diff options
| author | Victor Engmark <victor@engmark.name> | 2023-11-28 16:28:58 +1300 |
|---|---|---|
| committer | Jörg Thalheim <Mic92@users.noreply.github.com> | 2023-11-29 09:51:22 +0100 |
| commit | 4177297b141a3a8a8985dcb7dfb53550b95d3e8f (patch) | |
| tree | 4eedabde0d840433b038c9897f8c2a15c3751e58 /.github | |
| parent | 789f7281f096e9f9b42dbfd567d25a931f3fc14a (diff) | |
| download | nixlib-4177297b141a3a8a8985dcb7dfb53550b95d3e8f.tar nixlib-4177297b141a3a8a8985dcb7dfb53550b95d3e8f.tar.gz nixlib-4177297b141a3a8a8985dcb7dfb53550b95d3e8f.tar.bz2 nixlib-4177297b141a3a8a8985dcb7dfb53550b95d3e8f.tar.lz nixlib-4177297b141a3a8a8985dcb7dfb53550b95d3e8f.tar.xz nixlib-4177297b141a3a8a8985dcb7dfb53550b95d3e8f.tar.zst nixlib-4177297b141a3a8a8985dcb7dfb53550b95d3e8f.zip | |
ci: pin third party actions
For reproducibility.
Command:
```shell
for file in .github/workflows/*.y*ml; do
npx pin-github-action --comment=' {ref}' "$file"
done
```
Then had to manually replace all the versions with accurate specifiers
(for example, "v4" → "v4.1.1" in case of `actions/checkout`).
Diffstat (limited to '.github')
| -rw-r--r-- | .github/workflows/backport.yml | 4 | ||||
| -rw-r--r-- | .github/workflows/basic-eval.yml | 6 | ||||
| -rw-r--r-- | .github/workflows/check-by-name.yml | 5 | ||||
| -rw-r--r-- | .github/workflows/check-maintainers-sorted.yaml | 4 | ||||
| -rw-r--r-- | .github/workflows/editorconfig.yml | 4 | ||||
| -rw-r--r-- | .github/workflows/labels.yml | 2 | ||||
| -rw-r--r-- | .github/workflows/manual-nixos.yml | 6 | ||||
| -rw-r--r-- | .github/workflows/manual-nixpkgs.yml | 6 | ||||
| -rw-r--r-- | .github/workflows/periodic-merge-24h.yml | 6 | ||||
| -rw-r--r-- | .github/workflows/periodic-merge-6h.yml | 6 | ||||
| -rw-r--r-- | .github/workflows/update-terraform-providers.yml | 6 |
11 files changed, 27 insertions, 28 deletions
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 9343e29d5963..c49eeac5a20b 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -20,11 +20,11 @@ jobs: if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name)) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.pull_request.head.sha }} - name: Create backport PRs - uses: korthout/backport-action@v2.1.1 + uses: korthout/backport-action@08bafb375e6e9a9a2b53a744b987e5d81a133191 # v2.1.1 with: # Config README: https://github.com/korthout/backport-action#backport-action copy_labels_pattern: 'severity:\ssecurity' diff --git a/.github/workflows/basic-eval.yml b/.github/workflows/basic-eval.yml index 9eb5efabc373..ecd3a601ba02 100644 --- a/.github/workflows/basic-eval.yml +++ b/.github/workflows/basic-eval.yml @@ -18,9 +18,9 @@ jobs: runs-on: ubuntu-latest # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v23 - - uses: cachix/cachix-action@v12 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v24 + - uses: cachix/cachix-action@6a9a34cdd93d0ae4b4b59fd678660efb08109f2f # v13 with: # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. name: nixpkgs-ci diff --git a/.github/workflows/check-by-name.yml b/.github/workflows/check-by-name.yml index b0282cdbc769..22700e0f6d44 100644 --- a/.github/workflows/check-by-name.yml +++ b/.github/workflows/check-by-name.yml @@ -49,7 +49,7 @@ jobs: exit 1 fi echo "mergedSha=$mergedSha" >> "$GITHUB_ENV" - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # pull_request_target checks out the base branch by default ref: ${{ env.mergedSha }} @@ -61,7 +61,7 @@ jobs: echo "baseSha=$(git rev-parse HEAD^1)" >> "$GITHUB_ENV" echo "headSha=$(git rev-parse HEAD^2)" >> "$GITHUB_ENV" - - uses: cachix/install-nix-action@v23 + - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v24 - name: Determining channel to use for dependencies run: | echo "Determining the preferred channel to use for PR base branch $GITHUB_BASE_REF" @@ -176,4 +176,3 @@ jobs: } >> "$GITHUB_STEP_SUMMARY" exit "$exitCode" - diff --git a/.github/workflows/check-maintainers-sorted.yaml b/.github/workflows/check-maintainers-sorted.yaml index d399951f65df..543edfeb9f5d 100644 --- a/.github/workflows/check-maintainers-sorted.yaml +++ b/.github/workflows/check-maintainers-sorted.yaml @@ -12,11 +12,11 @@ jobs: runs-on: ubuntu-latest if: github.repository_owner == 'NixOS' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge - - uses: cachix/install-nix-action@v23 + - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v24 with: # explicitly enable sandbox extra_nix_config: sandbox = true diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig.yml index b5c3c7fd95cd..36180b9aa5d6 100644 --- a/.github/workflows/editorconfig.yml +++ b/.github/workflows/editorconfig.yml @@ -24,11 +24,11 @@ jobs: - name: print list of changed files run: | cat "$HOME/changed_files" - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge - - uses: cachix/install-nix-action@v23 + - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v24 with: # nixpkgs commit is pinned so that it doesn't break # editorconfig-checker 2.4.0 diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index 35f5f24ce309..4dc690e88bbc 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" steps: - - uses: actions/labeler@v4 + - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} sync-labels: true diff --git a/.github/workflows/manual-nixos.yml b/.github/workflows/manual-nixos.yml index 6be47caf278d..2b21568b556a 100644 --- a/.github/workflows/manual-nixos.yml +++ b/.github/workflows/manual-nixos.yml @@ -14,15 +14,15 @@ jobs: runs-on: ubuntu-latest if: github.repository_owner == 'NixOS' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge - - uses: cachix/install-nix-action@v23 + - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v24 with: # explicitly enable sandbox extra_nix_config: sandbox = true - - uses: cachix/cachix-action@v12 + - uses: cachix/cachix-action@6a9a34cdd93d0ae4b4b59fd678660efb08109f2f # v13 with: # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. name: nixpkgs-ci diff --git a/.github/workflows/manual-nixpkgs.yml b/.github/workflows/manual-nixpkgs.yml index f148aee076d5..23c97eafe779 100644 --- a/.github/workflows/manual-nixpkgs.yml +++ b/.github/workflows/manual-nixpkgs.yml @@ -15,15 +15,15 @@ jobs: runs-on: ubuntu-latest if: github.repository_owner == 'NixOS' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge - - uses: cachix/install-nix-action@v23 + - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v24 with: # explicitly enable sandbox extra_nix_config: sandbox = true - - uses: cachix/cachix-action@v12 + - uses: cachix/cachix-action@6a9a34cdd93d0ae4b4b59fd678660efb08109f2f # v13 with: # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. name: nixpkgs-ci diff --git a/.github/workflows/periodic-merge-24h.yml b/.github/workflows/periodic-merge-24h.yml index f56b3a0a5594..308d9057859e 100644 --- a/.github/workflows/periodic-merge-24h.yml +++ b/.github/workflows/periodic-merge-24h.yml @@ -44,10 +44,10 @@ jobs: into: staging-23.11 name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} - uses: devmasx/merge-branch@1.4.0 + uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0 with: type: now from_branch: ${{ matrix.pairs.from }} @@ -55,7 +55,7 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Comment on failure - uses: peter-evans/create-or-update-comment@v3 + uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0 if: ${{ failure() }} with: issue-number: 105153 diff --git a/.github/workflows/periodic-merge-6h.yml b/.github/workflows/periodic-merge-6h.yml index 687c1b99adb2..5d5f86db48f5 100644 --- a/.github/workflows/periodic-merge-6h.yml +++ b/.github/workflows/periodic-merge-6h.yml @@ -38,10 +38,10 @@ jobs: into: staging name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} - uses: devmasx/merge-branch@1.4.0 + uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0 with: type: now from_branch: ${{ matrix.pairs.from }} @@ -49,7 +49,7 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Comment on failure - uses: peter-evans/create-or-update-comment@v3 + uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0 if: ${{ failure() }} with: issue-number: 105153 diff --git a/.github/workflows/update-terraform-providers.yml b/.github/workflows/update-terraform-providers.yml index 5aa1693bc9b3..c1a0e711ed07 100644 --- a/.github/workflows/update-terraform-providers.yml +++ b/.github/workflows/update-terraform-providers.yml @@ -16,8 +16,8 @@ jobs: if: github.repository_owner == 'NixOS' && github.ref == 'refs/heads/master' # ensure workflow_dispatch only runs on master runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v23 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v24 with: nix_path: nixpkgs=channel:nixpkgs-unstable - name: setup @@ -46,7 +46,7 @@ jobs: run: | git clean -f - name: create PR - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 with: body: | Automatic update by [update-terraform-providers](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/update-terraform-providers.yml) action. |