From bf5c094f3c9af19f11dc586777c91577b84f71b5 Mon Sep 17 00:00:00 2001
From: Benjamin Wang
Date: Mon, 12 Dec 2022 16:12:23 +0800
Subject: [PATCH] secure the github workflow https://app.stepsecurity.io/secureworkflow/etcd-io/etcd/tests.yaml/main?enable=pin 1. Copy the existing yaml file and paste into the textbox, 2. Click "SECURE WORKFLOW" 3. Copy the manifest from the textbox and paste into etcd repo.
Signed-off-by: Benjamin Wang
---
 .github/workflows/build.yaml | 4 ++--
 .github/workflows/codeql-analysis.yml | 8 ++++----
 .github/workflows/contrib.yaml | 4 ++--
 .github/workflows/coverage.yaml | 4 ++--
 .github/workflows/e2e.yaml | 4 ++--
 .github/workflows/functional.yaml | 4 ++--
 .github/workflows/fuzzing.yaml | 6 +++---
 .github/workflows/govuln.yaml | 4 ++--
 .github/workflows/grpcproxy.yaml | 4 ++--
 .github/workflows/linearizability-nightly.yaml | 6 +++---
 .github/workflows/linearizability.yaml | 6 +++---
 .github/workflows/measure-test-flakiness.yaml | 2 +-
 .github/workflows/release.yaml | 4 ++--
 .github/workflows/static-analysis.yaml | 8 ++++----
 .github/workflows/tests.yaml | 6 +++---
 15 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 3b62c733e..b88fe9af9 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -19,8 +19,8 @@ jobs:
 - linux-ppc64le
 - linux-s390x
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - env:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e4e082f38..9a3dd9481 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
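Review bot: In .github/workflows/build.yaml the trailing `# v2.5.0` and `# v2.2.0` comments are the only record of which release each 40-character SHA is meant to be, and nothing in the workflow checks that they agree. The commit message says the pins were generated by pasting the file into an external web tool, so each SHA is worth resolving against the tag in the action's own repository before merge; the same applies to every other workflow hunk in this patch. The diffstat lists only workflow files, so no updater is added alongside the pins, and they will stay at these revisions until someone bumps them by hand. A Dependabot entry with `package-ecosystem: "github-actions"` would propose updates to the pinned SHAs. The job's step list starts and ends outside the hunk.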
@@ -41,11 +41,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@a669cc5936cc5e1b6a362ec1ff9e410dc570d190 # v2.1.36
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@a669cc5936cc5e1b6a362ec1ff9e410dc570d190 # v2.1.36
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@a669cc5936cc5e1b6a362ec1ff9e410dc570d190 # v2.1.36
diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
index 367baa678..627b120c0 100644
--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -5,8 +5,8 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - run: make -C contrib/mixin tools test
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index c11daf523..05c61d8ca 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
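Review bot: Pinning `github/codeql-action/init`, `autobuild` and `analyze` in .github/workflows/codeql-analysis.yml ties the scan to one revision of the action, so improvements the floating `@v2` tag would have picked up now arrive only when the pin is bumped. All three steps use the same SHA across the hunks at old lines 41, 56 and 70, which is the consistent state, but nothing tells the next editor to keep them in step. A comment above the first of them, such as `# init, autobuild and analyze must be pinned to the same codeql-action commit`, would record that requirement.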
@@ -10,8 +10,8 @@ jobs:
 target:
 - linux-amd64-coverage
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - env:
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 25a665707..42285919b 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -11,8 +11,8 @@ jobs:
 - linux-amd64-e2e
 - linux-386-e2e
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - run: date
diff --git a/.github/workflows/functional.yaml b/.github/workflows/functional.yaml
index 16fbebda7..18b3e0b36 100644
--- a/.github/workflows/functional.yaml
+++ b/.github/workflows/functional.yaml
@@ -10,8 +10,8 @@ jobs:
 target:
 - linux-amd64-functional
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - run: date
diff --git a/.github/workflows/fuzzing.yaml b/.github/workflows/fuzzing.yaml
index bc80bc20b..9287f50b4 100644
--- a/.github/workflows/fuzzing.yaml
+++ b/.github/workflows/fuzzing.yaml
@@ -9,12 +9,12 @@ jobs:
 env:
 TARGET_PATH: ./server/etcdserver/api/v3rpc
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - run: GOARCH=amd64 CPU=4 make fuzz
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
 if: failure()
 with:
 path: "${{env.TARGET_PATH}}/testdata/fuzz/**/*"
diff --git a/.github/workflows/govuln.yaml b/.github/workflows/govuln.yaml
index 6229ae2be..cb21d4152 100644
--- a/.github/workflows/govuln.yaml
+++ b/.github/workflows/govuln.yaml
@@ -5,8 +5,8 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - run: date
diff --git a/.github/workflows/grpcproxy.yaml b/.github/workflows/grpcproxy.yaml
index ccaa627d3..7c3398c6c 100644
--- a/.github/workflows/grpcproxy.yaml
+++ b/.github/workflows/grpcproxy.yaml
@@ -11,8 +11,8 @@ jobs:
 - linux-amd64-grpcproxy-integration
 - linux-amd64-grpcproxy-e2e
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - run: date
diff --git a/.github/workflows/linearizability-nightly.yaml b/.github/workflows/linearizability-nightly.yaml
index 0b1208b40..03c36c0b8 100644
--- a/.github/workflows/linearizability-nightly.yaml
+++ b/.github/workflows/linearizability-nightly.yaml
@@ -9,8 +9,8 @@ jobs:
 # GHA has a maximum amount of 6h execution time, we try to get done within 3h
 timeout-minutes: 180
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - run: |
@@ -19,7 +19,7 @@ jobs:
 mkdir -p /tmp/linearizability
 cat server/etcdserver/raft.fail.go
 EXPECT_DEBUG=true GO_TEST_FLAGS='-v --count 500 --failfast --run TestLinearizability --timeout=170m' RESULTS_DIR=/tmp/linearizability make test-linearizability
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
 if: always()
 with:
 path: /tmp/linearizability/*
diff --git a/.github/workflows/linearizability.yaml b/.github/workflows/linearizability.yaml
index a275a8c20..d6e34d8ac 100644
--- a/.github/workflows/linearizability.yaml
+++ b/.github/workflows/linearizability.yaml
@@ -5,8 +5,8 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - run: |
@@ -15,7 +15,7 @@ jobs:
 mkdir -p /tmp/linearizability
 cat server/etcdserver/raft.fail.go
 EXPECT_DEBUG=true GO_TEST_FLAGS='-v --count 60 --failfast --run TestLinearizability' RESULTS_DIR=/tmp/linearizability make test-linearizability
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
 if: always()
 with:
 path: /tmp/linearizability/*
diff --git a/.github/workflows/measure-test-flakiness.yaml b/.github/workflows/measure-test-flakiness.yaml
index 1867d193e..7aafd5f2c 100644
--- a/.github/workflows/measure-test-flakiness.yaml
+++ b/.github/workflows/measure-test-flakiness.yaml
@@ -11,7 +11,7 @@ jobs:
 name: Measure Test Flakiness
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
 - run: "./scripts/measure-test-flakiness.sh"
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2feceb091..505b2cde0 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,8 +5,8 @@ jobs:
 main:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - run: |
diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
index 0d65934b8..e2ca8fc22 100644
--- a/.github/workflows/static-analysis.yaml
+++ b/.github/workflows/static-analysis.yaml
@@ -5,16 +5,16 @@ jobs:
 run:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v3
+ uses: golangci/golangci-lint-action@07db5389c99593f11ad7b44463c2d4233066a9b1 # v3.3.0
 with:
 version: v1.49.0
 - name: protoc
- uses: arduino/setup-protoc@v1
+ uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2
 with:
 version: '3.14.0'
 - run: make verify
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 7aa77b528..b0c2aa5cd 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
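Review bot: The step in .github/workflows/measure-test-flakiness.yaml that runs `./scripts/measure-test-flakiness.sh` is handed `GITHUB_TOKEN` through `env`, and no `permissions:` key is visible in this hunk to bound what that token may do. Pinning `actions/checkout` protects the action's code but leaves the token's scope unchanged. If the file has no `permissions:` block outside the hunk, add one at workflow or job level that starts from `contents: read` and grants only the write scope the script actually needs. The job definition starts outside the hunk, so this needs checking against the full file.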
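Review bot: In .github/workflows/static-analysis.yaml the SHA pins fix only the code of `golangci/golangci-lint-action` and `arduino/setup-protoc`; the tools they install are still chosen by `version: v1.49.0` and `version: '3.14.0'`, and the hunk shows no checksum for those downloads. Whether the actions verify what they fetch is not visible here, so the pin should not be read as covering the binaries. A short comment above each `version:` line, for example `# action is SHA-pinned; the tool itself is selected by version only`, would make that boundary clear to later readers.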
@@ -14,8 +14,8 @@ jobs:
 - linux-amd64-unit-4-cpu-race
 - linux-386-unit-1-cpu
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v2.5.0
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: "1.19.4"
 - run: date
@@ -45,7 +45,7 @@ jobs:
 exit 1
 ;;
 esac
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
 if: always()
 with:
 path: ./**/junit_*.xml