From cb9439557d9c83e95ead0d64537346f9719737e7 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 10 Oct 2024 11:41:27 -0400 Subject: [PATCH 1/7] github: pin redhat-plumbers-in-action/differential-shellcheck@v5 Signed-off-by: Simon Deziel --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 14fbb26cafd6..08a76ed0b554 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -55,7 +55,7 @@ jobs: # useful feedback in the PR through github-code-scanning bot - id: ShellCheck name: Differential ShellCheck - uses: redhat-plumbers-in-action/differential-shellcheck@v5 + uses: redhat-plumbers-in-action/differential-shellcheck@cc6721c45a8800cc666de45493545a07a638d121 # v5.4.0 with: token: ${{ secrets.GITHUB_TOKEN }} strict-check-on-push: true From 882d57d2b413ee55986da493827c87ef512134d8 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 10 Oct 2024 11:46:06 -0400 Subject: [PATCH 2/7] github: pin github/codeql-action@v3 Signed-off-by: Simon Deziel --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/security.yml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b5fd32fdbbe5..eed792261875 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -59,7 +59,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -73,7 +73,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -86,6 +86,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 38a7d41cd7d6..a1cc4cec4a9e 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -53,7 +53,7 @@ jobs: key: trivy-cache-${{ github.run_id }} - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 with: sarif_file: "trivy-lxd-repo-scan-results.sarif" sha: ${{ github.sha }} @@ -109,7 +109,7 @@ jobs: mv tmp.json ${{ matrix.version }}-stable.sarif - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 with: sarif_file: "${{ matrix.version }}-stable.sarif" sha: ${{ github.sha }} From 638a9f9b7ee964ae5ec7f678893869aeebe6dbae Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 10 Oct 2024 11:48:55 -0400 Subject: [PATCH 3/7] github: pin canonical/has-signed-canonical-cla@main Signed-off-by: Simon Deziel --- .github/workflows/commits.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/commits.yml b/.github/workflows/commits.yml index 91965090decd..9ae79c56a10a 100644 --- a/.github/workflows/commits.yml +++ b/.github/workflows/commits.yml @@ -33,4 +33,4 @@ jobs: exit 1 - name: Check if CLA signed - uses: canonical/has-signed-canonical-cla@main + uses: canonical/has-signed-canonical-cla@046337b42822b7868ad62970988929c79f9c1d40 # 1.2.3 From ba46b9f23846cc78806c097ce0d9f86e387af3ed Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 10 Oct 2024 11:50:04 -0400 Subject: [PATCH 4/7] github: run commits job with ubuntu-latest Signed-off-by: Simon Deziel --- .github/workflows/commits.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/commits.yml b/.github/workflows/commits.yml index 9ae79c56a10a..75c935eedd30 100644 --- a/.github/workflows/commits.yml +++ b/.github/workflows/commits.yml @@ -12,7 +12,7 @@ permissions: jobs: commits: name: Branch target and CLA - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest steps: - name: Check branch target env: From a592ca4a55b3e3e6b90b3bdd775028209525bd25 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 10 Oct 2024 11:51:28 -0400 Subject: [PATCH 5/7] github: pin tiobe/tics-github-action@v3 Signed-off-by: Simon Deziel --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 08a76ed0b554..cd583772f286 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -406,7 +406,7 @@ jobs: gocov-xml < "${GOCOVERDIR}"/coverage.json > "${GOCOVERDIR}"/coverage-go.xml - name: Run TICS - uses: tiobe/tics-github-action@v3 + uses: tiobe/tics-github-action@d18bbcecfe7c96a6e3499bffc6792c4e8e9428a6 # v3.2.0 with: mode: qserver project: LXD From a95a51e805de521e5baed57c576c6768f31e9f2d Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 10 Oct 2024 11:52:30 -0400 Subject: [PATCH 6/7] github: pin get-woke/woke-action@v0 Signed-off-by: Simon Deziel --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index cd583772f286..b54ec3c7a625 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -549,7 +549,7 @@ jobs: make doc-spellcheck - name: Run inclusive naming checker - uses: get-woke/woke-action@v0 + uses: get-woke/woke-action@b2ec032c4a2c912142b38a6a453ad62017813ed0 # v0 with: fail-on-error: true woke-args: "*.md **/*.md -c https://github.com/canonical/Inclusive-naming/raw/main/config.yml" From 1b458aa95010ef00f212e13cea5ede0055603901 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 10 Oct 2024 11:53:16 -0400 Subject: [PATCH 7/7] github: pin iamfj/action-label-notification@v1.0.0 Signed-off-by: Simon Deziel --- .github/workflows/triage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml index 2208228dfea0..f51c832e284b 100644 --- a/.github/workflows/triage.yml +++ b/.github/workflows/triage.yml @@ -32,7 +32,7 @@ jobs: steps: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Notify - uses: iamfj/action-label-notification@v1.0.0 + uses: iamfj/action-label-notification@4e60f368a1f941089eeda54fdeb120f3f49ff66c # v1.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} mapping: >