From 68fc72fcc6cc03fedcd97ed78aac0516ea33347c Mon Sep 17 00:00:00 2001 From: Oleksii Syniakov <1282756+osyniakov@users.noreply.github.com> Date: Tue, 21 Oct 2025 09:50:44 +0200 Subject: [PATCH] Pin GitHubAction dependencies. See quickwit-oss#5937 --- .github/workflows/cbench.yml | 10 ++++----- .github/workflows/ci.yml | 22 +++++++++---------- .github/workflows/coverage.yml | 10 ++++----- .github/workflows/dependency.yml | 4 ++-- .github/workflows/publish_cross_images.yml | 4 ++-- .github/workflows/publish_docker_images.yml | 22 +++++++++---------- .github/workflows/publish_lambda_packages.yml | 4 ++-- .../workflows/publish_nightly_packages.yml | 4 ++-- .../workflows/publish_release_packages.yml | 4 ++-- .github/workflows/ui-ci.yml | 6 ++--- 10 files changed, 45 insertions(+), 45 deletions(-) diff --git a/.github/workflows/cbench.yml b/.github/workflows/cbench.yml index 6a966489274..43fd0b5e065 100644 --- a/.github/workflows/cbench.yml +++ b/.github/workflows/cbench.yml @@ -40,7 +40,7 @@ jobs: run: | echo 'users=["ddelemeny", "fmassot", "fulmicoton", "guilload", "PSeitz", "rdettai", "trinity-1686a"]' >> $GITHUB_OUTPUT - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 if: contains(fromJSON(steps.authorized-users.outputs.users), github.actor) && github.event_name == 'pull_request_target' name: Checkout quickwit (pull request commit) with: @@ -48,7 +48,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} path: ./quickwit - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 if: contains(fromJSON(steps.authorized-users.outputs.users), github.actor) && github.event_name != 'pull_request_target' name: Checkout quickwit with: 
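Review bot: The first checkout in cbench.yml still fetches `github.event.pull_request.head.sha` inside a `pull_request_target` run, and pinning `actions/checkout` to a SHA does not change that the job then operates on pull-request code in a context that can reach the base repository's secrets. The only gate visible here is `contains(fromJSON(steps.authorized-users.outputs.users), github.actor)`. `github.actor` is whoever triggered the run, which is not necessarily the author of the commits at the head SHA, so also comparing `github.event.pull_request.user.login` against the list may be closer to the intent. The `with:` block is cut between this hunk and the next, so I cannot see whether `persist-credentials: false` is set; if it is not, I would add it to this step.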
@@ -57,7 +57,7 @@ jobs: path: ./quickwit - name: Checkout benchmarking code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 if: contains(fromJSON(steps.authorized-users.outputs.users), github.actor) with: repository: quickwit-oss/benchmarks @@ -68,7 +68,7 @@ jobs: run: rustup update stable - name: Install protoc - uses: taiki-e/install-action@v2 + uses: taiki-e/install-action@80466ef8efa80486cdfbddf929453a4f3565c791 # v2.62.34 with: tool: protoc @@ -103,7 +103,7 @@ jobs: run: | echo "::error title=User not allowed to run the benchmark::User must be in list ${{ steps.authorized-users.outputs.users }}" - name: Add a PR comment with comparison results - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 if: contains(fromJSON(steps.authorized-users.outputs.users), github.actor) && github.event_name == 'pull_request_target' # Inspired from: https://github.com/actions/github-script/blob/60a0d83039c74a4aee543508d2ffcb1c3799cdea/.github/workflows/pull-request-test.yml with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 41de4779f43..9f7a3ad697d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,10 +45,10 @@ jobs: --health-timeout 5s --health-retries 5 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Ubuntu packages run: sudo apt-get -y install protobuf-compiler python3 - - uses: dorny/paths-filter@v3 + - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: modified with: filters: | 
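Review bot: Nothing ties the trailing `# v2.62.34` comment on `taiki-e/install-action` to the SHA that actually runs, so each pin should be checked against the upstream repository's own tag before merge, confirming that the commit belongs to that repository and not only that it resolves. The same applies to every other `uses:` line changed in this commit, and matters most for the third-party actions (`dorny/paths-filter`, `Swatinem/rust-cache`, `taiki-e/cache-cargo-install-action`, `codecov/codecov-action`, `sarisia/actions-status-discord`). The diffstat touches only workflow files, so if the repository does not already have an updater entry such as `package-ecosystem: "github-actions"`, these SHAs will stay frozen and miss upstream fixes. In that case the version comments would be the only hint of how stale the pins are.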
@@ -68,13 +68,13 @@ jobs: run: rustup show active-toolchain || rustup toolchain install working-directory: ./quickwit - name: Setup cache - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 if: steps.modified.outputs.rust_src == 'true' with: workspaces: "./quickwit -> target" - name: Install nextest if: always() && steps.modified.outputs.rust_src == 'true' - uses: taiki-e/cache-cargo-install-action@v2 + uses: taiki-e/cache-cargo-install-action@7447f04c51f2ba27ca35e7f1e28fab848c5b3ba7 # v2.3.1 with: tool: cargo-nextest - name: cargo nextest @@ -99,8 +99,8 @@ jobs: runs-on: "ubuntu-latest" timeout-minutes: 20 steps: - - uses: actions/checkout@v5 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: modified with: filters: | @@ -124,12 +124,12 @@ jobs: working-directory: ./quickwit - name: Setup cache if: steps.modified.outputs.rust_src == 'true' - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 with: workspaces: "./quickwit -> target" - name: Install cargo deny if: always() && steps.modified.outputs.rust_src == 'true' - uses: taiki-e/cache-cargo-install-action@v2 + uses: taiki-e/cache-cargo-install-action@7447f04c51f2ba27ca35e7f1e28fab848c5b3ba7 # v2.3.1 with: # 0.18 requires rustc 1.85 tool: cargo-deny@0.17.0 
@@ -158,12 +158,12 @@ jobs: name: Check Datadog third-party license file runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 # stable - name: Cache cargo tools - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.cargo/bin key: ${{ runner.os }}-cargo-tools-${{ hashFiles('**/Cargo.lock') }} diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 82609e14590..70c81c0f94f 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -103,7 +103,7 @@ jobs: PUBSUB_PROJECT1: "quickwit-emulator,emulator_topic:emulator_subscription" steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install lib libsasl2 run: | @@ -111,7 +111,7 @@ jobs: sudo apt install libsasl2-dev sudo apt install libsasl2-2 - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.cargo/git @@ -145,7 +145,7 @@ jobs: run: rustup update stable - name: Install cargo-llvm-cov, cargo-nextest, and protoc - uses: taiki-e/install-action@v2 + uses: taiki-e/install-action@80466ef8efa80486cdfbddf929453a4f3565c791 # v2.62.34 with: tool: cargo-llvm-cov,nextest,protoc @@ -160,7 +160,7 @@ jobs: working-directory: ./quickwit - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos files: ./quickwit/lcov.info 
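Review bot: In the ci.yml hunk at -158, `dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 # stable` is annotated with a branch name rather than a release. A reader therefore cannot tell which revision was captured, and an updater that reads version comments has nothing to compare against. This action normally derives the toolchain from the ref it is called with, so with a bare SHA the choice depends on which branch the commit came from, which is not visible on this line. I would make it explicit by adding `with:` and `toolchain: stable` under the step, so the SHA serves only as the action revision.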
@@ -172,7 +172,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Send Message - uses: sarisia/actions-status-discord@v1 + uses: sarisia/actions-status-discord@11a0bfe3b50977e38aa2bd4a4ebd296415e83c19 # v1.15.4 with: webhook: ${{ secrets.DISCORD_WEBHOOK }} nodetail: true diff --git a/.github/workflows/dependency.yml b/.github/workflows/dependency.yml index b6712648b9d..7160b818f07 100644 --- a/.github/workflows/dependency.yml +++ b/.github/workflows/dependency.yml @@ -14,9 +14,9 @@ jobs: runs-on: ubuntu-latest steps: - name: "Checkout Repository" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: "Dependency Review" - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@45529485b5eb76184ced07362d2331fd9d26f03f # v4.8.1 with: # This is an minor vuln on the rsa crate, used for # google storage. diff --git a/.github/workflows/publish_cross_images.yml b/.github/workflows/publish_cross_images.yml index ca1817103ac..436f7781621 100644 --- a/.github/workflows/publish_cross_images.yml +++ b/.github/workflows/publish_cross_images.yml @@ -16,9 +16,9 @@ jobs: name: production steps: - name: Check out the repo - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} diff --git a/.github/workflows/publish_docker_images.yml b/.github/workflows/publish_docker_images.yml index 927ed923696..6dda6654946 100644 --- a/.github/workflows/publish_docker_images.yml +++ b/.github/workflows/publish_docker_images.yml 
@@ -31,23 +31,23 @@ jobs: name: production steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | ${{ env.REGISTRY_IMAGE }} @@ -69,7 +69,7 @@ jobs: fi - name: Build and push image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 id: build with: context: . @@ -89,7 +89,7 @@ jobs: touch "/tmp/digests/${digest#sha256:}" - name: Upload digest - uses: actions/upload-artifact@v4.6.2 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: digest-${{ matrix.platform_suffix }} path: /tmp/digests/* @@ -102,18 +102,18 @@ jobs: environment: production steps: - name: Download digests - uses: actions/download-artifact@v5.0.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: pattern: digest-* path: /tmp/digests merge-multiple: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: ${{ env.REGISTRY_IMAGE }} flavor: | 
@@ -126,7 +126,7 @@ jobs: type=semver,pattern={{version}},suffix=-slim-bookworm type=ref,event=tag - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} diff --git a/.github/workflows/publish_lambda_packages.yml b/.github/workflows/publish_lambda_packages.yml index 01ed5ea70b7..2bac00871d2 100644 --- a/.github/workflows/publish_lambda_packages.yml +++ b/.github/workflows/publish_lambda_packages.yml @@ -10,7 +10,7 @@ jobs: name: Build Quickwit Lambdas runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Ubuntu packages run: sudo apt-get -y install protobuf-compiler python3 python3-pip - name: Install rustup @@ -44,7 +44,7 @@ jobs: echo "INDEXER_PACKAGE_LOCATION=./distribution/lambda/$(make indexer-package-path)" >> $GITHUB_ENV working-directory: ./distribution/lambda - name: Upload Lambda archives - uses: quickwit-inc/upload-to-github-release@v1 + uses: quickwit-inc/upload-to-github-release@98857380fc282f8075a62c6af230fe92bd93aff8 # v1.3.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/publish_nightly_packages.yml b/.github/workflows/publish_nightly_packages.yml index 5c47886d33a..f64b54ee993 100644 --- a/.github/workflows/publish_nightly_packages.yml +++ b/.github/workflows/publish_nightly_packages.yml @@ -14,7 +14,7 @@ jobs: matrix: target: [x86_64-apple-darwin, aarch64-apple-darwin] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ./.github/actions/cargo-build-macos-binary with: target: ${{ matrix.target }} 
@@ -28,7 +28,7 @@ jobs: name: Build ${{ matrix.target }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ./.github/actions/cross-build-binary with: target: ${{ matrix.target }} diff --git a/.github/workflows/publish_release_packages.yml b/.github/workflows/publish_release_packages.yml index 0f6f8af3996..f04afda33a0 100644 --- a/.github/workflows/publish_release_packages.yml +++ b/.github/workflows/publish_release_packages.yml @@ -14,7 +14,7 @@ jobs: target: [x86_64-apple-darwin, aarch64-apple-darwin] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Extract asset version run: echo "ASSET_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV - uses: ./.github/actions/cargo-build-macos-binary @@ -30,7 +30,7 @@ jobs: name: Build ${{ matrix.target }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Extract asset version run: echo "ASSET_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV - uses: ./.github/actions/cross-build-binary diff --git a/.github/workflows/ui-ci.yml b/.github/workflows/ui-ci.yml index 5c6e9d68e14..1313b96dee1 100644 --- a/.github/workflows/ui-ci.yml +++ b/.github/workflows/ui-ci.yml @@ -58,8 +58,8 @@ jobs: RUSTDOCFLAGS: -Dwarnings -Arustdoc::private_intra_doc_links QW_TEST_DATABASE_URL: postgres://quickwit-dev:quickwit-dev@postgres:5432/quickwit-metastore-dev steps: - - uses: actions/checkout@v5 - - uses: actions/setup-node@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: 20 cache: "yarn" 
@@ -71,7 +71,7 @@ jobs: working-directory: ./quickwit - name: Setup Rust cache if: matrix.task.name == 'Cypress run' - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 with: workspaces: "./quickwit -> target" - name: ${{ matrix.task.name }}