1dad409ae3c2e9b #v1
         with:
           input: "proto"
           pr_comment: false
@@ -155,7 +155,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-go-for-project
-      - uses: bufbuild/buf-action@v1
+      - uses: bufbuild/buf-action@2232f407651f19e7e011fe9fe1dad409ae3c2e9b #v1
         with:
           setup_only: true
           version: 1.35.0
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9a1446deb746..93b0add94dc4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
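Review bot: `actions/checkout@v4` on the context line directly above the new pin in buf-push.yml (and in both ci.yml hunks) is still resolved through a mutable tag, so each of these jobs still trusts that tag never being retargeted. GitHub's own workflow-hardening guidance recommends pinning every third-party-style `uses:` reference, first-party actions included, to a full-length commit SHA; the commit message's carve-out for `actions/*` is a policy choice rather than a technical guarantee, since `v4` can be moved by anyone with write access to that repository. If the carve-out is kept deliberately, record it next to the remaining tag refs so the mix of SHAs and tags is not read as an oversight, e.g. `- uses: actions/checkout@v4 # first-party: tag pin accepted by policy`, or pin it the same way as the others with `- uses: actions/checkout@<full-sha> # v4`.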
@@ -47,7 +47,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@d7eaefbfa6606a4adc96bdf7b9ba23d7fa931e69 #v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,4 +56,4 @@ jobs:
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@d7eaefbfa6606a4adc96bdf7b9ba23d7fa931e69 #v3
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 5aeb70546212..0dce81d2472e 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -19,6 +19,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: crazy-max/ghaction-github-labeler@v5
+      - uses: crazy-max/ghaction-github-labeler@31674a3852a9074f2086abcf1c53839d466a47e7 #v5
         with:
           dry-run: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/publish_antithesis_images.yml b/.github/workflows/publish_antithesis_images.yml
index f8dbebfe4438..509a6a03b60c 100644
--- a/.github/workflows/publish_antithesis_images.yml
+++ b/.github/workflows/publish_antithesis_images.yml
@@ -25,7 +25,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Login to GAR
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3
         with:
           registry: ${{ env.REGISTRY }}
           username: _json_key
diff --git a/.github/workflows/trigger-antithesis-avalanchego.yml b/.github/workflows/trigger-antithesis-avalanchego.yml
index 6dc37bc19e0b..43d9f76c98a2 100644
--- a/.github/workflows/trigger-antithesis-avalanchego.yml
+++ b/.github/workflows/trigger-antithesis-avalanchego.yml
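Review bot: Pinning `github/codeql-action/init` and `analyze` to `d7eaefbfa6606a4adc96bdf7b9ba23d7fa931e69` freezes the scanner at one commit, so the fixes and query updates that `@v3` used to pull in on every run will stop arriving unless something bumps the pin, and nothing in this patch adds that. A `.github/dependabot.yml` entry with `package-ecosystem: github-actions` (or an equivalent Renovate rule) keeps SHA pins current and rewrites the trailing version comment along with them; I cannot see from this diff whether the repository already has one. Using the same commit for both `init` and `analyze` is the right call, and the two should be bumped together rather than independently. The same maintenance concern applies to every other pin in the patch, with `docker/login-action` in publish_antithesis_images.yml being the one that handles registry credentials and so the most worth keeping current.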
@@ -25,7 +25,7 @@ jobs:
     name: Run Antithesis Avalanchego Test Setup
     runs-on: ubuntu-latest
     steps:
-      - uses: antithesishq/antithesis-trigger-action@v0.7
+      - uses: antithesishq/antithesis-trigger-action@0843ed4168a88c305114511cd8bed2fe5ba352cb #v0.7
         with:
           notebook_name: avalanche
           tenant: avalanche
diff --git a/.github/workflows/trigger-antithesis-xsvm.yml b/.github/workflows/trigger-antithesis-xsvm.yml
index 1413ef9f6e5d..fa4936849339 100644
--- a/.github/workflows/trigger-antithesis-xsvm.yml
+++ b/.github/workflows/trigger-antithesis-xsvm.yml
@@ -25,7 +25,7 @@ jobs:
     name: Run Antithesis XSVM Test Setup
     runs-on: ubuntu-latest
     steps:
-      - uses: antithesishq/antithesis-trigger-action@v0.7
+      - uses: antithesishq/antithesis-trigger-action@0843ed4168a88c305114511cd8bed2fe5ba352cb #v0.7
         with:
           notebook_name: avalanche
           tenant: avalanche