Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(ci): pin github actions per commit-sha #25291

Merged
merged 3 commits into from
May 6, 2024
Merged

fix(ci): pin github actions per commit-sha #25291

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6fe0a5c
fix(ci): pin github actions per commit-sha
chouetz Apr 30, 2024
781af22
fix the labeler configuration according to bump on v5
chouetz May 2, 2024
e578c2b
revert codeql to 3.24.10 as 3.25 requires a new version of cli
chouetz May 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/add_milestone.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
GH_REPO: ${{ github.repository }}
steps:
- name: Checkout datadog-agent repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to have a centralized file where these version->hash maps are kept? Maybe we can also inject those as values into the build scripts? Without something like that, verification of proper hash value use becomes extremely had to maintain and review.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll check if we can do this. It could remove some redundancy even if the updates are normally handled automatically by dependabot (so mitigates a little bit the maintenance complexity, wdyt?)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fully agree with Srdjan on this !

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really disagree with the single file approach, we know in advance it will never be maintained and upgrades will never be made. Keeping the format easy for dependabot to do the upgrades on its own should be the main priority IMO.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@paulcacheux Hmm - that's a fair point. Any other alternatives to make this both dependabot and human easily digestible/maintainable without using the old tags? I'm afraid with hashes approach, nobody will actually check these in updates and something might slip by.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still have the associated tag in the comment for human-readable format. Would you prefer having a link to the release on the corresponding github repo?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chouetz That may be a good compromise though a link to the repo at that tag release would be better I think since the hash can easily be compared.


- name: Get repo current milestone
id: current-milestone
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/backport-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,12 @@ jobs:
)
)
steps:
- uses: actions/create-github-app-token@v1
- uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3
id: app-token
with:
app-id: ${{ vars.DD_GITHUB_TOKEN_GENERATOR_APP_ID }}
private-key: ${{ secrets.DD_GITHUB_TOKEN_GENERATOR_PRIVATE_KEY }}
- uses: tibdex/backport@v2
- uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4
with:
label_pattern: "^backport/(?<base>([^ ]+))$"
labels_template: "<%= JSON.stringify([...labels, 'backport', 'bot']) %>"
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/buildimages-update.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ jobs:

steps:
- name: Checkout branch
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ github.head_ref }}

Expand All @@ -43,19 +43,19 @@ jobs:
fi

- name: Checkout branch
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
if: ${{ steps.branch_fetch.outputs.RESULT == 'true' }}
with:
ref: ${{ inputs.branch }}

- name: Setup Python and pip
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
# use Python < 3.12 so that distutil is still available by default
python-version: 3.11
cache: "pip"

- uses: actions/setup-go@v5
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
# use the go version from the input, not from the .go-version file
# in case it's a Go update PR
Expand Down Expand Up @@ -83,7 +83,7 @@ jobs:
echo 'MESSAGE=Update Go version to ${{ inputs.go_version }}' >> $GITHUB_OUTPUT
fi

- uses: stefanzweifel/git-auto-commit-action@v5
- uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
id: autocommit
with:
commit_message: ${{ steps.update_build_images.outputs.MESSAGE }}
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/codeql-analysis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,12 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0

- name: Setup Python3
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: "3.11.8"
cache: "pip"
Expand All @@ -37,12 +37,12 @@ jobs:
echo "CGO_LDFLAGS= -L${GITHUB_WORKSPACE}/rtloader/build/rtloader -ldl " >> $GITHUB_ENV
echo "CGO_CFLAGS= -I${GITHUB_WORKSPACE}/rtloader/include -I${GITHUB_WORKSPACE}/rtloader/common " >> $GITHUB_ENV

- uses: actions/setup-go@v5
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: ".go-version"

- name: Initialize CodeQL
uses: github/codeql-action/init@v3.24.10
uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
with:
languages: ${{ matrix.language }}
setup-python-dependencies: false
Expand All @@ -61,4 +61,4 @@ jobs:
invoke agent.build --build-exclude=systemd

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3.24.10
uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
6 changes: 3 additions & 3 deletions .github/workflows/create_rc_pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,12 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0

- name: Install python
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: 3.11
cache: "pip"
Expand All @@ -33,7 +33,7 @@ jobs:
echo "RELEASE_BRANCH=$(inv -e release.get-active-release-branch)" >> $GITHUB_ENV

- name: Checkout release branch
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.RELEASE_BRANCH }}
fetch-depth: 0
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/cws-btfhub-sync.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,25 +26,25 @@ jobs:
docker rmi $(docker image ls -aq) >/dev/null 2>&1

- name: Checkout datadog-agent repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would much rather we don't use comments with the version here since it will get out of sync if we merge a dependabot PR updating the sha

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I believe this I think it will be synced

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh that's amazing !

with:
ref: ${{ inputs.base_branch || 'main' }}

- name: Checkout btfhub-archive repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: DataDog/btfhub-archive
path: dev/dist/archive

- name: Install python
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: '3.9'
cache: 'pip'
- run: pip install -r requirements.txt

- name: Install go
uses: actions/setup-go@v5
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: '.go-version'

Expand All @@ -61,7 +61,7 @@ jobs:
run: |
inv -e security-agent.generate-btfhub-constants --archive-path=./dev/dist/archive ${{ inputs.force_refresh && '--force-refresh' || '' }}

- uses: stefanzweifel/git-auto-commit-action@v5
- uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
id: commit-creator
with:
commit_message: "CWS: sync BTFhub constants"
Expand All @@ -71,7 +71,7 @@ jobs:
skip_checkout: true

- name: Create Pull Request
uses: actions/github-script@v7
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
if: steps.commit-creator.outputs.changes_detected == 'true'
with:
script: |
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/docs-dev.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,13 +21,13 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
# Fetch all history for applying timestamps to every page
fetch-depth: 0

- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: '3.12'

Expand All @@ -45,7 +45,7 @@ jobs:
- name: Build documentation
run: invoke docs.build

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: documentation
path: site
Expand All @@ -58,12 +58,12 @@ jobs:
- build

steps:
- uses: actions/download-artifact@v4
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: documentation
path: site

- uses: peaceiris/actions-gh-pages@v3
- uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: site
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/go-update-commenter.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
# get the Go version of the target branch
- uses: actions/checkout@v4
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ github.base_ref }}
- name: Get former Go version
Expand All @@ -21,7 +21,7 @@ jobs:
echo version="$(cat .go-version)" >> $GITHUB_OUTPUT

# get the Go version of the PR branch
- uses: actions/checkout@v4
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Get current Go version
id: new_go_version
run: |
Expand Down Expand Up @@ -50,7 +50,7 @@ jobs:
} >> $GITHUB_OUTPUT

# and display it
- uses: actions/github-script@v7
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
# We need to store the output in an environment variable and not use it directly in the createComment,
# as it will likely not be a valid JS string (eg. if it contains a quote character)
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/go_mod_tidy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ jobs:
if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies-go')) }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ github.head_ref }}
- name: Checkout PR
Expand All @@ -26,11 +26,11 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install go
uses: actions/setup-go@v5
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: ".go-version"
- name: Install python
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: "3.9.12"
cache: "pip"
Expand All @@ -46,7 +46,7 @@ jobs:
- name: Update mocks
if: ${{ github.event_name == 'workflow_dispatch' || !contains(github.event.pull_request.labels.*.name, 'dependencies-go-tools') }}
run: inv -e security-agent.gen-mocks # generate both security agent and process mocks
- uses: stefanzweifel/git-auto-commit-action@v5
- uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
id: autocommit
with:
commit_message: Auto-generate go.sum and LICENSE-3rdparty.csv changes
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/gohai.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,8 @@ jobs:
go-file: [.go-version, pkg/gohai/go.mod]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: ${{ matrix.go-file }}
- name: Test
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/label-analysis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Setup python
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: 3.11
cache: 'pip'
Expand All @@ -35,11 +35,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
- name: Setup python
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: 3.11
cache: 'pip'
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/labeler.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v4
- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
configuration-path: .github/labeler.yml
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/markdown-lint-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,8 @@ jobs:
markdown-link-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: gaurav-nelson/github-action-markdown-link-check@v1
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15
with:
use-quiet-mode: yes
config-file: .markdown-link-check
Expand Down
Loading
Loading