ci: pin GitHub Actions workflow actions by hash (#1422)

as recommended in 5758364c82/docs/checks.md (pinned-dependencies)

Ref #1298
Yusuke Kuoka 2022-05-11 19:41:30 +09:00 committed by GitHub
parent c1e5829b03
commit d01595cfbc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 53 additions and 30 deletions


@ -12,18 +12,21 @@ env:
KUBE_SCORE_VERSION: 1.10.0 KUBE_SCORE_VERSION: 1.10.0
HELM_VERSION: v3.8.0 HELM_VERSION: v3.8.0
permissions:
contents: read
jobs: jobs:
lint-test: lint-test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: Lint Chart name: Lint Chart
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Set up Helm - name: Set up Helm
uses: azure/setup-helm@v2.1 uses: azure/setup-helm@217bf70cbd2e930ba2e81ba7e1de2f7faecc42ba
with: with:
version: ${{ env.HELM_VERSION }} version: ${{ env.HELM_VERSION }}
@ -44,12 +47,12 @@ jobs:
--enable-optional-test container-security-context-readonlyrootfilesystem --enable-optional-test container-security-context-readonlyrootfilesystem
# python is a requirement for the chart-testing action below (supports yamllint among other tests) # python is a requirement for the chart-testing action below (supports yamllint among other tests)
- uses: actions/setup-python@v3 - uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
with: with:
python-version: 3.7 python-version: 3.7
- name: Set up chart-testing - name: Set up chart-testing
uses: helm/chart-testing-action@v2.2.1 uses: helm/chart-testing-action@62a185010be4cb08459f7acb19f37927235d5cf3
- name: Run chart-testing (list-changed) - name: Run chart-testing (list-changed)
id: list-changed id: list-changed
@ -63,7 +66,7 @@ jobs:
run: ct lint --config charts/.ci/ct-config.yaml run: ct lint --config charts/.ci/ct-config.yaml
- name: Create kind cluster - name: Create kind cluster
uses: helm/kind-action@v1.2.0 uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478
if: steps.list-changed.outputs.changed == 'true' if: steps.list-changed.outputs.changed == 'true'
# We need cert-manager already installed in the cluster because we assume the CRDs exist # We need cert-manager already installed in the cluster because we assume the CRDs exist
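Review bot: The new hash pins carry no indication of which tagged release they were resolved from, e.g. `uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28` on the Checkout step, so a reviewer cannot tell a release commit from an arbitrary ref without resolving the SHA upstream, and Dependabot/Renovate need a trailing version comment to keep a hash pin current. I'd suffix every `uses:` line in the hunk with the tag the SHA was resolved from, e.g. `uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 # <tag resolved for this commit>`, and the same for the `azure/setup-helm`, `actions/setup-python`, `helm/chart-testing-action` and `helm/kind-action` pins. The tag text should come from the resolution actually performed for this change, not be guessed after the fact. The `lint-test` job continues past the end of the hunk.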


@ -15,6 +15,9 @@ env:
KUBE_SCORE_VERSION: 1.10.0 KUBE_SCORE_VERSION: 1.10.0
HELM_VERSION: v3.8.0 HELM_VERSION: v3.8.0
permissions:
contents: read
jobs: jobs:
lint-chart: lint-chart:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -23,12 +26,12 @@ jobs:
publish-chart: ${{ steps.publish-chart-step.outputs.publish }} publish-chart: ${{ steps.publish-chart-step.outputs.publish }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Set up Helm - name: Set up Helm
uses: azure/setup-helm@v2.1 uses: azure/setup-helm@217bf70cbd2e930ba2e81ba7e1de2f7faecc42ba
with: with:
version: ${{ env.HELM_VERSION }} version: ${{ env.HELM_VERSION }}
@ -49,12 +52,12 @@ jobs:
--enable-optional-test container-security-context-readonlyrootfilesystem --enable-optional-test container-security-context-readonlyrootfilesystem
# python is a requirement for the chart-testing action below (supports yamllint among other tests) # python is a requirement for the chart-testing action below (supports yamllint among other tests)
- uses: actions/setup-python@v3 - uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
with: with:
python-version: 3.7 python-version: 3.7
- name: Set up chart-testing - name: Set up chart-testing
uses: helm/chart-testing-action@v2.2.1 uses: helm/chart-testing-action@62a185010be4cb08459f7acb19f37927235d5cf3
- name: Run chart-testing (list-changed) - name: Run chart-testing (list-changed)
id: list-changed id: list-changed
@ -68,7 +71,7 @@ jobs:
run: ct lint --config charts/.ci/ct-config.yaml run: ct lint --config charts/.ci/ct-config.yaml
- name: Create kind cluster - name: Create kind cluster
uses: helm/kind-action@v1.2.0 uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478
if: steps.list-changed.outputs.changed == 'true' if: steps.list-changed.outputs.changed == 'true'
# We need cert-manager already installed in the cluster because we assume the CRDs exist # We need cert-manager already installed in the cluster because we assume the CRDs exist
@ -97,6 +100,8 @@ jobs:
fi fi
publish-chart: publish-chart:
permissions:
contents: write # for helm/chart-releaser-action to push chart release and create a release
if: needs.lint-chart.outputs.publish-chart == 'true' if: needs.lint-chart.outputs.publish-chart == 'true'
needs: lint-chart needs: lint-chart
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -104,7 +109,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
with: with:
fetch-depth: 0 fetch-depth: 0
@ -114,7 +119,7 @@ jobs:
git config user.email "$GITHUB_ACTOR@users.noreply.github.com" git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Run chart-releaser - name: Run chart-releaser
uses: helm/chart-releaser-action@v1.4.0 uses: helm/chart-releaser-action@fc23f249f75decd5edf254c6b4401532cef093c3
env: env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
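Review bot: The `publish-chart` job's Checkout step (`uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28` with `fetch-depth: 0`) now runs under the job-level `contents: write` grant, and actions/checkout, as far as I recall its defaults, persists the job token into the local git config for the rest of the job. The chart-releaser step receives the token explicitly through `CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"`, so if the releaser does not also depend on the persisted git credential, adding `persist-credentials: false` under that checkout's `with:` would keep the write-scoped token out of `.git/config` for the later steps; please confirm against chart-releaser-action's push path before changing it. Job-level `permissions:` also replaces the workflow-level block rather than merging with it, so any further scope this job needs must be listed in the same block. The job body continues beyond the hunk.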


@ -16,9 +16,9 @@ jobs:
run: echo ::set-output name=sha_short::${GITHUB_SHA::7} run: echo ::set-output name=sha_short::${GITHUB_SHA::7}
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
- uses: actions/setup-go@v3 - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab
with: with:
go-version: '1.17.7' go-version: '1.17.7'
@ -42,22 +42,22 @@ jobs:
run: make github-release run: make github-release
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v1 uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480
- name: Set up Docker Buildx - name: Set up Docker Buildx
id: buildx id: buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@f211e3e9ded2d9377c8cadc4489a4e38014bc4c9
with: with:
version: latest version: latest
- name: Login to DockerHub - name: Login to DockerHub
uses: docker/login-action@v1 uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7
with: with:
username: ${{ secrets.DOCKER_USER }} username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_ACCESS_TOKEN }} password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
- name: Build and Push - name: Build and Push
uses: docker/build-push-action@v2 uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with: with:
file: Dockerfile file: Dockerfile
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
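Review bot: No `permissions:` block appears in this workflow's hunks, unlike the six workflows that gain `contents: read` in this commit, yet the job handles `secrets.DOCKER_ACCESS_TOKEN` and runs `make github-release`; if the file has no workflow-level `permissions:` outside the visible hunks, the job still runs with the default token scope, and an explicit `permissions:` with `contents: write` (presumably what the release step needs) plus nothing else would bring it in line with the rest of the change. Separately, `docker/setup-buildx-action` is now pinned by hash but still passes `version: latest`, which fetches an unpinned buildx binary at run time and undercuts the pinning this commit introduces; pin it as well, e.g. `version: <specific buildx release>`. The enclosing job starts above the first hunk.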


@ -42,7 +42,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
- name: Setup Docker Environment - name: Setup Docker Environment
id: vars id: vars
@ -54,7 +54,7 @@ jobs:
ghcr_password: ${{ secrets.GITHUB_TOKEN }} ghcr_password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and Push Versioned Tags - name: Build and Push Versioned Tags
uses: docker/build-push-action@v2 uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with: with:
context: ./runner context: ./runner
file: ./runner/${{ matrix.dockerfile }} file: ./runner/${{ matrix.dockerfile }}
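Review bot: This workflow pushes to GHCR with `ghcr_password: ${{ secrets.GITHUB_TOKEN }}` but, like the release workflow, shows no `permissions:` block in its hunks, so unless one exists outside the visible lines the push relies on the default token scope rather than an explicit grant. Declaring `permissions: contents: read` at workflow level and `packages: write` on this job (the scope a GHCR push needs) would keep the least-privilege pattern the other workflows adopt here while still allowing the push. The `Build and Push Versioned Tags` step's `with:` block continues past the hunk.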


@ -4,11 +4,17 @@ on:
# 01:30 every day # 01:30 every day
- cron: '30 1 * * *' - cron: '30 1 * * *'
permissions:
contents: read
jobs: jobs:
stale: stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/stale@v5 - uses: actions/stale@428b0ed64d74596742200dc98805bb90f39ef9f0
with: with:
stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.' stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
# turn off stale for both issues and PRs # turn off stale for both issues and PRs


@ -9,13 +9,16 @@ on:
- 'test/entrypoint/**' - 'test/entrypoint/**'
- '!**.md' - '!**.md'
permissions:
contents: read
jobs: jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: Test entrypoint name: Test entrypoint
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
- name: Run unit tests for entrypoint.sh - name: Run unit tests for entrypoint.sh
run: | run: |
make acceptance/runner/entrypoint make acceptance/runner/entrypoint


@ -15,19 +15,22 @@ on:
- '**.md' - '**.md'
- '.gitignore' - '.gitignore'
permissions:
contents: read
jobs: jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: Test name: Test
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
- uses: actions/setup-go@v3 - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab
with: with:
go-version: '1.17.7' go-version: '1.17.7'
check-latest: false check-latest: false
- run: go version - run: go version
- uses: actions/cache@v3 - uses: actions/cache@730dc31003a72af3c3b4bf51268c167ad4c67ad6
with: with:
path: ~/go/pkg/mod path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}


@ -14,6 +14,9 @@ on:
- "**.md" - "**.md"
- ".gitignore" - ".gitignore"
permissions:
contents: read
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -22,19 +25,19 @@ jobs:
DOCKERHUB_USERNAME: ${{ secrets.DOCKER_USER }} DOCKERHUB_USERNAME: ${{ secrets.DOCKER_USER }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v1 uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480
- name: Set up Docker Buildx - name: Set up Docker Buildx
id: buildx id: buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@f211e3e9ded2d9377c8cadc4489a4e38014bc4c9
with: with:
version: latest version: latest
- name: Login to DockerHub - name: Login to DockerHub
uses: docker/login-action@v1 uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7
with: with:
username: ${{ secrets.DOCKER_USER }} username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_ACCESS_TOKEN }} password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
@ -42,7 +45,7 @@ jobs:
# Considered unstable builds # Considered unstable builds
# See Issue #285, PR #286, and PR #323 for more information # See Issue #285, PR #286, and PR #323 for more information
- name: Build and Push - name: Build and Push
uses: docker/build-push-action@v2 uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with: with:
file: Dockerfile file: Dockerfile
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64