KAFKA-17193: Pin all external GitHub Actions to the specific git hash (#16960)

Reviewers: Chia-Ping Tsai <chia7712@gmail.com>
2024-08-23 12:37:12 +02:00 · 2024-08-23 12:37:12 +02:00 · eafb92bdce
parent a85f0a89c8
commit eafb92bdce
6 changed files with 10 additions and 10 deletions
--- a/.github/actions/setup-gradle/action.yml
+++ b/.github/actions/setup-gradle/action.yml
@ -37,7 +37,7 @@ runs:
        distribution: temurin
        java-version: ${{ inputs.java-version }}
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v4
+      uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
      env:
        GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
      with:
--- a/.github/workflows/docker_build_and_test.yml
+++ b/.github/workflows/docker_build_and_test.yml
@ -46,7 +46,7 @@ jobs:
      run: |
        python docker_build_test.py kafka/test -tag=test -type=${{ github.event.inputs.image_type }} -u=${{ github.event.inputs.kafka_url }}
    - name: Run CVE scan
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
      with:
        image-ref: 'kafka/test:test'
        format: 'table'
--- a/.github/workflows/docker_official_image_build_and_test.yml
+++ b/.github/workflows/docker_official_image_build_and_test.yml
@ -45,7 +45,7 @@ jobs:
      run: |
        python docker_official_image_build_test.py kafka/test -tag=test -type=${{ github.event.inputs.image_type }} -v=${{ github.event.inputs.kafka_version }}
    - name: Run CVE scan
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
      with:
        image-ref: 'kafka/test:test'
        format: 'table'
--- a/.github/workflows/docker_promote.yml
+++ b/.github/workflows/docker_promote.yml
@ -31,11 +31,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
    - name: Login to Docker Hub
-      uses: docker/login-action@v3
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        username: ${{ secrets.DOCKERHUB_USER }}
        password: ${{ secrets.DOCKERHUB_TOKEN }}
--- a/.github/workflows/docker_rc_release.yml
+++ b/.github/workflows/docker_rc_release.yml
@ -47,11 +47,11 @@ jobs:
        python -m pip install --upgrade pip
        pip install -r docker/requirements.txt
    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
    - name: Login to Docker Hub
-      uses: docker/login-action@v3
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        username: ${{ secrets.DOCKERHUB_USER }}
        password: ${{ secrets.DOCKERHUB_TOKEN }}
--- a/.github/workflows/docker_scan.yml
+++ b/.github/workflows/docker_scan.yml
@ -29,7 +29,7 @@ jobs:
        supported_image_tag: ['latest', '3.7.0']
    steps:
      - name: Run CVE scan
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
        if: always()
        with:
          image-ref: apache/kafka:${{ matrix.supported_image_tag }}