
Commit d2f484b

authored
Merge pull request #443 from posit-dev/security/sha-pinning-and-zizmor
Pin actions to SHAs and add zizmor CI
2 parents 7f85416 + 1406831 commit d2f484b

8 files changed

Lines changed: 75 additions & 51 deletions


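--- a/.github/workflows/bakery-build-native.yml
+++ b/.github/workflows/bakery-build-native.yml
@@ -93,7 +93,7 @@ jobs:
 
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Install
 uses: "posit-dev/images-shared/setup-bakery@main"
@@ -131,7 +131,7 @@ jobs:
 
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup bakery
 uses: "posit-dev/images-shared/setup-bakery@main"
@@ -142,7 +142,7 @@ jobs:
 uses: "posit-dev/images-shared/setup-goss@ci-native-multiplatform"
 
 - name: Set up Docker
-uses: docker/setup-docker-action@v5
+uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5.0.0
 with:
 daemon-config: |
 {
@@ -151,10 +151,10 @@ jobs:
 }
 }
 - name: Setup docker buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
 - name: Setup ORAS CLI
-uses: oras-project/setup-oras@v2
+uses: oras-project/setup-oras@38de303aac69abb66f3e6255b7198bff35f323e3 # v2.0.0
 
 # Since secrets cannot be referenced in an `if` condition directly,
 # this step sets an output that we can reference later.
@@ -168,30 +168,30 @@ jobs:
 echo "ecr=$HAS_AWS_ROLE" >> $GITHUB_OUTPUT
 
 - name: Login to GitHub Container Registry
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Login to Docker Hub
 if: ${{ inputs.push && steps.filter-steps.outputs.docker-hub == 'true' }}
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 username: "posit"
 password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
 - name: Configure AWS Credentials
 if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }}
-uses: aws-actions/configure-aws-credentials@v6
+uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
 with:
 role-to-assume: ${{ secrets.AWS_ROLE }}
 aws-region: ${{ inputs.aws-region }}
 role-session-name: gha-bakery-build
 
 - name: Login to Amazon ECR
 if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }}
-uses: aws-actions/amazon-ecr-login@v2
+uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2.1.2
 
 - name: Normalize platform
 id: normalize-platform
@@ -248,7 +248,7 @@ jobs:
 --metadata-file "./${IMAGE_NAME}-${IMAGE_VERSION}-${NORMALIZED_PLATFORM}-metadata.json" \
 --context "$CONTEXT"
 - name: Upload Metadata
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: "${{ matrix.img.image }}-${{ matrix.img.version }}-${{ steps.normalize-platform.outputs.platform }}-metadata"
 path: "./${{ matrix.img.image }}-${{ matrix.img.version }}-${{ steps.normalize-platform.outputs.platform }}-metadata.json"
@@ -270,15 +270,15 @@ jobs:
 
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup bakery
 uses: "posit-dev/images-shared/setup-bakery@main"
 with:
 version: ${{ inputs.version }}
 
 - name: Set up Docker
-uses: docker/setup-docker-action@v5
+uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5.0.0
 with:
 daemon-config: |
 {
@@ -299,39 +299,39 @@ jobs:
 echo "ecr=$HAS_AWS_ROLE" >> $GITHUB_OUTPUT
 
 - name: Login to GitHub Container Registry
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Login to Docker Hub
 if: ${{ inputs.push && steps.filter-steps.outputs.docker-hub == 'true' }}
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 username: "posit"
 password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
 - name: Configure AWS Credentials
 if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }}
-uses: aws-actions/configure-aws-credentials@v6
+uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
 with:
 role-to-assume: ${{ secrets.AWS_ROLE }}
 aws-region: ${{ inputs.aws-region }}
 role-session-name: gha-bakery-build
 
 - name: Login to Amazon ECR
 if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }}
-uses: aws-actions/amazon-ecr-login@v2
+uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2.1.2
 
 - name: Setup docker buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
 - name: Setup ORAS CLI
-uses: oras-project/setup-oras@v2
+uses: oras-project/setup-oras@38de303aac69abb66f3e6255b7198bff35f323e3 # v2.0.0
 
 - name: Download Metadata
-uses: actions/download-artifact@v8
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 pattern: "${{ matrix.img.image }}-${{ matrix.img.version }}-*-metadata"
 merge-multiple: true
@@ -365,7 +365,7 @@ jobs:
 
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup bakery
 uses: "posit-dev/images-shared/setup-bakery@main"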
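Review bot: The pinning stops short of the first-party actions: `uses: "posit-dev/images-shared/setup-bakery@main"` (new-side lines 99, 137, 276 and 371) and `setup-goss@ci-native-multiplatform` (line 142) still resolve to mutable branch refs, so a push to either branch changes what every consumer runs without any diff appearing here; the same pattern remains in bakery-build.yml and clean.yml. If tracking a branch is deliberate for same-org actions, a comment such as `# same-org action; intentionally tracks main (see <policy-doc placeholder>)` would record that, otherwise pin them like the rest: `uses: posit-dev/images-shared/setup-bakery@<commit-sha> # <tag>`. The checkout steps in this file also keep the default `persist-credentials: true`, unlike the new zizmor job in ci.yml; where no later step in the job needs the persisted token, adding `with: persist-credentials: false` limits what any other action in that job can do with it. The jobs these steps belong to start outside the shown hunks.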

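--- a/.github/workflows/bakery-build.yml
+++ b/.github/workflows/bakery-build.yml
@@ -83,7 +83,7 @@ jobs:
 
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Install
 uses: "posit-dev/images-shared/setup-bakery@main"
@@ -113,7 +113,7 @@ jobs:
 
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup bakery
 uses: "posit-dev/images-shared/setup-bakery@main"
@@ -124,7 +124,7 @@ jobs:
 uses: "posit-dev/images-shared/setup-goss@main"
 
 - name: Setup QEMU
-uses: docker/setup-qemu-action@v4
+uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 
 # Since secrets cannot be referenced in an `if` condition directly,
 # this step sets an output that we can reference later.
@@ -138,33 +138,33 @@ jobs:
 echo "ecr=$HAS_AWS_ROLE" >> $GITHUB_OUTPUT
 
 - name: Login to GitHub Container Registry
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Login to Docker Hub
 if: ${{ inputs.push && steps.filter-steps.outputs.docker-hub == 'true' }}
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 username: "posit"
 password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
 - name: Configure AWS Credentials
 if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }}
-uses: aws-actions/configure-aws-credentials@v6
+uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
 with:
 role-to-assume: ${{ secrets.AWS_ROLE }}
 aws-region: ${{ inputs.aws-region }}
 role-session-name: gha-bakery-build
 
 - name: Login to Amazon ECR
 if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }}
-uses: aws-actions/amazon-ecr-login@v2
+uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2.1.2
 
 - name: Setup docker buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
 - name: Build
 env:
@@ -236,7 +236,7 @@ jobs:
 
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup bakery
 uses: "posit-dev/images-shared/setup-bakery@main"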

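--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -29,9 +29,10 @@ jobs:
 - bakery
 - bakery-native
 - release
+- zizmor
 
 steps:
-- uses: re-actors/alls-green@release/v1
+- uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
 with:
 jobs: ${{ toJSON(needs) }}
 
@@ -44,7 +45,7 @@ jobs:
 runs-on: ubuntu-latest-8x
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 fetch-tags: true
@@ -53,7 +54,7 @@ jobs:
 uses: ./setup-goss
 
 - name: Set up Docker
-uses: docker/setup-docker-action@v5
+uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5.0.0
 with:
 daemon-config: |
 {
@@ -63,26 +64,27 @@ jobs:
 }
 
 - name: Setup QEMU
-uses: docker/setup-qemu-action@v4
+uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 with:
 platforms: linux/amd64,linux/arm64
 
 - name: Setup docker buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
 - name: Setup hadolint
 uses: ./setup-hadolint
 
 - name: Setup ORAS CLI
-uses: oras-project/setup-oras@v2
+uses: oras-project/setup-oras@38de303aac69abb66f3e6255b7198bff35f323e3 # v2.0.0
 
 - name: Add tools/ to path
 run: echo "${GITHUB_WORKSPACE}/tools" >> $GITHUB_PATH
 
 - name: Setup uv
-uses: astral-sh/setup-uv@v7
+uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 python-version-file: "posit-bakery/pyproject.toml"
+enable-cache: false
 
 - name: Install dependencies
 working-directory: ./posit-bakery
@@ -113,7 +115,7 @@ jobs:
 always()
 && github.actor != 'dependabot[bot]'
 && github.event.pull_request.head.repo.fork != true
-uses: EnricoMi/publish-unit-test-result-action@v2
+uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2.23.0
 with:
 files: ./posit-bakery/results.xml
 
@@ -142,6 +144,18 @@ jobs:
 dev-versions: include
 
 
+zizmor:
+name: Zizmor
+runs-on: ubuntu-latest
+permissions:
+contents: read
+security-events: write
+steps:
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+- uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+
 with-macros-clean-caches:
 name: Clean Caches (with-macros suite)
 permissions:
@@ -190,15 +204,16 @@ jobs:
 
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 fetch-tags: true
 
 - name: Setup uv
-uses: astral-sh/setup-uv@v7
+uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 python-version-file: "posit-bakery/pyproject.toml"
+enable-cache: false
 
 - name: Install dependencies
 working-directory: ./posit-bakery
@@ -212,7 +227,7 @@ jobs:
 
 - name: Upload snapshot artifacts
 if: github.event_name == 'pull_request'
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: bakery-snapshot-pr${{ github.event.pull_request.number }}
 path: ./posit-bakery/dist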
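Review bot: `enable-cache: false` on the two setup-uv steps (new-side lines 87 and 216) lands without a comment, and the diff alone does not say why; presumably it answers a zizmor cache-related finding, but a one-line note above each, such as `# caching disabled on purpose: avoid reusing cache entries across trust boundaries`, keeps the next maintainer from quietly switching it back on. The new zizmor job sets `persist-credentials: false` on its checkout, while the other checkout steps in this file (new-side lines 48 and 207) keep the default; if those jobs never push or fetch with the token afterwards, the same setting there would make the file consistent. `security-events: write` on the zizmor job is only needed if the action uploads SARIF to code scanning; if it is configured to run in plain output mode, `contents: read` alone is enough. The jobs containing the setup-uv and checkout hunks start outside the shown lines.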

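--- a/.github/workflows/clean.yml
+++ b/.github/workflows/clean.yml
@@ -83,15 +83,15 @@ jobs:
 steps:
 
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup bakery
 uses: "posit-dev/images-shared/setup-bakery@main"
 with:
 version: ${{ inputs.version }}
 
 - name: Login to GitHub Container Registry
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -129,15 +129,15 @@ jobs:
 steps:
 
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup bakery
 uses: "posit-dev/images-shared/setup-bakery@main"
 with:
 version: ${{ inputs.version }}
 
 - name: Login to GitHub Container Registry
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}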
