diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 13467ee7f..9fccd6589 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -25,11 +25,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -38,7 +38,7 @@ jobs: # queries: ./path/to/local/query, your-org/your-repo/queries@main - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 diff --git a/.github/workflows/publish-serverless-init-to-ghcr.yml b/.github/workflows/publish-serverless-init-to-ghcr.yml index d4fe2ac13..d5bc2e963 100644 --- a/.github/workflows/publish-serverless-init-to-ghcr.yml +++ b/.github/workflows/publish-serverless-init-to-ghcr.yml @@ -43,7 +43,7 @@ jobs: crane version - name: Login to GHCR - uses: docker/login-action@v4 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/release-serverless-init.yml b/.github/workflows/release-serverless-init.yml index 7a4195fa4..9a0ddfbce 100644 --- a/.github/workflows/release-serverless-init.yml +++ b/.github/workflows/release-serverless-init.yml @@ -45,9 +45,9 @@ jobs: ] name: "Release Serverless Init (isAlpine: ${{ matrix.arrays.isAlpine }})" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: DataDog/datadog-agent ref: ${{ github.event.inputs.agentBranch }} @@ -66,7 +66,7 @@ jobs: image: tonistiigi/binfmt:qemu-v10.1.3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Build binaries working-directory: ./scripts @@ -87,7 +87,7 @@ jobs: cp ./scripts/serverless_init_dotnet.sh ./scripts/bin/ - name: Login to GHCR - uses: docker/login-action@v4 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -95,7 +95,7 @@ jobs: - name: Build and push id: docker_build - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: ./scripts file: ./scripts/${{ matrix.arrays.dockerFile }} @@ -106,7 +106,7 @@ jobs: - name: Build and push latest id: docker_build_latest - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 if: ${{ github.event.inputs.latestTag == 'yes' }} with: context: ./scripts diff --git a/.github/workflows/rs_ci.yml b/.github/workflows/rs_ci.yml index 8be49d3f7..cd260c61b 100644 --- a/.github/workflows/rs_ci.yml +++ b/.github/workflows/rs_ci.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 3 steps: - - uses: styfle/cancel-workflow-action@0.13.1 + - uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66 # v0.13.1 with: access_token: ${{ secrets.GITHUB_TOKEN }} all_but_latest: true # can cancel workflows scheduled later @@ -31,7 +31,7 @@ jobs: SCCACHE_GHA_ENABLED: "true" RUSTC_WRAPPER: "sccache" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Install protobuf compiler for linux. The versions bundled with Ubuntu # 20.04 and 22.04 are too old -- our messages require protobuf >= 3.15 -- @@ -44,10 +44,10 @@ jobs: unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local" export PATH="$PATH:$HOME/.local/bin" - - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3 + - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3 with: cache: false - - uses: mozilla-actions/sccache-action@v0.0.9 + - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - working-directory: bottlecap run: cargo check --workspace @@ -59,7 +59,7 @@ jobs: SCCACHE_GHA_ENABLED: "true" RUSTC_WRAPPER: "sccache" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Install protobuf compiler for linux. The versions bundled with Ubuntu # 20.04 and 22.04 are too old -- our messages require protobuf >= 3.15 -- @@ -72,11 +72,11 @@ jobs: unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local" export PATH="$PATH:$HOME/.local/bin" - - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3 + - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3 with: components: clippy cache: false - - uses: mozilla-actions/sccache-action@v0.0.9 + - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 # We need to do these separately because the fips feature is incompatible with the default feature. - working-directory: bottlecap run: cargo clippy --workspace --all-targets --features default @@ -91,7 +91,7 @@ jobs: SCCACHE_GHA_ENABLED: "true" RUSTC_WRAPPER: "sccache" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Install protobuf compiler for linux. The versions bundled with Ubuntu # 20.04 and 22.04 are too old -- our messages require protobuf >= 3.15 -- @@ -104,10 +104,10 @@ jobs: unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local" export PATH="$PATH:$HOME/.local/bin" - - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3 + - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3 with: cache: false - - uses: mozilla-actions/sccache-action@v0.0.9 + - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - working-directory: bottlecap run: cargo build --all @@ -119,7 +119,7 @@ jobs: SCCACHE_GHA_ENABLED: "true" RUSTC_WRAPPER: "sccache" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Install protobuf compiler for linux. The versions bundled with Ubuntu # 20.04 and 22.04 are too old -- our messages require protobuf >= 3.15 -- @@ -132,13 +132,13 @@ jobs: unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local" export PATH="$PATH:$HOME/.local/bin" - - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3 + - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3 with: cache: false - - uses: taiki-e/install-action@v2 + - uses: taiki-e/install-action@cbb1dcaa26e1459e2876c39f61c1e22a1258aac5 # v2.68.33 with: tool: nextest@0.9 - - uses: mozilla-actions/sccache-action@v0.0.9 + - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - working-directory: bottlecap run: cargo nextest run --workspace @@ -149,8 +149,8 @@ jobs: matrix: os: [ubuntu-22.04, macos-latest] steps: - - uses: actions/checkout@v6.0.2 - - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3 with: components: rustfmt cache: false @@ -163,7 +163,7 @@ jobs: name: "Valid LICENSE-3rdparty.csv" steps: - name: Checkout sources - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: cargo install dd-rust-license-tool --locked - run: dd-rust-license-tool check working-directory: bottlecap @@ -176,7 +176,7 @@ jobs: checks: write steps: - name: Checkout repository - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Scan Rust dependencies with cargo-audit uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 with: diff --git a/.github/workflows/test-qemu-versions.yml b/.github/workflows/test-qemu-versions.yml index 387cd95de..5bda19306 100644 --- a/.github/workflows/test-qemu-versions.yml +++ b/.github/workflows/test-qemu-versions.yml @@ -83,7 +83,7 @@ jobs: - "tonistiigi/binfmt:qemu-v7.0.0-28" name: "QEMU ${{ matrix.qemu_image }}" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up QEMU uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0 @@ -94,7 +94,7 @@ jobs: run: docker run --rm --privileged ${{ matrix.qemu_image }} --version - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 # Simple docker run tests — catches deterministically broken versions # (v9.2.0 and v8.1.5 consistently fail here; v8.1.4 is flaky).