apacheGH-36898: [CI] Hashpin Sensitive GitHub Actions (apache#37676)
### Rationale for this change

Explained on issue apache#36898

### What changes are included in this PR?

For security reasons, it hashpins the calls for GitHub Actions that are called with sensitive permissions (usually `pull-requests: write`) or with secrets used in the same context. I'm not hashpinning every action call because the tag-pinning flexibility can be useful if used with caution, e.g. in a testing environment.

### Are these changes tested?

Not tested, but the changes in this PR shouldn't change any comportment of the CI, as we'd still be using the exact same version, but pinned differently.

### Are there any user-facing changes?

No
* Closes: apache#36898

Authored-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: Jacob Wujciak-Jens <jacob@wujciak.de>
diogoteles08 authored and JerAguilon committed Oct 25, 2023
1 parent 62d0b47 commit a8be7dd
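Added example, not code from this commit or from the Arrow project: a Python checker that applies the criterion from the commit message to a workflow file, flagging `uses:` references that are not a 40-hex commit SHA inside any job that references `secrets.` or a `write` permission (a workflow-level `permissions:` block counts for every job). It scans by indentation rather than pulling in a YAML library, and runs against a constructed sample modelled on comment_bot.yml.

```python
import re
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # a full commit SHA counts as hash-pinned
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")   # ref stops before any trailing "# vX.Y.Z" comment
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # job keys sit at indent 2 under "jobs:"

def split_jobs(workflow_text):
    # Indent-based split into (top-level prelude, {job: lines}); no YAML library needed.
    prelude, jobs, current, in_jobs = [], {}, None, False
    for line in workflow_text.splitlines():
        if line.rstrip() == "jobs:":
            in_jobs = True
        elif not in_jobs:
            prelude.append(line)                  # e.g. a workflow-level "permissions:" block
        elif line and not line.startswith(" "):
            break                                 # next top-level key ends the jobs block
        elif JOB_RE.match(line):
            current = JOB_RE.match(line).group(1)
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return prelude, jobs

def unpinned_sensitive_uses(workflow_text):
    # (job, action, ref) for every non-SHA ref in a job that uses a secret or a "write" permission.
    prelude, jobs = split_jobs(workflow_text)
    findings = []
    for job, lines in jobs.items():
        text = "\n".join(prelude + lines)
        if "secrets." not in text and not re.search(r":\s*write\b", text):
            continue                              # tag pinning is tolerated in non-sensitive jobs
        for line in lines:
            m = USES_RE.match(line)
            if m and "@" in m.group(1):           # skips local "./..." and docker:// references
                action, ref = m.group(1).rsplit("@", 1)
                if not SHA_RE.match(ref):
                    findings.append((job, action, ref))
    return findings

# Constructed sample modelled on comment_bot.yml: "autotune" uses a secret, "lint" does not.
SAMPLE = """\
jobs:
  autotune:
    steps:
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - uses: r-lib/actions/pr-fetch@v2
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
  lint:
    steps:
      - uses: actions/setup-python@v4
"""
```

Actions that silently default to `${{ github.token }}` (such as `actions/github-script`) are not caught by the `secrets.` text test, so extend the sensitivity rule for them.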
Showing 19 changed files with 80 additions and 80 deletions.
20 changes: 10 additions & 10 deletions .github/workflows/comment_bot.yml
Expand Up @@ -35,13 +35,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
path: arrow
# fetch the tags for version number generation
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v4
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.8
- name: Install Archery and Crossbow dependencies
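Review bot: the trailing `# v4.0.0` and `# v4.7.0` comments are now the only readable record of what each SHA resolves to, and nothing in this diff keeps comment and SHA in sync. Pair the change with a Dependabot `github-actions` ecosystem entry (it bumps both the SHA and the comment) or document the refresh procedure, otherwise these pins silently freeze at `v4.0.0` after upstream fixes land.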
Expand All @@ -60,8 +60,8 @@ jobs:
if: startsWith(github.event.comment.body, '@github-actions autotune')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: r-lib/actions/pr-fetch@v2
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: r-lib/actions/pr-fetch@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v2.6.4
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: See what is different
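Review bot: `pr-fetch` takes `repo-token: ${{ secrets.GITHUB_TOKEN }}`, so this is exactly the kind of call the PR sets out to pin; the same SHA `11a22a908006c25fe054c4ef0ac0436b1de3edbe` is reused for `setup-r` and `pr-push` below, which is expected for a monorepo where one commit versions every sub-action. A reviewer should still confirm that `v2.6.4` resolves to that commit (`git ls-remote --tags https://github.com/r-lib/actions v2.6.4`), because CI cannot detect a SHA that exists but is not the commit the comment claims.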
Expand Down Expand Up @@ -121,7 +121,7 @@ jobs:
--clang_format_binary=clang-format-${CLANG_TOOLS} \
--exclude_glob=cpp/build-support/lint_exclusions.txt \
--source_dir=r/src --quiet --fix
- uses: r-lib/actions/setup-r@v2
- uses: r-lib/actions/setup-r@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v2.6.4
if: env.R_DOCS == 'true' || env.R_CODE == 'true' || endsWith(github.event.comment.body, 'everything')
- name: Update R docs
if: env.R_DOCS == 'true' || endsWith(github.event.comment.body, 'everything')
Expand Down Expand Up @@ -149,7 +149,7 @@ jobs:
git config user.name "$(git log -1 --pretty=format:%an)"
git config user.email "$(git log -1 --pretty=format:%ae)"
git commit -a -m 'Autoformat/render all the things [automated commit]' || echo "No changes to commit"
- uses: r-lib/actions/pr-push@v2
- uses: r-lib/actions/pr-push@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v2.6.4
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
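Review bot: `pr-push` is the step that actually writes with the repo token (it pushes the autoformat commit created just above), so pinning it is the right call; add a one-line YAML comment next to these r-lib steps saying why they are SHA-pinned while other workflows keep tag pins, so a later version bump does not quietly revert them to `@v2`.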

Expand All @@ -158,8 +158,8 @@ jobs:
if: startsWith(github.event.comment.body, '@github-actions rebase')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: r-lib/actions/pr-fetch@v2
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: r-lib/actions/pr-fetch@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v2.6.4
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Rebase on ${{ github.repository }} default branch
Expand All @@ -170,7 +170,7 @@ jobs:
git remote add upstream https://github.com/${{ github.repository }}
git fetch --unshallow upstream ${{ github.event.repository.default_branch }}
git rebase upstream/${{ github.event.repository.default_branch }}
- uses: r-lib/actions/pr-push@v2
- uses: r-lib/actions/pr-push@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v2.6.4
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
args: "--force"
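Review bot: `pr-push` with `args: "--force"` and the repo token is the highest-impact call in this file, since it rewrites the contributor's branch after the `git rebase` above; the pin is correct here, and it is worth confirming in the same review that the job's `permissions:` block (outside this hunk) grants no more than the `contents` and `pull-requests` write scopes the push needs.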
Expand All @@ -182,7 +182,7 @@ jobs:
if: github.event.comment.body == 'take'
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@v6
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
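Review bot: pinning `actions/github-script` fixes the action runtime only; the inline `script:` that follows still executes with `github-token: ${{ secrets.GITHUB_TOKEN }}` and is repository-controlled, which is fine. The `d7906e4a... # v6.4.1` pair is repeated in `dev_pr.yml` and `issue_bot.yml` as well, so consider listing each SHA/tag mapping once in the PR description so reviewers verify every mapping a single time rather than per file.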
4 changes: 2 additions & 2 deletions .github/workflows/cpp.yml
Expand Up @@ -96,12 +96,12 @@ jobs:
UBUNTU: ${{ matrix.ubuntu }}
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
submodules: recursive
- name: Cache Docker Volumes
uses: actions/cache@v3
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: .docker
key: ${{ matrix.image }}-${{ hashFiles('cpp/**') }}
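Review bot: the PR description limits pinning to actions run with sensitive permissions or secrets, but this hunk pins `actions/cache` in a job whose visible context has neither. The pin is defensible (cache entries written on the default branch are restorable by runs on every other branch, so a compromised cache action could poison builds keyed on `hashFiles('cpp/**')`), but the description should state that rationale, otherwise the criterion cannot be checked file by file.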
12 changes: 6 additions & 6 deletions .github/workflows/dev.yml
Expand Up @@ -37,11 +37,11 @@ jobs:
if: ${{ !contains(github.event.pull_request.title, 'WIP') }}
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Setup Python
uses: actions/setup-python@v4
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.8
- name: Setup Archery
Expand Down Expand Up @@ -84,19 +84,19 @@ jobs:
GIT_COMMITTER_EMAIL: "github-actions[bot]@users.noreply.github.com"
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Install Python
uses: actions/setup-python@v4
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: '3.8'
- name: Install Ruby
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # v1.152.0
with:
ruby-version: '2.7'
- name: Install .NET
uses: actions/setup-dotnet@v3
uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
with:
dotnet-version: '7.0.x'
- name: Install Dependencies
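Review bot: pinning `ruby/setup-ruby` and `actions/setup-dotnet` fixes the action code, not the toolchains they install: `dotnet-version: '7.0.x'` still floats to the newest 7.0 patch and `ruby-version: '2.7'` to whichever 2.7 build the action resolves, so the job that commits as `github-actions[bot]` is not fully reproducible. Not a blocker, but the PR should not be read as pinning the toolchain.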
10 changes: 5 additions & 5 deletions .github/workflows/dev_pr.yml
Expand Up @@ -43,7 +43,7 @@ jobs:
name: Process
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
repository: apache/arrow
ref: main
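Review bot: this checkout explicitly pulls `apache/arrow` at `ref: main` rather than the event's head, the usual pattern for running only trusted repository scripts in a PR-triggered job; with the action itself now SHA-pinned, both the action and the code it runs come from a trusted source, which is the combination the remaining hunks in this file should be reviewed for.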
Expand All @@ -53,7 +53,7 @@ jobs:
if: |
(github.event.action == 'opened' ||
github.event.action == 'edited')
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand All @@ -64,7 +64,7 @@ jobs:
if: |
(github.event.action == 'opened' ||
github.event.action == 'edited')
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand All @@ -75,7 +75,7 @@ jobs:
if: |
(github.event.action == 'opened' ||
github.event.action == 'edited')
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
debug: true
github-token: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -87,7 +87,7 @@ jobs:
if: |
(github.event.action == 'opened' ||
github.event.action == 'synchronize')
uses: actions/labeler@v4
uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
configuration-path: .github/workflows/dev_pr/labeler.yml
6 changes: 3 additions & 3 deletions .github/workflows/docs.yml
Expand Up @@ -38,20 +38,20 @@ jobs:
UBUNTU: "22.04"
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Free up disk space
run: |
ci/scripts/util_free_space.sh
- name: Cache Docker Volumes
uses: actions/cache@v3
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: .docker
key: ubuntu-docs-${{ hashFiles('cpp/**') }}
restore-keys: ubuntu-docs-
- name: Setup Python
uses: actions/setup-python@v4
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.8
- name: Setup Archery
6 changes: 3 additions & 3 deletions .github/workflows/docs_light.yml
Expand Up @@ -47,17 +47,17 @@ jobs:
PYTHON: "3.9"
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Cache Docker Volumes
uses: actions/cache@v3
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: .docker
key: conda-docs-${{ hashFiles('cpp/**') }}
restore-keys: conda-docs-
- name: Setup Python
uses: actions/setup-python@v4
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.8
- name: Setup Archery
22 changes: 11 additions & 11 deletions .github/workflows/go.yml
Expand Up @@ -73,7 +73,7 @@ jobs:
GO: ${{ matrix.go }}
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
submodules: recursive
Expand Down Expand Up @@ -106,7 +106,7 @@ jobs:
github.event_name == 'push' &&
github.repository == 'apache/arrow' &&
github.ref_name == 'main'
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go }}
cache: true
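Review bot: this `setup-go` call is guarded by `github.event_name == 'push' && github.repository == 'apache/arrow' && github.ref_name == 'main'`, i.e. it runs only on the trusted default branch, where whatever credentials the following steps use are available; `cache: true` also makes the action write the shared module cache, so pinning it is consistent with the criterion even though no `secrets.` reference is visible in the hunk.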
Expand Down Expand Up @@ -162,12 +162,12 @@ jobs:
GO: ${{ matrix.go }}
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
submodules: recursive
- name: Setup Python
uses: actions/setup-python@v4
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.8
- name: Setup Archery
Expand Down Expand Up @@ -203,11 +203,11 @@ jobs:
GO: ${{ matrix.go }}
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Setup Python
uses: actions/setup-python@v4
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.8
- name: Setup Archery
Expand Down Expand Up @@ -240,12 +240,12 @@ jobs:
go: [1.19, '1.20']
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
submodules: recursive
- name: Install go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go }}
cache: true
Expand Down Expand Up @@ -273,12 +273,12 @@ jobs:
go: [1.19, '1.20']
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
submodules: recursive
- name: Install go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go }}
cache: true
Expand All @@ -299,7 +299,7 @@ jobs:
github.event_name == 'push' &&
github.repository == 'apache/arrow' &&
github.ref_name == 'main'
uses: actions/setup-python@v4
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: '3.10'
- name: Run Benchmarks
8 changes: 4 additions & 4 deletions .github/workflows/integration.yml
Expand Up @@ -62,26 +62,26 @@ jobs:
timeout-minutes: 60
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
submodules: recursive
- name: Checkout Arrow Rust
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
repository: apache/arrow-rs
path: rust
- name: Free up disk space
run: |
ci/scripts/util_free_space.sh
- name: Cache Docker Volumes
uses: actions/cache@v3
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: .docker
key: conda-${{ hashFiles('cpp/**') }}
restore-keys: conda-
- name: Setup Python
uses: actions/setup-python@v4
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.8
- name: Setup Archery
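Review bot: the second `actions/checkout` fetches `apache/arrow-rs` into `rust/`; the action is now pinned but the checked-out code is not (no `ref:` in the visible `with:`), so it tracks the arrow-rs default branch. That is reasonable for an integration test, but the PR should call it out as the one place in these files where externally sourced code remains unpinned.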
2 changes: 1 addition & 1 deletion .github/workflows/issue_bot.yml
Expand Up @@ -33,7 +33,7 @@ jobs:
if: github.event.issue.pull_request == null
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@v6
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
script: |
let split_body = context.payload.issue.body.split('### Component(s)');
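Review bot: no `github-token:` is passed in this hunk, but `actions/github-script` defaults that input to `${{ github.token }}`, so the script that parses `context.payload.issue.body` still runs with the workflow token; including this call in the pinned set is therefore correct even though the description's "secrets used on the same context" test would not flag it by text search alone.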
6 changes: 3 additions & 3 deletions .github/workflows/java.yml
Expand Up @@ -80,18 +80,18 @@ jobs:
MAVEN: ${{ matrix.maven }}
steps:
- name: Checkout Arrow
uses: actions/checkout@v4
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
submodules: recursive
- name: Cache Docker Volumes
uses: actions/cache@v3
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: .docker
key: maven-${{ hashFiles('java/**') }}
restore-keys: maven-
- name: Setup Python
uses: actions/setup-python@v4
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.8
- name: Setup Archery