ci: pin GitHub Actions workflow actions by hash (#1422)

as recommended in 5758364c82/docs/checks.md (pinned-dependencies) Ref #1298
2025-12-27 03:58:08 +08:00 · 2022-05-11 19:41:30 +09:00
parent c1e5829b03
commit d01595cfbc
8 changed files with 53 additions and 30 deletions
--- a/.github/workflows/on-push-master-publish-chart.yml
+++ b/.github/workflows/on-push-master-publish-chart.yml
@@ -15,6 +15,9 @@ env:
  KUBE_SCORE_VERSION: 1.10.0
  HELM_VERSION: v3.8.0

+permissions:
+  contents: read
+
 jobs:
  lint-chart:
    runs-on: ubuntu-latest
@@ -23,12 +26,12 @@ jobs:
      publish-chart: ${{ steps.publish-chart-step.outputs.publish }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
        with:
          fetch-depth: 0

      - name: Set up Helm
-        uses: azure/setup-helm@v2.1
+        uses: azure/setup-helm@217bf70cbd2e930ba2e81ba7e1de2f7faecc42ba
        with:
          version: ${{ env.HELM_VERSION }}

@@ -49,12 +52,12 @@ jobs:
              --enable-optional-test container-security-context-readonlyrootfilesystem

      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
        with:
          python-version: 3.7

      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.2.1
+        uses: helm/chart-testing-action@62a185010be4cb08459f7acb19f37927235d5cf3

      - name: Run chart-testing (list-changed)
        id: list-changed
@@ -68,7 +71,7 @@ jobs:
        run: ct lint --config charts/.ci/ct-config.yaml

      - name: Create kind cluster
-        uses: helm/kind-action@v1.2.0
+        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478
        if: steps.list-changed.outputs.changed == 'true'

      # We need cert-manager already installed in the cluster because we assume the CRDs exist
@@ -97,6 +100,8 @@ jobs:
          fi

  publish-chart:
+    permissions:
+      contents: write  # for helm/chart-releaser-action to push chart release and create a release
    if: needs.lint-chart.outputs.publish-chart == 'true'
    needs: lint-chart
    runs-on: ubuntu-latest
@@ -104,7 +109,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
        with:
          fetch-depth: 0

@@ -114,7 +119,7 @@ jobs:
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.4.0
+        uses: helm/chart-releaser-action@fc23f249f75decd5edf254c6b4401532cef093c3
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"