From d84d5ce424f6316c688e833ce426737410d42f27 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Thu, 13 Jan 2022 08:39:30 -0500 Subject: [PATCH] pin github actions by digest instead of tag (#323) Signed-off-by: Bob Callaway --- .github/workflows/codeql-analysis.yml | 12 +++++++----- .github/workflows/main.yml | 6 +++--- .github/workflows/verify-k8s.yml | 22 +++++++++++++--------- .github/workflows/verify.yml | 22 ++++++++++++++-------- Dockerfile | 6 +++--- Dockerfile.ctfe_init | 2 +- 6 files changed, 41 insertions(+), 29 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index bb04b63e9..7d50d9023 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -14,7 +14,7 @@ # limitations under the License. # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed -name: "CodeQL" +name: CodeQL on: push: branches: [ main ] @@ -35,14 +35,16 @@ jobs: language: [ 'go' ] steps: - name: Checkout repository - uses: actions/checkout@v2.4.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@300c8b6dcbaf905eb250b06113e2e62c340a2d20 #v1.0.27 with: languages: ${{ matrix.language }} + - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@300c8b6dcbaf905eb250b06113e2e62c340a2d20 #v1.0.27 + - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@300c8b6dcbaf905eb250b06113e2e62c340a2d20 #v1.0.27 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 43090ceec..9f885d849 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
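Review bot: The version comments on the new `uses:` lines in the second codeql-analysis.yml hunk are written as `#v2.4.0` / `#v1.0.27` with no space after the hash, which yamllint's comments rule rejects and which reads as part of the ref at a glance; write them as `uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0`. More importantly, nothing checks that the comment matches the digest — the SHA is what actually runs, the comment is documentation only — so each pinned SHA should be confirmed to resolve to the named release tag before merge, and the comment must be updated whenever the pin is bumped or it will silently drift. The same comment form is used in every workflow hunk of this commit (main.yml, both setup hunks and the upload-artifact hunk of verify-k8s.yml, and all three verify.yml hunks).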
@@ -26,10 +26,10 @@ jobs: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 - name: Extract version of Go to use - run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | sed -r 's/^.*://g'| uniq)" >> $GITHUB_ENV - - uses: actions/setup-go@v2 + run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV + - uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 #v2.1.5 with: go-version: ${{ env.GOVERSION }} diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml index 62d9fabcc..1483c9d2a 100644 --- a/.github/workflows/verify-k8s.yml +++ b/.github/workflows/verify-k8s.yml @@ -22,12 +22,14 @@ jobs: name: k8s manifest check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2.4.0 - - uses: actions/setup-go@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 + - name: Extract version of Go to use + run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV + - uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 #v2.1.5 with: - go-version: 1.16.x + go-version: ${{ env.GOVERSION }} - name: Install kubeval - run: go get github.com/instrumenta/kubeval + run: go get github.com/instrumenta/kubeval@v0.16.1 - run: kubeval config/*.yaml verify-k8s-deployment: 
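Review bot: The rewritten GOVERSION extraction in the main.yml hunk still selects lines with a bare `grep golang` over the whole Dockerfile, so any other line mentioning golang (a comment, a `golang.org/...` module path) would add a second value to the variable, and `uniq` only collapses adjacent duplicates. Anchoring the match to the image line makes the coupling to the Dockerfile explicit and quotes the env-file path: `run: echo "GOVERSION=$(grep '^FROM golang:' Dockerfile | awk '{ print $2 }' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> "$GITHUB_ENV"`. The identical line is pasted into both setup-go hunks of verify-k8s.yml and both setup-go hunks of verify.yml, so whichever form is kept, all five copies should change together.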
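Review bot: `go get github.com/instrumenta/kubeval@v0.16.1` in the first verify-k8s.yml hunk runs inside the checked-out repository, and on the Go 1.17 toolchain this commit pins, `go get` of an executable is deprecated and is liable to edit the workspace's go.mod/go.sum instead of just installing the tool. The verify.yml hunk in this same commit already uses the install form for addlicense, so this step should match it: `run: go install github.com/instrumenta/kubeval@v0.16.1`. Pinning a module version here is sufficient, since module downloads are verified against the checksum database, unlike a git tag on an action.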
@@ -58,12 +60,14 @@ jobs: GIT_VERSION: test steps: - - uses: actions/checkout@v2.4.0 - - uses: actions/setup-go@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 + - name: Extract version of Go to use + run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV + - uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 #v2.1.5 with: - go-version: 1.16.x + go-version: ${{ env.GOVERSION }} - - uses: imjasonh/setup-ko@v0.4 + - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 #v0.4 - name: Install KinD run: | @@ -287,7 +291,7 @@ jobs: - name: Upload artifacts if: ${{ always() }} - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 #v2.3.1 with: name: logs path: /tmp/logs diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index fbfcb38b4..22894f13e 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -22,12 +22,14 @@ jobs: name: license boilerplate check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2.4.0 - - uses: actions/setup-go@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 + - name: Extract version of Go to use + run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV + - uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 #v2.1.5 with: - go-version: '1.16' + go-version: ${{ env.GOVERSION }} - name: Install addlicense - run: go install github.com/google/addlicense@latest + run: go install github.com/google/addlicense@v1.0.0 - name: Check license headers run: | set -e 
@@ -38,11 +40,11 @@ jobs: name: lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 - name: deps run: sudo apt-get update && sudo apt-get install -yq libpcsclite-dev - name: golangci-lint - uses: golangci/golangci-lint-action@v2.5.2 + uses: golangci/golangci-lint-action@5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018 #v2.5.2 timeout-minutes: 5 with: # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version. @@ -52,8 +54,12 @@ jobs: name: lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2.4.0 - - uses: actions/setup-go@v2 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 + - name: Extract version of Go to use + run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV + - uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 #v2.1.5 + with: + go-version: ${{ env.GOVERSION }} - name: check-config run: | set -e diff --git a/Dockerfile b/Dockerfile index f69e1353b..b2dc50332 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.17.6 AS builder +FROM golang:1.17.6@sha256:8c0269dfae137ae9756875400aa949203fbe3b67bdb000a57d8b3e9213a3798d AS builder ENV APP_ROOT=/opt/app-root ENV GOPATH=$APP_ROOT @@ -28,7 +28,7 @@ RUN go build -o server main.go RUN CGO_ENABLED=1 go build -gcflags "all=-N -l" -o server_debug main.go # Multi-Stage production build -FROM golang:1.17.6 as deploy +FROM golang:1.17.6@sha256:8c0269dfae137ae9756875400aa949203fbe3b67bdb000a57d8b3e9213a3798d as deploy # Retrieve the binary from the previous stage COPY --from=builder /opt/app-root/src/server /usr/local/bin/fulcio-server 
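Review bot: Pinning `FROM golang:1.17.6@sha256:8c0269dfae137ae9756875400aa949203fbe3b67bdb000a57d8b3e9213a3798d` in the first Dockerfile hunk freezes the base image at this exact manifest, so rebuilds of the 1.17.6 tag that carry OS-level security fixes are no longer picked up until someone bumps the digest; the pin needs an automated digest updater (Dependabot's docker ecosystem or Renovate) so the supply-chain control does not turn into a staleness risk. The same digest is repeated on the deploy stage in the next hunk and in Dockerfile.ctfe_init, and the CI workflows now parse this `FROM golang:` line to choose their Go version, so all three must move together. As a point of style, the hunk leaves `AS builder` and `as deploy` with mixed keyword casing; `FROM golang:1.17.6@sha256:8c0269dfae137ae9756875400aa949203fbe3b67bdb000a57d8b3e9213a3798d AS deploy` keeps them consistent (the debug stage in the following hunk has the same lowercase `as`).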
@@ -37,7 +37,7 @@ ENTRYPOINT ["/usr/local/bin/fulcio-server", "serve"] # debug compile options & debugger FROM deploy as debug -RUN go install github.com/go-delve/delve/cmd/dlv@latest +RUN go install github.com/go-delve/delve/cmd/dlv@v1.8.0 # overwrite server and include debugger COPY --from=builder /opt/app-root/src/server_debug /usr/local/bin/fulcio-server diff --git a/Dockerfile.ctfe_init b/Dockerfile.ctfe_init index d7d4907fd..e3948614b 100644 --- a/Dockerfile.ctfe_init +++ b/Dockerfile.ctfe_init @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.17.6 AS builder +FROM golang:1.17.6@sha256:8c0269dfae137ae9756875400aa949203fbe3b67bdb000a57d8b3e9213a3798d AS builder WORKDIR /root/