From bc16e69ad27533bffbf2bbaf329b453b909ef33e Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 5 May 2023 11:55:28 +0200
Subject: [PATCH 01/12] chore(ci): remove auto-merge workflow

---
 .github/workflows/auto-merge.yml | 39 --------------------------------
 1 file changed, 39 deletions(-)
 delete mode 100644 .github/workflows/auto-merge.yml

diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
deleted file mode 100644
index b2a3d23bd9b..00000000000
--- a/.github/workflows/auto-merge.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -name: auto-merge - -on: - pull_request: - types: [opened, edited, synchronize] - -permissions: - contents: write - -jobs: - dependabot: - runs-on: ubuntu-latest - if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - name: Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@v1.4.0 - with: - github-token: "${{ secrets.GITHUB_TOKEN }}" - - name: Enable auto-merge for mypy-boto3 stubs Dependabot PRs - if: ${{ contains(steps.metadata.outputs.dependency-names, 'mypy-boto3') && steps.metadata.outputs.update-type != 'version-update:semver-major' }} - run: gh pr merge --auto --squash "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - # Maintenance: Experiment with literal array (toJSON('["dep1", "dep2"]')) to ease extending it - - name: Enable auto-merge for CDK Construct Lambda Layer Dependabot PRs - if: ${{ contains(steps.metadata.outputs.dependency-names, 'cdk-lambda-powertools-python-layer') && steps.metadata.outputs.update-type != 'version-update:semver-major' }} - run: gh pr merge --auto --squash "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - # Maintenance: Revisit if CDK Constructs make breaking changes like CDK v1 - - name: Enable auto-merge for CDK Lib Construct - if: ${{ contains(steps.metadata.outputs.dependency-names, 'aws-cdk-lib') && steps.metadata.outputs.update-type != 'version-update:semver-major' }} - run: gh pr merge --auto --squash "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} From 77e780a7cbff066f0188eafafb27558a90fc3d5c Mon Sep 17 00:00:00 2001 
From: heitorlessa Date: Fri, 5 May 2023 12:39:41 +0200 Subject: [PATCH 02/12] chore(ci): pin actions/checkout --- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/label_pr_on_title.yml | 2 +- .github/workflows/on_label_added.yml | 2 +- .github/workflows/on_merged_pr.yml | 2 +- .github/workflows/on_opened_pr.yml | 4 ++-- .github/workflows/publish_v2_layer.yml | 2 +- .github/workflows/python_build.yml | 2 +- .github/workflows/record_pr.yml | 2 +- .github/workflows/release.yml | 6 +++--- .../workflows/reusable_deploy_v2_layer_stack.yml | 2 +- .github/workflows/reusable_deploy_v2_sar.yml | 2 +- .github/workflows/reusable_export_pr_details.yml | 14 +++++++------- .github/workflows/reusable_publish_changelog.yml | 2 +- .github/workflows/reusable_publish_docs.yml | 2 +- .../reusable_update_v2_layer_arn_docs.yml | 2 +- .github/workflows/run-e2e-tests.yml | 2 +- .github/workflows/secure_workflows.yml | 3 +-- 17 files changed, 26 insertions(+), 27 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d70a5c024e7..c55d37892db 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml index 3815a49e9bd..5308a1a6eb4 100644 --- a/.github/workflows/label_pr_on_title.yml +++ b/.github/workflows/label_pr_on_title.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Label PR based on title" uses: actions/github-script@v6 env: 
diff --git a/.github/workflows/on_label_added.yml b/.github/workflows/on_label_added.yml index e9180d8010a..47225531005 100644 --- a/.github/workflows/on_label_added.yml +++ b/.github/workflows/on_label_added.yml @@ -23,7 +23,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 # Maintenance: Persist state per PR as an artifact to avoid spam on label add - name: "Suggest split large Pull Request" uses: actions/github-script@v6 diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml index cd97e1c306e..7f986ef839f 100644 --- a/.github/workflows/on_merged_pr.yml +++ b/.github/workflows/on_merged_pr.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest if: needs.get_pr_details.outputs.prIsMerged == 'true' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Label PR related issue for release" uses: actions/github-script@v6 env: diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml index 043ff9628cd..d1e8c0b237d 100644 --- a/.github/workflows/on_opened_pr.yml +++ b/.github/workflows/on_opened_pr.yml @@ -19,7 +19,7 @@ jobs: needs: get_pr_details runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Ensure related issue is present" uses: actions/github-script@v6 env: @@ -36,7 +36,7 @@ jobs: needs: get_pr_details runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Ensure acknowledgement section is present" uses: actions/github-script@v6 env: diff --git a/.github/workflows/publish_v2_layer.yml b/.github/workflows/publish_v2_layer.yml index 8d8a8c34aae..e5081906d18 100644 --- a/.github/workflows/publish_v2_layer.yml +++ b/.github/workflows/publish_v2_layer.yml 
@@ -38,7 +38,7 @@ jobs: working-directory: ./layer steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: fetch-depth: 0 - name: Install poetry diff --git a/.github/workflows/python_build.yml b/.github/workflows/python_build.yml index 5daf9d5c2d3..091175b020e 100644 --- a/.github/workflows/python_build.yml +++ b/.github/workflows/python_build.yml @@ -32,7 +32,7 @@ jobs: env: PYTHON: "${{ matrix.python-version }}" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Install poetry run: pipx install poetry - name: Set up Python ${{ matrix.python-version }} diff --git a/.github/workflows/record_pr.yml b/.github/workflows/record_pr.yml index b1638ad8865..0d368993cae 100644 --- a/.github/workflows/record_pr.yml +++ b/.github/workflows/record_pr.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Extract PR details" uses: actions/github-script@v6 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8d965a4af4c..5aac17498ca 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -57,7 +57,7 @@ jobs: env: RELEASE_TAG_VERSION: ${{ inputs.version_to_publish }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: fetch-depth: 0 - name: Install poetry @@ -124,7 +124,7 @@ jobs: env: RELEASE_VERSION: ${{ needs.build.outputs.RELEASE_VERSION }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Restore release artifact from cache id: restore-release-build uses: actions/cache/restore@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 
@@ -174,7 +174,7 @@ jobs: env: RELEASE_VERSION: ${{ needs.build.outputs.RELEASE_VERSION }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Close issues related to this release uses: actions/github-script@v6 with: diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml index 5af5d6385d0..360a39b1202 100644 --- a/.github/workflows/reusable_deploy_v2_layer_stack.yml +++ b/.github/workflows/reusable_deploy_v2_layer_stack.yml @@ -93,7 +93,7 @@ jobs: has_arm64_support: "true" steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Install poetry run: pipx install poetry - name: aws credentials diff --git a/.github/workflows/reusable_deploy_v2_sar.yml b/.github/workflows/reusable_deploy_v2_sar.yml index b9416c5f94d..8526e797adc 100644 --- a/.github/workflows/reusable_deploy_v2_sar.yml +++ b/.github/workflows/reusable_deploy_v2_sar.yml @@ -48,7 +48,7 @@ jobs: architecture: ["x86_64", "arm64"] steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: AWS credentials uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef with: diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml index 2a1b45331d1..8ece6f352cf 100644 --- a/.github/workflows/reusable_export_pr_details.yml +++ b/.github/workflows/reusable_export_pr_details.yml @@ -53,7 +53,7 @@ jobs: prIsMerged: ${{ steps.prIsMerged.outputs.prIsMerged }} steps: - name: Checkout repository # in case caller workflow doesn't checkout thus failing with file not found - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Download previously saved PR" uses: actions/github-script@v6 env: 
@@ -71,19 +71,19 @@ jobs: # otherwise the parent caller won't see them regardless on how outputs are set. - name: "Export Pull Request Number" id: prNumber - run: echo "prNumber=$(jq -c '.number' ${FILENAME})" >> $GITHUB_OUTPUT + run: echo prNumber="$(jq -c '.number' "${FILENAME}")" >> "$GITHUB_OUTPUT" - name: "Export Pull Request Title" id: prTitle - run: echo "prTitle=$(jq -c '.pull_request.title' ${FILENAME})" >> $GITHUB_OUTPUT + run: echo prTitle="$(jq -c '.pull_request.title' "${FILENAME}")" >> "$GITHUB_OUTPUT" - name: "Export Pull Request Body" id: prBody - run: echo "prBody=$(jq -c '.pull_request.body' ${FILENAME})" >> $GITHUB_OUTPUT + run: echo prBody="$(jq -c '.pull_request.body' "${FILENAME}")" >> "$GITHUB_OUTPUT" - name: "Export Pull Request Author" id: prAuthor - run: echo "prAuthor=$(jq -c '.pull_request.user.login' ${FILENAME})" >> $GITHUB_OUTPUT + run: echo prAuthor="$(jq -c '.pull_request.user.login' "${FILENAME}")" >> "$GITHUB_OUTPUT" - name: "Export Pull Request Action" id: prAction - run: echo "prAction=$(jq -c '.action' ${FILENAME})" >> $GITHUB_OUTPUT + run: echo prAction="$(jq -c '.action' "${FILENAME}")" >> "$GITHUB_OUTPUT" - name: "Export Pull Request Merged status" id: prIsMerged - run: echo "prIsMerged=$(jq -c '.pull_request.merged' ${FILENAME})" >> $GITHUB_OUTPUT + run: echo prIsMerged="$(jq -c '.pull_request.merged' "${FILENAME}")" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/reusable_publish_changelog.yml b/.github/workflows/reusable_publish_changelog.yml index 30e49b98ae5..2e038eae924 100644 --- a/.github/workflows/reusable_publish_changelog.yml +++ b/.github/workflows/reusable_publish_changelog.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository # reusable workflows start clean, so we need to checkout again - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: fetch-depth: 0 - name: Git client setup and refresh tip 
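Review bot: The rewritten `run:` lines in the `@@ -71,19 +71,19 @@` hunk of reusable_export_pr_details.yml still write PR-author-controlled fields (title, body, login) into `$GITHUB_OUTPUT`, and the only thing preventing a multi-line body from becoming additional `key=value` outputs is that `jq -c` emits one JSON-encoded line per value; that invariant is not recorded anywhere in the steps. A comment above the first export step would make it explicit, e.g. `# jq -c emits a single JSON-encoded line, so multi-line PR fields cannot inject extra outputs into $GITHUB_OUTPUT`. The quoting change is also unrelated to the commit's stated scope (pinning actions/checkout) and would be easier to audit as its own commit. The enclosing job starts outside the hunk.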
diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml index 9be91b212bf..a63a836e498 100644 --- a/.github/workflows/reusable_publish_docs.yml +++ b/.github/workflows/reusable_publish_docs.yml @@ -33,7 +33,7 @@ jobs: group: on-docs-rebuild runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: fetch-depth: 0 - name: Install poetry diff --git a/.github/workflows/reusable_update_v2_layer_arn_docs.yml b/.github/workflows/reusable_update_v2_layer_arn_docs.yml index 142d0a32e75..34fb712cd63 100644 --- a/.github/workflows/reusable_update_v2_layer_arn_docs.yml +++ b/.github/workflows/reusable_update_v2_layer_arn_docs.yml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository # reusable workflows start clean, so we need to checkout again - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: fetch-depth: 0 - name: Git client setup and refresh tip diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml index 2f7b2f494ea..687e27ad984 100644 --- a/.github/workflows/run-e2e-tests.yml +++ b/.github/workflows/run-e2e-tests.yml @@ -34,7 +34,7 @@ jobs: if: ${{ github.actor != 'dependabot[bot]' }} steps: - name: "Checkout" - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Install poetry run: pipx install poetry - name: "Use Python" diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml index b1b5cfc0c46..47f9bbd3d58 100644 --- a/.github/workflows/secure_workflows.yml +++ b/.github/workflows/secure_workflows.yml 
@@ -14,14 +14,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Ensure 3rd party workflows have SHA pinned uses: zgosalvez/github-actions-ensure-sha-pinned-actions@21991cec25093947ff3f62e4c223df0260c39944 # v2.1.2 with: # Trusted GitHub Actions and/or organizations allowlist: | aws-actions/ - actions/checkout actions/github-script actions/setup-node actions/setup-python From 4ad3c43a9bd27bbee43821d37d41d60312442854 Mon Sep 17 00:00:00 2001 From: heitorlessa Date: Fri, 5 May 2023 12:41:37 +0200 Subject: [PATCH 03/12] chore(ci): pin actions/github-script --- .github/workflows/label_pr_on_title.yml | 2 +- .github/workflows/on_label_added.yml | 2 +- .github/workflows/on_merged_pr.yml | 2 +- .github/workflows/on_opened_pr.yml | 4 ++-- .github/workflows/record_pr.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/reusable_export_pr_details.yml | 2 +- .github/workflows/secure_workflows.yml | 1 - 8 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml index 5308a1a6eb4..0183cb1155d 100644 --- a/.github/workflows/label_pr_on_title.yml +++ b/.github/workflows/label_pr_on_title.yml @@ -24,7 +24,7 @@ jobs: - name: Checkout repository uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Label PR based on title" - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 env: PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} PR_TITLE: ${{ needs.get_pr_details.outputs.prTitle }} diff --git a/.github/workflows/on_label_added.yml b/.github/workflows/on_label_added.yml index 47225531005..88ca45439bd 100644 --- a/.github/workflows/on_label_added.yml +++ b/.github/workflows/on_label_added.yml 
@@ -26,7 +26,7 @@ jobs: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 # Maintenance: Persist state per PR as an artifact to avoid spam on label add - name: "Suggest split large Pull Request" - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 env: PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} PR_ACTION: ${{ needs.get_pr_details.outputs.prAction }} diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml index 7f986ef839f..a4e8bf6d28d 100644 --- a/.github/workflows/on_merged_pr.yml +++ b/.github/workflows/on_merged_pr.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Label PR related issue for release" - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 env: PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} PR_BODY: ${{ needs.get_pr_details.outputs.prBody }} diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml index d1e8c0b237d..58f580e13af 100644 --- a/.github/workflows/on_opened_pr.yml +++ b/.github/workflows/on_opened_pr.yml @@ -21,7 +21,7 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Ensure related issue is present" - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 env: PR_BODY: ${{ needs.get_pr_details.outputs.prBody }} PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} @@ -38,7 +38,7 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Ensure acknowledgement section is present" - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 env: PR_BODY: ${{ needs.get_pr_details.outputs.prBody }} PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} 
diff --git a/.github/workflows/record_pr.yml b/.github/workflows/record_pr.yml index 0d368993cae..0484b98157a 100644 --- a/.github/workflows/record_pr.yml +++ b/.github/workflows/record_pr.yml @@ -11,7 +11,7 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Extract PR details" - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: script: | const script = require('.github/scripts/save_pr_details.js') diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5aac17498ca..5d99ec26c9d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -176,7 +176,7 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Close issues related to this release - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml index 8ece6f352cf..39ce20672c6 100644 --- a/.github/workflows/reusable_export_pr_details.yml +++ b/.github/workflows/reusable_export_pr_details.yml @@ -55,7 +55,7 @@ jobs: - name: Checkout repository # in case caller workflow doesn't checkout thus failing with file not found uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Download previously saved PR" - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 env: WORKFLOW_ID: ${{ inputs.record_pr_workflow_id }} # For security, we only download artifacts tied to the successful PR recording workflow diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml index 47f9bbd3d58..615048867e9 100644 --- a/.github/workflows/secure_workflows.yml 
+++ b/.github/workflows/secure_workflows.yml @@ -21,7 +21,6 @@ jobs: # Trusted GitHub Actions and/or organizations allowlist: | aws-actions/ - actions/github-script actions/setup-node actions/setup-python actions/upload-artifact From 8c7e383e131703835526900cde5af7866c783ad2 Mon Sep 17 00:00:00 2001 From: heitorlessa Date: Fri, 5 May 2023 12:47:20 +0200 Subject: [PATCH 04/12] chore(ci): pin actions/setup-node --- .github/workflows/publish_v2_layer.yml | 2 +- .github/workflows/reusable_deploy_v2_layer_stack.yml | 2 +- .github/workflows/reusable_deploy_v2_sar.yml | 2 +- .github/workflows/run-e2e-tests.yml | 2 +- .github/workflows/secure_workflows.yml | 1 - 5 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/publish_v2_layer.yml b/.github/workflows/publish_v2_layer.yml index e5081906d18..43acda2c6ec 100644 --- a/.github/workflows/publish_v2_layer.yml +++ b/.github/workflows/publish_v2_layer.yml @@ -44,7 +44,7 @@ jobs: - name: Install poetry run: pipx install poetry - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: "16.12" - name: Setup python diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml index 360a39b1202..a27768564b3 100644 --- a/.github/workflows/reusable_deploy_v2_layer_stack.yml +++ b/.github/workflows/reusable_deploy_v2_layer_stack.yml @@ -102,7 +102,7 @@ jobs: aws-region: ${{ matrix.region }} role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }} - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: "16.12" - name: Setup python diff --git a/.github/workflows/reusable_deploy_v2_sar.yml b/.github/workflows/reusable_deploy_v2_sar.yml index 8526e797adc..ce578836d26 100644 --- a/.github/workflows/reusable_deploy_v2_sar.yml +++ b/.github/workflows/reusable_deploy_v2_sar.yml 
@@ -65,7 +65,7 @@ jobs: aws-region: ${{ env.AWS_REGION }} role-to-assume: ${{ secrets.AWS_SAR_V2_ROLE_ARN }} - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: ${{ env.NODE_VERSION }} - name: Download artifact diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml index 687e27ad984..94f2579d69c 100644 --- a/.github/workflows/run-e2e-tests.yml +++ b/.github/workflows/run-e2e-tests.yml @@ -44,7 +44,7 @@ jobs: architecture: "x64" cache: "poetry" - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: "16.12" - name: Install CDK CLI diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml index 615048867e9..c7cea06b73b 100644 --- a/.github/workflows/secure_workflows.yml +++ b/.github/workflows/secure_workflows.yml @@ -21,7 +21,6 @@ jobs: # Trusted GitHub Actions and/or organizations allowlist: | aws-actions/ - actions/setup-node actions/setup-python actions/upload-artifact actions/download-artifact From 49a85c83070da28c663f048f341e93b50c88e9a6 Mon Sep 17 00:00:00 2001 From: heitorlessa Date: Fri, 5 May 2023 12:48:12 +0200 Subject: [PATCH 05/12] chore(ci): pin actions/setup-python --- .github/workflows/publish_v2_layer.yml | 2 +- .github/workflows/python_build.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/reusable_deploy_v2_layer_stack.yml | 2 +- .github/workflows/reusable_publish_docs.yml | 2 +- .github/workflows/run-e2e-tests.yml | 2 +- .github/workflows/secure_workflows.yml | 1 - 7 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish_v2_layer.yml b/.github/workflows/publish_v2_layer.yml index 43acda2c6ec..93b31da85ca 100644 --- a/.github/workflows/publish_v2_layer.yml +++ b/.github/workflows/publish_v2_layer.yml 
@@ -48,7 +48,7 @@ jobs: with: node-version: "16.12" - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 with: python-version: "3.10" cache: "pip" diff --git a/.github/workflows/python_build.yml b/.github/workflows/python_build.yml index 091175b020e..9a6706caed9 100644 --- a/.github/workflows/python_build.yml +++ b/.github/workflows/python_build.yml @@ -36,7 +36,7 @@ jobs: - name: Install poetry run: pipx install poetry - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 + uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 with: python-version: ${{ matrix.python-version }} cache: "poetry" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5d99ec26c9d..38aadc4d873 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -63,7 +63,7 @@ jobs: - name: Install poetry run: pipx install poetry - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 with: python-version: "3.10" cache: "poetry" diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml index a27768564b3..ada06db81d7 100644 --- a/.github/workflows/reusable_deploy_v2_layer_stack.yml +++ b/.github/workflows/reusable_deploy_v2_layer_stack.yml @@ -106,7 +106,7 @@ jobs: with: node-version: "16.12" - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 with: python-version: "3.10" cache: "pip" diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml index a63a836e498..9359229230f 100644 --- a/.github/workflows/reusable_publish_docs.yml +++ b/.github/workflows/reusable_publish_docs.yml 
@@ -39,7 +39,7 @@ jobs: - name: Install poetry run: pipx install poetry - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 with: python-version: "3.10" cache: "poetry" diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml index 94f2579d69c..dee413a272a 100644 --- a/.github/workflows/run-e2e-tests.yml +++ b/.github/workflows/run-e2e-tests.yml @@ -38,7 +38,7 @@ jobs: - name: Install poetry run: pipx install poetry - name: "Use Python" - uses: actions/setup-python@v4 + uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 with: python-version: ${{ matrix.version }} architecture: "x64" diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml index c7cea06b73b..d0f40bda97b 100644 --- a/.github/workflows/secure_workflows.yml +++ b/.github/workflows/secure_workflows.yml @@ -21,7 +21,6 @@ jobs: # Trusted GitHub Actions and/or organizations allowlist: | aws-actions/ - actions/setup-python actions/upload-artifact actions/download-artifact github/codeql-action/init From 67e6a6c5f0c217c39feb8f07a9ca74bdc42750ae Mon Sep 17 00:00:00 2001 From: heitorlessa Date: Fri, 5 May 2023 12:49:23 +0200 Subject: [PATCH 06/12] chore(ci): pin actions/upload-artifact --- .github/workflows/publish_v2_layer.yml | 2 +- .github/workflows/record_pr.yml | 2 +- .github/workflows/reusable_deploy_v2_layer_stack.yml | 2 +- .github/workflows/secure_workflows.yml | 1 - 4 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish_v2_layer.yml b/.github/workflows/publish_v2_layer.yml index 93b31da85ca..7820678e813 100644 --- a/.github/workflows/publish_v2_layer.yml +++ b/.github/workflows/publish_v2_layer.yml 
@@ -80,7 +80,7 @@ jobs: - name: zip output run: zip -r cdk.out.zip cdk.out - name: Archive CDK artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: cdk-layer-artefact path: layer/cdk.out.zip diff --git a/.github/workflows/record_pr.yml b/.github/workflows/record_pr.yml index 0484b98157a..20cd93b897f 100644 --- a/.github/workflows/record_pr.yml +++ b/.github/workflows/record_pr.yml @@ -16,7 +16,7 @@ jobs: script: | const script = require('.github/scripts/save_pr_details.js') await script({github, context, core}) - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: pr path: pr.txt diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml index ada06db81d7..586c5705a5d 100644 --- a/.github/workflows/reusable_deploy_v2_layer_stack.yml +++ b/.github/workflows/reusable_deploy_v2_layer_stack.yml @@ -141,7 +141,7 @@ jobs: cat cdk-layer-stack/${{ matrix.region }}-layer-version.txt - name: Save Layer ARN artifact if: ${{ inputs.stage == 'PROD' }} - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: cdk-layer-stack path: ./layer/cdk-layer-stack/* # NOTE: upload-artifact does not inherit working-directory setting. diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml index d0f40bda97b..144f587bbc5 100644 --- a/.github/workflows/secure_workflows.yml +++ b/.github/workflows/secure_workflows.yml @@ -21,7 +21,6 @@ jobs: # Trusted GitHub Actions and/or organizations allowlist: | aws-actions/ - actions/upload-artifact actions/download-artifact github/codeql-action/init github/codeql-action/analyze From c2739594dda596ce92b7ba1a38c90550c030bce9 Mon Sep 17 00:00:00 2001 
From: heitorlessa Date: Fri, 5 May 2023 12:57:14 +0200 Subject: [PATCH 07/12] chore(ci): pin actions/download-artifact Signed-off-by: heitorlessa --- .github/workflows/reusable_deploy_v2_layer_stack.yml | 2 +- .github/workflows/reusable_deploy_v2_sar.yml | 2 +- .github/workflows/reusable_update_v2_layer_arn_docs.yml | 2 +- .github/workflows/secure_workflows.yml | 1 - 4 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml index 586c5705a5d..6ce00cb6367 100644 --- a/.github/workflows/reusable_deploy_v2_layer_stack.yml +++ b/.github/workflows/reusable_deploy_v2_layer_stack.yml @@ -124,7 +124,7 @@ jobs: - name: install deps run: poetry install - name: Download artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: ${{ inputs.artefact-name }} path: layer diff --git a/.github/workflows/reusable_deploy_v2_sar.yml b/.github/workflows/reusable_deploy_v2_sar.yml index ce578836d26..de8b9826b38 100644 --- a/.github/workflows/reusable_deploy_v2_sar.yml +++ b/.github/workflows/reusable_deploy_v2_sar.yml @@ -69,7 +69,7 @@ jobs: with: node-version: ${{ env.NODE_VERSION }} - name: Download artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: ${{ inputs.artefact-name }} - name: Unzip artefact diff --git a/.github/workflows/reusable_update_v2_layer_arn_docs.yml b/.github/workflows/reusable_update_v2_layer_arn_docs.yml index 34fb712cd63..5fbf6814dcd 100644 --- a/.github/workflows/reusable_update_v2_layer_arn_docs.yml +++ b/.github/workflows/reusable_update_v2_layer_arn_docs.yml 
@@ -34,7 +34,7 @@ jobs: git config remote.origin.url >&- || git remote add origin https://github.com/"${origin}" # Git Detached mode (release notes) doesn't have origin git pull origin "${BRANCH}" - name: Download CDK layer artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: cdk-layer-stack path: cdk-layer-stack/ diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml index 144f587bbc5..9a7d46178b4 100644 --- a/.github/workflows/secure_workflows.yml +++ b/.github/workflows/secure_workflows.yml @@ -21,7 +21,6 @@ jobs: # Trusted GitHub Actions and/or organizations allowlist: | aws-actions/ - actions/download-artifact github/codeql-action/init github/codeql-action/analyze dependabot/fetch-metadata From bfd556fe716ee879a9981763b7f8b4e16723ffcf Mon Sep 17 00:00:00 2001 From: heitorlessa Date: Fri, 5 May 2023 12:57:37 +0200 Subject: [PATCH 08/12] chore(ci): pin actions/codeql-action Signed-off-by: heitorlessa --- .github/workflows/codeql-analysis.yml | 4 ++-- .github/workflows/secure_workflows.yml | 2 -- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c55d37892db..e7a46fda7a2 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -27,7 +27,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@f31a31c052207cc13b328d6295c5b728bb49568c # v2.13.1@v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
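Review bot: The version comment on the new `uses: github/codeql-action/init@f31a31c052207cc13b328d6295c5b728bb49568c` line reads `# v2.13.1@v2`, which does not follow the `# vX.Y.Z` form used by every other pin in this series and mixes a release tag with a major-version ref; tools that keep the comment in sync with the SHA (Dependabot, for instance) key on that comment. The same applies to the `analyze` line in the `@@ -36,4 +36,4 @@` hunk that follows. Suggest `uses: github/codeql-action/init@f31a31c052207cc13b328d6295c5b728bb49568c # v2.13.1` after confirming that the SHA really corresponds to that tag, since the comment is the only human-readable record of what was pinned.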
@@ -36,4 +36,4 @@ jobs: # queries: ./path/to/local/query, your-org/your-repo/queries@main - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@f31a31c052207cc13b328d6295c5b728bb49568c # v2.13.1@v2 diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml index 9a7d46178b4..9ed91635120 100644 --- a/.github/workflows/secure_workflows.yml +++ b/.github/workflows/secure_workflows.yml @@ -21,6 +21,4 @@ jobs: # Trusted GitHub Actions and/or organizations allowlist: | aws-actions/ - github/codeql-action/init - github/codeql-action/analyze dependabot/fetch-metadata From 0e6a77584987aea29e2ad024f6c52945e4e630f6 Mon Sep 17 00:00:00 2001 From: heitorlessa Date: Fri, 5 May 2023 12:58:01 +0200 Subject: [PATCH 09/12] chore(ci): remove dependabot-metadata action Signed-off-by: heitorlessa --- .github/workflows/secure_workflows.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml index 9ed91635120..e044829c12f 100644 --- a/.github/workflows/secure_workflows.yml +++ b/.github/workflows/secure_workflows.yml @@ -21,4 +21,3 @@ jobs: # Trusted GitHub Actions and/or organizations allowlist: | aws-actions/ - dependabot/fetch-metadata From 8e27b760d71831c50046bf7c73b73068bdba2688 Mon Sep 17 00:00:00 2001 From: heitorlessa Date: Fri, 5 May 2023 13:02:18 +0200 Subject: [PATCH 10/12] chore(ci): pin aws-actions --- .github/workflows/dispatch_analytics.yml | 2 +- .github/workflows/on_closed_issues.yml | 2 +- .github/workflows/reusable_deploy_v2_layer_stack.yml | 2 +- .github/workflows/reusable_deploy_v2_sar.yml | 4 ++-- .github/workflows/run-e2e-tests.yml | 2 +- .github/workflows/secure_workflows.yml | 4 ---- 6 files changed, 6 insertions(+), 10 deletions(-) diff --git a/.github/workflows/dispatch_analytics.yml b/.github/workflows/dispatch_analytics.yml index 49a276f6f61..b5bf7ea8ff5 100644 
--- a/.github/workflows/dispatch_analytics.yml +++ b/.github/workflows/dispatch_analytics.yml @@ -29,7 +29,7 @@ jobs: environment: analytics steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef + uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 with: aws-region: eu-central-1 role-to-assume: ${{ secrets.AWS_ANALYTICS_ROLE_ARN }} diff --git a/.github/workflows/on_closed_issues.yml b/.github/workflows/on_closed_issues.yml index ca815e4c07f..dfe854c5fbe 100644 --- a/.github/workflows/on_closed_issues.yml +++ b/.github/workflows/on_closed_issues.yml @@ -6,7 +6,7 @@ jobs: auto_comment: runs-on: ubuntu-latest steps: - - uses: aws-actions/closed-issue-message@v1 + - uses: aws-actions/closed-issue-message@8b6324312193476beecf11f8e8539d73a3553bf4 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" message: | diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml index 6ce00cb6367..912849c2e2c 100644 --- a/.github/workflows/reusable_deploy_v2_layer_stack.yml +++ b/.github/workflows/reusable_deploy_v2_layer_stack.yml @@ -97,7 +97,7 @@ jobs: - name: Install poetry run: pipx install poetry - name: aws credentials - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef + uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 with: aws-region: ${{ matrix.region }} role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }} diff --git a/.github/workflows/reusable_deploy_v2_sar.yml b/.github/workflows/reusable_deploy_v2_sar.yml index de8b9826b38..4ca28543f24 100644 --- a/.github/workflows/reusable_deploy_v2_sar.yml +++ b/.github/workflows/reusable_deploy_v2_sar.yml 
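Review bot: The new `aws-actions/closed-issue-message@8b6324312193476beecf11f8e8539d73a3553bf4` line in the on_closed_issues.yml hunk is the only pin in this patch without a `# vX.Y.Z` trailer, so a reviewer cannot tell which release the SHA is meant to track and any tooling that reconciles SHA pins against tags has nothing to compare; this step is also the one in the hunk that receives `secrets.GITHUB_TOKEN`, so an untracked pin there is the one most worth annotating. Follow the convention applied to the configure-aws-credentials lines in the same patch and append the tag the commit actually resolves to, e.g. `- uses: aws-actions/closed-issue-message@8b6324312193476beecf11f8e8539d73a3553bf4 # v1` (substitute the exact tag after checking it against the upstream repository rather than guessing). The `auto_comment` job's steps continue past the end of the hunk.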
@@ -50,12 +50,12 @@ jobs: - name: Checkout uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: AWS credentials - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef + uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 with: aws-region: ${{ env.AWS_REGION }} role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }} - name: AWS credentials SAR role - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef + uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 id: aws-credentials-sar-role with: aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }} diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml index dee413a272a..e3305114555 100644 --- a/.github/workflows/run-e2e-tests.yml +++ b/.github/workflows/run-e2e-tests.yml @@ -54,7 +54,7 @@ jobs: - name: Install dependencies run: make dev - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef + uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 with: role-to-assume: ${{ secrets.AWS_TEST_ROLE_ARN }} aws-region: ${{ env.AWS_DEFAULT_REGION }} diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml index e044829c12f..dc7f766b29a 100644 --- a/.github/workflows/secure_workflows.yml +++ b/.github/workflows/secure_workflows.yml @@ -17,7 +17,3 @@ jobs: uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Ensure 3rd party workflows have SHA pinned uses: zgosalvez/github-actions-ensure-sha-pinned-actions@21991cec25093947ff3f62e4c223df0260c39944 # v2.1.2 - with: - # Trusted GitHub Actions and/or organizations - allowlist: | - aws-actions/ From b09854b0204fcdd008a35ad8421042d904210423 Mon Sep 17 00:00:00 2001 
From: Heitor Lessa Date: Fri, 5 May 2023 15:33:22 +0200 Subject: [PATCH 11/12] chore: leandro feedback Co-authored-by: Leandro Damascena Signed-off-by: Heitor Lessa --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e7a46fda7a2..2ed6823fa7f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -27,7 +27,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@f31a31c052207cc13b328d6295c5b728bb49568c # v2.13.1@v2 + uses: github/codeql-action/init@f31a31c052207cc13b328d6295c5b728bb49568c # v2.13.1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. From 0e0dedcb037fbf93548aae301ada2fa487a3d7fb Mon Sep 17 00:00:00 2001 From: Heitor Lessa Date: Fri, 5 May 2023 15:33:28 +0200 Subject: [PATCH 12/12] chore: leandro feedback Co-authored-by: Leandro Damascena Signed-off-by: Heitor Lessa --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2ed6823fa7f..31561d013ad 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -36,4 +36,4 @@ jobs: # queries: ./path/to/local/query, your-org/your-repo/queries@main - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f31a31c052207cc13b328d6295c5b728bb49568c # v2.13.1@v2 + uses: github/codeql-action/analyze@f31a31c052207cc13b328d6295c5b728bb49568c # v2.13.1