diff --git a/.github/actions/bot/action.yaml b/.github/actions/bot/action.yaml
index dfb471a30..c462781cd 100644
--- a/.github/actions/bot/action.yaml
+++ b/.github/actions/bot/action.yaml
@@ -3,8 +3,8 @@ description: "🤖 beep boop"
 runs:
 using: "composite"
 steps:
- - uses: "actions/checkout@v3"
- - uses: "actions/github-script@v6"
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # 7.0.1
 with:
 script: |
 const crypto = require('crypto');
diff --git a/.github/actions/ci/build/action.yaml b/.github/actions/ci/build/action.yaml
index b860d0ccd..5f7dcccfb 100644
--- a/.github/actions/ci/build/action.yaml
+++ b/.github/actions/ci/build/action.yaml
@@ -21,7 +21,7 @@ outputs:
 runs:
 using: "composite"
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 with:
 ref: ${{ inputs.git_sha }}
 - id: build
@@ -31,7 +31,7 @@ runs:
 AMI_NAME="amazon-eks-node-${{ inputs.os_distro }}-${{ inputs.k8s_version }}-${{ inputs.build_id }}"
 make k8s=${{ inputs.k8s_version }} os_distro=${{ inputs.os_distro }} ami_name=${AMI_NAME} ${{ inputs.additional_arguments }}
 echo "ami_id=$(jq -r .builds[0].artifact_id "${AMI_NAME}-manifest.json" | cut -d ':' -f 2)" >> $GITHUB_OUTPUT
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
 with:
 name: version-info
 path: "*-version-info.json"
diff --git a/.github/workflows/bot-trigger.yaml b/.github/workflows/bot-trigger.yaml
index 20f609161..1fca0abd7 100644
--- a/.github/workflows/bot-trigger.yaml
+++ b/.github/workflows/bot-trigger.yaml
@@ -10,5 +10,5 @@ jobs:
 runs-on: ubuntu-latest
 permissions: write-all
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 - uses: ./.github/actions/bot
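Review bot: In `.github/actions/ci/build/action.yaml` (hunk `@@ -31,7`), the pin also moves `actions/upload-artifact` from v3 to 4.3.3, and v4 fails a second upload to an artifact name that already exists in the same workflow run, where v3 merged the files. The step keeps the fixed `name: version-info`, so if this composite action runs in more than one job per run (its callers are outside the hunk) every upload after the first would fail; a per-build name such as `name: version-info-${{ inputs.os_distro }}-${{ inputs.k8s_version }}` avoids the collision. Any `download-artifact` consumer would also need to be on v4, since v3 cannot read v4 artifacts. Separately, the `run:` script above it still expands `${{ inputs.additional_arguments }}` and the other inputs straight into shell text; passing them through `env:` and referencing quoted shell variables keeps an input value from being parsed as commands. The start of that step is outside the hunk.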
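Review bot: In `.github/workflows/bot-trigger.yaml`, the job keeps `permissions: write-all` while its only steps are a checkout and the local `./.github/actions/bot` action, so the token handed to that script carries every write scope. Pinning the checkout constrains which code runs, not what the token can do. Listing only the scopes the bot uses (for example `issues: write` and `pull-requests: write`, to be confirmed against the bot script) would limit the impact if any step in the job is compromised. The workflow trigger and the job header are outside the hunk.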
diff --git a/.github/workflows/ci-auto.yaml b/.github/workflows/ci-auto.yaml
index dbaf0666a..2bfe409b4 100644
--- a/.github/workflows/ci-auto.yaml
+++ b/.github/workflows/ci-auto.yaml
@@ -9,37 +9,37 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 - run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
 - run: go install mvdan.cc/sh/v3/cmd/shfmt@latest
 - run: make lint
 templates-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 - run: make test
 nodeadm-build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 - run: cd nodeadm && make build
 nodeadm-check-generate:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 - run: hack/nodeadm-check-generate.sh
 nodeadm-check-vendor:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 - run: hack/nodeadm-check-vendor.sh
 nodeadm-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 - run: cd nodeadm && make test
 nodeadm-test-e2e:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 - run: cd nodeadm && make test-e2e
diff --git a/.github/workflows/ci-manual.yaml b/.github/workflows/ci-manual.yaml
index b620c827b..4e8d13e3a 100644
--- a/.github/workflows/ci-manual.yaml
+++ b/.github/workflows/ci-manual.yaml
@@ -64,7 +64,7 @@ jobs:
 needs:
 - setup
 steps:
- - uses: actions/github-script@v7
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # 7.0.1
 with:
 script: |
 github.rest.issues.createComment({
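Review bot: The `lint` job in `.github/workflows/ci-auto.yaml` still runs `go install mvdan.cc/sh/v3/cmd/shfmt@latest`, so the tool executed in CI remains a moving target even though every `uses:` is now pinned to a commit. The same applies to `go install github.com/securego/gosec/v2/cmd/gosec@latest` in `dependency-review.yaml` and to the unversioned `pip install mkdocs mkdocs-material` in `deploy-docs.yaml`, which runs in a job granted `contents: write`. Pin each to an explicit release, e.g. `shfmt@vX.Y.Z` (placeholder; use the version the project has validated), and for pip prefer a requirements file with hashes.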
@@ -95,10 +95,10 @@ jobs:
 - os_distro: al2023
 k8s_version: 1.22
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 with:
 ref: 'main'
- - uses: aws-actions/configure-aws-credentials@v4
+ - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # 4.0.2
 with:
 aws-region: ${{ secrets.AWS_REGION }}
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
@@ -130,7 +130,7 @@ jobs:
 - setup
 - kubernetes-versions
 steps:
- - uses: actions/github-script@v7
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # 7.0.1
 with:
 script: |
 const { data } = await github.rest.actions.listJobsForWorkflowRun({
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index 7d3a75f22..8261f62da 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -9,13 +9,13 @@ jobs:
 dependency-review:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/dependency-review-action@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
+ - uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # 4.3.3
 gosec:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # 5.0.1
 with:
 go-version-file: 'nodeadm/go.mod'
 - run: go install github.com/securego/gosec/v2/cmd/gosec@latest
@@ -24,8 +24,8 @@ jobs:
 govulncheck:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: golang/govulncheck-action@v1
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
+ - uses: golang/govulncheck-action@dd0578b371c987f96d1185abb54344b44352bd58 # 1.0.3
 with:
 work-dir: ./nodeadm
 go-version-file: nodeadm/go.mod
diff --git a/.github/workflows/deploy-docs.yaml b/.github/workflows/deploy-docs.yaml
index 4a2410cc2..302a6962d 100644
--- a/.github/workflows/deploy-docs.yaml
+++ b/.github/workflows/deploy-docs.yaml
@@ -10,6 +10,6 @@ jobs:
 contents: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 - run: pip install mkdocs mkdocs-material
 - run: mkdocs gh-deploy --strict --no-history --force
diff --git a/.github/workflows/janitor.yaml b/.github/workflows/janitor.yaml
index 2a5c1651a..e13b722ff 100644
--- a/.github/workflows/janitor.yaml
+++ b/.github/workflows/janitor.yaml
@@ -13,8 +13,8 @@ jobs:
 if: github.repository == 'awslabs/amazon-eks-ami'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: aws-actions/configure-aws-credentials@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
+ - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # 4.0.2
 with:
 aws-region: ${{ secrets.AWS_REGION }}
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_JANITOR }}
@@ -26,8 +26,8 @@ jobs:
 if: github.repository == 'awslabs/amazon-eks-ami'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: aws-actions/configure-aws-credentials@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
+ - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # 4.0.2
 with:
 aws-region: ${{ secrets.AWS_REGION }}
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_JANITOR }}
diff --git a/.github/workflows/sync-eni-max-pods.yaml b/.github/workflows/sync-eni-max-pods.yaml
index 8a1209f58..35908233e 100644
--- a/.github/workflows/sync-eni-max-pods.yaml
+++ b/.github/workflows/sync-eni-max-pods.yaml
@@ -14,16 +14,16 @@ jobs:
 if: github.repository == 'awslabs/amazon-eks-ami'
 runs-on: ubuntu-latest
 steps:
- - uses: aws-actions/configure-aws-credentials@v4
+ - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # 4.0.2
 with:
 aws-region: ${{ secrets.AWS_REGION }}
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_SYNC_ENI_MAX_PODS }}
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 with:
 repository: awslabs/amazon-eks-ami
 ref: refs/heads/main
 path: amazon-eks-ami/
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 with:
 repository: aws/amazon-vpc-cni-k8s
 ref: refs/heads/master
@@ -35,7 +35,7 @@ jobs:
 make generate-limits
 cp misc/eni-max-pods.txt ../amazon-eks-ami/templates/shared/runtime/eni-max-pods.txt
 cp misc/eni-max-pods.txt ../amazon-eks-ami/nodeadm/internal/kubelet/eni-max-pods.txt
- - uses: peter-evans/create-pull-request@v6
+ - uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # 6.0.5
 with:
 branch: update-eni-max-pods
 path: amazon-eks-ami/
diff --git a/.github/workflows/sync-to-codecommit.yaml b/.github/workflows/sync-to-codecommit.yaml
index f2f77169f..d7ec7f2db 100644
--- a/.github/workflows/sync-to-codecommit.yaml
+++ b/.github/workflows/sync-to-codecommit.yaml
@@ -14,11 +14,11 @@ jobs:
 id-token: write
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 with:
 # fetch complete history
 fetch-depth: 0
- - uses: aws-actions/configure-aws-credentials@v4
+ - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # 4.0.2
 with:
 aws-region: ${{ secrets.AWS_REGION }}
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_SYNC_TO_CODECOMMIT }}
diff --git a/.github/workflows/update-changelog.yaml b/.github/workflows/update-changelog.yaml
index 0e4b3e56d..f2621b02a 100644
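Review bot: In `.github/workflows/sync-eni-max-pods.yaml` (hunk `@@ -14,16`), the second checkout pulls `aws/amazon-vpc-cni-k8s` at `ref: refs/heads/master` after `configure-aws-credentials` has already run, and the next hunk shows `make generate-limits` being executed, apparently from that tree. The action pins do not cover this: whatever is on that branch at run time executes in a job that presumably has the assumed role's credentials available. Consider checking out a reviewed tag or commit there, or add a comment such as `# tracks branch head on purpose: limits must follow upstream` if that is the intent. Scoping the role to the read-only calls the generator needs would bound the exposure either way.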
--- a/.github/workflows/update-changelog.yaml
+++ b/.github/workflows/update-changelog.yaml
@@ -21,12 +21,12 @@ jobs:
 needs:
 - setup
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 with:
 repository: awslabs/amazon-eks-ami
 ref: refs/heads/main
 path: amazon-eks-ami/
- - uses: actions/github-script@v7
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # 7.0.1
 with:
 script: |
 const fs = require('fs');
@@ -47,7 +47,7 @@ jobs:
 // if the release notes are modified in the GitHub web editor, trailing spaces can be added accidentally
 updatedChangelog = updatedChangelog.split('\n').map(s => s.replace(/\s+$/, '')).join('\n');
 fs.writeFileSync(changelogPath, updatedChangelog);
- - uses: peter-evans/create-pull-request@v6
+ - uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # 6.0.5
 with:
 branch: update-changelog
 path: amazon-eks-ami/
diff --git a/.github/workflows/update-dependency.yaml b/.github/workflows/update-dependency.yaml
index 093b1624a..d20806e9d 100644
--- a/.github/workflows/update-dependency.yaml
+++ b/.github/workflows/update-dependency.yaml
@@ -17,8 +17,8 @@ jobs:
 contents: write
 pull-requests: write
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # 5.0.1
 with:
 go-version-file: 'nodeadm/go.mod'
 - name: Update Nodeadm Dependencies
@@ -31,7 +31,7 @@ jobs:
 echo 'EOF' >> $GITHUB_OUTPUT
 - name: Create PR
 if: ${{ steps.update_deps.outputs.changes != '' }}
- uses: peter-evans/create-pull-request@v6
+ uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # 6.0.5
 with:
 title: 'Update dependencies'
 commit-message: Update dependencies