
Commit 51bece3

authored
Pin GitHub Actions to commit SHAs (#5464)
Signed-off-by: Divya Madala <divyaasm@amazon.com>
1 parent 572a2cd commit 51bece3

19 files changed

Lines changed: 75 additions & 75 deletions

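--- a/.github/workflows/analytics-engine-compat.yml
+++ b/.github/workflows/analytics-engine-compat.yml
@@ -15,7 +15,7 @@ on:
 
 jobs:
 Get-CI-Image-Tag:
-uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@main
+uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@c2498b758c08fb7bc48476509a5fc1b8dd5f7493 # main
 with:
 product: opensearch
 
@@ -30,10 +30,10 @@ jobs:
 - name: Run start commands
 run: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-start-command }}
 
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set up JDK 25
-uses: actions/setup-java@v4
+uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 distribution: 'temurin'
 java-version: 25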
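Review bot: The trailing comments on the new `uses:` lines name moving refs (`# main` on the reusable workflow at new line 18, `# v4` on checkout and setup-java at new lines 33 and 36), so a reader cannot check which immutable release each 40-character SHA was resolved from. For the tagged actions, record the exact release, in the form `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder version; take it from the upstream tag that points at this commit). For the branch pins a branch name cannot be verified at all; `# main as of YYYY-MM-DD` (placeholder date) or a tagged release would make the pin auditable. The same applies to the `# main` pins in integ-tests-with-security.yml and issue-dedupe.yml, and to `lycheeverse/lychee-action@… # master` in link-checker.yml, which pins a third-party action to an untagged branch commit.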

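--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -16,14 +16,14 @@ jobs:
 steps:
 - name: GitHub App token
 id: github_app_token
-uses: tibdex/github-app-token@v1.5.0
+uses: tibdex/github-app-token@1901dc7d52169e70c27a8da37aef0d423e2867a2 # v1.5.0
 with:
 app_id: ${{ secrets.APP_ID }}
 private_key: ${{ secrets.APP_PRIVATE_KEY }}
 installation_id: 22958780
 
 - name: Backport
-uses: VachaShah/backport@v2.2.0
+uses: VachaShah/backport@142d3b8a8c70dc54db515e653e5ed3c3fac64100 # v2.2.0
 with:
 github_token: ${{ steps.github_app_token.outputs.token }}
 head_template: backport/backport-<%= number %>-to-<%= base %>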
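Review bot: Both pinned actions in this job handle credentials (`tibdex/github-app-token` receives `secrets.APP_PRIVATE_KEY`, `VachaShah/backport` receives the minted token), and the pins freeze them at `v1.5.0` and `v2.2.0`, so upstream security fixes no longer arrive on their own. Nothing on this page shows an updater for the `github-actions` ecosystem; if none exists, add a Dependabot (or equivalent) entry alongside this change so the SHAs are bumped through reviewed pull requests. `tibdex/github-app-token` also appears to be no longer maintained upstream (please confirm); the GitHub-maintained `actions/create-github-app-token` would be the replacement to evaluate in a follow-up. The job's `permissions:` block lies outside this hunk, so the token scope could not be checked here.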

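--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -27,17 +27,17 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v3
+uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 - name: Set up JDK 21
-uses: actions/setup-java@v3
+uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 distribution: temurin
 java-version: 21
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v2
+uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
 with:
 languages: ${{ matrix.language }}
 - name: Autobuild
-uses: github/codeql-action/autobuild@v2
+uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v2
+uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2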
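Review bot: The three `github/codeql-action/*` steps (new lines 37, 41 and 43) are pinned to a commit on the `v2` line, which GitHub has deprecated as far as I know, so the scanner is now frozen on a release that is unlikely to receive further query or engine updates. Pinning is right, but it would be better to pin a supported major and keep `init`, `autobuild` and `analyze` on one identical SHA, as they are here. A comment above the first of them, such as `# codeql-action: init/autobuild/analyze must share one SHA`, would keep a later bump from splitting them. `actions/checkout` and `actions/setup-java` are likewise pinned on `v3` in this file while other workflows in this commit use `v4`.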

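--- a/.github/workflows/delete_backport_branch.yml
+++ b/.github/workflows/delete_backport_branch.yml
@@ -12,7 +12,7 @@ jobs:
 if: startsWith(github.event.pull_request.head.ref,'backport/') || startsWith(github.event.pull_request.head.ref,'release-chores/')
 steps:
 - name: Delete merged branch
-uses: actions/github-script@v7
+uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 github.rest.git.deleteRef({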

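--- a/.github/workflows/draft-release-notes-workflow.yml
+++ b/.github/workflows/draft-release-notes-workflow.yml
@@ -14,7 +14,7 @@ jobs:
 steps:
 # Drafts your next Release notes as Pull Requests are merged into "develop"
 - name: Update draft release notes
-uses: release-drafter/release-drafter@v5
+uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5
 with:
 config-name: draft-release-notes-config.yml
 tag: (None)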

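--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@@ -7,7 +7,7 @@ jobs:
 enforce-label:
 runs-on: ubuntu-latest
 steps:
-- uses: yogevbd/enforce-label-action@2.1.0
+- uses: yogevbd/enforce-label-action@8d1e1709b1011e6d90400a0e6cf7c0b77aa5efeb # 2.1.0
 with:
 REQUIRED_LABELS_ANY: "breaking,feature,enhancement,bugFix,infrastructure,dependencies,documentation,maintenance,skip-changelog,testing,security fix"
 REQUIRED_LABELS_ANY_DESCRIPTION: "A release label is required: ['breaking', 'bugFix', 'dependencies', 'documentation', 'enhancement', 'feature', 'infrastructure', 'maintenance', 'skip-changelog', 'testing', 'security fix']"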

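--- a/.github/workflows/integ-tests-with-security.yml
+++ b/.github/workflows/integ-tests-with-security.yml
@@ -13,7 +13,7 @@ on:
 
 jobs:
 Get-CI-Image-Tag:
-uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@main
+uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@c2498b758c08fb7bc48476509a5fc1b8dd5f7493 # main
 with:
 product: opensearch
 
@@ -34,10 +34,10 @@ jobs:
 - name: Run start commands
 run: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-start-command }}
 
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set up JDK ${{ matrix.java }}
-uses: actions/setup-java@v4
+uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 distribution: 'temurin'
 java-version: ${{ matrix.java }}
@@ -49,7 +49,7 @@ jobs:
 
 - name: Upload test reports
 if: ${{ always() }}
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 continue-on-error: true
 with:
 name: test-reports-${{ matrix.os }}-${{ matrix.java }}
@@ -68,10 +68,10 @@ jobs:
 runs-on: ${{ matrix.os }}
 
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set up JDK ${{ matrix.java }}
-uses: actions/setup-java@v4
+uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 distribution: 'temurin'
 java-version: ${{ matrix.java }}
@@ -81,7 +81,7 @@ jobs:
 
 - name: Upload test reports
 if: ${{ always() }}
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 continue-on-error: true
 with:
 name: test-reports-${{ matrix.os }}-${{ matrix.java }}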

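--- a/.github/workflows/issue-dedupe.yml
+++ b/.github/workflows/issue-dedupe.yml
@@ -23,7 +23,7 @@ on:
 jobs:
 detect:
 if: (github.event_name == 'issues' && github.event.issue.user.type != 'Bot') || (github.event_name == 'workflow_dispatch' && inputs.job == 'detect')
-uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@main
+uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@c2498b758c08fb7bc48476509a5fc1b8dd5f7493 # main
 permissions:
 contents: read
 issues: write
@@ -36,7 +36,7 @@ jobs:
 
 auto-close:
 if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.job == 'auto-close')
-uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml@main
+uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml@c2498b758c08fb7bc48476509a5fc1b8dd5f7493 # main
 permissions:
 issues: write
 with: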

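--- a/.github/workflows/link-checker.yml
+++ b/.github/workflows/link-checker.yml
@@ -13,10 +13,10 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v3
+- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 - name: lychee Link Checker
 id: lychee
-uses: lycheeverse/lychee-action@master
+uses: lycheeverse/lychee-action@6da1d14f3a43098a294b7696d93d938aa8d20fc0 # master
 with:
 args: --accept=200,403,429,999 "./**/*.html" "./**/*.md" "./**/*.txt" --exclude "https://aws.oss.sonatype.*|https://ci.opensearch.*|https://central.sonatype.*|http://localhost.*|https://localhost|https://odfe-node1:9200/|https://community.tableau.com/docs/DOC-17978|.*family.zzz|opensearch*|.*@amazon.com|.*email.com|.*@github.com|http://timestamp.verisign.com/scripts/timstamp.dll"
 env: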

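--- a/.github/workflows/maven-publish-modules.yml
+++ b/.github/workflows/maven-publish-modules.yml
@@ -23,13 +23,13 @@ jobs:
 contents: write
 
 steps:
-- uses: actions/setup-java@v3
+- uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 distribution: temurin # Temurin is a distribution of adoptium
 java-version: 21
-- uses: actions/checkout@v3
+- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 - name: Load secret
-uses: 1password/load-secrets-action@v2
+uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
 with:
 # Export loaded secrets as environment variables
 export-env: true
@@ -38,7 +38,7 @@ jobs:
 MAVEN_SNAPSHOTS_S3_REPO: op://opensearch-infra-secrets/maven-snapshots-s3/repo
 MAVEN_SNAPSHOTS_S3_ROLE: op://opensearch-infra-secrets/maven-snapshots-s3/role
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v5
+uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5
 with:
 role-to-assume: ${{ env.MAVEN_SNAPSHOTS_S3_ROLE }}
 aws-region: us-east-1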
