ci: Pin actions

2025-07-03 08:37:03 +02:00 · 2025-04-18 11:11:50 +02:00 · 2025-04-18 11:11:50 +02:00 · 8f66d48e6e
commit 8f66d48e6e
parent b3dd7419ee
6 changed files with 44 additions and 44 deletions
--- a/.github/workflows/chart-release-steps.yaml
+++ b/.github/workflows/chart-release-steps.yaml
@ -57,18 +57,18 @@ jobs:
      # Setup
      # ----------------------------
      - name: Checkout source branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: src
      - name: Install Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
        with:
          version: ${{ inputs.helmVersion }}
      - name: Login to OCI Registry
        if: ${{ inputs.publishToOciRegistry }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@ -79,7 +79,7 @@ jobs:
      # ----------------------------
      - name: Get chart details
        id: chart-details
-        uses: bjw-s/helm-charts-actions/get-chart-details@main
+        uses: bjw-s-labs/helm-charts-actions/get-chart-details@main
        with:
          path: src/charts/${{ inputs.chart }}
          validateChartYaml: true
@ -96,7 +96,7 @@ jobs:
      - name: Format changelog
        id: format-changelog
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            let input = '${{ steps.chart-details.outputs.changes }}';
@ -128,7 +128,7 @@ jobs:
      # Package Helm chart
      # ----------------------------
      - name: Dereference JSON schema before packaging
-        uses: bjw-s/helm-charts-actions/dereference-json-schema@main
+        uses: bjw-s-labs/helm-charts-actions/dereference-json-schema@main
        with:
          schemaFile: "src/charts/${{ inputs.chart }}/values.schema.json"
          outputFile: "src/charts/${{ inputs.chart }}/values.schema.json"
@ -149,7 +149,7 @@ jobs:
      # Add chart to GitHub Pages
      # ----------------------------
      - name: Checkout gh-pages branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        if: ${{ inputs.publishToGhPages }}
        with:
          path: gh-pages
@ -183,7 +183,7 @@ jobs:
      - name: Commit Changes
        if: ${{ inputs.publishToGhPages }}
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
        with:
          commit_message: "feat: Add Chart package ${{ steps.chart-folder.outputs.chart_folder }}/${{ steps.chart-details.outputs.name }}-${{ steps.chart-details.outputs.version }}"
          repository: gh-pages
@ -205,13 +205,13 @@ jobs:
      # ----------------------------
      - name: Create tag
        if: ${{ inputs.createGithubRelease }}
-        uses: EndBug/latest-tag@latest
+        uses: EndBug/latest-tag@c24a76ea69bf06f7f0e43a48b61c2b51b99d6c42 # latest
        with:
          ref: ${{ steps.chart-details.outputs.name }}-${{ steps.chart-details.outputs.version }}
          git-directory: src
      - name: Create release for tag
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
        if: ${{ inputs.createGithubRelease }}
        with:
          allowUpdates: true
@ -223,7 +223,7 @@ jobs:
      # ----------------------------
      - name: Install Cosign
        if: ${{ inputs.publishToOciRegistry }}
-        uses: sigstore/cosign-installer@v3.8.0
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
      - name: Push Helm charts to OCI registry
        if: ${{ inputs.publishToOciRegistry }}
--- a/.github/workflows/charts-lint.yaml
+++ b/.github/workflows/charts-lint.yaml
@ -32,19 +32,19 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout pull request branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: pull
      - name: Checkout default branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: "${{ github.event.repository.default_branch }}"
          path: default
      - name: Get chart details for PR
        id: chart-details-pr
-        uses: bjw-s/helm-charts-actions/get-chart-details@main
+        uses: bjw-s-labs/helm-charts-actions/get-chart-details@main
        with:
          path: pull/charts/${{ matrix.chart }}
          validateChartYaml: true
@ -52,7 +52,7 @@ jobs:
      - name: Get chart details for default branch
        id: chart-details-default
-        uses: bjw-s/helm-charts-actions/get-chart-details@main
+        uses: bjw-s-labs/helm-charts-actions/get-chart-details@main
        with:
          path: default/charts/${{ matrix.chart }}
          allowChartToNotExist: true
@ -61,14 +61,14 @@ jobs:
      # - name: Check version update
      #   if: ${{ steps.chart-details-pr.outputs.version == steps.chart-details-default.outputs.version }}
-      #   uses: actions/github-script@v7
+      #   uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      #   with:
      #     script: |
      #       core.setFailed("Chart version has not been updated for ${{ matrix.chart }}");
      # - name: Check changelog update
      #   if: ${{ steps.chart-details-pr.outputs.changes == steps.chart-details-default.outputs.changes }}
-      #   uses: actions/github-script@v7
+      #   uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      #   with:
      #     script: |
      #       core.setFailed("Changelog has not been updated for ${{ matrix.chart }}");
@ -100,17 +100,17 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Install Kubernetes tools
-        uses: yokawasa/action-setup-kube-tools@v0.11.2
+        uses: yokawasa/action-setup-kube-tools@9e25a4277af127b60011c95b6ed2da7e3b3613b1 # v0.11.2
        with:
          setup-tools: |
            helmv3
          helm: "${{ inputs.helmVersion }}"
      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.7.0
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
      - name: Dereference JSON schema
        uses: bjw-s/helm-charts-actions/dereference-json-schema@main
--- a/.github/workflows/charts-release.yaml
+++ b/.github/workflows/charts-release.yaml
@ -29,7 +29,7 @@ jobs:
      # Setup
      # ----------------------------
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
@ -42,7 +42,7 @@ jobs:
      - name: Get changed library charts
        id: changed-library-charts
        if: ${{ github.event_name != 'workflow_dispatch' }}
-        uses: tj-actions/changed-files@v45
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
        with:
          matrix: true
          path: charts
@ -54,7 +54,7 @@ jobs:
      - name: Get changed charts
        id: changed-charts
        if: ${{ github.event_name != 'workflow_dispatch' }}
-        uses: tj-actions/changed-files@v45
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
        with:
          matrix: true
          path: charts
@ -66,7 +66,7 @@ jobs:
      - name: Get specified charts
        id: specified-charts
        if: ${{ github.event_name == 'workflow_dispatch' }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            const fs = require('fs');
@ -105,7 +105,7 @@ jobs:
      - name: Filter out excluded charts
        id: filtered-charts
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            let libraryChartsInput = ${{ github.event_name == 'workflow_dispatch' && steps.specified-charts.outputs.libraryChartsToRelease || steps.changed-library-charts.outputs.all_changed_files }};
--- a/.github/workflows/charts-test.yaml
+++ b/.github/workflows/charts-test.yaml
@ -35,7 +35,7 @@ jobs:
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Validate prerequisite folders
        working-directory: "charts/${{ matrix.chart }}"
@ -47,7 +47,7 @@ jobs:
          fi
      - name: Install Kubernetes tools
-        uses: yokawasa/action-setup-kube-tools@v0.11.2
+        uses: yokawasa/action-setup-kube-tools@9e25a4277af127b60011c95b6ed2da7e3b3613b1 # v0.11.2
        with:
          setup-tools: |
            helmv3
@ -55,7 +55,7 @@ jobs:
          helm: "${{ inputs.helmVersion }}"
          kubectl: "${{ matrix.k8s_version }}"
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
        with:
          python-version: "3.11"
@ -63,7 +63,7 @@ jobs:
        uses: helm/chart-testing-action@v2.6.1
      - name: Create k3d cluster
-        uses: nolar/setup-k3d-k3s@v1
+        uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
        with:
          version: ${{ matrix.k8s_version }}
@ -123,7 +123,7 @@ jobs:
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Validate prerequisite folders
        working-directory: "charts/${{ matrix.chart }}"
@ -135,14 +135,14 @@ jobs:
          fi
      - name: Install Kubernetes tools
-        uses: yokawasa/action-setup-kube-tools@v0.11.2
+        uses: yokawasa/action-setup-kube-tools@9e25a4277af127b60011c95b6ed2da7e3b3613b1 # v0.11.2
        with:
          setup-tools: |
            helmv3
          helm: "${{ inputs.helmVersion }}"
      - name: Dereference JSON schema
-        uses: bjw-s/helm-charts-actions/dereference-json-schema@main
+        uses: bjw-s-labs/helm-charts-actions/dereference-json-schema@main
        with:
          schemaFile: "charts/${{ matrix.chart }}/values.schema.json"
          outputFile: "charts/${{ matrix.chart }}/values.schema.json"
--- a/.github/workflows/docs-release.yaml
+++ b/.github/workflows/docs-release.yaml
@ -20,20 +20,20 @@ jobs:
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}
    steps:
-      - name: "Generate Short Lived OAuth App Token (ghs_*)"
+      - name: Generate Token
-        uses: actions/create-github-app-token@v1.10.4
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
        id: app-token
        with:
          app-id: "${{ secrets.BJWS_APP_ID }}"
          private-key: "${{ secrets.BJWS_APP_PRIVATE_KEY }}"
      - name: Checkout main branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
        with:
          python-version: 3.x
@ -44,7 +44,7 @@ jobs:
        run: mkdocs build -f .ci/mkdocs/mkdocs.yml
      - name: Deploy
-        uses: peaceiris/actions-gh-pages@v4.0.0
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
        if: ${{ github.ref == 'refs/heads/main' }}
        with:
          github_token: ${{ steps.app-token.outputs.token }}
--- a/.github/workflows/pr-validate.yaml
+++ b/.github/workflows/pr-validate.yaml
@ -23,7 +23,7 @@ jobs:
      chartsToInstall: ${{ steps.charts-to-install.outputs.filteredCharts }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
@ -35,11 +35,11 @@ jobs:
      - name: Get all added or modified files
        id: added-modified-files
-        uses: tj-actions/changed-files@v45
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
      - name: Get changed charts
        id: changed-charts
-        uses: tj-actions/changed-files@v45
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
        with:
          matrix: true
          path: charts
@ -48,7 +48,7 @@ jobs:
      - name: Determine charts to lint
        id: charts-to-lint
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            var changedCharts = ${{ steps.changed-charts.outputs.all_changed_files }};
@ -58,7 +58,7 @@ jobs:
      - name: Determine charts to install
        id: charts-to-install
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            var changedCharts = ${{ steps.changed-charts.outputs.all_changed_files }};
@ -73,10 +73,10 @@ jobs:
      - prepare
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run against changes
-        uses: pre-commit/action@v3.0.1
+        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
        with:
          extra_args: --files ${{ needs.prepare.outputs.addedOrModifiedFiles }} --config .ci/pre-commit/config.yaml