
Pin GitHub actions by sha

Open vdemeester opened this issue 2 months ago • 1 comments

As a best practice, we should pin actions we use by commit SHA. This is the case for some workflows in the organization but not all. This issue is there to track updating those workflows and enable this setting.

Note: with dependabot, it doesn't require too much to update those as dependabot knows how to update.

  • [x] List workflows that are not using full commit SHA
  • [ ] Update them
  • [ ] Enable that setting

vdemeester avatar Oct 06 '25 08:10 vdemeester

The following workflows have at least 1 action not using the full commit SHA / image digest:

  • [x] tektoncd/catalog chatops_retest.yaml https://github.com/tektoncd/catalog/pull/1353
  • [x] tektoncd/catalog ci.yaml https://github.com/tektoncd/catalog/pull/1353
  • [x] tektoncd/catalog slash.yml https://github.com/tektoncd/catalog/pull/1353
  • [x] tektoncd/catlin chatops_retest.yaml https://github.com/tektoncd/catlin/pull/71
  • [x] tektoncd/catlin slash.yml https://github.com/tektoncd/catlin/pull/71
  • [x] tektoncd/chains lint.yaml https://github.com/tektoncd/chains/pull/1453
  • [x] tektoncd/chains test-on-microshift.yaml https://github.com/tektoncd/chains/pull/1453
  • [x] tektoncd/chains codeql.yml https://github.com/tektoncd/chains/pull/1453
  • [x] tektoncd/chains reusable-e2e.yaml https://github.com/tektoncd/chains/pull/1453
  • [x] tektoncd/cli e2e-matrix.yml https://github.com/tektoncd/cli/pull/2620
  • [x] tektoncd/hub ci.yaml https://github.com/tektoncd/hub/pull/2606
  • [x] tektoncd/hub goa-gen-dependabot.yml https://github.com/tektoncd/hub/pull/2606
  • [x] tektoncd/hub golangci-lint.yaml https://github.com/tektoncd/hub/pull/2606
  • [x] tektoncd/infra terraform-lint.yaml https://github.com/tektoncd/infra/pull/67
  • [x] tektoncd/mcp-server chatops_retest.yaml https://github.com/tektoncd/mcp-server/pull/83
  • [x] tektoncd/mcp-server slash.yml https://github.com/tektoncd/mcp-server/pull/83
  • [x] tektoncd/operator ci.yaml https://github.com/tektoncd/operator/pull/2917
  • [x] tektoncd/operator update-tektoncd-task-versions.yml https://github.com/tektoncd/operator/pull/2917
  • [x] tektoncd/operator bump-payload-on-main.yaml https://github.com/tektoncd/operator/pull/2917
  • [x] tektoncd/operator bump-payload-on-releases.yaml https://github.com/tektoncd/operator/pull/2917
  • [x] tektoncd/operator chatops_retest.yaml https://github.com/tektoncd/operator/pull/2917
  • [x] tektoncd/operator codeql-analysis.yml https://github.com/tektoncd/operator/pull/2917
  • [x] tektoncd/operator e2e-matrix.yml https://github.com/tektoncd/operator/pull/2917
  • [x] tektoncd/operator helm-release.yaml https://github.com/tektoncd/operator/pull/2917
  • [x] tektoncd/operator slash.yml https://github.com/tektoncd/operator/pull/2917
  • [x] tektoncd/pipeline ci.yaml https://github.com/tektoncd/pipeline/pull/9061
  • [x] tektoncd/pipeline chatops_retest.yaml https://github.com/tektoncd/pipeline/pull/9061
  • [x] tektoncd/pipeline e2e-matrix.yml https://github.com/tektoncd/pipeline/pull/9061
  • [x] tektoncd/pipeline labels.yaml https://github.com/tektoncd/pipeline/pull/9061
  • [x] tektoncd/pipeline nightly-builds.yaml https://github.com/tektoncd/pipeline/pull/9061
  • [x] tektoncd/pipeline slash.yml https://github.com/tektoncd/pipeline/pull/9061
  • [x] tektoncd/plumbing images.yaml https://github.com/tektoncd/plumbing/pull/2881
  • [x] tektoncd/pruner reusable-e2e.yaml https://github.com/tektoncd/pruner/pull/13
  • [x] tektoncd/pruner build_and_publish.yaml https://github.com/tektoncd/pruner/pull/13
  • [x] tektoncd/pruner codeql.yml https://github.com/tektoncd/pruner/pull/13
  • [x] tektoncd/results golangci-lint.yaml https://github.com/tektoncd/results/pull/1129
  • [x] tektoncd/results presubmit-ci.yaml https://github.com/tektoncd/results/pull/1129
  • [x] tektoncd/results codeql.yml https://github.com/tektoncd/results/pull/1129
  • [x] tektoncd/triggers golangci-lint.yaml https://github.com/tektoncd/triggers/pull/1893
  • [x] tektoncd/triggers codeql-analysis.yml https://github.com/tektoncd/triggers/pull/1893
  • [x] tektoncd/website ruff.yml https://github.com/tektoncd/website/pull/679

AlanGreene avatar Oct 07 '25 20:10 AlanGreene
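One way to automate the first checklist item (listing workflows whose `uses:` references are not a full commit SHA, or not an image digest for `docker://` images), as an added example that is not part of this issue or of the tektoncd tooling. It matches `uses:` lines with a regex rather than a YAML parser, and the sample workflow, its repository names and the 40-hex SHA are constructed for illustration:

```python
"""Flag GitHub Actions `uses:` references that are not pinned to an immutable ref."""
import re
from pathlib import Path

# Constructed sample workflow mixing pinned and unpinned references.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v5 (constructed SHA)
      - uses: actions/setup-go@v5
      - uses: ./.github/actions/local-helper
      - uses: docker://ghcr.io/example/tool:1.2.3
      - uses: docker://ghcr.io/example/tool@sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
  e2e:
    uses: example-org/shared/.github/workflows/e2e.yml@main
"""

# `- uses: x` (step) or `uses: x` (job-level reusable workflow), optional quotes, trailing comment ignored.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*["']?([^\s"'#]+)""", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def is_pinned(ref: str) -> bool:
    """True if the ref cannot silently change: a 40-hex commit SHA for repository
    actions, a sha256 digest for docker:// images. Local actions (./path) are
    versioned with the repository itself, so they count as pinned."""
    if ref.startswith("./"):
        return True
    if "@" not in ref:
        return False  # bare `owner/repo` or `docker://image:tag` (mutable tag)
    target, version = ref.rsplit("@", 1)
    if target.startswith("docker://"):
        return bool(DIGEST_RE.match(version))
    return bool(FULL_SHA_RE.match(version))


def find_unpinned(workflow_text: str) -> list[str]:
    """Return every `uses:` reference in the workflow text that is not pinned."""
    return [m.group(1) for m in USES_RE.finditer(workflow_text) if not is_pinned(m.group(1))]


def scan_workflows(repo_root: Path) -> dict[str, list[str]]:
    """Map each workflow file under .github/workflows that has unpinned refs to those refs."""
    findings = {}
    for path in sorted(repo_root.glob(".github/workflows/*.y*ml")):
        if bad := find_unpinned(path.read_text()):
            findings[str(path)] = bad
    return findings


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print("unpinned:", ref)
```

Run `scan_workflows(Path("."))` from a repository checkout to get the per-file list; an empty dict is the state the enforcement setting expects.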

@vdemeester All actions are now pinned by sha so you should be able to enable the setting to enforce it 🤞

AlanGreene avatar Nov 04 '25 12:11 AlanGreene

Let's goooooo !!! I will enable this and let's see if anything.. is having problems. cc @afrittoli 👼🏼

vdemeester avatar Nov 04 '25 14:11 vdemeester

I think this is done now and can be closed. Feel free to reopen if I've missed anything or there's more to do here.

AlanGreene avatar Nov 19 '25 13:11 AlanGreene