From 1af944e48bb13e3050956d063d118a20b4daba6b Mon Sep 17 00:00:00 2001 From: kranurag7 <81210977+kranurag7@users.noreply.github.com> Date: Tue, 30 Jul 2024 14:27:21 +0530 Subject: [PATCH] fix helm chart publish workflow (#220) uses SHAs for pinning third party action workflows. Signed-off-by: kranurag7 <81210977+kranurag7@users.noreply.github.com> Co-authored-by: Matt Ray --- .github/workflows/helm-test.yml | 10 +++++----- .github/workflows/publish.yml | 13 +++++++------ .github/workflows/stale.yml | 2 +- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml index d12bdb6..2e3fa00 100644 --- a/.github/workflows/helm-test.yml +++ b/.github/workflows/helm-test.yml @@ -18,21 +18,21 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - - uses: azure/setup-helm@v3 + - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 with: version: 'v3.15.2' - - uses: actions/setup-python@v4 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: python-version: '3.9' check-latest: true - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.1 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: List changed charts id: list-changed @@ -49,7 +49,7 @@ jobs: run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml - name: Create kind cluster - uses: helm/kind-action@v1.10.0 + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 if: steps.list-changed.outputs.changed == 'true' - name: Run chart-testing (install) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index fa40946..c9d7eff 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
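Review bot: The trailing comments on the new pins in the first helm-test.yml hunk name only a moving major tag (`# v4` on actions/checkout and actions/setup-python, `# v3` on azure/setup-helm), so a reader cannot tell which release each SHA was taken from or check it against the upstream tag. I would record the exact release instead, e.g. `uses: actions/checkout@<sha> # vX.Y.Z`, as the chart-testing-action and kind-action lines already do with `# v2.6.1` and `# v1.10.0`. The same applies to the `# v4`, `# v3` and `# v1` comments in the publish.yml hunks and to `# v8` in stale.yml. A pinned SHA also stops picking up upstream fixes on its own, and whether an update bot covers `.github/workflows` is not visible in this patch, so that is worth confirming.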
@@ -18,12 +18,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Install Helm - uses: azure/setup-helm@v3 + uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 - name: Configure Git run: | @@ -39,20 +39,21 @@ jobs: run: | helm-docs . - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 with: registry: ghcr.io username: ${ GITHUB_REPOSITORY_OWNER } password: ${{ secrets.GITHUB_TOKEN }} - name: Run chart-releaser - uses: helm/chart-releaser-action@1.6.0 + uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 with: charts_dir: charts config: './.github/configs/cr.yaml' env: CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}' CR_RELEASE_NAME_TEMPLATE: '{{ .Version }}-helm' - - uses: sigstore/cosign-installer@3.5.0 + + - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - name: Push chart to GHCR env: COSIGN_EXPERIMENTAL: 1 @@ -65,7 +66,7 @@ jobs: helm push "${pkg}" oci://ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/charts |& tee .digest cosign sign $(cat .digest | awk -F "[, ]+" '/Pushed/{print $NF}') done - - uses: oras-project/setup-oras@v1 + - uses: oras-project/setup-oras@ca28077386065e263c03428f4ae0c09024817c93 # v1 with: version: 1.2.0 - name: Push chart to GHCR diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 275414c..05712a3 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
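Review bot: In the first publish.yml hunk the `Install Helm` step is now pinned by SHA but still passes no `version` input, so the Helm binary that packages and pushes the release is whatever the action resolves at run time, while helm-test.yml fixes it to `'v3.15.2'`. Adding `with:` and `version: 'v3.15.2'` under that step would make the release job use the same Helm the charts were tested with. It would also remove a remaining unpinned download from the job that handles `secrets.GITHUB_TOKEN`.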
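Review bot: The `Login to GHCR` step in the second publish.yml hunk passes `username: ${ GITHUB_REPOSITORY_OWNER }`, which is not a `${{ … }}` expression and is not expanded by a shell inside a `with:` block, so docker/login-action would receive that literal text if the file really reads this way (it may be an artifact of how the patch was rendered). Since the commit is about fixing the publish workflow, I would change it to `username: ${{ github.repository_owner }}`. This step and the chart-releaser step both receive `secrets.GITHUB_TOKEN`, and the job's `permissions:` block lies outside the hunk, so it is worth confirming that the token is scoped to what the release needs.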
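Review bot: In the third publish.yml hunk the signing loop derives the reference to sign from `helm push … |& tee .digest` and then runs `cosign sign $(cat .digest | awk …)` unquoted. If the step runs under the default `bash -e` without `pipefail` (the `shell:` setting and the start of the loop are outside the hunk), a failed `helm push` is masked by `tee` and `cosign sign` is called with an empty or unexpected argument. I would start the script with `set -euo pipefail`, capture the value with `ref="$(awk -F '[, ]+' '/Pushed/{print $NF}' .digest)"`, and call `cosign sign "${ref}"` only when `ref` is non-empty. That way the job fails instead of continuing when the push output is not what the parser expects.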
@@ -7,7 +7,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v8 + - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8 with: stale-issue-message: 'This issue has been marked as stale because it has been open for 180 days with no activity. Please remove the stale label or comment or this issue will be closed in 5 days.' close-issue-message: 'This issue was closed because it has been inactive for 185 days with no activity.'