Skip to content

Pin SHA1 to GHA + renovate config #3655

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rastut merged 2 commits into from
May 15, 2026
Merged

Pin SHA1 to GHA + renovate config #3655

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
679524a
Pin SHA1 to GHA + renovate config
rastut May 15, 2026
31a7601
Merge branch 'main' into pin-gha-to-sha-renovate-config
rastut May 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/renovate.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,12 @@
"matchPackageNames": ["python"],
"matchCurrentVersion": "3.10.19",
"allowedVersions": "<3.11"
},
{
"matchDepTypes": [
"action"
],
"pinDigests": true
}
]
}
10 changes: 5 additions & 5 deletions .github/workflows/_build-img-nucliadb.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,18 +52,18 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Generate a token
id: app-token
uses: actions/create-github-app-token@v3
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }}
private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }}
owner: nuclia

- name: Checkout tooling repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: nuclia/tooling
ref: main
Expand All @@ -72,14 +72,14 @@ jobs:

- name: Authenticate to Google Cloud
id: gcp-auth
uses: google-github-actions/auth@v3
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 #v3
with:
workload_identity_provider: "${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}"
service_account: "${{ env.GCP_SERVICE_ACCOUNT }}"
token_format: access_token

- name: Login to Google Artifact Registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0
with:
registry: europe-west4-docker.pkg.dev
username: oauth2accesstoken
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/bd_sca_scanner.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Calculate detect-args for BD SCA Scan
id: calculate-detect-args
Expand All @@ -32,7 +32,7 @@ jobs:

- name: Run Black Duck SCA PR Scan
id: blackduck-pr-scan
uses: blackduck-inc/black-duck-security-scan@v2
uses: blackduck-inc/black-duck-security-scan@659a0742e793a093377fab3117b0d90f23b04bfa # v2.9.0
env:
DETECT_PROJECT_NAME: nuclia-nucliadb
DETECT_PROJECT_GROUP_NAME: Nuclia
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/bump-version.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,36 +21,36 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Generate a token
id: app-token
uses: actions/create-github-app-token@v3
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }}
private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }}
owner: nuclia

- uses: actions/checkout@master
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
fetch-depth: 0

- run: python bump.py --sem=${{ inputs.semType }}

- name: Setup Python
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.14.2"

- name: Install uv
uses: astral-sh/setup-uv@v8.1.0
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0

# we update the lock to reflect the newly updated versions of our packages
- name: Update uv.lock
run: uv lock

- name: Commit & Push changes
uses: actions-js/push@master
uses: actions-js/push@5a7cbd780d82c0c937b5977586e641b2fd94acc5 # v1.5
with:
github_token: ${{ steps.app-token.outputs.token }}
Loading
Loading