From 06d7f0cec7edad8b4bdbffbd4e2bc60f46e05f5b Mon Sep 17 00:00:00 2001 From: Florencio Cano Gabarda Date: Thu, 7 May 2026 11:13:30 +0200 Subject: [PATCH] chore(ci): pin all GitHub Actions to SHA digests Replace all mutable version tag references across 23 workflow files with immutable SHA digests. Retains the version tag as an inline comment for human readability and because it's a Dependabot requirement. Pinning to immutable SHAs eliminates the risk of a compromised or reassigned upstream tag injecting malicious code into CI runs. Pinned actions: - actions/checkout@v6 => de0fac2e4500dabe0009e67214ff5f5447ce83dd - actions/checkout@v4 => 34e114876b0b11c390a56381ad16ebd13914f8d5 - actions/github-script@v9 => 373c709c69115d41ff229c7e5df9f8788daa9553 - actions/setup-node@v6 => 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e - docker/login-action@v4 => 4907a6ddec9925e35a0a9e82d7399ccc52663121 - actions/upload-artifact@v7 => 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a - actions/download-artifact@v4 => d3f86a106a0bac45b974a628896c90dbdf5c8093 - softprops/action-gh-release@v2 => 3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 - actions/attest@v4 => 281a49d4cbb0a72c9575a50d18f6deb515a11deb Dependabot will keep these pins current via the github-actions ecosystem config added in #1188. 
Signed-off-by: Florencio Cano Gabarda Co-authored-by: Cursor --- .github/workflows/branch-checks.yml | 12 ++--- .github/workflows/branch-docs.yml | 4 +- .github/workflows/branch-e2e.yml | 2 +- .github/workflows/ci-image.yml | 6 +-- .github/workflows/deb-package.yml | 10 ++--- .github/workflows/docker-build.yml | 4 +- .github/workflows/driver-vm-linux.yml | 10 ++--- .github/workflows/driver-vm-macos.yml | 16 +++---- .github/workflows/e2e-gpu-test.yaml | 2 +- .github/workflows/e2e-test.yml | 2 +- .github/workflows/issue-triage.yml | 4 +- .github/workflows/release-auto-tag.yml | 2 +- .github/workflows/release-dev.yml | 54 +++++++++++------------ .github/workflows/release-tag.yml | 58 ++++++++++++------------- .github/workflows/release-vm-kernel.yml | 26 +++++------ .github/workflows/rpm-package.yml | 4 +- .github/workflows/rust-native-build.yml | 4 +- .github/workflows/test-gpu.yml | 2 +- .github/workflows/vouch-check.yml | 4 +- .github/workflows/vouch-command.yml | 2 +- 20 files changed, 114 insertions(+), 114 deletions(-) diff --git a/.github/workflows/branch-checks.yml b/.github/workflows/branch-checks.yml index f7bc6ad1f..54084fddd 100644 --- a/.github/workflows/branch-checks.yml +++ b/.github/workflows/branch-checks.yml @@ -30,7 +30,7 @@ jobs: outputs: should_run: ${{ steps.gate.outputs.should_run }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - id: gate uses: ./.github/actions/pr-gate @@ -46,7 +46,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Mark workspace as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" 
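Review bot: The pin on the new `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6` line covers only the direct reference; the step right after it in the same hunk, `uses: ./.github/actions/pr-gate`, runs a local composite action that this patch does not touch, and any third-party `uses:` inside it would still be resolved by tag. The same gap applies to the pr-gate steps in branch-e2e.yml and test-gpu.yml and to `./.github/actions/release-helm-oci` in release-dev.yml, so it is worth confirming those composite actions are pinned as well (they are not visible from this diff). To keep the repository from regressing once Dependabot is managing the digests, a CI lint that rejects unpinned `uses:` references — zizmor's `unpinned-uses` audit, for instance — would make the policy enforceable rather than a one-time sweep.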
@@ -70,7 +70,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install tools run: mise install --locked @@ -95,7 +95,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install tools run: mise install --locked @@ -148,7 +148,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install tools run: mise install --locked @@ -173,7 +173,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install tools run: mise install --locked diff --git a/.github/workflows/branch-docs.yml b/.github/workflows/branch-docs.yml index 1368bc775..3b2a4099e 100644 --- a/.github/workflows/branch-docs.yml +++ b/.github/workflows/branch-docs.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Check Fern preview availability id: fern-preview @@ -34,7 +34,7 @@ jobs: fi - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "24" diff --git a/.github/workflows/branch-e2e.yml b/.github/workflows/branch-e2e.yml index 3d8dd5928..49f9ddb03 100644 --- a/.github/workflows/branch-e2e.yml +++ b/.github/workflows/branch-e2e.yml 
@@ -18,7 +18,7 @@ jobs: outputs: should_run: ${{ steps.gate.outputs.should_run }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - id: gate uses: ./.github/actions/pr-gate with: diff --git a/.github/workflows/ci-image.yml b/.github/workflows/ci-image.yml index 327ce0733..f0e7caef3 100644 --- a/.github/workflows/ci-image.yml +++ b/.github/workflows/ci-image.yml @@ -35,10 +35,10 @@ jobs: runs-on: ${{ matrix.runner }} timeout-minutes: 60 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Log in to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -91,7 +91,7 @@ jobs: timeout-minutes: 10 steps: - name: Log in to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} diff --git a/.github/workflows/deb-package.yml b/.github/workflows/deb-package.yml index 72628a23a..6ae6127a4 100644 --- a/.github/workflows/deb-package.yml +++ b/.github/workflows/deb-package.yml 
@@ -42,24 +42,24 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs['checkout-ref'] }} - name: Download CLI artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: cli-linux-${{ matrix.arch }} path: package-input/ - name: Download gateway artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: gateway-binary-linux-${{ matrix.arch }} path: package-input/ - name: Download VM driver artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: driver-vm-linux-${{ matrix.arch }} path: package-input/ @@ -85,7 +85,7 @@ jobs: tasks/scripts/package-deb.sh - name: Upload Debian package artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: deb-linux-${{ matrix.arch }} path: artifacts/*.deb diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 450d6b5c5..e997c6fb9 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -186,7 +186,7 @@ jobs: DOCKER_PUSH: ${{ inputs.push && '1' || '0' }} DOCKER_PLATFORM: ${{ matrix.platform }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs['checkout-ref'] || github.sha }} fetch-depth: 0 @@ -207,7 +207,7 @@ jobs: buildkitd-config: /etc/buildkit/buildkitd.toml - name: Download Rust binary artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: ${{ needs.resolve.outputs.artifact_prefix }}-linux-${{ matrix.arch }} path: prebuilt-rust-binary 
diff --git a/.github/workflows/driver-vm-linux.yml b/.github/workflows/driver-vm-linux.yml index 8ad4073ca..9e63b3aa2 100644 --- a/.github/workflows/driver-vm-linux.yml +++ b/.github/workflows/driver-vm-linux.yml @@ -32,7 +32,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs['checkout-ref'] }} @@ -66,7 +66,7 @@ jobs: done - name: Upload runtime artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: vm-driver-kernel-runtime-tarballs path: runtime-artifacts/vm-runtime-*.tar.zst @@ -100,7 +100,7 @@ jobs: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs['checkout-ref'] }} fetch-depth: 0 @@ -125,7 +125,7 @@ jobs: run: apt-get update && apt-get install -y --no-install-recommends zstd && rm -rf /var/lib/apt/lists/* - name: Download kernel runtime tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: vm-driver-kernel-runtime-tarballs path: runtime-download/ @@ -188,7 +188,7 @@ jobs: -C target/release openshell-driver-vm - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: driver-vm-linux-${{ matrix.arch }} path: artifacts/*.tar.gz diff --git a/.github/workflows/driver-vm-macos.yml b/.github/workflows/driver-vm-macos.yml index 915e007c9..5618d3731 100644 --- a/.github/workflows/driver-vm-macos.yml +++ b/.github/workflows/driver-vm-macos.yml 
@@ -32,7 +32,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs['checkout-ref'] }} @@ -60,7 +60,7 @@ jobs: run: test -f runtime-artifacts/vm-runtime-darwin-aarch64.tar.zst - name: Upload runtime artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: vm-driver-macos-kernel-runtime-tarball path: runtime-artifacts/vm-runtime-darwin-aarch64.tar.zst @@ -79,7 +79,7 @@ jobs: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs['checkout-ref'] }} fetch-depth: 0 @@ -113,7 +113,7 @@ jobs: run: mise x -- sccache --show-stats - name: Upload supervisor bundle - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: driver-vm-supervisor-arm64 path: target/vm-runtime-compressed/openshell-sandbox.zst @@ -135,7 +135,7 @@ jobs: env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs['checkout-ref'] }} fetch-depth: 0 @@ -156,7 +156,7 @@ jobs: run: apt-get update && apt-get install -y --no-install-recommends zstd && rm -rf /var/lib/apt/lists/* - name: Download kernel runtime tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: vm-driver-macos-kernel-runtime-tarball path: runtime-download/ 
@@ -171,7 +171,7 @@ jobs: tasks/scripts/vm/compress-vm-runtime.sh - name: Download bundled supervisor - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: driver-vm-supervisor-arm64 path: target/vm-runtime-compressed-macos/ @@ -214,7 +214,7 @@ jobs: ls -lh artifacts/ - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: driver-vm-macos path: artifacts/*.tar.gz diff --git a/.github/workflows/e2e-gpu-test.yaml b/.github/workflows/e2e-gpu-test.yaml index 0004bcbe2..78cd7e4d1 100644 --- a/.github/workflows/e2e-gpu-test.yaml +++ b/.github/workflows/e2e-gpu-test.yaml @@ -55,7 +55,7 @@ jobs: # probe below and by the e2e tests in e2e/rust/tests/gpu_device_selection.rs. OPENSHELL_E2E_GPU_PROBE_IMAGE: "nvcr.io/nvidia/base/ubuntu:noble-20251013" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Log in to GHCR run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index db8010d0f..aabddee96 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -58,7 +58,7 @@ jobs: OPENSHELL_REGISTRY_USERNAME: ${{ github.actor }} OPENSHELL_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs['checkout-ref'] || github.sha }} diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml index b59d8ba34..4aa3d6697 100644 --- a/.github/workflows/issue-triage.yml +++ b/.github/workflows/issue-triage.yml 
@@ -14,7 +14,7 @@ jobs: steps: - name: Check contributor permissions id: contributor - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: result-encoding: string script: | @@ -46,7 +46,7 @@ jobs: - name: Add triage label if: steps.contributor.outputs.result == 'true' - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | await github.rest.issues.addLabels({ diff --git a/.github/workflows/release-auto-tag.yml b/.github/workflows/release-auto-tag.yml index f89c506d7..2b10a5b6e 100644 --- a/.github/workflows/release-auto-tag.yml +++ b/.github/workflows/release-auto-tag.yml @@ -20,7 +20,7 @@ jobs: create-tag: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml index f1df71b3f..94c950772 100644 --- a/.github/workflows/release-dev.yml +++ b/.github/workflows/release-dev.yml @@ -33,7 +33,7 @@ jobs: rpm_version: ${{ steps.v.outputs.rpm_version }} rpm_release: ${{ steps.v.outputs.rpm_release }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 @@ -123,7 +123,7 @@ jobs: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENSHELL_IMAGE_TAG: dev steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 @@ -147,7 +147,7 @@ jobs: ls -la ${{ matrix.output_path }} - name: Upload wheel artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: python-wheels-${{ matrix.artifact }} path: ${{ matrix.output_path }} 
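Review bot: The digest pinned on the new `uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9` line does not match the one the commit message records for `actions/github-script@v9` (`373c709c69115d41ff229c7e5df9f8788daa9553`), and the same disagreement exists for `uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4` in release-dev.yml versus the message's `281a49d4cbb0a72c9575a50d18f6deb515a11deb`. A SHA pin is only as trustworthy as the tag-to-commit mapping behind it, so each disputed digest should be re-resolved against the upstream repository (for example with `git ls-remote` on the tag, dereferenced to the commit it points at) and either the workflow lines or the message corrected before merge. The message also lists an `actions/checkout@v4` pin and speaks of 23 workflow files, while the hunks contain only checkout@v6 pins and the diffstat counts 20 files, which suggests the message was written against an earlier revision of the change. The other github-script and attest hunks (the second hunk in this file, plus release-tag.yml, release-vm-kernel.yml, vouch-check.yml and vouch-command.yml) carry the same digests and should be verified together.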
@@ -170,7 +170,7 @@ jobs: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENSHELL_IMAGE_TAG: dev steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 @@ -193,7 +193,7 @@ jobs: ls -la target/wheels/*.whl - name: Upload wheel artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: python-wheels-macos path: target/wheels/*.whl @@ -231,7 +231,7 @@ jobs: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENSHELL_IMAGE_TAG: dev steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 @@ -307,7 +307,7 @@ jobs: ls -lh artifacts/ - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: cli-linux-${{ matrix.arch }} path: artifacts/*.tar.gz @@ -332,7 +332,7 @@ jobs: env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 @@ -369,7 +369,7 @@ jobs: ls -lh artifacts/ - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: cli-macos path: artifacts/*.tar.gz @@ -401,7 +401,7 @@ jobs: env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 @@ -454,7 +454,7 @@ jobs: ls -lh artifacts/ - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: gateway-binary-linux-${{ matrix.arch }} path: artifacts/*.tar.gz 
@@ -479,7 +479,7 @@ jobs: env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 @@ -521,7 +521,7 @@ jobs: ls -lh artifacts/ - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: gateway-binary-macos path: artifacts/*.tar.gz @@ -553,7 +553,7 @@ jobs: env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 @@ -604,7 +604,7 @@ jobs: ls -lh artifacts/ - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: supervisor-binary-linux-${{ matrix.arch }} path: artifacts/*.tar.gz 
@@ -666,52 +666,52 @@ jobs: outputs: wheel_filenames: ${{ steps.wheel_filenames.outputs.wheel_filenames }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Download all CLI artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: cli-* path: release/ merge-multiple: true - name: Download gateway binary artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: gateway-binary-* path: release/ merge-multiple: true - name: Download supervisor binary artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: supervisor-binary-* path: release/ merge-multiple: true - name: Download VM driver artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: driver-vm-* path: release/ merge-multiple: true - name: Download wheel artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: python-wheels-* path: release/ merge-multiple: true - name: Download Debian package artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: deb-linux-* path: release/ merge-multiple: true - name: Download RPM package artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: rpm-linux-* path: release/ 
@@ -785,7 +785,7 @@ jobs: cat release/openshell.rb - name: Attest VM driver artifacts - uses: actions/attest@v4 + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4 with: subject-path: | release/openshell-driver-vm-x86_64-unknown-linux-gnu.tar.gz @@ -793,7 +793,7 @@ jobs: release/openshell-driver-vm-aarch64-apple-darwin.tar.gz - name: Prune managed assets from dev release - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/'); @@ -848,7 +848,7 @@ jobs: git push --force origin dev - name: Create / update GitHub Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 with: name: OpenShell Development Build prerelease: true @@ -894,7 +894,7 @@ jobs: permissions: packages: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: ./.github/actions/release-helm-oci with: diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml index 18bf74db5..d6039bdf8 100644 --- a/.github/workflows/release-tag.yml +++ b/.github/workflows/release-tag.yml @@ -48,7 +48,7 @@ jobs: # Commit resolved from RELEASE_TAG, used for image tags and downstream metadata source_sha: ${{ steps.v.outputs.source_sha }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.tag || github.ref }} fetch-depth: 0 @@ -152,7 +152,7 @@ jobs: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENSHELL_IMAGE_TAG: ${{ needs.compute-versions.outputs.semver }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.tag || github.ref }} fetch-depth: 0 
@@ -177,7 +177,7 @@ jobs: ls -la ${{ matrix.output_path }} - name: Upload wheel artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: python-wheels-${{ matrix.artifact }} path: ${{ matrix.output_path }} @@ -200,7 +200,7 @@ jobs: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENSHELL_IMAGE_TAG: ${{ needs.compute-versions.outputs.semver }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.tag || github.ref }} fetch-depth: 0 @@ -224,7 +224,7 @@ jobs: ls -la target/wheels/*.whl - name: Upload wheel artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: python-wheels-macos path: target/wheels/*.whl @@ -262,7 +262,7 @@ jobs: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENSHELL_IMAGE_TAG: ${{ needs.compute-versions.outputs.semver }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.tag || github.ref }} fetch-depth: 0 @@ -339,7 +339,7 @@ jobs: ls -lh artifacts/ - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: cli-linux-${{ matrix.arch }} path: artifacts/*.tar.gz @@ -364,7 +364,7 @@ jobs: env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.tag || github.ref }} fetch-depth: 0 @@ -402,7 +402,7 @@ jobs: ls -lh artifacts/ - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: cli-macos path: artifacts/*.tar.gz 
@@ -434,7 +434,7 @@ jobs: env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.tag || github.ref }} fetch-depth: 0 @@ -488,7 +488,7 @@ jobs: ls -lh artifacts/ - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: gateway-binary-linux-${{ matrix.arch }} path: artifacts/*.tar.gz @@ -520,7 +520,7 @@ jobs: env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.tag || github.ref }} fetch-depth: 0 @@ -572,7 +572,7 @@ jobs: ls -lh artifacts/ - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: supervisor-binary-linux-${{ matrix.arch }} path: artifacts/*.tar.gz @@ -597,7 +597,7 @@ jobs: env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.tag || github.ref }} fetch-depth: 0 @@ -640,7 +640,7 @@ jobs: ls -lh artifacts/ - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: gateway-binary-macos path: artifacts/*.tar.gz 
@@ -702,54 +702,54 @@ jobs: outputs: wheel_filenames: ${{ steps.wheel_filenames.outputs.wheel_filenames }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.tag || github.ref }} - name: Download all CLI artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: cli-* path: release/ merge-multiple: true - name: Download gateway binary artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: gateway-binary-* path: release/ merge-multiple: true - name: Download supervisor binary artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: supervisor-binary-* path: release/ merge-multiple: true - name: Download VM driver artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: driver-vm-* path: release/ merge-multiple: true - name: Download wheel artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: python-wheels-* path: release/ merge-multiple: true - name: Download Debian package artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: deb-linux-* path: release/ merge-multiple: true - name: Download RPM package artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: rpm-linux-* path: release/ 
@@ -798,7 +798,7 @@ jobs: cat release/openshell.rb - name: Attest VM driver artifacts - uses: actions/attest@v4 + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4 with: subject-path: | release/openshell-driver-vm-x86_64-unknown-linux-gnu.tar.gz @@ -806,7 +806,7 @@ jobs: release/openshell-driver-vm-aarch64-apple-darwin.tar.gz - name: Prune removed VM checksum asset - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/'); @@ -828,7 +828,7 @@ jobs: } - name: Create GitHub Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 with: name: OpenShell ${{ env.RELEASE_TAG }} prerelease: false @@ -869,12 +869,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.tag || github.ref }} - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "24" @@ -897,7 +897,7 @@ jobs: permissions: packages: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.tag || github.ref }} diff --git a/.github/workflows/release-vm-kernel.yml b/.github/workflows/release-vm-kernel.yml index abd7a633c..d94bfe399 100644 --- a/.github/workflows/release-vm-kernel.yml +++ b/.github/workflows/release-vm-kernel.yml @@ -47,7 +47,7 @@ jobs: env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Mark workspace safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" 
@@ -63,7 +63,7 @@ jobs: --output artifacts/vm-runtime-linux-aarch64.tar.zst - name: Upload runtime artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: vm-runtime-linux-arm64 path: artifacts/vm-runtime-linux-aarch64.tar.zst @@ -73,7 +73,7 @@ jobs: # the aarch64 Linux kernel as a byte array — it is OS-agnostic and can # be compiled into a .dylib by Apple's cc without rebuilding the kernel. - name: Upload kernel.c for macOS build - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: kernel-c-arm64 path: | @@ -97,7 +97,7 @@ jobs: env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Mark workspace safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" @@ -113,7 +113,7 @@ jobs: --output artifacts/vm-runtime-linux-x86_64.tar.zst - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: vm-runtime-linux-amd64 path: artifacts/vm-runtime-linux-x86_64.tar.zst @@ -130,7 +130,7 @@ jobs: env: RUSTC_WRAPPER: "" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install dependencies run: | @@ -140,7 +140,7 @@ jobs: brew install lld dtc xz - name: Download pre-built kernel.c - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: kernel-c-arm64 path: target/kernel-artifact 
@@ -156,7 +156,7 @@ jobs: --output artifacts/vm-runtime-darwin-aarch64.tar.zst - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: vm-runtime-macos-arm64 path: artifacts/vm-runtime-darwin-aarch64.tar.zst @@ -176,17 +176,17 @@ jobs: attestations: write artifact-metadata: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Download all runtime artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: vm-runtime-* path: release/ merge-multiple: true - name: Attest VM runtime artifacts - uses: actions/attest@v4 + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4 with: subject-path: | release/vm-runtime-linux-aarch64.tar.zst @@ -201,7 +201,7 @@ jobs: git push --force origin vm-runtime - name: Prune stale runtime assets from vm-runtime release - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/'); @@ -224,7 +224,7 @@ jobs: } - name: Create / update vm-runtime GitHub Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 with: name: OpenShell VM Runtime prerelease: true diff --git a/.github/workflows/rpm-package.yml b/.github/workflows/rpm-package.yml index e0607c3ff..e96b19958 100644 --- a/.github/workflows/rpm-package.yml +++ b/.github/workflows/rpm-package.yml @@ -54,7 +54,7 @@ jobs: pandoc python3-devel git-core \ cargo-rpm-macros - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.checkout-ref }} fetch-depth: 0 
@@ -87,7 +87,7 @@ jobs: ls -lah artifacts/ - name: Upload RPM artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: rpm-linux-${{ matrix.arch }} path: artifacts/*.rpm diff --git a/.github/workflows/rust-native-build.yml b/.github/workflows/rust-native-build.yml index edb1bfb7a..1086ee5e8 100644 --- a/.github/workflows/rust-native-build.yml +++ b/.github/workflows/rust-native-build.yml @@ -84,7 +84,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs['checkout-ref'] || github.sha }} fetch-depth: 0 @@ -247,7 +247,7 @@ jobs: ls -lh "$STAGE/" - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: ${{ inputs['artifact-name'] != '' && inputs['artifact-name'] || format('rust-binary-{0}-linux-{1}', inputs.component, inputs.arch) }} path: prebuilt-binaries/${{ inputs.arch }}/${{ steps.target.outputs.binary }} diff --git a/.github/workflows/test-gpu.yml b/.github/workflows/test-gpu.yml index 37fdcbb94..4d62ccefd 100644 --- a/.github/workflows/test-gpu.yml +++ b/.github/workflows/test-gpu.yml @@ -19,7 +19,7 @@ jobs: outputs: should_run: ${{ steps.gate.outputs.should_run }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - id: gate uses: ./.github/actions/pr-gate with: diff --git a/.github/workflows/vouch-check.yml b/.github/workflows/vouch-check.yml index db7a540eb..2eeeb949f 100644 --- a/.github/workflows/vouch-check.yml +++ b/.github/workflows/vouch-check.yml 
@@ -18,7 +18,7 @@ jobs: - name: Check org membership id: org-check if: env.ORG_READ_TOKEN != '' - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: github-token: ${{ secrets.ORG_READ_TOKEN }} result-encoding: string @@ -42,7 +42,7 @@ jobs: - name: Check if contributor is vouched if: steps.org-check.outputs.result != 'skip' - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const author = context.payload.pull_request.user.login; diff --git a/.github/workflows/vouch-command.yml b/.github/workflows/vouch-command.yml index 309a4ae36..366dd6a0e 100644 --- a/.github/workflows/vouch-command.yml +++ b/.github/workflows/vouch-command.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Process /vouch command - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const commenter = context.payload.comment.user.login;