workflow: pin actions with sha's

And update sha's once a week.

Signed-off-by: Tuomas Katila <[email protected]>

Author: tkatila

.github/dependabot.yml

@@ -12,5 +12,6 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      # Check for updates to GitHub Actions every weekday
-      interval: "daily"
+      # Check for updates to GitHub Actions every week on Sunday
+      interval: "weekly"
+      day: "sunday"

.github/workflows/lib-build.yaml

@@ -45,8 +45,8 @@ jobs:
           - dlb-libdlb-demo
         builder: [buildah, docker]
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
         with:
           go-version-file: go.mod
           check-latest: true

.github/workflows/lib-codeql.yaml

@@ -18,19 +18,18 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
-
-    - uses: actions/setup-go@v5
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
       with:
         go-version-file: go.mod
         check-latest: true
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@71ace48453080e924b22589f0c397bedde464d78 # v3
       with:
         languages: 'go'
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@71ace48453080e924b22589f0c397bedde464d78 # v3
       with:
         category: "/language:go"

.github/workflows/lib-e2e.yaml

@@ -67,7 +67,7 @@ jobs:
       IMAGES: ${{ join(matrix.images, ' ') }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
         with:
           fetch-depth: 0
       - name: Describe test environment

.github/workflows/lib-publish.yaml

@@ -42,8 +42,8 @@ jobs:
           - crypto-perf
           - opae-nlb-demo
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
         with:
           go-version-file: go.mod
           check-latest: true
@@ -54,7 +54,7 @@ jobs:
         run: |
           REG=intel/ make ${IMAGE_NAME} BUILDER=docker
       - name: Trivy scan for image
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
         with:
           scan-type: image
           image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }}
@@ -64,7 +64,7 @@ jobs:
         if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
         run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
       - name: Login
-        uses: docker/login-action@v3
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_PASS }}

.github/workflows/lib-scorecard.yaml

@@ -16,18 +16,16 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
         with:
           persist-credentials: false
-
       - name: "Analyze project"
-        uses: ossf/[email protected]
+        uses: ossf/scorecard-action@e4c423540e964e15ccadc56558705ba15136265c # v2.3.3
         with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
-
       - name: "Upload results to security"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3
         with:
           sarif_file: results.sarif

.github/workflows/lib-trivy.yaml

@@ -30,10 +30,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
-
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
     - name: Run Trivy in config mode for deployments
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
       with:
         scan-type: config
         scan-ref: deployments/
@@ -49,10 +48,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
-
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
     - name: Run Trivy in config mode for dockerfiles
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
       with:
         scan-type: config
         scan-ref: build/docker/
@@ -64,10 +62,9 @@ jobs:
     name: Scan licenses
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
-
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
     - name: Run Trivy in fs mode
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
       with:
         scan-type: fs
         scan-ref: .
@@ -78,53 +75,47 @@ jobs:
   trivy-scan-vulns:
     permissions:
       security-events: write
-
     runs-on: ubuntu-22.04
     name: Scan vulnerabilities
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
-
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
     - name: Run Trivy in fs mode
       continue-on-error: true
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
       with:
         scan-type: fs
         scan-ref: .
         exit-code: 1
         list-all-pkgs: true
         format: json
         output: trivy-report.json
-
     - name: Show report in human-readable format
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
       with:
         scan-type: convert
         vuln-type: ''
         severity: ''
         image-ref: trivy-report.json
         format: table
-
     - name: Convert report to sarif
       if: ${{ inputs.upload-to-github-security-tab }}
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
       with:
         scan-type: convert
         vuln-type: ''
         severity: ''
         image-ref: trivy-report.json
         format: sarif
         output: trivy-report.sarif
-
     - name: Upload sarif report to GitHub Security tab
       if: ${{ inputs.upload-to-github-security-tab }}
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3
       with:
-       sarif_file: trivy-report.sarif
-
+        sarif_file: trivy-report.sarif
     - name: Convert report to csv
       if: ${{ inputs.export-csv }}
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
       with:
         scan-type: convert
         vuln-type: ''
@@ -133,10 +124,9 @@ jobs:
         format: template
         template: "@.github/workflows/template/trivy-csv.tpl"
         output: trivy-report.csv
-
     - name: Upload CSV report as an artifact
       if: ${{ inputs.export-csv }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
       with:
         name: trivy-report
-        path: trivy-report.csv
+        path: trivy-report.csv

.github/workflows/lib-validate.yaml

@@ -14,7 +14,7 @@ jobs:
       run: |
         sudo apt-get update
         sudo apt-get install -y python3-venv
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
       with:
         fetch-depth: 0
     - name: Set up doc directory
@@ -28,30 +28,28 @@ jobs:
         rm -rf _work/venv
         make vhtml
         mv _build/html/* $HOME/output/
-
   golangci:
     permissions:
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     name: lint
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
         with:
           go-version-file: go.mod
           check-latest: true
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6
         with:
           version: v1.57.2
           args: -v --timeout 5m
-
   build:
     name: Build and check device plugins
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
         with:
           go-version-file: go.mod
           check-latest: true
@@ -63,7 +61,6 @@ jobs:
       - run: make check-github-actions
       #- name: Codecov report
       #  run: bash <(curl -s https://codecov.io/bash)
-
   envtest:
     name: Test APIs using envtest
     runs-on: ubuntu-22.04
@@ -74,8 +71,8 @@ jobs:
           - 1.29.x
           - 1.30.x
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
         with:
           go-version-file: go.mod
           check-latest: true

.github/workflows/publish.yml

@@ -15,15 +15,15 @@ jobs:
   build:
 
     permissions:
-      contents: write  # for Git to git push
+      contents: write # for Git to git push
     runs-on: ubuntu-22.04
 
     steps:
     - name: Install dependencies
       run: |
         sudo apt-get update
         sudo apt-get install -y python3-venv git
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
       with:
         fetch-depth: 0
         ref: main
@@ -44,7 +44,7 @@ jobs:
         rm -rf _work/venv
         make vhtml
         mv _build/html/* $HOME/output/
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
       with:
         fetch-depth: 0
         ref: release-0.28
@@ -55,7 +55,7 @@ jobs:
         rm -rf _work/venv
         make vhtml
         mv _build/html $HOME/output/0.28
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
       with:
         fetch-depth: 0
         ref: release-0.29
@@ -66,7 +66,7 @@ jobs:
         rm -rf _work/venv
         make vhtml
         mv _build/html $HOME/output/0.29
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
       with:
         fetch-depth: 0
         ref: release-0.30