diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..253bcb7 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 135801d..dd44e43 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,9 +17,9 @@ jobs: - labels: [self-hosted, linux, ARM64] system: aarch64-linux steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@v7 - - uses: DeterminateSystems/magic-nix-cache-action@v2 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: DeterminateSystems/nix-installer-action@5620eb4af6b562c53e4d4628c0b6e4f9d9ae8612 # v7 + - uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2 if: ${{ matrix.runs-on.system != 'aarch64-linux' }} #TODO: aarch64-linux build is crashing the runner - run: nix build .#amazonImage -L --system ${{ matrix.runs-on.system }} diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 8cb2cd1..c710ebe 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -9,10 +9,10 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@v7 - - uses: DeterminateSystems/magic-nix-cache-action@v2 - - uses: aws-actions/configure-aws-credentials@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: DeterminateSystems/nix-installer-action@5620eb4af6b562c53e4d4628c0b6e4f9d9ae8612 # v7 + - uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2 + - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: role-to-assume: arn:aws:iam::686862074153:role/deploy aws-region: eu-central-1 
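Review bot: In the new .github/dependabot.yml, nothing records that the bump PRs it opens need a human look at the upstream change before merge, and `interval: daily` means they can arrive the day a release is tagged. Those PRs rewrite the SHAs that deploy.yml and upload-ami.yml run in jobs that assume AWS roles, so merging one amounts to trusting the new action code. I would add a header comment such as `# Bump PRs change pinned action SHAs used by credentialed workflows; check the upstream diff before merging.`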
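Review bot: In .github/workflows/ci.yml, and in the same steps of deploy.yml, update-flake-lock.yml and upload-ami.yml, the SHA pin fixes only the action's own source. As far as I know, nix-installer-action and magic-nix-cache-action fetch a binary at run time, and that download is not covered by the pin; this should be confirmed against the pinned revisions. The context lines show one matrix entry on a `self-hosted` runner, where anything the installer action downloads runs on a machine that presumably outlives the job. I would record the limit next to the pins, e.g. `# SHA pins cover the action source only; binaries fetched at run time are not pinned here.` The `steps:` list continues outside the hunk.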
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
index 1bd5907..5a56ce9 100644
--- a/.github/workflows/update-flake-lock.yml
+++ b/.github/workflows/update-flake-lock.yml
@@ -9,6 +9,6 @@ jobs:
 update-flake-lock:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: DeterminateSystems/nix-installer-action@v6
- - uses: DeterminateSystems/update-flake-lock@v19
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: DeterminateSystems/nix-installer-action@bc7b19257469c8029b46f45ac99ecc11156c8b2d # v6
+ - uses: DeterminateSystems/update-flake-lock@dec3bc3c9b11c3b9d547f47dfb579b91a6051603 # v19
diff --git a/.github/workflows/upload-ami.yml b/.github/workflows/upload-ami.yml
index 191b1e8..190f926 100644
--- a/.github/workflows/upload-ami.yml
+++ b/.github/workflows/upload-ami.yml
@@ -16,14 +16,14 @@ jobs:
 - x86_64-linux
 - aarch64-linux
 steps:
- - uses: actions/checkout@v4
- - uses: DeterminateSystems/nix-installer-action@v7
- - uses: DeterminateSystems/magic-nix-cache-action@v2
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: DeterminateSystems/nix-installer-action@5620eb4af6b562c53e4d4628c0b6e4f9d9ae8612 # v7
+ - uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2
 - name: Download AMI from Hydra
 run: |
 out=$(curl --location --silent --header 'Accept: application/json' https://hydra.nixos.org/job/nixos/release-23.11/nixos.amazonImage.${{ matrix.system }}/latest-finished | jq --raw-output '.buildoutputs.out.path')
 nix-store --realise $out --add-root ./result
- - uses: aws-actions/configure-aws-credentials@v4
+ - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
 role-to-assume: arn:aws:iam::686862074153:role/upload-ami
 aws-region: eu-central-1
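Review bot: In .github/workflows/update-flake-lock.yml, `nix-installer-action` is pinned to the v6 revision while ci.yml, deploy.yml and upload-ami.yml pin v7. The commit keeps the versions that were there before, so the split is inherited rather than introduced, but two pins for one action means two revisions to audit. Either align it here with `- uses: DeterminateSystems/nix-installer-action@5620eb4af6b562c53e4d4628c0b6e4f9d9ae8612 # v7`, or leave it for the first Dependabot bump and say so in the commit message.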
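Review bot: In .github/workflows/upload-ami.yml, the unchanged `Download AMI from Hydra` step between the pinned actions still hands whatever the Hydra query returns straight to `nix-store`. `curl` runs without `--fail`, its exit status is hidden behind the pipe to `jq` unless the step's shell enables pipefail (not visible in this hunk), and `$out` is unquoted and unchecked, so a JSON error body would yield `null` as the path. Since the job goes on to assume the `upload-ami` role, I would harden the step with `curl --fail --location --silent ...`, a guard `[[ $out == /nix/store/* ]] || exit 1`, and `nix-store --realise "$out" --add-root ./result`.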