From 8c3c6c3841dd7491b1e2e782e19ec40535500110 Mon Sep 17 00:00:00 2001
From: David Arthur
Date: Thu, 10 Oct 2024 16:20:49 -0400
Subject: [PATCH] KAFKA-17193: Pin all external GitHub Actions to the specific git hash (#16960) (#17461)
Co-authored-by: Mickael Maison
Reviewers: Chia-Ping Tsai , Colin P. McCabe
---
 .github/workflows/docker_build_and_test.yml | 2 +-
 .github/workflows/docker_official_image_build_and_test.yml | 2 +-
 .github/workflows/docker_promote.yml | 6 +++---
 .github/workflows/docker_rc_release.yml | 6 +++---
 .github/workflows/docker_scan.yml | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/docker_build_and_test.yml b/.github/workflows/docker_build_and_test.yml
index dc6214633f959..2618a717c7b20 100644
--- a/.github/workflows/docker_build_and_test.yml
+++ b/.github/workflows/docker_build_and_test.yml
@@ -46,7 +46,7 @@ jobs:
 run: |
 python docker_build_test.py kafka/test -tag=test -type=${{ github.event.inputs.image_type }} -u=${{ github.event.inputs.kafka_url }}
 - name: Run CVE scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
 with:
 image-ref: 'kafka/test:test'
 format: 'table'
diff --git a/.github/workflows/docker_official_image_build_and_test.yml b/.github/workflows/docker_official_image_build_and_test.yml
index c3219bd8aa942..1db476de53285 100644
--- a/.github/workflows/docker_official_image_build_and_test.yml
+++ b/.github/workflows/docker_official_image_build_and_test.yml
@@ -45,7 +45,7 @@ jobs:
 run: |
 python docker_official_image_build_test.py kafka/test -tag=test -type=${{ github.event.inputs.image_type }} -v=${{ github.event.inputs.kafka_version }}
 - name: Run CVE scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
 with:
 image-ref: 'kafka/test:test'
 format: 'table'
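Review bot: The `run:` context line in the `docker_build_and_test.yml` hunk expands `${{ github.event.inputs.image_type }}` and `${{ github.event.inputs.kafka_url }}` straight into the shell script, so the shell parses the input text as script rather than receiving it as data; the `docker_official_image_build_and_test.yml` hunk does the same with `image_type` and `kafka_version`. These look like manual-dispatch inputs, which would limit who can supply them, but the trigger is outside the hunk and should be confirmed. Passing the values through `env:` and quoting them in the script keeps them as plain arguments. The step begins above the hunk, so its name is not shown below.

```yaml
# … unchanged: step name (above the hunk) …
env:
  IMAGE_TYPE: ${{ github.event.inputs.image_type }}
  KAFKA_URL: ${{ github.event.inputs.kafka_url }}
run: |
  python docker_build_test.py kafka/test -tag=test -type="$IMAGE_TYPE" -u="$KAFKA_URL"
```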
diff --git a/.github/workflows/docker_promote.yml b/.github/workflows/docker_promote.yml
index 04872f9d59d3b..d22a8458c97a7 100644
--- a/.github/workflows/docker_promote.yml
+++ b/.github/workflows/docker_promote.yml
@@ -31,11 +31,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USER }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/docker_rc_release.yml b/.github/workflows/docker_rc_release.yml
index 3a06064d62ed6..dbca7fe23c117 100644
--- a/.github/workflows/docker_rc_release.yml
+++ b/.github/workflows/docker_rc_release.yml
@@ -47,11 +47,11 @@ jobs:
 python -m pip install --upgrade pip
 pip install -r docker/requirements.txt
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USER }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/docker_scan.yml b/.github/workflows/docker_scan.yml
index 2134ef7eef4e1..b7efaa4ff95dc 100644
--- a/.github/workflows/docker_scan.yml
+++ b/.github/workflows/docker_scan.yml
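Review bot: In `docker_promote.yml` the `docker/login-action` pin sits on the step that receives `DOCKERHUB_USER` and `DOCKERHUB_TOKEN`, and nothing checks that the SHA is the commit the trailing `# v3.3.0` comment names. A full SHA can also resolve to a commit that exists only in a fork of the action repository, so each hash should be confirmed against the upstream tag before merge. The same applies to the `setup-qemu-action` and `setup-buildx-action` pins in this hunk, the identical three in `docker_rc_release.yml`, and the `trivy-action` pins in the build and scan workflows. SHA pins no longer pick up upstream fixes on their own, so an update mechanism such as a Dependabot `github-actions` entry is worth adding if the repository does not already have one. The job continues outside the hunk.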
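Review bot: In `docker_rc_release.yml` the context lines `python -m pip install --upgrade pip` and `pip install -r docker/requirements.txt` remain a third-party input that this commit does not pin, in the same job that later logs in to Docker Hub with `DOCKERHUB_TOKEN`. Whether `docker/requirements.txt` fixes versions and hashes is not visible from this hunk. If it does not, the release path still pulls mutable code despite the action pins. Consider a hash-locked install, `pip install --require-hashes -r docker/requirements.txt`, and dropping or pinning the pip self-upgrade. The `run:` block starts above the hunk.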
@@ -29,7 +29,7 @@ jobs:
 supported_image_tag: ['latest', '3.7.0']
 steps:
 - name: Run CVE scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
 if: always()
 with:
 image-ref: apache/kafka:${{ matrix.supported_image_tag }}