chore: pin GHA deps, set default readonly in GHA (#3205)

Co-authored-by: odubajDT <93584209+odubajDT@users.noreply.github.com>
keptn · Mar 11, 2024 · d5d9c0c · d5d9c0c
1 parent f9eae91
commit d5d9c0c
Show file tree

Hide file tree

Showing 19 changed files with 147 additions and 79 deletions.
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
@@ -16,6 +16,9 @@ on:
       - "mkdocs.yml"
       - ".github/actions/spelling/*"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   GO_VERSION: "~1.20"
   # renovate: datasource=github-releases depName=kubernetes-sigs/controller-tools
@@ -40,11 +43,11 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
       - name: Extract branch name
         id: extract_branch
-        uses: keptn/gh-action-extract-branch-name@main
+        uses: keptn/gh-action-extract-branch-name@6ca4fe061da10c66b2d7341fd1fb12962ad911b2 # pin@main
 
       - name: Get current date and time
         id: get_datetime
@@ -88,10 +91,10 @@ jobs:
             folder: "keptn-cert-manager/"
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
       - name: Set up Go 1.x
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # pin@v5
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
@@ -103,7 +106,7 @@ jobs:
         run: make unit-test
 
       - name: Report code coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # pin@v4
         with:
           flags: ${{ matrix.config.name }}
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -135,21 +138,21 @@ jobs:
             folder: "keptn-cert-manager/"
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
       - name: Cache build tools
         id: cache-build-tools
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # pin@v4
         with:
           path: ./${{ matrix.config.folder }}bin
           key: build-tools-${{ github.ref_name }}
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # pin@v3
 
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # pin@v5
         with:
           context: ${{ matrix.config.folder }}
           platforms: linux/amd64,linux/arm64
@@ -169,7 +172,7 @@ jobs:
           outputs: type=oci,dest=/tmp/${{ matrix.config.name }}-image.tar
 
       - name: Upload image as artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # pin@v4
         with:
           name: ${{ matrix.config.name }}-image.tar
           path: /tmp/${{ matrix.config.name }}-image.tar
@@ -185,7 +188,7 @@ jobs:
         run: echo "" > tag
 
       - name: Upload tag for tests
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # pin@v4
         with:
           name: dev-${{ env.DATETIME }}
           path: tag
@@ -244,10 +247,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out keptn repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
       - name: Check out helm-charts repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
         with:
           repository: 'keptn/lifecycle-toolkit-charts'
           path: ./helm-charts-repository
@@ -269,7 +272,7 @@ jobs:
         run: rsync -av --delete --exclude='charts/*.tgz' ./${{ matrix.config.path }}/ ./helm-charts-repository/charts/${{ matrix.config.name }}/
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # pin@v6
         with:
           token: ${{ secrets.KEPTN_BOT_TOKEN }}
           path: ./helm-charts-repository

diff --git a/.github/workflows/component-test.yml b/.github/workflows/component-test.yml
@@ -4,6 +4,10 @@ on:
     secrets:
       CODECOV_TOKEN:
         required: false
+
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   GO_VERSION: "~1.20"
 defaults:
@@ -15,10 +19,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
       - name: Set up Go 1.x
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # pin@v5
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
@@ -30,7 +34,7 @@ jobs:
         run: make component-test
 
       - name: Report code coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # pin@v4
         with:
           flags: component-tests
           token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
@@ -6,6 +6,10 @@ on:
         description: "Tag for the runner image"
         type: "string"
         required: true
+
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   GO_VERSION: "~1.20"
 defaults:
@@ -25,7 +29,7 @@ jobs:
             folder: "scheduler/"
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
       - name: Setup cluster
         uses: ./.github/actions/deploy-keptn-on-cluster
@@ -43,7 +47,7 @@ jobs:
 
       - name: Upload ${{ matrix.config.name }} cluster logs
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # pin@v4
         with:
           name: logs-e2e-tests-${{ matrix.config.name }}
           path: .github/scripts/logs
diff --git a/.github/workflows/github-repo-stats.yml b/.github/workflows/github-repo-stats.yml
@@ -5,7 +5,11 @@ on:
     # Run this once per day, towards the end of the day for keeping the most
     # recent data point most meaningful (hours are interpreted in UTC).
     - cron: "0 23 * * *"
-  workflow_dispatch: # Allow for running this manually.
+  workflow_dispatch:
+    # Allow for running this manually.
+
+    # Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   snapshot:
@@ -14,7 +18,7 @@ jobs:
     steps:
       - name: run-ghrs
         # Use latest release.
-        uses: jgehrcke/github-repo-stats@v1.4.2
+        uses: jgehrcke/github-repo-stats@306db38ad131cab2aa5f2cd3062bf6f8aa78c1aa # pin@v1.4.2
         with:
           databranch: github-repo-stats
           ghtoken: ${{ secrets.KEPTN_BOT_TOKEN }}
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -15,6 +15,10 @@ on:
       - ".golangci.yml"
       - ".github/workflows/golangci-lint.yml"
       - "!docs/**"
+
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   # renovate: datasource=github-releases depName=golangci/golangci-lint
   GOLANGCI_LINT_VERSION: "v1.55.2"
@@ -37,15 +41,15 @@ jobs:
             folder: "keptn-cert-manager/"
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # pin@v5
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # pin@v4
         with:
           working-directory: ${{ matrix.config.folder }}
           version: ${{ env.GOLANGCI_LINT_VERSION }}

diff --git a/.github/workflows/htmltest.yaml b/.github/workflows/htmltest.yaml
@@ -14,6 +14,9 @@ on:
     paths:
       - 'docs/**'
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   htmltest:
     # The type of runner that the job will run on
@@ -22,13 +25,13 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
         with:
           submodules: true
           fetch-depth: 0
 
       - name: Cache HTMLTest packages
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # pin@v4
         with:
           path: |
             tmp/.htmltest

diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
@@ -14,6 +14,10 @@ on:
         description: "Decides whether to allow only certain namespaces"
         type: "string"
         default: allowed_ns_off
+
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   GO_VERSION: "~1.20"
 defaults:
@@ -26,7 +30,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
       - name: Setup cluster
         uses: ./.github/actions/deploy-keptn-on-cluster
@@ -39,7 +43,7 @@ jobs:
         uses: ./.github/actions/deploy-prometheus-on-cluster
 
       - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@v0.1.8
+        uses: kyverno/action-install-chainsaw@4932dd3a67eedf380e704f5c294851a2f83c638f # pin@v0.1.8
 
       - name: Run Scheduling Gates Integration Tests
         if: inputs.scheduling-gates == 'gates_on' && inputs.allowed-namespaces == 'allowed_ns_off'
@@ -63,7 +67,7 @@ jobs:
 
       - name: Upload cluster logs
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # pin@v4
         with:
           name: logs-integration-tests-${{ inputs.scheduling-gates }}-${{ inputs.allowed-namespaces }}
           path: .github/scripts/logs
diff --git a/.github/workflows/load-test.yml b/.github/workflows/load-test.yml
@@ -6,6 +6,10 @@ on:
         description: "Tag for the runner images"
         type: "string"
         required: true
+
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   GO_VERSION: "~1.20"
   # renovate: datasource=github-tags depName=cloud-bulldozer/kube-burner
@@ -20,11 +24,11 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
       - name: Cache build tools
         id: cache-build-tools
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # pin@v4
         with:
           path: /usr/local/bin/kube-burner
           key: kube-burner-${{ env.KUBE_BURNER_VERSION }}
@@ -53,7 +57,7 @@ jobs:
 
       - name: Upload results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # pin@v4
         with:
           name: load-tests-results
           path: ./collected-metrics
@@ -65,7 +69,7 @@ jobs:
 
       - name: Upload cluster logs
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # pin@v4
         with:
           name: logs-load-tests
           path: .github/scripts/logs
diff --git a/.github/workflows/markdown-checks.yaml b/.github/workflows/markdown-checks.yaml
@@ -18,6 +18,9 @@ on:
       - 'lifecycle-operator/apis/**'
       - 'metrics-operator/api/**'
 
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   GO_VERSION: "~1.20"
 
@@ -29,8 +32,8 @@ jobs:
   markdown-link-check:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: gaurav-nelson/github-action-markdown-link-check@v1
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
+      - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # pin@v1
         with:
           config-file: '.github/mlc_config.json'
           use-verbose-mode: true
@@ -42,7 +45,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
       - name: Run TOC generation
         run: |
@@ -69,10 +72,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
       - name: Set up Go 1.x
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # pin@v5
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true