
Commit 5ec20d2

committed
Pin GitHub Action references to commit SHAs
1 parent a975ccb commit 5ec20d2

4 files changed

Lines changed: 51 additions & 26 deletions


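--- a/.github/workflows/IntegrationTesting.yaml
+++ b/.github/workflows/IntegrationTesting.yaml
@@ -15,18 +15,18 @@ jobs:
 
 steps:
 - name: Pull in source code from aws-xray-sdk-python Github repository
-uses: actions/checkout@v3
+uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 
 - name: Setup python
-uses: actions/setup-python@v4
+uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c #v4.9.1
 with:
 python-version: '3.8'
 
 - name: Build X-Ray Python SDK
 run: python setup.py sdist
 
 - name: Upload SDK build artifact
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 with:
 name: sdk-build-artifact
 path: .
@@ -37,15 +37,15 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v3
+- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 
 - name: Setup python
-uses: actions/setup-python@v4
+uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c #v4.9.1
 with:
 python-version: '3.8'
 
 - name: Download X-Ray SDK build artifact
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 #v4.3.0
 with:
 name: sdk-build-artifact
 path: ./sample-apps/flask
@@ -59,7 +59,7 @@ jobs:
 working-directory: ./sample-apps/flask
 
 - name: Upload WebApp with X-Ray SDK build artifact
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 with:
 name: sdk-flask-build-artifact
 path: ./sample-apps/flask/deploy.zip
@@ -71,24 +71,24 @@ jobs:
 
 steps:
 - name: Checkout X-Ray SDK to get terraform source
-uses: actions/checkout@v3
+uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 
 - name: Download WebApp with X-Ray SDK build artifact
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 #v4.3.0
 with:
 name: sdk-flask-build-artifact
 
 - name: Copy deployment package to terraform directory
 run: cp deploy.zip ./terraform
 
 - name: Configure AWS Credentials
-uses: aws-actions/configure-aws-credentials@v4
+uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
 aws-region: us-west-2
 
 - name: Setup Terraform
-uses: hashicorp/setup-terraform@v2
+uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 #v2.0.3
 
 - name: Terraform Init
 run: terraform init
@@ -112,7 +112,7 @@ jobs:
 working-directory: ./terraform
 
 - name: Upload terraform state files for destorying resources
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 with:
 name: terraform-state-artifact
 path: ./terraform
@@ -123,19 +123,19 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/setup-java@v3
+- uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 #v3.14.1
 with:
 distribution: 'zulu'
 java-version: 14
 
 - name: Configure AWS Credentials
-uses: aws-actions/configure-aws-credentials@v4
+uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
 aws-region: us-west-2
 
 - name: Checkout test framework
-uses: actions/checkout@v3
+uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 with:
 repository: aws-observability/aws-otel-test-framework
 ref: terraform
@@ -151,18 +151,18 @@ jobs:
 
 steps:
 - name: Download terraform state artifact
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 #v4.3.0
 with:
 name: terraform-state-artifact
 
 - name: Configure AWS Credentials
-uses: aws-actions/configure-aws-credentials@v4
+uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
 aws-region: us-west-2
 
 - name: Setup Terraform
-uses: hashicorp/setup-terraform@v2
+uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 #v2.0.3
 
 - name: Terraform Init
 run: terraform init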
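Review bot: In the `@@ -123,19` hunk the checkout of `aws-observability/aws-otel-test-framework` still uses `ref: terraform`, a mutable branch name, so that job is no more reproducible after this commit than the `@v3`/`@v4` tag references it replaces; if that repository is not under the team's control, pin `ref:` to a commit SHA with a `# <version or date>` comment in the same way the action references are pinned. The version comments are written as `#v3.6.0`; yamllint's comments rule expects a space after the hash (`# v3.6.0`), and, as far as I know, Dependabot and Renovate read that comment to keep the SHA and the version label in step, so the spaced form is the safer choice throughout. Without an automated updater for the `github-actions` ecosystem (not visible on this page), these pins stay where they are until someone edits them by hand, which the commit description could note, or a `.github/dependabot.yml` could address as a follow-up.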

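--- a/.github/workflows/Release.yaml
+++ b/.github/workflows/Release.yaml
@@ -14,11 +14,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout master branch
-uses: actions/checkout@v3
+uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 
 - name: Create Release
 id: create_release
-uses: actions/create-release@v1
+uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e #v1.1.4
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with: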
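Review bot: Pinning `actions/create-release` at the `id: create_release` step freezes a SHA of an action that, as far as I know, is archived upstream, so the pin removes the moving-tag risk but no fixes will ever arrive for that code path; the release step would be better served by the `gh release create` CLI available on GitHub-hosted runners or a maintained equivalent, which could be noted as a follow-up next to the pin (e.g. `#v1.1.4 — TODO: action is archived, migrate to gh release create`). The checkout pin is consistent with the rest of the commit.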

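--- a/.github/workflows/UnitTesting.yaml
+++ b/.github/workflows/UnitTesting.yaml
@@ -29,7 +29,7 @@ jobs:
 testenv: [core, ext]
 steps:
 - name: Checkout repo
-uses: actions/checkout@v3
+uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 
 - name: Start MySQL
 if: ${{ matrix.testenv == 'ext' }}
@@ -41,7 +41,7 @@ jobs:
 mysql -e "GRANT ALL PRIVILEGES ON test_dburl.* TO test_dburl_user@localhost;" -u${{ env.DB_USER }} -p${{ env.DB_PASSWORD }}
 mysql -e "FLUSH PRIVILEGES;" -u${{ env.DB_USER }} -p${{ env.DB_PASSWORD }}
 - name: Setup Python
-uses: actions/setup-python@v4
+uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c #v4.9.1
 with:
 python-version: ${{ env[matrix.python-version] }}
 
@@ -50,7 +50,7 @@ jobs:
 
 - name: Cache tox environment
 # Preserves .tox directory between runs for faster installs
-uses: actions/cache@v3
+uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c #v3.5.0
 with:
 path: |
 .tox
@@ -60,3 +60,28 @@ jobs:
 - name: Run tox
 run: |
 tox -f ${{ matrix.python-version }}-${{ matrix.testenv }}
+
+static-code-checks:
+runs-on: ubuntu-latest
+steps:
+
+- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
+with:
+fetch-depth: 0
+- name: Check for versioned GitHub actions
+if: always()
+run: |
+# Get changed GitHub workflow/action files
+CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
+
+if [ -n "$CHANGED_FILES" ]; then
+# Check for any versioned actions, excluding comments and this validation script
+VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
+if [ -n "$VIOLATIONS" ]; then
+echo "Found versioned GitHub actions. Use commit SHAs instead:"
+echo "$VIOLATIONS"
+exit 1
+fi
+fi
+
+echo "No versioned actions found in changed files"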
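Review bot: The filter in the new `static-code-checks` job is looser than its comment claims: `grep -v "#.*@v"` drops any line whose trailing comment mentions a version, so a line such as `uses: actions/checkout@v3 #v3` is not reported, and references like `@main` or `@1.2.3` never match `@v` in the first place. Inverting the test to require a 40-hex SHA after the `@` is more robust, e.g. `VIOLATIONS=$(grep -HnE '^[^#]*uses:[[:space:]]*[^[:space:]#]+@' $CHANGED_FILES | grep -vE '@[0-9a-f]{40}' | grep -v 'VIOLATIONS=' || true)`, which also keeps commented-out lines and the script's own line out of the result. `github.base_ref` is only populated for pull_request events; on any other trigger the range becomes `origin/..HEAD`, git fails, and the `|| true` on the `CHANGED_FILES` line turns that into an empty list and a green step, so if the workflow's `on:` block (outside this hunk) also lists push, the check is silently skipped there. The new job pins `actions/checkout` at `#5.0.0` while every other checkout in this commit is pinned to v3.6.0 and every other comment uses the `#vX.Y.Z` form; align both, and drop `if: always()` since the step has no reason to run when the checkout before it failed.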

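--- a/.github/workflows/continuous-monitoring.yml
+++ b/.github/workflows/continuous-monitoring.yml
@@ -14,15 +14,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repository
-uses: actions/checkout@v3
+uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 
 - name: Configure AWS Credentials
-uses: aws-actions/configure-aws-credentials@v4
+uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
 aws-region: us-east-1
 
-- uses: actions/setup-python@v4
+- uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c #v4.9.1
 with:
 python-version: '3.x'
 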
