From 030f876ebda18910b72fb2d8d9cbd543e1105630 Mon Sep 17 00:00:00 2001 From: janiussyafiq Date: Thu, 5 Feb 2026 03:59:18 +0000 Subject: [PATCH] ci: pin GitHub Actions to SHAs for security --- .github/workflows/build.yml | 8 ++++---- .github/workflows/check-changelog.yml | 2 +- .github/workflows/cli.yml | 4 ++-- .github/workflows/close-unresponded.yml | 2 +- .github/workflows/code-lint.yml | 4 ++-- .github/workflows/doc-lint.yml | 6 +++--- .github/workflows/docker-standalone.yml | 2 +- .github/workflows/kubernetes-ci.yml | 2 +- .github/workflows/license-checker.yml | 4 ++-- .github/workflows/link-check.yml | 4 ++-- .github/workflows/lint.yml | 6 +++--- .github/workflows/push-dev-image-on-commit.yml | 8 ++++---- .github/workflows/redhat-ci.yaml | 6 +++--- .github/workflows/semantic.yml | 2 +- .github/workflows/source-install.yml | 4 ++-- .github/workflows/stale.yml | 2 +- .github/workflows/tars-ci.yml | 2 +- .github/workflows/update-labels.yml | 6 +++--- 18 files changed, 37 insertions(+), 37 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f8dc0040de05..847bc9d6fa23 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -42,17 +42,17 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: submodules: recursive - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: "1.17" - name: Cache deps - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5 env: cache-name: cache-deps with: @@ -97,7 +97,7 @@ jobs: - name: Cache images id: cache-images - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5 env: cache-name: cache-apisix-docker-images with: 
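Review bot: The `# v5` trailers on the new `uses:` lines in both `build.yml` hunks are the only link between each SHA and a release tag, and nothing in this patch verifies or maintains that link — a reviewer reading `actions/checkout@93cb6efe… # v5` has to trust the comment, and once the pins are frozen they will only move if something bumps them. Before merging, confirm each SHA against the upstream tag rather than the comment, e.g. `git ls-remote --tags https://github.com/actions/checkout | grep 93cb6efe`, and repeat for `setup-go` and `cache`. The patch adds no `.github/dependabot.yml`; without an entry such as `- package-ecosystem: "github-actions"`, `directory: "/"`, `schedule: {interval: "weekly"}`, the SHA pins will silently go stale and the `# vN` comments will drift from what is actually pinned, which is the failure mode this kind of change is meant to prevent. The `go-version: "1.17"` on the context line is unrelated to this change and is only noted because it is the other unmaintained dependency visible in this hunk.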
diff --git a/.github/workflows/check-changelog.yml b/.github/workflows/check-changelog.yml index f33abfb2271a..223ad2170efc 100644 --- a/.github/workflows/check-changelog.yml +++ b/.github/workflows/check-changelog.yml @@ -14,7 +14,7 @@ jobs: check-changelog: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml index 82dcd8025459..a3899584fd55 100644 --- a/.github/workflows/cli.yml +++ b/.github/workflows/cli.yml @@ -38,12 +38,12 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: submodules: recursive - name: Cache deps - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5 env: cache-name: cache-deps with: diff --git a/.github/workflows/close-unresponded.yml b/.github/workflows/close-unresponded.yml index 9508af7ded1c..587ebc0abbf6 100644 --- a/.github/workflows/close-unresponded.yml +++ b/.github/workflows/close-unresponded.yml @@ -18,7 +18,7 @@ jobs: steps: - name: Prune Stale - uses: actions/stale@v8 + uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8 with: days-before-issue-stale: 60 days-before-issue-close: 3 diff --git a/.github/workflows/code-lint.yml b/.github/workflows/code-lint.yml index dec6154fa4a9..cac1ca23504d 100644 --- a/.github/workflows/code-lint.yml +++ b/.github/workflows/code-lint.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Install run: | . ./ci/common.sh @@ -37,7 +37,7 @@ jobs: timeout-minutes: 5 steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Shellcheck code run: | 
diff --git a/.github/workflows/doc-lint.yml b/.github/workflows/doc-lint.yml index e21247ffdaeb..8bd14a8a818a 100644 --- a/.github/workflows/doc-lint.yml +++ b/.github/workflows/doc-lint.yml @@ -22,9 +22,9 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 1 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: 🚀 Use Node.js - uses: actions/setup-node@v6.2.0 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: "12.x" - run: npm install -g markdownlint-cli@0.25.0 @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 1 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: submodules: recursive - name: Check Chinese copywriting diff --git a/.github/workflows/docker-standalone.yml b/.github/workflows/docker-standalone.yml index a048ee36e55a..9f34650e51e6 100644 --- a/.github/workflows/docker-standalone.yml +++ b/.github/workflows/docker-standalone.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Build APISIX Dashboard run: | diff --git a/.github/workflows/kubernetes-ci.yml b/.github/workflows/kubernetes-ci.yml index d916de6fe899..c9933cbab52c 100644 --- a/.github/workflows/kubernetes-ci.yml +++ b/.github/workflows/kubernetes-ci.yml @@ -37,7 +37,7 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: submodules: recursive diff --git a/.github/workflows/license-checker.yml b/.github/workflows/license-checker.yml index b963779dd8e3..7350f8b85c27 100644 --- a/.github/workflows/license-checker.yml +++ b/.github/workflows/license-checker.yml 
@@ -30,8 +30,8 @@ jobs: timeout-minutes: 3 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Check License Header - uses: apache/skywalking-eyes@v0.8.0 + uses: apache/skywalking-eyes@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 # v0.8.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml index cf38109d3fba..29596dc7536f 100644 --- a/.github/workflows/link-check.yml +++ b/.github/workflows/link-check.yml @@ -32,14 +32,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Get script run: | wget https://raw.githubusercontent.com/xuruidong/markdown-link-checker/main/link_checker.py - name: Setup python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.9' diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index ade1a68db341..29053cea614a 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code. - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: spell check run: | pip install codespell==2.1.0 @@ -30,10 +30,10 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Nodejs env - uses: actions/setup-node@v6.2.0 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: '12' diff --git a/.github/workflows/push-dev-image-on-commit.yml b/.github/workflows/push-dev-image-on-commit.yml index 471df059c950..439c96f758c3 100644 --- a/.github/workflows/push-dev-image-on-commit.yml +++ b/.github/workflows/push-dev-image-on-commit.yml 
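Review bot: The `wget https://raw.githubusercontent.com/xuruidong/markdown-link-checker/main/link_checker.py` context line in the `link-check.yml` hunk fetches an unpinned script from the tip of a third-party personal repository's `main` branch, and that script is then executed on the runner, so this workflow is as exposed after the `actions/checkout` and `actions/setup-python` SHA pins as it was before them — anyone who can push to that branch controls what runs here. Pin the download to a commit and verify it, `wget https://raw.githubusercontent.com/xuruidong/markdown-link-checker/<commit-sha>/link_checker.py` followed by `echo "<expected-sha256>  link_checker.py" | sha256sum -c -`, or vendor `link_checker.py` into this repository and drop the download entirely. The step that actually runs the script is outside the hunk, so whether it is invoked with any untrusted input cannot be judged here.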
@@ -30,7 +30,7 @@ jobs: steps: - name: Check out the repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Build APISIX Dashboard run: | @@ -80,7 +80,7 @@ jobs: - name: Login to Docker Hub if: github.ref == 'refs/heads/master' - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -96,13 +96,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Check out the repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Merge architecture-specific tags run: | diff --git a/.github/workflows/redhat-ci.yaml b/.github/workflows/redhat-ci.yaml index 9304c5dd3e5d..f6de3a125f9f 100644 --- a/.github/workflows/redhat-ci.yaml +++ b/.github/workflows/redhat-ci.yaml @@ -31,12 +31,12 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: submodules: recursive - name: Cache deps - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5 env: cache-name: cache-deps with: @@ -122,7 +122,7 @@ jobs: - name: Cache images id: cache-images - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5 env: cache-name: cache-apisix-docker-images with: diff --git a/.github/workflows/semantic.yml b/.github/workflows/semantic.yml index a9bb4785fd26..90d2ae9c3777 100644 --- a/.github/workflows/semantic.yml +++ b/.github/workflows/semantic.yml 
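Review bot: In the `push-dev-image-on-commit.yml` hunk at `@@ -96,13 +96,13 @@`, the second `docker/login-action` step carries no `if: github.ref == 'refs/heads/master'` guard, while the first login step in the `@@ -80,7 +80,7 @@` hunk does; unless the job is gated at job level outside the hunk, this job logs in to Docker Hub with `DOCKERHUB_USER`/`DOCKERHUB_TOKEN` on every ref the workflow runs for. Either add the same guard, `if: github.ref == 'refs/heads/master'`, to that step, or put a job-level `if:` on the job so the credentials are never handed to a step that runs for other branches. The workflow's `on:` triggers and `permissions:` are outside the hunk, so whether fork-originated runs can reach this job cannot be determined from what is shown.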
@@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repository code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: submodules: recursive - uses: ./.github/actions/action-semantic-pull-request diff --git a/.github/workflows/source-install.yml b/.github/workflows/source-install.yml index 9ff7c4768560..c32575d86d5e 100644 --- a/.github/workflows/source-install.yml +++ b/.github/workflows/source-install.yml @@ -48,12 +48,12 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: submodules: recursive - name: Cache deps - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5 env: cache-name: cache-deps with: diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 3bd686e6f124..4eb0b4a666d5 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Prune Stale - uses: actions/stale@v8 + uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8 with: days-before-issue-stale: 350 days-before-issue-close: 14 diff --git a/.github/workflows/tars-ci.yml b/.github/workflows/tars-ci.yml index 0c7b43f476cb..0901e01333fa 100644 --- a/.github/workflows/tars-ci.yml +++ b/.github/workflows/tars-ci.yml @@ -37,7 +37,7 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: submodules: recursive diff --git a/.github/workflows/update-labels.yml b/.github/workflows/update-labels.yml index bc974d9e35d0..00ef1cec85f1 100644 --- a/.github/workflows/update-labels.yml +++ b/.github/workflows/update-labels.yml 
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: update labels when user responds
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 github.rest.issues.addLabels({
@@ -36,7 +36,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: update label when user responds
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 github.rest.issues.addLabels({
@@ -51,7 +51,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: update label when user responds
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 github.rest.issues.addLabels({