From 8e143b9e4284dce0e42740052881e156c5c11336 Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Fri, 29 Sep 2023 16:42:24 +0000
Subject: [PATCH] chore(gha): pin actions with hash, add TODO for upgrades
Signed-off-by: Luca Guerra
---
 .github/workflows/codeql.yaml | 6 +++---
 .github/workflows/codespell.yml | 2 +-
 .../workflows/engine-version-weakcheck.yaml | 4 ++--
 .github/workflows/release.yaml | 2 +-
 .github/workflows/reusable_build_docker.yaml | 2 +-
 .../workflows/reusable_build_packages.yaml | 19 ++++++++++---------
 .../workflows/reusable_publish_docker.yaml | 10 +++++-----
 .../workflows/reusable_publish_packages.yaml | 16 ++++++++--------
 .github/workflows/reusable_test_packages.yaml | 6 +++---
 .github/workflows/staticanalysis.yaml | 2 +-
 10 files changed, 35 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index d1e69882e27..d877a0c2dc5 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -36,13 +36,13 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 with:
 fetch-depth: 0
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -72,4 +72,4 @@ jobs:
 popd
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index d6df95add86..fb986c11c64 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -6,7 +6,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- - uses: codespell-project/actions-codespell@master
+ - uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0
 with:
 skip: .git
 ignore_words_file: .codespellignore
diff --git a/.github/workflows/engine-version-weakcheck.yaml b/.github/workflows/engine-version-weakcheck.yaml
index d0fdfe14fc2..64103bf7aed 100644
--- a/.github/workflows/engine-version-weakcheck.yaml
+++ b/.github/workflows/engine-version-weakcheck.yaml
@@ -16,7 +16,7 @@ jobs:
 engine_version_changed: ${{ steps.filter.outputs.engine_version }}
 steps:
 - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- - uses: dorny/paths-filter@v2
+ - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
 id: filter
 with:
 filters: |
@@ -31,7 +31,7 @@ jobs:
 if: needs.paths-filter.outputs.engine_version_changed == 'false'
 steps:
 - name: Check driver Falco engine version
- uses: mshick/add-pr-comment@v2
+ uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
 with:
 message: |
 This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6fe3cbeb316..a90c849907c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -161,7 +161,7 @@ jobs:
 echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
 - name: Release
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
 with:
 body_path: ./release-body.md
 tag_name: ${{ github.event.release.tag_name }}
diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml
index eca7e4ef06d..0526d27f4f5 100644
--- a/.github/workflows/reusable_build_docker.yaml
+++ b/.github/workflows/reusable_build_docker.yaml
@@ -87,7 +87,7 @@ jobs:
 docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar
 - name: Upload images tarballs
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: falco-images
 path: /tmp/falco-*.tar
diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml
index f390a0388c7..958e824e2b3 100644
--- a/.github/workflows/reusable_build_packages.yaml
+++ b/.github/workflows/reusable_build_packages.yaml
@@ -32,7 +32,7 @@ jobs:
 make ProbeSkeleton -j6
 - name: Upload skeleton
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: bpf_probe_${{ inputs.arch }}.skel.h
 path: skeleton-build/skel_dir/bpf_probe.skel.h
@@ -53,10 +53,11 @@ jobs:
 yum install -y wget git make m4 rpm-build perl-IPC-Cmd
 - name: Checkout
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Download skeleton
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: bpf_probe_${{ inputs.arch }}.skel.h
 path: /tmp
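Review bot: The comment added above `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` explains why this job is held on the v3 line, but unlike every other held-back action in this commit it carries no `TODO` marker, so it will be missed by whoever later sweeps the "TODO needs to be updated" items. Staying a major behind on checkout in the centos 7 package job is a deliberate trade-off worth tracking, since fixes may not be backported to v3 indefinitely. I would reword it to `# TODO(centos7): checkout >= v4.0.0 is incompatible with centos 7's libc; re-evaluate when the builder moves off centos 7.` The job definition starts before this hunk.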
@@ -97,21 +98,21 @@ jobs:
 make package
 - name: Upload Falco tar.gz package
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
 path: |
 ${{ github.workspace }}/build/falco-*.tar.gz
 - name: Upload Falco deb package
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
 path: |
 ${{ github.workspace }}/build/falco-*.deb
 - name: Upload Falco rpm package
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
 path: |
@@ -154,7 +155,7 @@ jobs:
 mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz
 - name: Upload Falco static package
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: falco-${{ inputs.version }}-static-x86_64.tar.gz
 path: |
@@ -171,7 +172,7 @@ jobs:
 sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential git emscripten -y
 - name: Select node version
- uses: actions/setup-node@v3
+ uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
 with:
 node-version: 14
@@ -210,7 +211,7 @@ jobs:
 emmake make -j6 package
 - name: Upload Falco WASM package
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: falco-${{ inputs.version }}-wasm.tar.gz
 path: |
diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml
index e43e4cfd3f6..3010f00f40b 100644
--- a/.github/workflows/reusable_publish_docker.yaml
+++ b/.github/workflows/reusable_publish_docker.yaml
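Review bot: In the `@@ -171,7 +172,7 @@` hunk the setup-node action is now pinned, but the toolchain it installs, `node-version: 14`, is a Node release line that reached end-of-life in 2023 and no longer receives security fixes, which a pinned action does nothing to address. Whether the emscripten WASM build works on a newer LTS I cannot tell from here, so I would not bump it blind; at minimum mark it in the same style as the other deferred items, `node-version: 14 # TODO: EOL, move to a supported LTS once the wasm build is verified on it`. The WASM job's definition starts before this hunk.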
@@ -26,10 +26,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@v2 # TODO needs to be updated
 - name: Download images tarballs
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: falco-images
 path: /tmp/falco-images
@@ -39,7 +39,7 @@ jobs:
 for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
 - name: Login to Docker Hub
- uses: docker/login-action@v2
+ uses: docker/login-action@v2 # TODO needs to be updated
 with:
 username: ${{ secrets.DOCKERHUB_USER }}
 password: ${{ secrets.DOCKERHUB_SECRET }}
@@ -57,7 +57,7 @@ jobs:
 registry-type: public
 - name: Setup Crane
- uses: imjasonh/setup-crane@v0.3
+ uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
 with:
 version: v0.15.1
@@ -76,7 +76,7 @@ jobs:
 docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
 - name: Create no-driver manifest on Docker Hub
- uses: Noelware/docker-manifest-action@0.3.1
+ uses: Noelware/docker-manifest-action@0.3.1 # TODO needs to be updated (it might have cosign integration!)
 with:
 inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
 images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
diff --git a/.github/workflows/reusable_publish_packages.yaml b/.github/workflows/reusable_publish_packages.yaml
index fdd85a32fa6..fc247f73f94 100644
--- a/.github/workflows/reusable_publish_packages.yaml
+++ b/.github/workflows/reusable_publish_packages.yaml
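Review bot: `uses: docker/login-action@v2 # TODO needs to be updated` leaves the one step that is handed `secrets.DOCKERHUB_USER` and `secrets.DOCKERHUB_SECRET` on a mutable tag, which is exactly the step where a moved or compromised tag does the most damage, and this is the publishing workflow for the public falcosecurity images. Upgrading and pinning are separate concerns: the commit that `v2` resolves to today (`git ls-remote https://github.com/docker/login-action v2`) can be pinned now, with the TODO kept for the version bump, e.g. `uses: docker/login-action@<sha v2 resolves to> # v2 TODO needs to be updated`. The same applies to `docker/setup-buildx-action@v2` in the first hunk of this file, which runs in the same job with the same secrets in scope.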
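Review bot: In the `@@ -76,7 +76,7 @@` hunk, `uses: Noelware/docker-manifest-action@0.3.1` is a third-party action left on a release tag, and it runs after the Docker Hub login with push rights to the falcosecurity repositories, so a retagged 0.3.1 would execute with those credentials. Pin it to the commit hash behind 0.3.1 in the same `@<sha> # 0.3.1` form used elsewhere in this commit, independently of the planned upgrade. The cosign remark is a reasonable follow-up but belongs in its own TODO so it does not read as the reason the pin was deferred. The job definition starts before this hunk.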
@@ -38,37 +38,37 @@ jobs:
 # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
 # Note: master CI can only push dev packages as we have 2 different roles for master and release.
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v2
+ uses: aws-actions/configure-aws-credentials@v2 # TODO needs to be updated
 with:
 role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
 aws-region: ${{ env.AWS_S3_REGION }}
 - name: Download RPM x86_64
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: falco-${{ inputs.version }}-x86_64.rpm
 path: /tmp/falco-build-rpm
 - name: Download RPM aarch64
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: falco-${{ inputs.version }}-aarch64.rpm
 path: /tmp/falco-build-rpm
 - name: Download binary x86_64
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: falco-${{ inputs.version }}-x86_64.tar.gz
 path: /tmp/falco-build-bin
 - name: Download binary aarch64
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: falco-${{ inputs.version }}-aarch64.tar.gz
 path: /tmp/falco-build-bin
 - name: Download static binary x86_64
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: falco-${{ inputs.version }}-static-x86_64.tar.gz
 path: /tmp/falco-build-bin-static
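Review bot: `uses: aws-actions/configure-aws-credentials@v2 # TODO needs to be updated` is the step that obtains the credentials for the `github_actions-falco${{ inputs.bucket_suffix }}-s3` publishing role, and it stays on a floating major tag while every download-artifact step around it is hash-pinned. Whatever that role can write is reachable by any code the `v2` tag is moved to, so this is the wrong place to defer pinning; pin the commit `v2` currently resolves to and keep the TODO for the version bump, `uses: aws-actions/configure-aws-credentials@<sha v2 resolves to> # v2 TODO needs to be updated`. The job definition starts before this hunk.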
@@ -128,13 +128,13 @@ jobs:
 aws-region: ${{ env.AWS_S3_REGION }}
 - name: Download deb x86_64
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: falco-${{ inputs.version }}-x86_64.deb
 path: /tmp/falco-build-deb
 - name: Download deb aarch64
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: falco-${{ inputs.version }}-aarch64.deb
 path: /tmp/falco-build-deb
diff --git a/.github/workflows/reusable_test_packages.yaml b/.github/workflows/reusable_test_packages.yaml
index 8196349d238..8013f36d1dd 100644
--- a/.github/workflows/reusable_test_packages.yaml
+++ b/.github/workflows/reusable_test_packages.yaml
@@ -28,12 +28,12 @@ jobs:
 submodules: 'true'
 - name: Setup Go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@v3 # TODO needs to be updated
 with:
 go-version: '>=1.17.0'
 - name: Download binary
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}.tar.gz
@@ -84,7 +84,7 @@ jobs:
 - name: Test Summary
 if: always() # run this even if previous step fails
- uses: test-summary/action@v2
+ uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f # v2.1
 with:
 paths: "submodules/falcosecurity-testing/report.xml"
 show: "fail"
diff --git a/.github/workflows/staticanalysis.yaml b/.github/workflows/staticanalysis.yaml
index 7050ceeb9cd..1186c9e0bd6 100644
--- a/.github/workflows/staticanalysis.yaml
+++ b/.github/workflows/staticanalysis.yaml
@@ -25,7 +25,7 @@ jobs:
 make -j4 cppcheck_htmlreport
 - name: Upload reports ⬆️
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: static-analysis-reports
 path: ./build/static-analysis-reports
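Review bot: In the `@@ -28,12 +28,12 @@` hunk of reusable_test_packages.yaml, `uses: actions/setup-go@v3 # TODO needs to be updated` is left on a floating tag even though `actions/setup-node` in the same commit was pinned at its current v3 release; the deferral is less dangerous here (first-party org, test job) but it is the only `actions/*` reference in the patch still unpinned, and the same "pin now, bump later" form would keep the policy uniform. Separately, `go-version: '>=1.17.0'` resolves to whatever the newest Go available to the runner is, so two runs of this test job are not guaranteed to use the same toolchain; if reproducibility matters, consider a fixed minor such as `go-version: '1.21'` (adjust to what the tests are known to pass on). The job definition starts before this hunk.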