From c706116bf3ee1f531824d5181998c756f3c1a336 Mon Sep 17 00:00:00 2001
From: Andrea Amorosi
Date: Mon, 8 May 2023 15:15:33 +0200
Subject: [PATCH] chore: pin all 3rd party actions
---
 .github/workflows/closed-issues-message.yml | 2 +-
 .github/workflows/dispatch_analytics.yml | 2 +-
 .github/workflows/label_pr_on_title.yml | 4 ++--
 .github/workflows/make-release.yml | 4 ++--
 .github/workflows/measure-packages-size.yml | 6 +++---
 .github/workflows/on-merge-to-main.yml | 6 +++---
 .github/workflows/on-workflows-push-pr.yml | 18 ++---------------
 .github/workflows/on_opened_pr.yml | 4 ++--
 .github/workflows/post-release.yml | 4 ++--
 .github/workflows/publish_layer.yml | 6 +++---
 .github/workflows/record_pr.yml | 6 +++---
 .github/workflows/reusable-publish-docs.yml | 8 ++++----
 ...sable-run-linting-check-and-unit-tests.yml | 16 +++++++--------
 .../workflows/reusable_deploy_layer_stack.yml | 10 +++++-----
 .../workflows/reusable_export_pr_details.yml | 16 +++++++--------
 .../reusable_update_layer_arn_docs.yml | 4 ++--
 .github/workflows/run-e2e-tests.yml | 20 +++++++++----------
 .github/workflows/stale-issues.yml | 2 +-
 18 files changed, 62 insertions(+), 76 deletions(-)
diff --git a/.github/workflows/closed-issues-message.yml b/.github/workflows/closed-issues-message.yml
index 7169911a76..2ba272de74 100644
--- a/.github/workflows/closed-issues-message.yml
+++ b/.github/workflows/closed-issues-message.yml
@@ -6,7 +6,7 @@ jobs:
 auto_comment:
 runs-on: ubuntu-latest
 steps:
- - uses: aws-actions/closed-issue-message@v1
+ - uses: aws-actions/closed-issue-message@36b7048ea77bb834d16e7a7c5b5471ac767a4ca1 # v1.0.0
 with:
 # These inputs are both required
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/dispatch_analytics.yml b/.github/workflows/dispatch_analytics.yml
index 49a276f6f6..b5bf7ea8ff 100644
--- a/.github/workflows/dispatch_analytics.yml
+++ b/.github/workflows/dispatch_analytics.yml
@@ -29,7 +29,7 @@ jobs:
 environment: analytics
 steps:
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef
+ uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
 with:
 aws-region: eu-central-1
 role-to-assume: ${{ secrets.AWS_ANALYTICS_ROLE_ARN }}
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index 8037329015..f803c0c6a2 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -22,9 +22,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: "Label PR based on title"
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 env:
 PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}
 PR_TITLE: ${{ needs.get_pr_details.outputs.prTitle }}
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index 895e8aa9e5..1b1cb46c08 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -13,14 +13,14 @@ jobs:
 RELEASE_VERSION: ${{ steps.set-release-version.outputs.RELEASE_VERSION }}
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 # Here `token` is needed to avoid incurring in error GH006 Protected Branch Update Failed,
 token: ${{ secrets.GH_PUBLISH_TOKEN }}
 # While `fetch-depth` is used to allow the workflow to later commit & push the changes.
 fetch-depth: 0
 - name: Setup NodeJS
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
 with:
 node-version: "18"
 cache: "npm"
diff --git a/.github/workflows/measure-packages-size.yml b/.github/workflows/measure-packages-size.yml
index a0795fc3f4..ff52dfeaca 100644
--- a/.github/workflows/measure-packages-size.yml
+++ b/.github/workflows/measure-packages-size.yml
@@ -18,16 +18,16 @@ jobs:
 # we need first to use the PR number to retrieve the PR SHA number. This means we need three steps to: checkout the repo,
 # run a custom script to get the SHA, and then finally checkout the PR branch
 - name: Checkout Repo
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Extract PR details
 id: extract_PR_details
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 with:
 script: |
 const script = require('.github/scripts/get_pr_info.js');
 await script({github, context, core});
 - name: Checkout PR code
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 ref: ${{ steps.extract_PR_details.outputs.headSHA }}
 - name: Packages size report
diff --git a/.github/workflows/on-merge-to-main.yml b/.github/workflows/on-merge-to-main.yml
index 71567ad1cb..7995d385d1 100644
--- a/.github/workflows/on-merge-to-main.yml
+++ b/.github/workflows/on-merge-to-main.yml
@@ -26,7 +26,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Update release draft
 uses: release-drafter/release-drafter@569eb7ee3a85817ab916c8f8ff03a5bd96c9c83e # v5.23.0
 env:
@@ -35,9 +35,9 @@ jobs:
 needs: [get_pr_details, update-release-draft]
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: "Label PR related issue for release"
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 env:
 PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}
 PR_BODY: ${{ needs.get_pr_details.outputs.prBody }}
diff --git a/.github/workflows/on-workflows-push-pr.yml b/.github/workflows/on-workflows-push-pr.yml
index 5b272f9357..d8642f5715 100644
--- a/.github/workflows/on-workflows-push-pr.yml
+++ b/.github/workflows/on-workflows-push-pr.yml
@@ -14,20 +14,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Ensure 3rd party workflows have SHA pinned
- uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b9ddf6a5153efe6fb94f071c8915175afdce60fa # v2.1.0
- with:
- # Trusted GitHub Actions and/or organizations
- allowlist: |
- aws-actions/
- actions/stale
- actions/checkout
- actions/github-script
- actions/setup-node
- actions/setup-python
- actions/upload-artifact
- actions/download-artifact
- github/codeql-action/init
- github/codeql-action/analyze
- dependabot/fetch-metadata
\ No newline at end of file
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@21991cec25093947ff3f62e4c223df0260c39944 # v2.1.2
\ No newline at end of file
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index ff0b2bea6a..0c0b9c62b4 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -19,11 +19,11 @@ jobs:
 needs: get_pr_details
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: "Debug workflow_run event"
 run: echo "${{ github }}"
 - name: "Ensure related issue is present"
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 env:
 PR_BODY: ${{ needs.get_pr_details.outputs.prBody }}
 PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
index cce883a503..7d08af4771 100644
--- a/.github/workflows/post-release.yml
+++ b/.github/workflows/post-release.yml
@@ -23,9 +23,9 @@ jobs:
 env:
 RELEASE_VERSION: ${{ inputs.versionNumber }}
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Update issues related to release
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index 5e17a3fc10..bf5f03cd7e 100644
--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
@@ -33,11 +33,11 @@ jobs:
 if: ${{ (github.event.workflow_run.conclusion == 'success') || (github.event_name == 'workflow_dispatch') }}
 steps:
 - name: checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 fetch-depth: 0
 - name: Setup Node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
 with:
 node-version: "18"
 - name: Set release notes tag
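Review bot: In on_opened_pr.yml the unchanged step `run: echo "${{ github }}"` still interpolates an expression directly into the shell script, while the step after it passes PR data through `env:`. As far as I can tell an object rendered without `toJSON()` prints only a placeholder, so the step is probably harmless but also useless as a debug aid. If the intent is to dump the event, route it through an environment variable, e.g. `env: GITHUB_CONTEXT: ${{ toJSON(github) }}` with `run: echo "$GITHUB_CONTEXT"`, or drop the step. The job definition starts and continues outside the hunk.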
@@ -57,7 +57,7 @@ jobs: - name: Zip output run: zip -r cdk.out.zip layers/cdk.out - name: Archive CDK artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: cdk-layer-artifact path: cdk.out.zip diff --git a/.github/workflows/record_pr.yml b/.github/workflows/record_pr.yml index 39b9ec4361..882c54e6ed 100644 --- a/.github/workflows/record_pr.yml +++ b/.github/workflows/record_pr.yml @@ -9,14 +9,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Extract PR details" - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: script: | const script = require('.github/scripts/save_pr_details.js') await script({github, context, core}) - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: pr path: pr.txt \ No newline at end of file diff --git a/.github/workflows/reusable-publish-docs.yml b/.github/workflows/reusable-publish-docs.yml index 8245a3e1eb..e24fd49a14 100644 --- a/.github/workflows/reusable-publish-docs.yml +++ b/.github/workflows/reusable-publish-docs.yml 
@@ -27,19 +27,19 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 # While `fetch-depth` is used to allow the workflow to later commit & push the changes.
 fetch-depth: 0
 - name: Setup NodeJS
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
 with:
 node-version: "18"
 cache: "npm"
 - name: Setup dependencies
 uses: ./.github/actions/cached-node-modules
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0
 with:
 python-version: "3.8"
 - name: Install doc generation dependencies
@@ -81,7 +81,7 @@ jobs:
 destination_dir: ${{ env.VERSION }}/api
 - name: Release API docs to latest
 if: ${{ inputs.alias == 'latest' }}
- uses: peaceiris/actions-gh-pages@bd8c6b06eba6b3d25d72b7a1767993c0aeee42e7
+ uses: peaceiris/actions-gh-pages@bd8c6b06eba6b3d25d72b7a1767993c0aeee42e7 # v3.9.2
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./api
diff --git a/.github/workflows/reusable-run-linting-check-and-unit-tests.yml b/.github/workflows/reusable-run-linting-check-and-unit-tests.yml
index 535cf49884..8782e5999e 100644
--- a/.github/workflows/reusable-run-linting-check-and-unit-tests.yml
+++ b/.github/workflows/reusable-run-linting-check-and-unit-tests.yml
@@ -14,9 +14,9 @@ jobs:
 fail-fast: false
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Setup NodeJS
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
 with:
 node-version: ${{ matrix.version }}
 cache: "npm"
@@ -43,9 +43,9 @@ jobs:
 working-directory: examples/${{ matrix.example }}
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Setup NodeJS
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
 with:
 node-version: 18
 cache: "npm"
@@ -61,9 +61,9 @@ jobs:
 NODE_ENV: dev
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Setup NodeJS
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
 with:
 node-version: 18
 cache: "npm"
@@ -83,9 +83,9 @@ jobs:
 NODE_ENV: dev
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Setup NodeJS
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
 with:
 node-version: 18
 cache: "npm"
diff --git a/.github/workflows/reusable_deploy_layer_stack.yml b/.github/workflows/reusable_deploy_layer_stack.yml
index 27bae79314..72b9d63d44 100644
--- a/.github/workflows/reusable_deploy_layer_stack.yml
+++ b/.github/workflows/reusable_deploy_layer_stack.yml
@@ -60,20 +60,20 @@ jobs:
 ]
 steps:
 - name: checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: aws credentials
- uses: aws-actions/configure-aws-credentials@186395a8644e48f35e7b453e8a7128d9a3948296
+ uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
 with:
 aws-region: ${{ matrix.region }}
 role-to-assume: ${{ secrets.target-account-role }}
 - name: Setup Node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
 with:
 node-version: "18"
 - name: Setup dependencies
 uses: ./.github/actions/cached-node-modules
 - name: Download artifact
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: ${{ inputs.artifact-name }}
 - name: Unzip artifact
@@ -88,7 +88,7 @@ jobs:
 cat cdk-layer-stack/${{ matrix.region }}-layer-version.txt
 - name: Save Layer ARN artifact
 if: ${{ inputs.stage == 'PROD' }}
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: cdk-layer-stack
 path: ./cdk-layer-stack/* # NOTE: upload-artifact does not inherit working-directory setting.
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index 760ea8b8f6..7c7997db43 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
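Review bot: The `aws credentials` step in reusable_deploy_layer_stack.yml swaps one commit SHA for another (`186395a…` to `e1e17a…`), so the code that assumes `secrets.target-account-role` changes here; this is more than an added version comment. The same swap appears twice in run-e2e-tests.yml, whereas dispatch_analytics.yml already used `e1e17a…` and only gains the comment. Nothing in the diff ties the trailing `# v2.0.0` to that SHA, so the mapping should be confirmed against the action's tag before merge. The commit message only says "pin" and should also mention the upgrade. The step list continues outside the hunk.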
@@ -50,9 +50,9 @@ jobs: prIsMerged: ${{ steps.prIsMerged.outputs.prIsMerged }} steps: - name: Checkout repository # in case caller workflow doesn't checkout thus failing with file not found - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Download previously saved PR" - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 env: WORKFLOW_ID: ${{ inputs.record_pr_workflow_id }} # For security, we only download artifacts tied to the successful PR recording workflow 
@@ -68,19 +68,19 @@ jobs:
 # otherwise the parent caller won't see them regardless on how outputs are set.
 - name: "Export Pull Request Number"
 id: prNumber
- run: echo "prNumber=$(jq -c '.number' ${FILENAME})" >> $GITHUB_OUTPUT
+ run: echo prNumber="$(jq -c '.number' "${FILENAME}")" >> "$GITHUB_OUTPUT"
 - name: "Export Pull Request Title"
 id: prTitle
- run: echo "prTitle=$(jq -c '.pull_request.title' ${FILENAME})" >> $GITHUB_OUTPUT
+ run: echo prTitle="$(jq -c '.pull_request.title' "${FILENAME}")" >> "$GITHUB_OUTPUT"
 - name: "Export Pull Request Body"
 id: prBody
- run: echo "prBody=$(jq -c '.pull_request.body' ${FILENAME})" >> $GITHUB_OUTPUT
+ run: echo prBody="$(jq -c '.pull_request.body' "${FILENAME}")" >> "$GITHUB_OUTPUT"
 - name: "Export Pull Request Author"
 id: prAuthor
- run: echo "prAuthor=$(jq -c '.pull_request.user.login' ${FILENAME})" >> $GITHUB_OUTPUT
+ run: echo prAuthor="$(jq -c '.pull_request.user.login' "${FILENAME}")" >> "$GITHUB_OUTPUT"
 - name: "Export Pull Request Action"
 id: prAction
- run: echo "prAction=$(jq -c '.action' ${FILENAME})" >> $GITHUB_OUTPUT
+ run: echo prAction="$(jq -c '.action' "${FILENAME}")" >> "$GITHUB_OUTPUT"
 - name: "Export Pull Request Merged status"
 id: prIsMerged
- run: echo "prIsMerged=$(jq -c '.pull_request.merged' ${FILENAME})" >> $GITHUB_OUTPUT
\ No newline at end of file
+ run: echo prIsMerged="$(jq -c '.pull_request.merged' "${FILENAME}")" >> "$GITHUB_OUTPUT"
\ No newline at end of file
diff --git a/.github/workflows/reusable_update_layer_arn_docs.yml b/.github/workflows/reusable_update_layer_arn_docs.yml
index 5d7e383665..99fa656e9e 100644
--- a/.github/workflows/reusable_update_layer_arn_docs.yml
+++ b/.github/workflows/reusable_update_layer_arn_docs.yml
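Review bot: The six rewritten `run:` lines in reusable_export_pr_details.yml write PR-controlled strings (title, body) to `$GITHUB_OUTPUT` with `echo`, and the one-line `key=value` form is only safe because `jq -c` emits each value as a single JSON-encoded line. `echo` handles backslash sequences differently between shells, so under a shell whose `echo` expands `\n`, an escaped newline in a title or body could start a new output entry. `printf` removes that dependency, e.g. `run: printf 'prTitle=%s\n' "$(jq -c '.pull_request.title' "${FILENAME}")" >> "$GITHUB_OUTPUT"`. A comment above the first export such as `# jq -c keeps each value on one line; GITHUB_OUTPUT entries must not contain raw newlines` would record the invariant. The job starts outside the hunk.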
@@ -23,7 +23,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository # reusable workflows start clean, so we need to checkout again
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 fetch-depth: 0
 - name: Git client setup and refresh tip
@@ -34,7 +34,7 @@ jobs:
 git config remote.origin.url >&- || git remote add origin https://github.com/"${origin}" # Git Detached mode (release notes) doesn't have origin
 git pull origin "${BRANCH}"
 - name: Download CDK layer artifact
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: cdk-layer-stack
 path: cdk-layer-stack/
diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml
index dd82dc89d2..8e67675b87 100644
--- a/.github/workflows/run-e2e-tests.yml
+++ b/.github/workflows/run-e2e-tests.yml
@@ -24,12 +24,12 @@ jobs:
 fail-fast: false
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 # If we pass a PR Number when triggering the workflow we will retrieve the PR info and get its headSHA
 - name: Extract PR details
 id: extract_PR_details
 if: ${{ inputs.prNumber != '' }}
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 with:
 script: |
 const script = require('.github/scripts/get_pr_info.js');
@@ -38,11 +38,11 @@ jobs:
 # we checkout the PR at that point in time
 - name: Checkout PR code
 if: ${{ inputs.prNumber != '' }}
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 ref: ${{ steps.extract_PR_details.outputs.headSHA }}
 - name: Setup NodeJS
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
 with:
 node-version: ${{ matrix.version }}
 - name: Setup npm
@@ -52,7 +52,7 @@ jobs:
 # See https://github.com/npm/cli/issues/4475 to see why --foreground-scripts
 run: npm ci --foreground-scripts
 - name: Setup AWS credentials
- uses: aws-actions/configure-aws-credentials@186395a8644e48f35e7b453e8a7128d9a3948296
+ uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
 with:
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_TO_ASSUME }}
 aws-region: eu-west-1
@@ -73,12 +73,12 @@ jobs:
 version: [14, 16, 18]
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 # If we pass a PR Number when triggering the workflow we will retrieve the PR info and get its headSHA
 - name: Extract PR details
 id: extract_PR_details
 if: ${{ inputs.prNumber != '' }}
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 with:
 script: |
 const script = require('.github/scripts/get_pr_info.js');
@@ -87,18 +87,18 @@ jobs:
 # we checkout the PR at that point in time
 - name: Checkout PR code
 if: ${{ inputs.prNumber != '' }}
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 ref: ${{ steps.extract_PR_details.outputs.headSHA }}
 - name: Setup NodeJS
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
 with:
 # Always use version 18
 node-version: 18
 - name: Setup npm
 run: npm i -g npm@next-8
 - name: "Configure AWS credentials"
- uses: aws-actions/configure-aws-credentials@186395a8644e48f35e7b453e8a7128d9a3948296
+ uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
 with:
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_TO_ASSUME }}
 aws-region: eu-west-1
diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml
index 79a53773aa..9e1ad6fca4 100644
--- a/.github/workflows/stale-issues.yml
+++ b/.github/workflows/stale-issues.yml
@@ -10,7 +10,7 @@ jobs:
 permissions:
 issues: write
 steps:
- - uses: actions/stale@v7
+ - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 stale-issue-message: "This issue has not received a response in 2 weeks. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing."
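Review bot: The `actions/stale` line moves from `@v7` to a SHA labelled `# v8.0.0`, which is a major-version upgrade inside a commit described as pinning only. The inputs visible here (`repo-token`, `stale-issue-message`) and any below the hunk should be checked against the v8 release notes. Alternatively, pin to the latest v7 commit and make the upgrade in its own change. The `with:` block continues outside the hunk.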