From 73f389d7b1067be8207eb8cec1fbed6c686fbdb2 Mon Sep 17 00:00:00 2001
From: Mickael Maison
Date: Thu, 22 Aug 2024 11:15:03 +0200
Subject: [PATCH] KAFKA-17193: Pin all external GitHub Actions to the specific git hash
---
 .github/actions/setup-gradle/action.yml | 2 +-
 .github/workflows/docker_build_and_test.yml | 2 +-
 .github/workflows/docker_official_image_build_and_test.yml | 2 +-
 .github/workflows/docker_promote.yml | 6 +++---
 .github/workflows/docker_rc_release.yml | 6 +++---
 .github/workflows/docker_scan.yml | 2 +-
 .github/workflows/pr.yml | 6 ++++++
 7 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/.github/actions/setup-gradle/action.yml b/.github/actions/setup-gradle/action.yml
index 9ffdcac6a7f99..c676597f48517 100644
--- a/.github/actions/setup-gradle/action.yml
+++ b/.github/actions/setup-gradle/action.yml
@@ -37,7 +37,7 @@ runs:
 distribution: temurin
 java-version: ${{ inputs.java-version }}
 - name: Setup Gradle
- uses: gradle/actions/setup-gradle@v4
+ uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
 env:
 GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
 with:
diff --git a/.github/workflows/docker_build_and_test.yml b/.github/workflows/docker_build_and_test.yml
index dc6214633f959..2618a717c7b20 100644
--- a/.github/workflows/docker_build_and_test.yml
+++ b/.github/workflows/docker_build_and_test.yml
@@ -46,7 +46,7 @@ jobs:
 run: |
 python docker_build_test.py kafka/test -tag=test -type=${{ github.event.inputs.image_type }} -u=${{ github.event.inputs.kafka_url }}
 - name: Run CVE scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
 with:
 image-ref: 'kafka/test:test'
 format: 'table'
diff --git a/.github/workflows/docker_official_image_build_and_test.yml b/.github/workflows/docker_official_image_build_and_test.yml
index c3219bd8aa942..1db476de53285 100644
--- a/.github/workflows/docker_official_image_build_and_test.yml
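Review bot: In `.github/actions/setup-gradle/action.yml`, the trailing `# v4.0.0` is a free-text comment that nothing checks against the 40-character hash, so each pinned hash should be confirmed to resolve to the named release tag in the upstream repository itself before this merges. The same applies to the trivy-action, setup-qemu-action, setup-buildx-action and login-action pins in the other workflow hunks. The diffstat shows no updater configuration in this patch; if none exists elsewhere, the pins will stay frozen at these releases, so an automated updater for the `github-actions` ecosystem (for example Dependabot) is worth pairing with the change. The `runs:` block continues outside the hunk.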
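Review bot: In `.github/workflows/docker_build_and_test.yml`, the unchanged `run: |` step just above the pinned Trivy step expands `${{ github.event.inputs.image_type }}` and `${{ github.event.inputs.kafka_url }}` directly into the script text, so the input values are parsed by the shell instead of being passed as data. Since this commit is hardening these workflows, it would be consistent to bind the inputs under the step's `env:` (for instance `IMAGE_TYPE: ${{ github.event.inputs.image_type }}`) and reference them quoted, as in `-type="$IMAGE_TYPE"`. The same pattern appears in the `docker_official_image_build_and_test.yml` hunk with `image_type` and `kafka_version`. The trigger definition is outside the hunk, so the exposure is presumably limited to users who are allowed to dispatch the workflow.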
+++ b/.github/workflows/docker_official_image_build_and_test.yml
@@ -45,7 +45,7 @@ jobs:
 run: |
 python docker_official_image_build_test.py kafka/test -tag=test -type=${{ github.event.inputs.image_type }} -v=${{ github.event.inputs.kafka_version }}
 - name: Run CVE scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
 with:
 image-ref: 'kafka/test:test'
 format: 'table'
diff --git a/.github/workflows/docker_promote.yml b/.github/workflows/docker_promote.yml
index 04872f9d59d3b..d22a8458c97a7 100644
--- a/.github/workflows/docker_promote.yml
+++ b/.github/workflows/docker_promote.yml
@@ -31,11 +31,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USER }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/docker_rc_release.yml b/.github/workflows/docker_rc_release.yml
index 3a06064d62ed6..dbca7fe23c117 100644
--- a/.github/workflows/docker_rc_release.yml
+++ b/.github/workflows/docker_rc_release.yml
@@ -47,11 +47,11 @@ jobs:
 python -m pip install --upgrade pip
 pip install -r docker/requirements.txt
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USER }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/docker_scan.yml b/.github/workflows/docker_scan.yml
index 2134ef7eef4e1..b7efaa4ff95dc 100644
--- a/.github/workflows/docker_scan.yml
+++ b/.github/workflows/docker_scan.yml
@@ -29,7 +29,7 @@ jobs:
 supported_image_tag: ['latest', '3.7.0']
 steps:
 - name: Run CVE scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
 if: always()
 with:
 image-ref: apache/kafka:${{ matrix.supported_image_tag }}
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index a7e0826091a6f..f27b2eb3c7aec 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -84,7 +84,13 @@ jobs:
 with:
 persist-credentials: false
 - name: Setup Gradle
+<<<<<<< HEAD
 uses: ./.github/actions/setup-gradle
+=======
+ uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
+ env:
+ GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
+>>>>>>> a785503db5 (KAFKA-17193: Pin all external GitHub Actions to the specific git hash)
 with:
 java-version: ${{ matrix.java }}
 gradle-cache-read-only: true
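Review bot: The `.github/workflows/pr.yml` hunk commits unresolved merge-conflict markers into the workflow: `<<<<<<< HEAD`, `=======` and `>>>>>>> a785503db5 (...)` all sit on `+` lines, which leaves the file invalid YAML, so the PR workflow will most likely fail to load. The conflict has to be resolved to one side before this lands. Keeping the existing `uses: ./.github/actions/setup-gradle` looks like the intended resolution, since the `with:` inputs that follow (`java-version`, `gradle-cache-read-only`) are passed to that local action and this same patch already pins `gradle/actions/setup-gradle` inside it; in that case the six added lines should simply be dropped. The job definition continues outside the hunk.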