From bc1a9ad0a05a3737b6469595924f05495f0983be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?= Date: Fri, 28 Jun 2024 09:02:17 +0200 Subject: [PATCH] Pin Github Action versions in CI (#34) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pin the Github Actions we use in CI to a release hash according to secure software development best practices, recommended by the Open Source Security Foundation (OpenSSF). When developing a CI workflow, it's common to version-pin dependencies (i.e. actions/checkout@v4). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead. Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed. See details: https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies Signed-off-by: Björn Svensson --- .github/workflows/build.yml | 17 +++++++++-------- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/coverity.yml | 2 +- .github/workflows/db-compatibility.yml | 4 ++-- .github/workflows/release-drafter.yml | 2 +- .github/workflows/spellcheck.yml | 4 ++-- .github/workflows/test.yml | 6 +++--- 7 files changed, 24 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7f204046..b7833106 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,7 +6,7 @@ jobs: name: Ubuntu runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install dependencies run: | @@ -47,7 +47,8 @@ jobs: runs-on: ubuntu-latest container: centos:7 steps: - - uses: actions/checkout@v3 + # CentOS 7 uses an older glibc, only v3 of actions/checkout can be used. + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Install dependencies run: | 
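Review bot: The hash pins introduced in this hunk (`actions/checkout@692973e… # v4.1.7`) will silently go stale unless something updates them, and the diffstat shows only workflow files changing — no `.github/dependabot.yml` or Renovate config for the `github-actions` ecosystem. Without that, the project gets the immutability of the pin but loses the update path, and the `# v4.1.7` annotation stops matching the SHA as soon as a fix lands upstream. Suggest adding a Dependabot entry with `package-ecosystem: "github-actions"` and `directory: "/"`, which bumps the SHA and keeps the trailing version comment in sync, so that pinning does not turn into pinning-to-a-vulnerable-release.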
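Review bot: The comment added above the CentOS 7 step explains why it stays on `actions/checkout@f43a0e5… # v3.6.0`, but not that v3 runs on the Node 16 action runtime that GitHub has been deprecating, so this pin is a known dead end rather than a stable exception; CentOS 7 itself also reaches end of life around the date of this patch, if I have the date right. Worth saying so where the next maintainer will see it, e.g. `# CentOS 7 uses an older glibc, only v3 of actions/checkout can be used. v3 is on the deprecated Node 16 runtime, so this job needs a replacement (manual git clone, or dropping CentOS 7) before that runtime is removed.` The job definition continues past the end of the hunk.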
@@ -90,7 +91,7 @@ jobs: runs-on: ubuntu-latest container: rockylinux:8 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install dependencies run: | @@ -134,7 +135,7 @@ jobs: runs-on: ubuntu-latest name: FreeBSD steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Build in FreeBSD uses: vmactions/freebsd-vm@f8be330398166d1eb0601f01353839d4052367b2 # v1.0.7 @@ -148,7 +149,7 @@ jobs: name: macOS runs-on: macos-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install dependencies run: | @@ -167,13 +168,13 @@ jobs: name: Windows runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install dependencies run: | choco install -y ninja memurai-developer - - uses: ilammy/msvc-dev-cmd@v1 + - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 - name: Build library run: | mkdir build && cd build @@ -185,7 +186,7 @@ jobs: run: .\tests\client_test.exe - name: Install Cygwin Action - uses: cygwin/cygwin-install-action@v2 + uses: cygwin/cygwin-install-action@006ad0b0946ca6d0a3ea2d4437677fa767392401 # v4 with: packages: make git gcc-core diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 578ed705..7023c43a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,7 +10,7 @@ jobs: name: Run static checkers runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Run clang-format style check (.c and .h) uses: jidicula/clang-format-action@c74383674bf5f7c69f60ce562019c1c94bc1421a # v4.13.0 
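Review bot: In the Windows/Cygwin hunk, `cygwin/cygwin-install-action@006ad0b… # v4` annotates the hash with a floating major tag instead of the exact release the SHA was taken from, unlike every other pin in this commit (`# v4.1.7`, `# v1.13.0`, `# v1.0.7`), so a reader cannot verify the hash against a specific release. That line also moves from `v2` to `v4`, and elsewhere in this commit release-drafter (v5 → v6.0.0) and the spellcheck action (0.33.1 → 0.38.0) cross major versions too, while the commit message describes the change purely as pinning. Suggest annotating with the precise tag the SHA resolves to, e.g. `# v4.0.0` if that is the corresponding release, and listing the version jumps in the commit message so the behavioural upgrades are reviewed as such rather than hidden under "pin".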
@@ -51,7 +51,7 @@ jobs: run: | git clone --depth 1 --branch 7.2.5 https://github.com/valkey-io/valkey.git cd valkey && BUILD_TLS=yes make install - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Create build folder run: cmake -E make_directory build - name: Generate makefiles @@ -80,7 +80,7 @@ jobs: name: Installation tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Prepare uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2 with: @@ -117,7 +117,7 @@ jobs: - name: Prepare run: | brew install cmake ninja openssl - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Build run: | mkdir build && cd build @@ -128,7 +128,7 @@ jobs: name: Windows runs-on: windows-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 - name: Prepare run: | @@ -144,7 +144,7 @@ jobs: name: Windows (MinGW64) runs-on: windows-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up MinGW uses: msys2/setup-msys2@d0e80f58dffbc64f6a3a1f43527d469b4fc7b6c8 # v2.23.0 with: diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 335164a9..d1728476 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml 
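Review bot: The pinned checkout in this hunk sits directly after `git clone --depth 1 --branch 7.2.5 https://github.com/valkey-io/valkey.git` followed by `make install` onto the runner, which fetches the server under test by a mutable tag name — the same class of movable reference the commit message says it is eliminating for actions. A moved or force-pushed `7.2.5` tag would put an arbitrary build into the job; the blast radius is the job itself unless it has secrets in scope, which this hunk does not show. If the same immutability is wanted here, record the commit the tag currently resolves to and check it after the clone, e.g. `test "$(git -C valkey rev-parse HEAD)" = "<expected-sha>"`, or document that source pins are deliberately tag-based; the same pattern appears in db-compatibility.yml with `${{ matrix.valkey-version }}` and `${{ matrix.redis-version }}`.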
@@ -14,7 +14,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 1 diff --git a/.github/workflows/db-compatibility.yml b/.github/workflows/db-compatibility.yml index a39dbd6b..8a43e822 100644 --- a/.github/workflows/db-compatibility.yml +++ b/.github/workflows/db-compatibility.yml @@ -24,7 +24,7 @@ jobs: run: | git clone --depth 1 --branch ${{ matrix.valkey-version }} https://github.com/valkey-io/valkey.git cd valkey && BUILD_TLS=yes make install - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Create build folder run: cmake -E make_directory build - name: Generate makefiles @@ -72,7 +72,7 @@ jobs: run: | git clone --depth 1 --branch ${{ matrix.redis-version }} https://github.com/redis/redis.git cd redis && BUILD_TLS=yes make install - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Create build folder run: cmake -E make_directory build diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index ec2d88bf..632d060e 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: # Drafts your next Release notes as Pull Requests are merged into "master" - - uses: release-drafter/release-drafter@v5 + - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0 with: # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml config-name: release-drafter-config.yml diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml index e1528415..e2f162da 100644 
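Review bot: In release-drafter.yml, `release-drafter/release-drafter@3f0f870… # v6.0.0` replaces the floating `v5` tag with a v6 hash, which is a major-version upgrade and not just a pin, so v6's changed defaults should be checked rather than assumed equivalent. release-drafter needs to write releases, and whether this job declares a `permissions:` block is outside the hunk, so it is worth confirming that the job runs with an explicitly scoped token instead of whatever the repository default grants. If no stanza exists, a least-privilege one would be `permissions:` / `  contents: write` / `  pull-requests: read` on the job.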
--- a/.github/workflows/spellcheck.yml +++ b/.github/workflows/spellcheck.yml @@ -6,9 +6,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Check Spelling - uses: rojopolis/spellcheck-github-actions@0.33.1 + uses: rojopolis/spellcheck-github-actions@d354a4dc525c8067555c7481b60416cedb0060ff # 0.38.0 with: config_path: .github/spellcheck-settings.yml task_name: Markdown diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b0023a06..136aaec6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Install prerequisites run: sudo apt-get update && sudo apt-get install -y libev-dev libevent-dev libglib2.0-dev libssl-dev valgrind - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Run make run: make all examples - name: Run unittests @@ -30,7 +30,7 @@ jobs: steps: - name: Install prerequisites run: sudo apt-get update && sudo apt-get install gcc-multilib - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Run make run: make 32bit - name: Run unittests @@ -58,7 +58,7 @@ jobs: - name: Install platform toolset if: matrix.toolset run: sudo apt-get install -y gcc-${{matrix.toolset}} - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Run make run: make all env:
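Review bot: In test.yml, the 32-bit job's prerequisite step `sudo apt-get update && sudo apt-get install gcc-multilib` is the only one of the three hunks without `-y`; the other two use `apt-get install -y …`. If apt has to pull in additional packages it asks for confirmation, which in a non-interactive CI step can abort — presumably this has been working, but the inconsistency is worth fixing while the file is being touched: `run: sudo apt-get update && sudo apt-get install -y gcc-multilib`. This is a context line the commit does not change, so a follow-up is fine.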