
Commit 9e86c9d

kruskallxrmx
andauthored
ci: pin actions to specific commits (#2236)
Replace mutable tags with commit hashes to improve security and reproducibility. Co-authored-by: Riccardo Magliocchetti <[email protected]>
1 parent 54baff8 commit 9e86c9d

16 files changed

+57
-57
lines changed

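--- a/.github/actions/build-distribution/action.yml
+++ b/.github/actions/build-distribution/action.yml
@@ -6,15 +6,15 @@ description: Run the build distribution
 runs:
 using: "composite"
 steps:
-- uses: actions/setup-python@v5
+- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: "3.10"
 
 - name: Build lambda layer zip
 run: ./dev-utils/make-distribution.sh
 shell: bash
 
-- uses: actions/upload-artifact@v4
+- uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: build-distribution
 path: ./build/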
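Review bot: The `# v5` and `# v4` comments on the two changed `uses:` lines record a floating major tag rather than the release the hash actually resolves to, so a reader cannot tell which setup-python or upload-artifact release is frozen here without resolving the SHA; the same major-only labels appear on the new pins in every other file in this commit except pre-commit.yml (`# v3.0.1`) and the delete-artifact line in test.yml (`# v5.1.0`), while release.yml's pre-existing pins already use full versions (`# v2.2.3`, `# v3.10.0`). Consider recording the exact tag, e.g. `- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v<exact-release-tag>`, after confirming on the upstream repository that the SHA is the commit that tag points at, since the runner never checks the comment and a wrong label silently misdocuments the pin. A hash also never advances on its own, so these pins stop receiving upstream fixes unless an updater (Dependabot's github-actions ecosystem or Renovate) bumps them; no such configuration is added in this commit, so confirm one already exists.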

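--- a/.github/actions/packages/action.yml
+++ b/.github/actions/packages/action.yml
@@ -6,7 +6,7 @@ description: Run the packages
 runs:
 using: "composite"
 steps:
-- uses: actions/setup-python@v5
+- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: "3.10"
 - name: Override the version if there is no tag release.
@@ -19,7 +19,7 @@ runs:
 run: ./dev-utils/make-packages.sh
 shell: bash
 - name: Upload Packages
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: packages
 path: |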

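--- a/.github/workflows/docs-build.yml
+++ b/.github/workflows/docs-build.yml
@@ -9,7 +9,7 @@ on:
 
 jobs:
 docs-preview:
-uses: elastic/docs-builder/.github/workflows/preview-build.yml@main
+uses: elastic/docs-builder/.github/workflows/preview-build.yml@99b12f8bf7a82107ffcf59dacd199d00a965e9db # main
 with:
 path-pattern: docs/**
 permissions: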
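Review bot: The reusable-workflow reference on the changed `uses:` line was tracking the `main` branch and is now frozen at one branch commit labelled `# main`; unlike the `# vN` labels elsewhere in this commit, that label does not identify a release, so nothing records which state of elastic/docs-builder this is or when the pin is meant to move. The same applies to the `preview-cleanup.yml` reference in docs-cleanup.yml. If docs-builder publishes tagged releases, pin to one and record the tag; otherwise record the freeze date next to the hash, e.g. `# main as of <YYYY-MM-DD>`, so the snapshot is visibly intentional and reviewable. The `permissions:` block that applies to this call starts at the end of the hunk and continues outside it.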

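--- a/.github/workflows/docs-cleanup.yml
+++ b/.github/workflows/docs-cleanup.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
 docs-preview:
-uses: elastic/docs-builder/.github/workflows/preview-cleanup.yml@main
+uses: elastic/docs-builder/.github/workflows/preview-cleanup.yml@99b12f8bf7a82107ffcf59dacd199d00a965e9db # main
 permissions:
 contents: none
 id-token: write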

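--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -26,18 +26,18 @@ jobs:
 "members": "read"
 }
 - name: Add agent-python label
-uses: actions-ecosystem/action-add-labels@v1
+uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1
 with:
 labels: agent-python
 - id: is_elastic_member
-uses: elastic/oblt-actions/github/is-member-of@v1
+uses: elastic/oblt-actions/github/is-member-of@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 github-org: "elastic"
 github-user: ${{ github.actor }}
 github-token: ${{ steps.get_token.outputs.token }}
 - name: Add community and triage labels
 if: contains(steps.is_elastic_member.outputs.result, 'false') && github.actor != 'dependabot[bot]' && github.actor != 'elastic-observability-automation[bot]'
-uses: actions-ecosystem/action-add-labels@v1
+uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1
 with:
 labels: |
 community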

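--- a/.github/workflows/matrix-command.yml
+++ b/.github/workflows/matrix-command.yml
@@ -21,7 +21,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Is comment allowed?
-uses: actions/github-script@v7
+uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
 with:
 script: |
 const actorPermission = (await github.rest.repos.getCollaboratorPermissionLevel({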

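--- a/.github/workflows/microbenchmark.yml
+++ b/.github/workflows/microbenchmark.yml
@@ -19,7 +19,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: Run microbenchmark
-uses: elastic/oblt-actions/buildkite/run@v1
+uses: elastic/oblt-actions/buildkite/run@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 pipeline: "apm-agent-microbenchmark"
 token: ${{ secrets.BUILDKITE_TOKEN }}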

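--- a/.github/workflows/packages.yml
+++ b/.github/workflows/packages.yml
@@ -20,5 +20,5 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - uses: ./.github/actions/packages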

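--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -12,6 +12,6 @@ jobs:
 pre-commit:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-python@v5
-- uses: pre-commit/[email protected]
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
+- uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1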

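--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,7 +24,7 @@ jobs:
 contents: write
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - uses: ./.github/actions/packages
 - name: generate build provenance
 uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
@@ -40,8 +40,8 @@ jobs:
 permissions:
 id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
 steps:
-- uses: actions/checkout@v4
-- uses: actions/download-artifact@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+- uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
 with:
 name: packages
 path: dist
@@ -63,7 +63,7 @@ jobs:
 contents: write
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - uses: ./.github/actions/build-distribution
 - name: generate build provenance
 uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
@@ -78,12 +78,12 @@ jobs:
 - build-distribution
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
-- uses: actions/download-artifact@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+- uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
 with:
 name: build-distribution
 path: ./build
-- uses: elastic/oblt-actions/aws/auth@v1
+- uses: elastic/oblt-actions/aws/auth@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 aws-account-id: "267093732750"
 - name: Publish lambda layers to AWS
@@ -94,7 +94,7 @@ jobs:
 VERSION=${VERSION//./-}
 
 ELASTIC_LAYER_NAME="elastic-apm-python-${VERSION}" .ci/publish-aws.sh
-- uses: actions/upload-artifact@v4
+- uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 if: startsWith(github.ref, 'refs/tags')
 with:
 name: arn-file
@@ -116,7 +116,7 @@ jobs:
 env:
 DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-python
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
@@ -128,7 +128,7 @@ jobs:
 username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
 password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
 
-- uses: actions/download-artifact@v4
+- uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
 with:
 name: build-distribution
 path: ./build
@@ -172,8 +172,8 @@ jobs:
 if: startsWith(github.ref, 'refs/tags')
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
-- uses: actions/download-artifact@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+- uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
 with:
 name: arn-file
 - name: Create GitHub Draft Release
@@ -196,11 +196,11 @@ jobs:
 - github-draft
 steps:
 - id: check
-uses: elastic/oblt-actions/check-dependent-jobs@v1
+uses: elastic/oblt-actions/check-dependent-jobs@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 jobs: ${{ toJSON(needs) }}
 - if: startsWith(github.ref, 'refs/tags')
-uses: elastic/oblt-actions/slack/notify-result@v1
+uses: elastic/oblt-actions/slack/notify-result@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
 channel-id: "#apm-agent-python"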

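--- a/.github/workflows/run-matrix.yml
+++ b/.github/workflows/run-matrix.yml
@@ -21,20 +21,20 @@ jobs:
 matrix:
 include: ${{ fromJSON(inputs.include) }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Run tests
 run: ./tests/scripts/docker/run_tests.sh ${{ matrix.version }} ${{ matrix.framework }}
 env:
 LOCALSTACK_VOLUME_DIR: localstack_data
 - if: success() || failure()
 name: Upload JUnit Test Results
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: test-results-${{ matrix.framework }}-${{ matrix.version }}
 path: "**/*-python-agent-junit.xml"
 - if: success() || failure()
 name: Upload Coverage Reports
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: coverage-reports-${{ matrix.framework }}-${{ matrix.version }}
 path: "**/.coverage*"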

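--- a/.github/workflows/test-docs.yml
+++ b/.github/workflows/test-docs.yml
@@ -36,7 +36,7 @@ jobs:
 ENDOFFILE
 - if: success() || failure()
 name: Upload JUnit Test Results
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: test-results-docs
 path: "docs-python-agent-junit.xml"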

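--- a/.github/workflows/test-fips.yml
+++ b/.github/workflows/test-fips.yml
@@ -16,9 +16,9 @@ jobs:
 outputs:
 matrix: ${{ steps.generate.outputs.matrix }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - id: generate
-uses: elastic/oblt-actions/version-framework@v1
+uses: elastic/oblt-actions/version-framework@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 versions-file: .ci/.matrix_python_fips.yml
 frameworks-file: .ci/.matrix_framework_fips.yml
@@ -40,7 +40,7 @@ jobs:
 max-parallel: 10
 matrix: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: check that python has fips mode enabled
 run: |
 python3 -c 'import _hashlib; assert _hashlib.get_fips_mode() == 1'
@@ -57,12 +57,12 @@ jobs:
 needs: test-fips
 steps:
 - id: check
-uses: elastic/oblt-actions/check-dependent-jobs@v1
+uses: elastic/oblt-actions/check-dependent-jobs@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 jobs: ${{ toJSON(needs) }}
 - name: Notify in Slack
 if: steps.check.outputs.status == 'failure'
-uses: elastic/oblt-actions/slack/notify-result@v1
+uses: elastic/oblt-actions/slack/notify-result@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
 status: ${{ steps.check.outputs.status }}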

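--- a/.github/workflows/test-reporter.yml
+++ b/.github/workflows/test-reporter.yml
@@ -17,7 +17,7 @@ jobs:
 report:
 runs-on: ubuntu-latest
 steps:
-- uses: elastic/oblt-actions/test-report@v1
+- uses: elastic/oblt-actions/test-report@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 artifact: /test-results(.*)/
 name: 'Test Report $1'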

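--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -37,7 +37,7 @@ jobs:
 build-distribution:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - uses: ./.github/actions/build-distribution
 
 
@@ -48,11 +48,11 @@ jobs:
 data: ${{ steps.split.outputs.data }}
 chunks: ${{ steps.split.outputs.chunks }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: ${{ inputs.ref || github.ref }}
 - id: generate
-uses: elastic/oblt-actions/version-framework@v1
+uses: elastic/oblt-actions/version-framework@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 # Use .ci/.matrix_python_full.yml if it's a scheduled workflow, otherwise use .ci/.matrix_python.yml
 versions-file: .ci/.matrix_python${{ (github.event_name == 'schedule' || github.event_name == 'push' || inputs.full-matrix) && '_full' || '' }}.yml
@@ -131,10 +131,10 @@ jobs:
 FRAMEWORK: ${{ matrix.framework }}
 ASYNCIO: ${{ matrix.asyncio }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: ${{ inputs.ref || github.ref }}
-- uses: actions/setup-python@v5
+- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{ matrix.version }}
 cache: pip
@@ -145,14 +145,14 @@ jobs:
 run: .\scripts\run-tests.bat
 - if: success() || failure()
 name: Upload JUnit Test Results
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: test-results-${{ matrix.framework }}-${{ matrix.version }}-asyncio-${{ matrix.asyncio }}
 path: "**/*-python-agent-junit.xml"
 retention-days: 1
 - if: success() || failure()
 name: Upload Coverage Reports
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: coverage-reports-${{ matrix.framework }}-${{ matrix.version }}-asyncio-${{ matrix.asyncio }}
 path: "**/.coverage*"
@@ -171,12 +171,12 @@ jobs:
 - windows
 steps:
 - id: check
-uses: elastic/oblt-actions/check-dependent-jobs@v1
+uses: elastic/oblt-actions/check-dependent-jobs@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 jobs: ${{ toJSON(needs) }}
 - run: ${{ steps.check.outputs.is-success }}
 - if: failure() && (github.event_name == 'schedule' || github.event_name == 'push')
-uses: elastic/oblt-actions/slack/notify-result@v1
+uses: elastic/oblt-actions/slack/notify-result@31e93d1dfb82adc106fc7820f505db1afefe43b1 # v1
 with:
 bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
 status: ${{ steps.check.outputs.status }}
@@ -188,18 +188,18 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: ${{ inputs.ref || github.ref }}
 
-- uses: actions/setup-python@v5
+- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 # Use latest Python, so it understands all syntax.
 python-version: 3.11
 
 - run: python -Im pip install --upgrade coverage[toml]
 
-- uses: actions/download-artifact@v4
+- uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
 with:
 pattern: coverage-reports-*
 merge-multiple: true
@@ -216,10 +216,10 @@ jobs:
 python -Im coverage report --fail-under=84
 
 - name: Upload HTML report
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: html-coverage-report
 path: htmlcov
-- uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # 5.1.0
+- uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
 with:
 name: coverage-reports-*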
