enh(chore): github actions hardening (#4780)
sc979 authored Dec 20, 2023
1 parent 633a974 commit 1fa45a6
Showing 28 changed files with 127 additions and 118 deletions.
4 changes: 2 additions & 2 deletions .github/actions/deb-delivery-legacy/action.yml
Expand Up @@ -24,13 +24,13 @@ runs:
using: "composite"
steps:
- name: Use cache DEB files
uses: actions/cache/restore@v3
uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ./*.deb
key: ${{ inputs.cache_key }}
fail-on-cache-miss: true

- uses: jfrog/setup-jfrog-cli@v3
- uses: jfrog/setup-jfrog-cli@901bb9632db90821c2d3f076012bdeaf66598555 # v3.4.1
env:
JF_URL: https://centreon.jfrog.io
JF_ACCESS_TOKEN: ${{ inputs.artifactory_token }}
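Review bot: The `# v3.4.1` comment on the pinned `jfrog/setup-jfrog-cli` step is the only thing tying the 40-character hash to a release, and nothing in this change checks it. Because this step receives `JF_ACCESS_TOKEN`, confirm before merge that `901bb9632db90821c2d3f076012bdeaf66598555` is the commit the upstream repository's tag points at; GitHub's hardening guidance notes that a SHA should be checked as coming from the action's own repository rather than a fork. The same check applies to the identical pin in deb-delivery, promote-to-stable, rpm-delivery-legacy and rpm-delivery, and to the `actions/cache/restore` pin above it. The `runs:` block continues outside the visible hunk.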
4 changes: 2 additions & 2 deletions .github/actions/deb-delivery/action.yml
Expand Up @@ -25,13 +25,13 @@ runs:
shell: bash

- name: Use cache DEB files
uses: actions/cache/restore@v3
uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ./*.deb
key: ${{ inputs.cache_key }}
fail-on-cache-miss: true

- uses: jfrog/setup-jfrog-cli@v3
- uses: jfrog/setup-jfrog-cli@901bb9632db90821c2d3f076012bdeaf66598555 # v3.4.1
env:
JF_URL: https://centreon.jfrog.io
JF_ACCESS_TOKEN: ${{ inputs.artifactory_token }}
4 changes: 2 additions & 2 deletions .github/actions/package-nfpm/action.yml
Expand Up @@ -105,15 +105,15 @@ runs:
shell: bash

- name: Cache packages
uses: actions/cache/save@v3
uses: actions/cache/save@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ./*.${{ inputs.package_extension }}
key: ${{ inputs.cache_key }}

# Update if condition to true to get packages as artifacts
- if: ${{ false }}
name: Upload package artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: packages-${{ inputs.distrib }}
path: ./*.${{ inputs.package_extension}}
4 changes: 2 additions & 2 deletions .github/actions/package/action.yml
Expand Up @@ -72,14 +72,14 @@ runs:
shell: bash

- name: Upload package artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: packages-${{ inputs.distrib }}
path: ./*.${{ inputs.package_extension }}
retention-days: 1

- name: Cache packages
uses: actions/cache/save@v3
uses: actions/cache/save@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ./*.${{ inputs.package_extension }}
key: ${{ inputs.cache_key }}
2 changes: 1 addition & 1 deletion .github/actions/promote-to-stable/action.yml
Expand Up @@ -17,7 +17,7 @@ inputs:
runs:
using: "composite"
steps:
- uses: jfrog/setup-jfrog-cli@v3
- uses: jfrog/setup-jfrog-cli@901bb9632db90821c2d3f076012bdeaf66598555 # v3.4.1
env:
JF_URL: https://centreon.jfrog.io
JF_ACCESS_TOKEN: ${{ inputs.artifactory_token }}
4 changes: 2 additions & 2 deletions .github/actions/rpm-delivery-legacy/action.yml
Expand Up @@ -24,13 +24,13 @@ runs:
using: "composite"
steps:
- name: Use cache RPM files
uses: actions/cache/restore@v3
uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ./*.rpm
key: ${{ inputs.cache_key }}
fail-on-cache-miss: true

- uses: jfrog/setup-jfrog-cli@v3
- uses: jfrog/setup-jfrog-cli@901bb9632db90821c2d3f076012bdeaf66598555 # v3.4.1
env:
JF_URL: https://centreon.jfrog.io
JF_ACCESS_TOKEN: ${{ inputs.artifactory_token }}
4 changes: 2 additions & 2 deletions .github/actions/rpm-delivery/action.yml
Expand Up @@ -25,13 +25,13 @@ runs:
shell: bash

- name: Use cache RPM files
uses: actions/cache/restore@v3
uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ./*.rpm
key: ${{ inputs.cache_key }}
fail-on-cache-miss: true

- uses: jfrog/setup-jfrog-cli@v3
- uses: jfrog/setup-jfrog-cli@901bb9632db90821c2d3f076012bdeaf66598555 # v3.4.1
env:
JF_URL: https://centreon.jfrog.io
JF_ACCESS_TOKEN: ${{ inputs.artifactory_token }}
2 changes: 1 addition & 1 deletion .github/actions/runner-docker/action.yml
Expand Up @@ -29,7 +29,7 @@ runs:
using: "composite"
steps:
- name: Login to Registry (via runner)
uses: docker/login-action@v2
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ${{ inputs.registry_url }}
username: ${{ inputs.registry_username }}
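--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+directory: '/'
+schedule:
+interval: weekly
+open-pull-requests-limit: 10
+labels:
+- 'pr: dependencies'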
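Review bot: `directory: '/'` for the `github-actions` ecosystem makes Dependabot scan `.github/workflows` and a root-level `action.yml`, so, unless that behaviour has since changed, the SHAs this commit pins inside `.github/actions/*/action.yml` will get no update PRs and will quietly go stale. That affects deb-delivery, rpm-delivery, package, package-nfpm, promote-to-stable, runner-docker and the legacy variants. Add one `updates` entry per composite-action directory, for example `directory: '/.github/actions/deb-delivery'`, or confirm on the first Dependabot run that those files are picked up. A short comment above the entry stating which paths it covers would help the next maintainer.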
4 changes: 2 additions & 2 deletions .github/workflows/actionlint.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Download actionlint
id: get_actionlint
Expand All @@ -40,7 +40,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install Yaml
run: |
6 changes: 3 additions & 3 deletions .github/workflows/connector-vmware.yml
Expand Up @@ -51,7 +51,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Package
uses: ./.github/actions/package
Expand Down Expand Up @@ -80,7 +80,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Delivery
uses: ./.github/actions/rpm-delivery
Expand All @@ -104,7 +104,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Delivery
uses: ./.github/actions/deb-delivery
10 changes: 5 additions & 5 deletions .github/workflows/docker-builder-packaging-plugins.yml
Expand Up @@ -42,25 +42,25 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Login to Registry
uses: docker/login-action@v2
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ${{ vars.DOCKER_INTERNAL_REGISTRY_URL }}
username: ${{ secrets.DOCKER_REGISTRY_ID }}
password: ${{ secrets.DOCKER_REGISTRY_PASSWD }}

- name: Login to proxy registry
uses: docker/login-action@v2
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ${{ vars.DOCKER_PROXY_REGISTRY_URL }}
username: ${{ secrets.DOCKER_REGISTRY_ID }}
password: ${{ secrets.DOCKER_REGISTRY_PASSWD }}

- uses: docker/setup-buildx-action@v2
- uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0

- uses: docker/build-push-action@v3
- uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
with:
file: .github/docker/Dockerfile.${{ matrix.dockerfile }}
context: .
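Review bot: The `docker/setup-buildx-action` and `docker/build-push-action` steps carry no `name:`, so with the ref now a full commit SHA the run log labels them by hash instead of something a reader can scan. Add for example `name: Set up Docker Buildx` and `name: Build and push image` above the respective `uses:` lines. The same applies to the unnamed `uses:` steps in perl-cpan-libraries.yml and to the `jfrog/setup-jfrog-cli` steps in the delivery actions. The `build-push-action` step's `with:` block continues past the end of the visible hunk.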
2 changes: 1 addition & 1 deletion .github/workflows/get-environment.yml
Expand Up @@ -25,7 +25,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- id: get_environment
run: |
6 changes: 3 additions & 3 deletions .github/workflows/nrpe.yml
Expand Up @@ -49,7 +49,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Download nrpe sources
run: |
Expand Down Expand Up @@ -118,7 +118,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Delivery
uses: ./.github/actions/rpm-delivery
Expand All @@ -140,7 +140,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Delivery
uses: ./.github/actions/deb-delivery
20 changes: 10 additions & 10 deletions .github/workflows/perl-cpan-libraries.yml
Expand Up @@ -162,7 +162,7 @@ jobs:
password: ${{ secrets.DOCKER_REGISTRY_PASSWD }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- if: ${{ contains(matrix.build_distribs, matrix.distrib) && matrix.package_extension == 'rpm' }}
run: |
Expand Down Expand Up @@ -255,7 +255,7 @@ jobs:
DEB_BUILD_OPTIONS="nocheck nodocs notest" dh-make-perl make --build $PACKAGE_VERSION --cpan ${{ matrix.name }}
shell: bash

- uses: actions/upload-artifact@v3
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: packages-${{ matrix.package_extension }}-${{ matrix.distrib }}
path: ./*.${{ matrix.package_extension }}
Expand All @@ -280,9 +280,9 @@ jobs:
- run: apt-get install -y zstd
shell: bash

- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- uses: actions/download-artifact@v3
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: packages-rpm-${{ matrix.distrib }}
path: ./
Expand All @@ -293,7 +293,7 @@ jobs:
- run: rpmsign --addsign ./*.rpm
shell: bash

- uses: actions/cache@v3
- uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ./*.rpm
key: ${{ github.sha }}-${{ github.run_id }}-rpm-${{ matrix.distrib }}
Expand All @@ -302,12 +302,12 @@ jobs:
needs: [package]
runs-on: ubuntu-22.04
steps:
- uses: actions/download-artifact@v3
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: packages-deb-bullseye
path: ./

- uses: actions/cache@v3
- uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ./*.deb
key: ${{ github.sha }}-${{ github.run_id }}-deb-bullseye
Expand All @@ -323,7 +323,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Delivery
uses: ./.github/actions/rpm-delivery
Expand All @@ -345,7 +345,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Delivery
uses: ./.github/actions/deb-delivery
Expand All @@ -366,7 +366,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Promote ${{ matrix.distrib }} to stable
uses: ./.github/actions/promote-to-stable
10 changes: 5 additions & 5 deletions .github/workflows/perl-crypt-argon2.yml
Expand Up @@ -64,7 +64,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install locally Crypt::Argon2
run: |
Expand Down Expand Up @@ -118,7 +118,7 @@ jobs:
# set condition to true if artifacts are needed
- if: ${{ false }}
name: Upload package artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: packages-${{ matrix.distrib }}-${{ matrix.arch }}
path: ./*.${{ matrix.package_extension}}
Expand All @@ -137,7 +137,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Delivery
uses: ./.github/actions/rpm-delivery
Expand Down Expand Up @@ -165,7 +165,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Delivery
uses: ./.github/actions/deb-delivery
Expand Down Expand Up @@ -194,7 +194,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Promote ${{ matrix.distrib }} ${{ matrix.arch }} to stable
uses: ./.github/actions/promote-to-stable