diff --git a/.github/workflows/__build-workflow.yaml b/.github/workflows/__build-workflow.yaml index 979f738523..897e2e5689 100644 --- a/.github/workflows/__build-workflow.yaml +++ b/.github/workflows/__build-workflow.yaml @@ -85,7 +85,7 @@ jobs: prerelease: ${{ steps.semver_parser.outputs.prerelease }} steps: - - uses: mukunku/tag-exists-action@v1.6.0 + - uses: mukunku/tag-exists-action@bdad1eaa119ce71b150b952c97351c75025c06a9 # v1.6.0 id: check-tag if: ${{ inputs.tag != '' }} name: check if tag already exists @@ -106,7 +106,7 @@ jobs: - name: Parse semver string id: semver_parser if: ${{ inputs.tag != '' }} - uses: booxmedialtd/ws-action-parse-semver@v1.4.7 + uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7 with: input_string: ${{ inputs.tag }} version_extractor_regex: 'v(.*)$' @@ -147,14 +147,14 @@ jobs: - name: Log in to the Container registry if: ${{ inputs.push }} - uses: docker/login-action@v3.3.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ${{ inputs.registry }} username: ${{ inputs.username }} password: ${{ secrets.dockerhub-token }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Add standard tags if: ${{ inputs.tag != '' }} @@ -173,7 +173,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@v5.6.1 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | ${{ inputs.registry }}/${{ inputs.image-name }} @@ -205,7 +205,7 @@ jobs: - name: Build image id: build - uses: docker/build-push-action@v6.10.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: context: . build-contexts: ${{ inputs.additional-build-contexts }} 
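Review bot: Nothing in this diff shows what will move these pins forward: in the `@@ -147,14` hunk `docker/setup-buildx-action` goes from the floating `@v3` to a fixed commit, so upstream fixes no longer arrive on their own. The same holds for the `int128/docker-manifest-create-action@v2`, `jdx/mise-action@v2`, `ncipollo/release-action@v1` and `nick-fields/retry@v3` hunks. The repository configuration is not visible here, so it is worth confirming that an updater covering GitHub Actions (for example a Dependabot `github-actions` entry) is in place. The runner does not check the trailing `# vX.Y.Z` comments against the SHA, so a mismatched comment would go unnoticed. A header comment in each workflow such as `# Actions are pinned by commit SHA; the trailing comment records the tag the SHA was taken from` would state the convention.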
@@ -274,7 +274,7 @@ jobs: - name: Configure Git for private repositories (this is needed by repositories that include this workflow and have other private dependencies) run: git config --global url."https://${{ secrets.gh-pat }}@github.com".insteadOf "https://github.com" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Add standard tags if: ${{ inputs.tag != '' }} @@ -293,7 +293,7 @@ jobs: - name: Docker metadata id: meta - uses: docker/metadata-action@v5.6.1 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | ${{ inputs.registry }}/${{ inputs.image-name }} @@ -310,7 +310,7 @@ jobs: - name: Log in to the Container registry if: ${{ inputs.push }} - uses: docker/login-action@v3.3.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ${{ inputs.registry }} username: ${{ inputs.username }} @@ -324,7 +324,7 @@ jobs: # When building with `inputs.tag` set, `steps.meta.outputs.tags` contains multiple entries, so it cannot be used # directly in sources. Instead, the sources are constructed using the `inputs.registry`, `inputs.image-name` and # `needs.semver.outputs.fullversion`. - - uses: int128/docker-manifest-create-action@v2 + - uses: int128/docker-manifest-create-action@736aaa0f6ae97b2fb7f43e8dcef3ab47a02ea96e # v2.8.0 if: ${{ inputs.tag != '' }} with: tags: ${{ steps.meta.outputs.tags }} 
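Review bot: The first step of the `@@ -274,7` hunk writes `secrets.gh-pat` into the global git config, where it stays readable by every later step of the job, including the third-party actions pinned below it. Pinning narrows what code can run there but does not remove the credential from the runner. Consider passing the token through `env:` instead of interpolating it into the script (`env: { GH_PAT: "${{ secrets.gh-pat }}" }` with `https://${GH_PAT}@github.com` in the `run:` line), and confirm the PAT is read-only and limited to the repositories the build needs. The step is unchanged context in this commit, and the rest of the job lies outside the hunk.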
@@ -335,7 +335,7 @@ jobs: # When building on schedule, `steps.meta.outputs.tags` contains multiple entries, so it cannot be used # directly in sources. Instead, the sources are constructed using the `inputs.registry`, `inputs.image-name` and # the current date. - - uses: int128/docker-manifest-create-action@v2 + - uses: int128/docker-manifest-create-action@736aaa0f6ae97b2fb7f43e8dcef3ab47a02ea96e # v2.8.0 if: ${{ inputs.tag == '' && github.event_name == 'schedule' }} with: tags: ${{ steps.meta.outputs.tags }} @@ -345,7 +345,7 @@ jobs: # When building on push (e.g. on main), `steps.meta.outputs.tags` contains only a single entry, so it can be used # directly in sources. - - uses: int128/docker-manifest-create-action@v2 + - uses: int128/docker-manifest-create-action@736aaa0f6ae97b2fb7f43e8dcef3ab47a02ea96e # v2.8.0 if: ${{ inputs.tag == '' && github.event_name == 'push' }} with: tags: ${{ steps.meta.outputs.tags }} diff --git a/.github/workflows/__release-workflow.yaml b/.github/workflows/__release-workflow.yaml index 44a34a77f9..06c382caaa 100644 --- a/.github/workflows/__release-workflow.yaml +++ b/.github/workflows/__release-workflow.yaml @@ -81,7 +81,7 @@ jobs: prerelease: ${{ steps.semver_parser.outputs.prerelease }} runs-on: ubuntu-latest steps: - - uses: mukunku/tag-exists-action@v1.6.0 + - uses: mukunku/tag-exists-action@bdad1eaa119ce71b150b952c97351c75025c06a9 # v1.6.0 id: check-tag name: Check if tag already exists with: @@ -100,7 +100,7 @@ jobs: - name: Parse semver string id: semver_parser - uses: booxmedialtd/ws-action-parse-semver@v1.4.7 + uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7 with: input_string: ${{ inputs.tag }} version_extractor_regex: 'v(.*)$' @@ -143,7 +143,7 @@ jobs: with: go-version-file: go.mod - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false 
@@ -161,7 +161,7 @@ jobs: - name: Get Kong Enterprise License if: steps.check-op-service-account-token.outputs.provided == 'true' id: get-license - uses: Kong/kong-license@master + uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master in 20250107 with: # OP (1Password) token is used to fetch the Kong Enterprise License from 1Password. op-token: ${{ secrets.op-service-account-token }} @@ -201,7 +201,7 @@ jobs: with: go-version-file: go.mod - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -219,7 +219,7 @@ jobs: - name: Get Kong Enterprise License if: steps.check-op-service-account-token.outputs.provided == 'true' id: get-license - uses: Kong/kong-license@master + uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master in 20250107 with: # OP (1Password) token is used to fetch the Kong Enterprise License from 1Password. op-token: ${{ secrets.op-service-account-token }} @@ -284,7 +284,7 @@ jobs: echo "VERSION=${VERSION}" >> $GITHUB_ENV echo ${VERSION} > VERSION - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -302,7 +302,7 @@ jobs: run: make bundle - name: GPG sign the commits - uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 + uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0 with: gpg_private_key: ${{ secrets.gpg-private-key }} passphrase: ${{ secrets.gpg-passphrase }} @@ -317,7 +317,7 @@ jobs: # PRs will update the version file and manifests - name: Create a release PR - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.6 with: token: ${{ secrets.gh-pat }} path: . diff --git a/.github/workflows/release-bot.yaml b/.github/workflows/release-bot.yaml index 0c362aff9b..2eeb610f23 100644 
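Review bot: The pin comment `# master in 20250107` in the `@@ -161,7` hunk (and again in `@@ -219,7`) names a branch and a date rather than a release tag, so a reader cannot check the SHA against a tag and tag-aware updaters will probably not bump it. This step receives `secrets.op-service-account-token`, which makes it the place where a stale or unverifiable pin matters most. I would spell the intent out, e.g. `# pinned to a master commit (2025-01-07); refresh by hand after reviewing the upstream diff`, or cut a tag in `Kong/kong-license` and pin to that.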
--- a/.github/workflows/release-bot.yaml +++ b/.github/workflows/release-bot.yaml @@ -64,13 +64,13 @@ jobs: - name: Parse semver string id: semver_parser - uses: booxmedialtd/ws-action-parse-semver@v1.4.7 + uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7 with: input_string: ${{ env.VERSION }} version_extractor_regex: '(.*)$' - name: check if tag already exists - uses: mukunku/tag-exists-action@v1.6.0 + uses: mukunku/tag-exists-action@bdad1eaa119ce71b150b952c97351c75025c06a9 # v1.6.0 id: tag_exists with: tag: ${{ steps.commit_parser.outputs.release_version }} @@ -88,7 +88,7 @@ jobs: if: ${{ needs.look_for_release.outputs.release_found == 'true' }} runs-on: ubuntu-latest steps: - - uses: ncipollo/release-action@v1 + - uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 with: body: | #### Download Kong Gateway Operator ${{ needs.semver.outputs.version }}: @@ -117,7 +117,7 @@ jobs: if: ${{ needs.look_for_release.outputs.release_found == 'true' && needs.semver.outputs.patch == '0' && needs.semver.outputs.prerelease == '' }} runs-on: ubuntu-latest steps: - - uses: peterjgrainger/action-create-branch@v3.0.0 + - uses: peterjgrainger/action-create-branch@10c7d268152480ae859347db45dc69086cef1d9c # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -136,7 +136,7 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: carloscastrojumo/github-cherry-pick-action@v1.0.10 + - uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10 with: branch: main title: '[cherry-pick] ${{ needs.semver.outputs.version }} - ${{ github.sha }}' diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index a19e3494b4..05b280f5a2 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
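Review bot: `actions/checkout@v4` in the `@@ -136,7` hunk is left on a mutable tag while the `carloscastrojumo/github-cherry-pick-action` step right after it is pinned to a commit. If GitHub-owned actions are exempt on purpose, a one-line comment saying so would keep the next reader from treating it as an oversight. Otherwise pin it the same way, `- uses: actions/checkout@<full-commit-sha> # v4.x.y` (placeholder, the SHA is not on this page). The `go-version-file: go.mod` context lines in the release and tests workflows suggest other setup steps may be in the same position, though their `uses:` lines are outside the hunks.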
@@ -32,7 +32,7 @@ jobs: with: go-version-file: go.mod - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -53,7 +53,7 @@ jobs: with: go-version-file: go.mod - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -61,7 +61,7 @@ jobs: run: make verify.manifests - name: Verify generators consistency - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 3 max_attempts: 3 @@ -79,9 +79,9 @@ jobs: go-version-file: go.mod - name: Create k8s KinD Cluster - uses: helm/kind-action@v1.12.0 + uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -108,9 +108,9 @@ jobs: go-version-file: go.mod - name: Create k8s KinD Cluster - uses: helm/kind-action@v1.12.0 + uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -152,7 +152,7 @@ jobs: with: go-version-file: go.mod - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -186,7 +186,7 @@ jobs: with: go-version-file: go.mod - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -228,7 +228,7 @@ jobs: with: go-version-file: go.mod - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -277,7 +277,7 @@ jobs: with: go-version-file: go.mod - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false 
@@ -332,7 +332,7 @@ jobs: with: go-version-file: go.mod - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -382,7 +382,7 @@ jobs: with: go-version-file: go.mod - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -435,7 +435,7 @@ jobs: TAG: e2e-${{ github.sha }} run: make docker.build - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11 with: install: false @@ -484,7 +484,7 @@ jobs: - name: Upload test results to BuildPulse for flaky test detection if: ${{ !cancelled() }} - uses: buildpulse/buildpulse-action@v0.12.0 + uses: buildpulse/buildpulse-action@d4d8e00c645a2e3db0419a43664bbcf868080234 # v0.12.0 with: account: 962416 repository: 477814940