
Commit ba7d8c0

committed
Pin GitHub Actions to commit SHAs
Signed-off-by: Ritvi Bhatt <ribhatt@amazon.com>
1 parent 9da0962 commit ba7d8c0

7 files changed

Lines changed: 29 additions & 29 deletions

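--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -16,14 +16,14 @@ jobs:
 steps:
 - name: GitHub App token
 id: github_app_token
-uses: tibdex/github-app-token@v1.5.0
+uses: tibdex/github-app-token@1901dc7d52169e70c27a8da37aef0d423e2867a2 # v1.5.0
 with:
 app_id: ${{ secrets.APP_ID }}
 private_key: ${{ secrets.APP_PRIVATE_KEY }}
 installation_id: 22958780
 
 - name: Backport
-uses: VachaShah/backport@v2.2.0
+uses: VachaShah/backport@142d3b8a8c70dc54db515e653e5ed3c3fac64100 # v2.2.0
 with:
 github_token: ${{ steps.github_app_token.outputs.token }}
 head_template: backport/backport-<%= number %>-to-<%= base %>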

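--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,13 +26,13 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v2
+uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
 with:
 languages: ${{ matrix.language }}
 - name: Autobuild
-uses: github/codeql-action/autobuild@v2
+uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v2
+uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2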
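Review bot: The trailing comments on the new `uses:` lines in this file name floating major tags (`# v4`, `# v2`), so a reader cannot tell which release the pinned commit corresponds to or check the SHA against a tag; backport.yml in this same commit records exact versions (`# v1.5.0`, `# v2.2.0`), and these lines should do the same, e.g. `# vX.Y.Z` (placeholder) taken from the release the SHA was resolved from. The same applies to the `# v4` and `# v5` comments in the other workflow files of this commit. A SHA pin also stops the major tag from delivering fixes, so it is worth confirming that an updater (Dependabot or Renovate for the `github-actions` ecosystem) is configured for the repository; none is visible in this commit. That matters most for `github/codeql-action`, where the pin freezes the v2 line, which as far as I know is deprecated upstream.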

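--- a/.github/workflows/draft-release-notes-workflow.yml
+++ b/.github/workflows/draft-release-notes-workflow.yml
@@ -14,7 +14,7 @@ jobs:
 steps:
 # Drafts your next Release notes as Pull Requests are merged into "develop"
 - name: Update draft release notes
-uses: release-drafter/release-drafter@v5
+uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5
 with:
 config-name: draft-release-notes-config.yml
 tag: (None)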

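--- a/.github/workflows/integ-tests-with-security.yml
+++ b/.github/workflows/integ-tests-with-security.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
 Get-CI-Image-Tag:
-uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@main
+uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@c2498b758c08fb7bc48476509a5fc1b8dd5f7493 # main
 with:
 product: opensearch
 
@@ -32,10 +32,10 @@ jobs:
 - name: Run start commands
 run: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-start-command }}
 
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set up JDK ${{ matrix.java }}
-uses: actions/setup-java@v4
+uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 distribution: 'temurin'
 java-version: ${{ matrix.java }}
@@ -47,7 +47,7 @@ jobs:
 
 - name: Upload test reports
 if: ${{ always() }}
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 continue-on-error: true
 with:
 name: test-reports-${{ matrix.os }}-${{ matrix.java }}
@@ -66,10 +66,10 @@ jobs:
 runs-on: ${{ matrix.os }}
 
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set up JDK ${{ matrix.java }}
-uses: actions/setup-java@v4
+uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 distribution: 'temurin'
 java-version: ${{ matrix.java }}
@@ -79,7 +79,7 @@ jobs:
 
 - name: Upload test reports
 if: ${{ always() }}
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 continue-on-error: true
 with:
 name: test-reports-${{ matrix.os }}-${{ matrix.java }}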
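Review bot: The reusable-workflow pin at new line 14 is annotated `# main`, which records a branch name rather than a release, so the pinned commit cannot be matched to any published version and will fall behind `main` with nothing to signal that it needs a bump. This matters here because the job's `ci-image-start-command` output is executed verbatim by the `run:` step at line 33, so the pinned workflow presumably determines what runs on the runner. I would add a comment above the line recording when the SHA was taken and how it is refreshed, for example `# pinned to opensearch-build main as of YYYY-MM-DD (placeholder); refresh when get-ci-image-tag.yml changes`. The same applies to the identical pin in sql-test-and-build-workflow.yml and to the `lycheeverse/lychee-action` pin annotated `# master` in link-checker.yml, where pinning to the commit of a tagged release would let update tooling track it.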

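--- a/.github/workflows/link-checker.yml
+++ b/.github/workflows/link-checker.yml
@@ -13,10 +13,10 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: lychee Link Checker
 id: lychee
-uses: lycheeverse/lychee-action@master
+uses: lycheeverse/lychee-action@6da1d14f3a43098a294b7696d93d938aa8d20fc0 # master
 with:
 args: --accept=200,403,429,999 "./**/*.html" "./**/*.md" "./**/*.txt" --exclude "https://aws.oss.sonatype.*|https://central.sonatype.*|http://localhost.*|https://localhost|https://odfe-node1:9200/|https://community.tableau.com/docs/DOC-17978|.*family.zzz|opensearch*|.*@amazon.com|.*email.com|.*@github.com|http://timestamp.verisign.com/scripts/timstamp.dll"
 env: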

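--- a/.github/workflows/maven-publish.yml
+++ b/.github/workflows/maven-publish.yml
@@ -20,13 +20,13 @@ jobs:
 contents: write
 
 steps:
-- uses: actions/setup-java@v4
+- uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 distribution: temurin # Temurin is a distribution of adoptium
 java-version: 11
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Load secret
-uses: 1password/load-secrets-action@v2
+uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
 with:
 # Export loaded secrets as environment variables
 export-env: true
@@ -35,7 +35,7 @@ jobs:
 MAVEN_SNAPSHOTS_S3_REPO: op://opensearch-infra-secrets/maven-snapshots-s3/repo
 MAVEN_SNAPSHOTS_S3_ROLE: op://opensearch-infra-secrets/maven-snapshots-s3/role
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v5
+uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5
 with:
 role-to-assume: ${{ env.MAVEN_SNAPSHOTS_S3_ROLE }}
 aws-region: us-east-1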
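Review bot: The `actions/setup-java` pin at new line 23 is annotated `# v3`, but the line it replaces used `@v4` and the other workflows in this commit pin the action to `c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4`, so this looks like an unintended downgrade by one major version in the job that holds `contents: write` and loads the publishing credentials. If v4 was intended, the line should read `- uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4`; if v3 is deliberate, the commit message should say so, since its title describes a pin only. Either way the SHA should be verified against the upstream tag before merging, because the comment is the only thing tying the hash to a version.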

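--- a/.github/workflows/sql-test-and-build-workflow.yml
+++ b/.github/workflows/sql-test-and-build-workflow.yml
@@ -19,7 +19,7 @@ on:
 
 jobs:
 Get-CI-Image-Tag:
-uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@main
+uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@c2498b758c08fb7bc48476509a5fc1b8dd5f7493 # main
 with:
 product: opensearch
 
@@ -44,10 +44,10 @@ jobs:
 - name: Run start commands
 run: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-start-command }}
 
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set up JDK ${{ matrix.java }}
-uses: actions/setup-java@v4
+uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 distribution: 'temurin'
 java-version: ${{ matrix.java }}
@@ -70,20 +70,20 @@ jobs:
 # This step uses the codecov-action Github action: https://github.com/codecov/codecov-action
 - name: Upload SQL Coverage Report
 if: always()
-uses: codecov/codecov-action@v4
+uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
 with:
 flags: sql-engine
 token: ${{ secrets.CODECOV_TOKEN }}
 
 - name: Upload Artifacts
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: opensearch-sql-ubuntu-latest-${{ matrix.java }}
 path: opensearch-sql-builds
 
 - name: Upload test reports
 if: always()
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 continue-on-error: true
 with:
 name: test-reports-ubuntu-latest-${{ matrix.java }}
@@ -113,10 +113,10 @@ jobs:
 runs-on: ${{ matrix.entry.os }}
 
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set up JDK ${{ matrix.java }}
-uses: actions/setup-java@v4
+uses: actions/setup-java@1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 distribution: 'temurin'
 java-version: ${{ matrix.entry.java }}
@@ -130,7 +130,7 @@ jobs:
 cp -r ./plugin/build/distributions/*.zip opensearch-sql-builds/
 
 - name: Upload Artifacts
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: opensearch-sql-${{ matrix.entry.os }}-${{ matrix.entry.java }}
 path: opensearch-sql-builds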
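Review bot: The `actions/setup-java` ref at new line 119 is only 39 hex characters, `1e323688fd81a25caa38c78aa6df2d33d3e20d9`, while the same action is pinned at line 50 of this file and in integ-tests-with-security.yml as the 40-character `c1e323688fd81a25caa38c78aa6df2d33d3e20d9`; the leading `c` appears to have been dropped. A ref that is not a full commit SHA is not a pin: I would expect it either to fail to resolve and break the job, or to be looked up as a branch or tag name, which is exactly what pinning is meant to rule out. The line should read `uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4`. A CI lint that rejects any third-party `uses:` ref that is not exactly 40 hex characters would catch this class of typo.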
