From 8c20be888117991981125713b34539d0ab3c6bf0 Mon Sep 17 00:00:00 2001
From: Walt
Date: Wed, 30 Aug 2023 00:24:32 -0600
Subject: [PATCH] Pin tibdex/github-app-token action (#31115)

This is a 3rd-party action with access to some moderately privileged GitHub Applications private tokens. If tibdex were compromised for any reason, we don't want to accidentally pick up an unexpected malicious update to v1.
---
 .github/workflows/backport.yaml | 2 +-
 .github/workflows/bloat.yaml | 2 +-
 .github/workflows/check.yaml | 2 +-
 .github/workflows/flaky-tests.yaml | 2 +-
 .github/workflows/post-release.yaml | 2 +-
 .github/workflows/update-ami-ids.yaml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
index d55c7a1a3db86..ace01837520b5 100644
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - name: Generate GitHub Token
 id: generate_token
- uses: tibdex/github-app-token@v1
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
 with:
 app_id: ${{ secrets.REVIEWERS_APP_ID }}
 private_key: ${{ secrets.REVIEWERS_PRIVATE_KEY }}
diff --git a/.github/workflows/bloat.yaml b/.github/workflows/bloat.yaml
index f7e2c4174303e..dc983060f0a75 100644
--- a/.github/workflows/bloat.yaml
+++ b/.github/workflows/bloat.yaml
@@ -53,7 +53,7 @@ jobs:
 - name: Generate GitHub Token
 id: generate_token
- uses: tibdex/github-app-token@v1
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
 with:
 app_id: ${{ secrets.REVIEWERS_APP_ID }}
 private_key: ${{ secrets.REVIEWERS_PRIVATE_KEY }}
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index ddb50b7a4fa3d..f1135f8ad515a 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
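Review bot: Nothing visible in the backport.yaml hunk ties `b62528385c34dbc9f38e5f4225ac829252d1ea92` to the upstream `v1.8.0` tag except the trailing comment, so the pin should be checked against that tag in the tibdex/github-app-token repository itself before merge; GitHub's hardening guidance asks that a pinned SHA be confirmed to come from the action's own repository and not a fork. I would also record the reason next to the step, e.g. `# Pinned to a full commit SHA: this step receives the app private key. Bump the SHA and the version comment together.` The identical line is added in bloat.yaml, check.yaml, flaky-tests.yaml, post-release.yaml and update-ami-ids.yaml, so six copies have to be bumped in step; an update bot that rewrites SHA pins would keep the pin from going stale. The step's `with:` block may continue past the end of the hunk.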
@@ -37,7 +37,7 @@ jobs:
 steps:
 - name: Generate GitHub Token
 id: generate_token
- uses: tibdex/github-app-token@v1
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
 with:
 app_id: ${{ secrets.REVIEWERS_APP_ID }}
 private_key: ${{ secrets.REVIEWERS_PRIVATE_KEY }}
diff --git a/.github/workflows/flaky-tests.yaml b/.github/workflows/flaky-tests.yaml
index 0827ad7695e98..bbf83fc5ec9e2 100644
--- a/.github/workflows/flaky-tests.yaml
+++ b/.github/workflows/flaky-tests.yaml
@@ -60,7 +60,7 @@ jobs:
 - name: Generate GitHub Token
 id: generate_token
- uses: tibdex/github-app-token@v1
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
 with:
 app_id: ${{ secrets.REVIEWERS_APP_ID }}
 private_key: ${{ secrets.REVIEWERS_PRIVATE_KEY }}
diff --git a/.github/workflows/post-release.yaml b/.github/workflows/post-release.yaml
index 3d0e02ce1b073..6ef9871a1ec72 100644
--- a/.github/workflows/post-release.yaml
+++ b/.github/workflows/post-release.yaml
@@ -69,7 +69,7 @@ jobs:
 - name: Generate Github token
 id: generate_token
- uses: tibdex/github-app-token@v1
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
 with:
 app_id: ${{ vars.APP_ID }}
 private_key: ${{ secrets.PRIVATE_KEY }}
diff --git a/.github/workflows/update-ami-ids.yaml b/.github/workflows/update-ami-ids.yaml
index 0ed2a1fb04a8a..cecf66dcdbb4e 100644
--- a/.github/workflows/update-ami-ids.yaml
+++ b/.github/workflows/update-ami-ids.yaml
@@ -29,7 +29,7 @@ jobs:
 steps:
 - name: Generate Github token
 id: generate_token
- uses: tibdex/github-app-token@v1
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
 with:
 app_id: ${{ vars.APP_ID }}
 private_key: ${{ secrets.PRIVATE_KEY }}
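Review bot: The `with:` block shown in the check.yaml hunk passes only `app_id` and `private_key`, so unless further inputs follow outside the hunk the minted installation token presumably carries every permission the app has been granted. Pinning limits which code can run with the private key, but not what a leaked token can do; the action documents a `permissions` input that narrows the token, e.g. `permissions: '{"<scope>": "<read|write>"}'` (placeholder values, to be chosen per workflow). The same applies to flaky-tests.yaml, post-release.yaml and update-ami-ids.yaml in this patch, and to backport.yaml and bloat.yaml before them.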