From 63191b40a3ffe22f9d0cc459fa69ad676a65ccbb Mon Sep 17 00:00:00 2001 From: Divya Madala Date: Thu, 21 May 2026 14:48:55 -0700 Subject: [PATCH] Pin GitHub Actions to commit SHAs for supply chain security Signed-off-by: Divya Madala --- .github/workflows/backport.yml | 4 +-- .../compatibility-data-prepper-api.yml | 4 +-- .../workflows/create-documentation-issue.yml | 6 ++--- .../data-prepper-aws-secrets-e2e-tests.yml | 6 ++--- ...kafka-backward-compatibility-e2e-tests.yml | 2 +- ...ytics-raw-span-compatibility-e2e-tests.yml | 2 +- ...per-trace-analytics-raw-span-e2e-tests.yml | 2 +- ...tics-raw-span-peer-forwarder-e2e-tests.yml | 4 +-- ...-trace-analytics-service-map-e2e-tests.yml | 2 +- .github/workflows/dco.yml | 4 +-- .github/workflows/delete_backport_branch.yml | 4 +-- .github/workflows/e2e-tests-log-analytics.yml | 2 +- .../workflows/e2e-tests-peer-forwarder.yml | 2 +- .../workflows/examples-trace-analytics.yml | 4 +-- .github/workflows/gradle-build-src.yml | 8 +++--- .github/workflows/gradle.yml | 10 +++---- .../kafka-plugin-integration-tests.yml | 10 +++---- .../kinesis-source-integration-tests.yml | 12 ++++----- .github/workflows/license-header-check.yml | 6 ++--- .github/workflows/license-header-comment.yml | 4 +-- .github/workflows/maven-publish-snapshot.yml | 6 ++--- ...arch-sink-opendistro-integration-tests.yml | 8 +++--- ...arch-sink-opensearch-integration-tests.yml | 12 ++++----- .../workflows/performance-test-compile.yml | 2 +- .github/workflows/release-prepare-branch.yml | 6 ++--- .github/workflows/release.yml | 26 +++++++++---------- .../workflows/staging-resources-cdk-check.yml | 4 +-- .../workflows/testing-resources-cdk-check.yml | 4 +-- .github/workflows/third-party-generate.yml | 6 ++--- 29 files changed, 86 insertions(+), 86 deletions(-) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index cc046cc5a3..ba9804cd77 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -15,14 +15,14 @@ jobs: steps: - name: GitHub App token id: github_app_token - uses: tibdex/github-app-token@v1.5.0 + uses: tibdex/github-app-token@1901dc7d52169e70c27a8da37aef0d423e2867a2 # v1.5.0 with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} installation_id: 22958780 - name: Backport - uses: VachaShah/backport@v1.1.4 + uses: VachaShah/backport@28c49d91ceec57d7c9f625f1031c1a4d637251f5 # v1.1.4 with: github_token: ${{ steps.github_app_token.outputs.token }} branch_name: backport/backport-${{ github.event.number }} \ No newline at end of file diff --git a/.github/workflows/compatibility-data-prepper-api.yml b/.github/workflows/compatibility-data-prepper-api.yml index 395f73696a..09a407506d 100644 --- a/.github/workflows/compatibility-data-prepper-api.yml +++ b/.github/workflows/compatibility-data-prepper-api.yml @@ -33,7 +33,7 @@ jobs: distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 @@ -49,7 +49,7 @@ jobs: - name: Upload Compatibility Report if: failure() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: library-compatibility-report path: ${{ github.workspace }}/data-prepper-api/build/reports/library-compatibility/report.html diff --git a/.github/workflows/create-documentation-issue.yml b/.github/workflows/create-documentation-issue.yml index b1e1c3318d..a90eb3cab5 100644 --- a/.github/workflows/create-documentation-issue.yml +++ b/.github/workflows/create-documentation-issue.yml @@ -14,14 +14,14 @@ jobs: steps: - name: GitHub App token id: github_app_token - uses: tibdex/github-app-token@v1.5.0 + uses: tibdex/github-app-token@1901dc7d52169e70c27a8da37aef0d423e2867a2 # v1.5.0 with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} installation_id: 22958780 - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Edit the issue template run: | @@ -29,7 +29,7 @@ jobs: - name: Create Issue From File id: create-issue - uses: peter-evans/create-issue-from-file@v4 + uses: peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f # v4 with: title: Add documentation related to new feature content-filepath: ./ci/documentation/issue.md diff --git a/.github/workflows/data-prepper-aws-secrets-e2e-tests.yml b/.github/workflows/data-prepper-aws-secrets-e2e-tests.yml index 5ecf47732a..c60bcebee6 100644 --- a/.github/workflows/data-prepper-aws-secrets-e2e-tests.yml +++ b/.github/workflows/data-prepper-aws-secrets-e2e-tests.yml @@ -24,12 +24,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Git clone the repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha }} - name: configure aws credentials id: creds - uses: aws-actions/configure-aws-credentials@v5 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5 with: role-to-assume: ${{ secrets.TEST_IAM_ROLE_ARN }} aws-region: ${{ secrets.TEST_REGION }} @@ -50,7 +50,7 @@ jobs: java-version: 11 distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: diff --git a/.github/workflows/data-prepper-kafka-backward-compatibility-e2e-tests.yml b/.github/workflows/data-prepper-kafka-backward-compatibility-e2e-tests.yml index cdab5d4153..9a881b14d8 100644 --- a/.github/workflows/data-prepper-kafka-backward-compatibility-e2e-tests.yml +++ b/.github/workflows/data-prepper-kafka-backward-compatibility-e2e-tests.yml @@ -25,7 +25,7 @@ jobs: java-version: 11 distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: diff --git a/.github/workflows/data-prepper-trace-analytics-raw-span-compatibility-e2e-tests.yml b/.github/workflows/data-prepper-trace-analytics-raw-span-compatibility-e2e-tests.yml index 92c4054192..9f9c2cdf6e 100644 --- a/.github/workflows/data-prepper-trace-analytics-raw-span-compatibility-e2e-tests.yml +++ b/.github/workflows/data-prepper-trace-analytics-raw-span-compatibility-e2e-tests.yml @@ -25,7 +25,7 @@ jobs: java-version: 11 distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: diff --git a/.github/workflows/data-prepper-trace-analytics-raw-span-e2e-tests.yml b/.github/workflows/data-prepper-trace-analytics-raw-span-e2e-tests.yml index 035ab5a5a2..189c83cdd1 100644 --- a/.github/workflows/data-prepper-trace-analytics-raw-span-e2e-tests.yml +++ b/.github/workflows/data-prepper-trace-analytics-raw-span-e2e-tests.yml @@ -26,7 +26,7 @@ jobs: java-version: 11 distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: diff --git a/.github/workflows/data-prepper-trace-analytics-raw-span-peer-forwarder-e2e-tests.yml b/.github/workflows/data-prepper-trace-analytics-raw-span-peer-forwarder-e2e-tests.yml index 6cfa58614c..3982d4d189 100644 --- a/.github/workflows/data-prepper-trace-analytics-raw-span-peer-forwarder-e2e-tests.yml +++ b/.github/workflows/data-prepper-trace-analytics-raw-span-peer-forwarder-e2e-tests.yml @@ -25,7 +25,7 @@ jobs: java-version: 11 distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: @@ -34,7 +34,7 @@ jobs: run: ./gradlew -PendToEndJavaVersion=${{ matrix.java }} :e2e-test:trace:rawSpanPeerForwarderEndToEndTest - name: Upload test results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: raw-span-peer-forwarder-e2e-results-java-${{ matrix.java }} path: '**/test-results/**/*.xml' diff --git a/.github/workflows/data-prepper-trace-analytics-service-map-e2e-tests.yml b/.github/workflows/data-prepper-trace-analytics-service-map-e2e-tests.yml index 7911e16aae..cdd840562b 100644 --- a/.github/workflows/data-prepper-trace-analytics-service-map-e2e-tests.yml +++ b/.github/workflows/data-prepper-trace-analytics-service-map-e2e-tests.yml @@ -25,7 +25,7 @@ jobs: java-version: 11 distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml index cf30ea89dc..4b1bb710eb 100644 --- a/.github/workflows/dco.yml +++ b/.github/workflows/dco.yml @@ -9,10 +9,10 @@ jobs: steps: - name: Get PR Commits id: 'get-pr-commits' - uses: tim-actions/get-pr-commits@v1.1.0 + uses: tim-actions/get-pr-commits@55b867b9b28954e6f5c1a0fe2f729dc926c306d0 # v1.1.0 with: token: ${{ secrets.GITHUB_TOKEN }} - name: DCO Check - uses: tim-actions/dco@v1.1.0 + uses: tim-actions/dco@f2279e6e62d5a7d9115b0cb8e837b777b1b02e21 # v1.1.0 with: commits: ${{ steps.get-pr-commits.outputs.commits }} diff --git a/.github/workflows/delete_backport_branch.yml b/.github/workflows/delete_backport_branch.yml index 5881df9279..658de42374 100644 --- a/.github/workflows/delete_backport_branch.yml +++ b/.github/workflows/delete_backport_branch.yml @@ -10,6 +10,6 @@ jobs: if: startsWith(github.event.pull_request.head.ref,'backport/') steps: - name: Delete merged branch - uses: SvanBoxel/delete-merged-branch@main + uses: SvanBoxel/delete-merged-branch@2b5b058e3db41a3328fd9a6a58fd4c2545a14353 #main env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/e2e-tests-log-analytics.yml b/.github/workflows/e2e-tests-log-analytics.yml index 92f408549f..dd07cc50c7 100644 --- a/.github/workflows/e2e-tests-log-analytics.yml +++ b/.github/workflows/e2e-tests-log-analytics.yml @@ -27,7 +27,7 @@ jobs: distribution: temurin java-version: 11 - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: diff --git a/.github/workflows/e2e-tests-peer-forwarder.yml b/.github/workflows/e2e-tests-peer-forwarder.yml index 4758abb160..603aac36f3 100644 --- a/.github/workflows/e2e-tests-peer-forwarder.yml +++ b/.github/workflows/e2e-tests-peer-forwarder.yml @@ -27,7 +27,7 @@ jobs: distribution: temurin java-version: 11 - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: diff --git a/.github/workflows/examples-trace-analytics.yml b/.github/workflows/examples-trace-analytics.yml index 73fb81a97a..017dfcbc93 100644 --- a/.github/workflows/examples-trace-analytics.yml +++ b/.github/workflows/examples-trace-analytics.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Build Sample App working-directory: examples/trace-analytics-sample-app @@ -41,7 +41,7 @@ jobs: distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 diff --git a/.github/workflows/gradle-build-src.yml b/.github/workflows/gradle-build-src.yml index 88bb95608b..b4a64b1257 100644 --- a/.github/workflows/gradle-build-src.yml +++ b/.github/workflows/gradle-build-src.yml @@ -38,7 +38,7 @@ jobs: distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: @@ -47,7 +47,7 @@ jobs: run: ./gradlew -p buildSrc check - name: Upload Unit Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: data-prepper-test-results-java-${{ matrix.java }} path: '**/test-results/**/*.xml' @@ -60,11 +60,11 @@ jobs: steps: - name: Download Artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: test-results - name: Publish Unit Test Results - uses: EnricoMi/publish-unit-test-result-action@v1 + uses: EnricoMi/publish-unit-test-result-action@b9f6c61d965bcaa18acc02d6daf706373a448f02 # v1 with: files: "test-results/**/*.xml" diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index 7324221958..140a75d13c 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml @@ -24,7 +24,7 @@ jobs: java-version: ${{ matrix.java }} distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: @@ -33,12 +33,12 @@ jobs: run: ./gradlew --parallel --max-workers 2 build - name: Upload Unit Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: data-prepper-test-results-java-${{ matrix.java }} path: '**/test-results/**/*.xml' - name: Upload Coverage Report - uses: codecov/codecov-action@v1 + uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1 - name: Generate Javadocs run: ./gradlew --parallel javadoc @@ -50,11 +50,11 @@ jobs: steps: - name: Download Artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: test-results - name: Publish Unit Test Results - uses: EnricoMi/publish-unit-test-result-action@v1 + uses: EnricoMi/publish-unit-test-result-action@b9f6c61d965bcaa18acc02d6daf706373a448f02 # v1 with: files: "test-results/**/*.xml" diff --git a/.github/workflows/kafka-plugin-integration-tests.yml b/.github/workflows/kafka-plugin-integration-tests.yml index 12ce9630de..fcb2c9f773 100644 --- a/.github/workflows/kafka-plugin-integration-tests.yml +++ b/.github/workflows/kafka-plugin-integration-tests.yml @@ -36,7 +36,7 @@ jobs: java-version: ${{ matrix.java }} distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: @@ -53,7 +53,7 @@ jobs: - name: Configure AWS credentials id: aws-credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: role-to-assume: ${{ secrets.TEST_IAM_ROLE_ARN }} aws-region: ${{ secrets.TEST_REGION }} @@ -76,7 +76,7 @@ jobs: - name: Upload Unit Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: data-prepper-kafka-integration-tests-kafka-${{ matrix.kafka }}-java-${{ matrix.java }} path: '**/test-results/**/*.xml' @@ -89,11 +89,11 @@ jobs: steps: - name: Download Artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: test-results - name: Publish Unit Test Results - uses: EnricoMi/publish-unit-test-result-action@v1 + uses: EnricoMi/publish-unit-test-result-action@b9f6c61d965bcaa18acc02d6daf706373a448f02 # v1 with: files: "test-results/**/*.xml" diff --git a/.github/workflows/kinesis-source-integration-tests.yml b/.github/workflows/kinesis-source-integration-tests.yml index 709f94ca7d..e01b713037 100644 --- a/.github/workflows/kinesis-source-integration-tests.yml +++ b/.github/workflows/kinesis-source-integration-tests.yml @@ -24,13 +24,13 @@ jobs: steps: - name: Git clone the repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha }} - name: configure aws credentials id: creds - uses: aws-actions/configure-aws-credentials@v5 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5 with: role-to-assume: ${{ secrets.TEST_IAM_ROLE_ARN }} aws-region: ${{ secrets.TEST_REGION }} @@ -49,7 +49,7 @@ jobs: distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 @@ -62,7 +62,7 @@ jobs: -Dtests.kinesis.source.aws.region=us-east-1 --tests KinesisSourceIT - name: Upload Unit Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: data-prepper-kinesis-source-integration-tests-java-${{ matrix.java }} path: '**/test-results/**/*.xml' @@ -75,11 +75,11 @@ jobs: steps: - name: Download Artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: test-results - name: Publish Unit Test Results - uses: EnricoMi/publish-unit-test-result-action@v1 + uses: EnricoMi/publish-unit-test-result-action@b9f6c61d965bcaa18acc02d6daf706373a448f02 # v1 with: files: "test-results/**/*.xml" \ No newline at end of file diff --git a/.github/workflows/license-header-check.yml b/.github/workflows/license-header-check.yml index db74a68f64..95b92d958a 100644 --- a/.github/workflows/license-header-check.yml +++ b/.github/workflows/license-header-check.yml @@ -23,12 +23,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.14' @@ -43,7 +43,7 @@ jobs: - name: Upload results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: license-check-results path: | diff --git a/.github/workflows/license-header-comment.yml b/.github/workflows/license-header-comment.yml index efea14b001..706997d268 100644 --- a/.github/workflows/license-header-comment.yml +++ b/.github/workflows/license-header-comment.yml @@ -28,7 +28,7 @@ jobs: steps: - name: Download results - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: license-check-results run-id: ${{ github.event.workflow_run.id }} @@ -39,7 +39,7 @@ jobs: run: echo "number=$(cat pr_number.txt)" >> "$GITHUB_OUTPUT" - name: Comment on PR - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const fs = require('fs'); diff --git a/.github/workflows/maven-publish-snapshot.yml b/.github/workflows/maven-publish-snapshot.yml index e0204bab7b..908bd41156 100644 --- a/.github/workflows/maven-publish-snapshot.yml +++ b/.github/workflows/maven-publish-snapshot.yml @@ -21,7 +21,7 @@ jobs: java-version: 11 - name: Checkout Data Prepper - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 @@ -29,7 +29,7 @@ jobs: add-job-summary: on-failure - name: Load secret - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 with: # Export loaded secrets as environment variables export-env: true @@ -39,7 +39,7 @@ jobs: MAVEN_SNAPSHOTS_S3_ROLE: op://opensearch-infra-secrets/maven-snapshots-s3/role - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v5 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5 with: role-to-assume: ${{ env.MAVEN_SNAPSHOTS_S3_ROLE }} aws-region: us-east-1 diff --git a/.github/workflows/opensearch-sink-opendistro-integration-tests.yml b/.github/workflows/opensearch-sink-opendistro-integration-tests.yml index 91de7aac19..1960ff42bd 100644 --- a/.github/workflows/opensearch-sink-opendistro-integration-tests.yml +++ b/.github/workflows/opensearch-sink-opendistro-integration-tests.yml @@ -39,7 +39,7 @@ jobs: java-version: ${{ matrix.java }} - name: Checkout Data Prepper - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 @@ -59,7 +59,7 @@ jobs: ./gradlew :data-prepper-plugins:opensearch:integrationTest -Dtests.opensearch.host=localhost:9200 -Dtests.opensearch.user=admin -Dtests.opensearch.password=admin -Dtests.opensearch.bundle=true -Dtests.opensearch.version=opendistro:${{ matrix.opendistro }} - name: Upload Unit Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: data-prepper-opensearch-integration-tests-opendistro-${{ matrix.opendistro }}-java-${{ matrix.java }} path: '**/test-results/**/*.xml' @@ -72,11 +72,11 @@ jobs: steps: - name: Download Artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: test-results - name: Publish Unit Test Results - uses: EnricoMi/publish-unit-test-result-action@v1 + uses: EnricoMi/publish-unit-test-result-action@b9f6c61d965bcaa18acc02d6daf706373a448f02 # v1 with: files: "test-results/**/*.xml" diff --git a/.github/workflows/opensearch-sink-opensearch-integration-tests.yml b/.github/workflows/opensearch-sink-opensearch-integration-tests.yml index 5bd77ac2ac..2de03dcb82 100644 --- a/.github/workflows/opensearch-sink-opensearch-integration-tests.yml +++ b/.github/workflows/opensearch-sink-opensearch-integration-tests.yml @@ -61,7 +61,7 @@ jobs: java-version: ${{ matrix.java }} - name: Checkout Data Prepper - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 @@ -88,7 +88,7 @@ jobs: ./gradlew :data-prepper-plugins:opensearch:integrationTest -Dtests.opensearch.host=localhost:9200 -Dtests.opensearch.user=admin -Dtests.opensearch.password="$PASSWORD" -Dtests.opensearch.bundle=true -Dtests.opensearch.version=opensearch:${{ matrix.opensearch }} - name: Upload Unit Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: data-prepper-opensearch-integration-tests-opensearch-${{ matrix.opensearch }}-java-${{ matrix.java }} path: '**/test-results/**/*.xml' @@ -113,7 +113,7 @@ jobs: java-version: ${{ matrix.java }} - name: Checkout Data Prepper - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 @@ -198,7 +198,7 @@ jobs: - name: Upload Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: data-prepper-opensearch-mtls-integration-tests-${{ matrix.opensearch }}-java-${{ matrix.java }} path: '**/test-results/**/*.xml' @@ -211,11 +211,11 @@ jobs: steps: - name: Download Artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: test-results - name: Publish Unit Test Results - uses: EnricoMi/publish-unit-test-result-action@v1 + uses: EnricoMi/publish-unit-test-result-action@b9f6c61d965bcaa18acc02d6daf706373a448f02 # v1 with: files: "test-results/**/*.xml" diff --git a/.github/workflows/performance-test-compile.yml b/.github/workflows/performance-test-compile.yml index dfd8ab9063..e9badd21a2 100644 --- a/.github/workflows/performance-test-compile.yml +++ b/.github/workflows/performance-test-compile.yml @@ -30,7 +30,7 @@ jobs: java-version: ${{ matrix.java }} distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: diff --git a/.github/workflows/release-prepare-branch.yml b/.github/workflows/release-prepare-branch.yml index e496dbed2a..1f669eecd4 100644 --- a/.github/workflows/release-prepare-branch.yml +++ b/.github/workflows/release-prepare-branch.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Validate release branch id: validate_branch @@ -93,14 +93,14 @@ jobs: - name: GitHub App token id: github_app_token - uses: tibdex/github-app-token@v2 + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2 with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} - name: Create Pull Request id: create_pr - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 with: token: ${{ steps.github_app_token.outputs.token }} add-paths: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cbe77b71fd..ce089c22ab 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,7 +41,7 @@ jobs: java-version: 11 distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: @@ -52,7 +52,7 @@ jobs: run: ./gradlew --parallel --max-workers 2 build - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6 with: role-to-assume: ${{ secrets.RELEASE_IAM_ROLE }} aws-region: us-east-1 @@ -71,7 +71,7 @@ jobs: - name: Log into Amazon ECR Public id: login-ecr - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: public.ecr.aws env: @@ -90,7 +90,7 @@ jobs: steps: - name: Checkout Data Prepper - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Get Version run: grep '^version=' gradle.properties >> $GITHUB_ENV @@ -119,7 +119,7 @@ jobs: steps: - name: Checkout Data Prepper - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Get Version run: grep '^version=' gradle.properties >> $GITHUB_ENV @@ -144,7 +144,7 @@ jobs: steps: - name: Checkout Data Prepper - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Get Version id: get_version run: | @@ -155,7 +155,7 @@ jobs: id: get_approvers run: | echo "approvers=$(cat .github/CODEOWNERS | grep @ | tr -d '* ' | sed 's/@/,/g' | sed 's/,//1')" >> $GITHUB_OUTPUT - - uses: trstringer/manual-approval@v1 + - uses: trstringer/manual-approval@74d99dff7380e3e4b122d4ededcbca2b6ce59367 # v1 with: secret: ${{ github.TOKEN }} approvers: ${{ steps.get_approvers.outputs.approvers }} @@ -182,7 +182,7 @@ jobs: echo 'release_latest_tag: ${{ github.event.inputs.release-latest-tag }}' >> release-description.yaml - name: Create tag - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 with: github-token: ${{ github.TOKEN }} script: | @@ -194,7 +194,7 @@ jobs: }) - name: Draft release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: draft: true name: '${{ env.version }}' @@ -208,7 +208,7 @@ jobs: steps: - name: Checkout Data Prepper - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 persist-credentials: false @@ -217,7 +217,7 @@ jobs: run: git fetch origin --tags - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 @@ -229,13 +229,13 @@ jobs: - name: GitHub App token id: github_app_token - uses: tibdex/github-app-token@v2 + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2 with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 with: token: ${{ steps.github_app_token.outputs.token }} add-paths: | diff --git a/.github/workflows/staging-resources-cdk-check.yml b/.github/workflows/staging-resources-cdk-check.yml index 61c2230eb3..aebbc71f86 100644 --- a/.github/workflows/staging-resources-cdk-check.yml +++ b/.github/workflows/staging-resources-cdk-check.yml @@ -22,12 +22,12 @@ jobs: working-directory: ./release/staging-resources-cdk steps: - name: Set up Node.js - uses: actions/setup-node@v2 + uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2 with: node-version: '16' - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Install NPM Dependencies run: npm install diff --git a/.github/workflows/testing-resources-cdk-check.yml b/.github/workflows/testing-resources-cdk-check.yml index bc030a85c7..93b7357292 100644 --- a/.github/workflows/testing-resources-cdk-check.yml +++ b/.github/workflows/testing-resources-cdk-check.yml @@ -19,12 +19,12 @@ jobs: working-directory: ./testing/aws-testing-cdk steps: - name: Set up Node.js - uses: actions/setup-node@v2 + uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2 with: node-version: '18' - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Install NPM Dependencies run: npm install diff --git a/.github/workflows/third-party-generate.yml b/.github/workflows/third-party-generate.yml index 02c09c7287..0285974370 100644 --- a/.github/workflows/third-party-generate.yml +++ b/.github/workflows/third-party-generate.yml @@ -17,7 +17,7 @@ jobs: java-version: 11 distribution: temurin - name: Checkout Data Prepper - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Set up Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: @@ -33,13 +33,13 @@ jobs: - name: GitHub App token id: github_app_token - uses: tibdex/github-app-token@v1.5.0 + uses: tibdex/github-app-token@1901dc7d52169e70c27a8da37aef0d423e2867a2 # v1.5.0 with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} - name: Create Pull Request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4 with: token: ${{ steps.github_app_token.outputs.token }} add-paths: THIRD-PARTY