From 35cc08c140abca5da84b36f3db8d0eb7fc537a93 Mon Sep 17 00:00:00 2001
From: Roy Dahan
Date: Wed, 10 Jun 2026 18:11:49 +0300
Subject: [PATCH] ci: pin GitHub Actions to commit SHAs

Pin all external GitHub Actions to full commit SHAs to reduce supply chain attack surface. Upgrade outdated actions to their latest versions.

Reference: https://github.com/scylladb/scylladb/pull/29421
---
 .github/workflows/dep-lic-scan.yaml | 2 +-
 .github/workflows/snyk-cli-scan.yml | 4 +--
 .github/workflows/tests@v1.yml | 38 ++++++++++++++---------------
 3 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/dep-lic-scan.yaml b/.github/workflows/dep-lic-scan.yaml
index afb197bf137..267fcdd0121 100644
--- a/.github/workflows/dep-lic-scan.yaml
+++ b/.github/workflows/dep-lic-scan.yaml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code
- uses: actions/checkout@v2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install Fossa CLI
 run: |
 curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash -s -- -b .
diff --git a/.github/workflows/snyk-cli-scan.yml b/.github/workflows/snyk-cli-scan.yml
index 50d303a128b..c2db6e247aa 100644
--- a/.github/workflows/snyk-cli-scan.yml
+++ b/.github/workflows/snyk-cli-scan.yml
@@ -15,13 +15,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Git checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: prepare for snyk scan
 uses: datastax/shared-github-actions/actions/snyk-prepare@main
 - name: Set up JDK 8
- uses: actions/setup-java@v3
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'temurin'
 java-version: '8'
diff --git a/.github/workflows/tests@v1.yml b/.github/workflows/tests@v1.yml
index a716c4220fc..41be8ac28c1 100644
--- a/.github/workflows/tests@v1.yml
+++ b/.github/workflows/tests@v1.yml
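Review bot: The pin on `actions/checkout` in this hunk is undercut two lines later by `curl ... fossas/fossa-cli/master/install-latest.sh | bash -s -- -b .`, which still fetches a script from a mutable branch and executes it, so the job's supply-chain exposure is essentially unchanged. Pinning the script URL to a fossa-cli commit would help, but judging by its name the script presumably resolves a "latest" CLI release at run time, so the binary would still not be pinned. I would instead install a specific fossa-cli release, verify its published checksum (`sha256sum -c` against a value committed next to the workflow) before executing it, and annotate the pinned version with the same `# vX.Y.Z` comment convention used for the actions; the exact release URL and checksum need to come from the fossa-cli release page, not from this review. The Fossa step's remaining lines continue outside the hunk.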
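Review bot: `uses: datastax/shared-github-actions/actions/snyk-prepare@main` is left on a mutable branch ref while the `checkout` and `setup-java` lines around it are moved to commit SHAs, so the commit message's "pin all external GitHub Actions" does not hold for this workflow and a push to that repository's `main` still runs arbitrary code in this job. Pin it the same way, `uses: datastax/shared-github-actions/actions/snyk-prepare@<40-hex-commit-sha> # main as of <date>`, with the SHA taken from that repository rather than invented here. If tracking the branch is intentional because it is an organisation-internal action, record that on the line with a comment so the exception is visible to the next audit rather than looking like an omission.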
@@ -20,10 +20,10 @@ jobs:
 steps:
 - name: Checkout source
- uses: actions/checkout@v2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up JDK ${{ matrix.java-version }}
- uses: actions/setup-java@v2
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 java-version: ${{ matrix.java-version }}
 distribution: 'adopt'
@@ -43,10 +43,10 @@ jobs:
 steps:
 - name: Checkout source
- uses: actions/checkout@v2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up JDK ${{ matrix.java-version }}
- uses: actions/setup-java@v2
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 java-version: ${{ matrix.java-version }}
 distribution: 'adopt'
@@ -62,10 +62,10 @@ jobs:
 steps:
 - name: Checkout source
- uses: actions/checkout@v2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up JDK 8
- uses: actions/setup-java@v2
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 java-version: '8'
 distribution: 'adopt'
@@ -80,7 +80,7 @@ jobs:
 mkdir unit
 cp --parents ./**/target/*-reports/*.xml unit/
 - name: Upload test results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: success() || failure()
 with:
 name: test-results
@@ -93,10 +93,10 @@ jobs:
 steps:
 - name: Checkout source
- uses: actions/checkout@v2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Setup Python 3
- uses: actions/setup-python@v2
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.x'
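Review bot: The `# v6.0.3` and `# v5.2.0` trailers on the new `uses:` lines are documentation only; nothing in the workflow verifies that each SHA really belongs to that tag, and the same pins are now copied into every job of this file, so a future bump means editing each copy by hand and the comments will drift from the SHAs the first time someone misses one. Nothing in the diff records how the pins are meant to be verified or refreshed. I would add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` (Dependabot updates SHA pins and rewrites the `# vX.Y.Z` comment to match), or failing that a comment at the top of each workflow naming the tool that was used to produce and audit the pins. Separately, `distribution: 'adopt'` on the context lines is, as far as I recall, a legacy alias in current setup-java releases while `snyk-cli-scan.yml` already uses `'temurin'`; worth confirming against the setup-java v5 documentation now that the action is upgraded. The job definitions these steps belong to start above the hunk.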
@@ -123,16 +123,16 @@ jobs:
 steps:
 - name: Checkout source
- uses: actions/checkout@v2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up JDK 8
- uses: actions/setup-java@v2
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 java-version: '8'
 distribution: 'adopt'
 - name: Setup Python 3
- uses: actions/setup-python@v2
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.x'
@@ -149,14 +149,14 @@ jobs:
 mkdir cassandra-${{ matrix.cassandra-version }}
 cp --parents ./**/target/*-reports/*.xml cassandra-${{ matrix.cassandra-version }}/
 - name: Upload test results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: success() || failure()
 with:
 name: test-results
 path: "*/**/target/*-reports/*.xml"
 - name: Upload CCM logs
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: ${{ failure() }}
 with:
 name: ccm-logs-cassandra-${{ matrix.cassandra-version }}
@@ -175,16 +175,16 @@ jobs:
 steps:
 - name: Checkout source
- uses: actions/checkout@v2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up JDK 8
- uses: actions/setup-java@v2
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 java-version: '8'
 distribution: 'adopt'
 - name: Setup Python 3
- uses: actions/setup-python@v2
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.x'
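Review bot: Moving `Upload test results` from upload-artifact v2 to v7.0.1 changes the step's semantics, not just its pin: since v4 (and, as far as I can tell, unchanged in later majors) artifact names must be unique within a workflow run and a second upload to an existing name fails rather than merging into it, whereas v2 appended. This step runs once per `matrix.cassandra-version` entry and the hunks for the unit and scylla jobs upload to the same `name: test-results`, so after the first matrix leg finishes every other upload will presumably error and the job will go red on a pin bump. Make the name unique the way the `Upload CCM logs` step below already does, `name: test-results-cassandra-${{ matrix.cassandra-version }}`, and do the same in the unit and scylla jobs; if downstream consumers need one combined artifact, add a final job that runs a pinned `actions/download-artifact` with `pattern: test-results-*` and `merge-multiple: true` and re-uploads the result. The `run: |` block that starts this hunk and the job itself begin above it.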
@@ -202,14 +202,14 @@ jobs:
 mkdir scylla-${{ matrix.scylla-version }}
 cp --parents ./**/target/*-reports/*.xml scylla-${{ matrix.scylla-version }}/
 - name: Upload test results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: success() || failure()
 with:
 name: test-results
 path: "*/**/target/*-reports/*.xml"
 - name: Upload CCM logs
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: ${{ failure() }}
 with:
 name: ccm-logs-scylla-${{ matrix.scylla-version }}