From f29de5870bba176eadb00f2c962c6a7043ab2afa Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 3 Oct 2025 14:17:39 +0200 Subject: [PATCH] ci/GHA: show full versions next to pinned actions Closes #1695 --- .github/workflows/ci.yml | 48 ++++++++++++++-------------- .github/workflows/cifuzz.yml | 2 +- .github/workflows/codeql.yml | 4 +-- .github/workflows/openssh_server.yml | 8 ++--- 4 files changed, 31 insertions(+), 31 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 65576e61..dcf15b6b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: 'checksrc' @@ -36,7 +36,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -53,7 +53,7 @@ jobs: - name: 'zizmor GHA' env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" zizmor --pedantic .github/workflows/*.yml @@ -104,7 +104,7 @@ jobs: matrix: image: [ubuntu-latest, macos-latest, windows-2022] steps: - - uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2 + - uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2.29.0 if: ${{ contains(matrix.image, 'windows') }} with: msystem: mingw64 @@ -139,7 +139,7 @@ jobs: printf '%s' ~/cmake-"${OLD_CMAKE_VERSION}"-Darwin-x86_64/CMake.app/Contents/bin/cmake > ~/old-cmake-path.txt fi - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -322,7 +322,7 @@ jobs: - name: 'cache mbedTLS' if: ${{ matrix.crypto == 'mbedTLS-from-source' }} - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 id: cache-mbedtls with: path: ~/usr @@ -373,7 +373,7 @@ jobs: - name: 'cache BoringSSL' if: ${{ matrix.crypto == 'BoringSSL' }} - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 id: cache-boringssl with: path: ~/usr @@ -395,7 +395,7 @@ jobs: - name: 'cache AWS-LC' if: ${{ matrix.crypto == 'AWS-LC' }} - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 id: cache-aws-lc with: path: ~/usr @@ -412,7 +412,7 @@ jobs: - name: 'cache LibreSSL' if: ${{ matrix.crypto == 'LibreSSL' }} - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 id: cache-libressl with: path: ~/usr @@ -432,7 +432,7 @@ jobs: - name: 'cache OpenSSL' if: ${{ matrix.crypto == 'OpenSSL-3-no-deprecated' }} - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 id: cache-openssl with: path: ~/usr @@ -450,7 +450,7 @@ jobs: - name: 'cache OpenSSL 1.1.1' if: ${{ matrix.crypto == 'OpenSSL-111-from-source' }} - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 id: cache-openssl111 with: path: ~/usr @@ -467,7 +467,7 @@ jobs: - name: 'cache OpenSSL 1.1.0' if: ${{ matrix.crypto == 'OpenSSL-110-from-source' }} - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 id: cache-openssl110 with: path: ~/usr @@ -484,7 +484,7 @@ jobs: - name: 'cache OpenSSL 1.0.2' if: ${{ matrix.crypto == 'OpenSSL-102-from-source' }} - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 id: cache-openssl102 with: path: ~/usr @@ -499,7 +499,7 @@ jobs: make make -j1 install_sw - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -626,7 +626,7 @@ jobs: sudo apt-get -o Dpkg::Use-Pty=0 install mingw-w64 \ ${INSTALL_PACKAGES} - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -692,7 +692,7 @@ jobs: site: https://mirrors.kernel.org/sourceware/cygwin/ install-dir: D:\cygwin - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -775,12 +775,12 @@ jobs: MATRIX_ENV: '${{ matrix.env }}' MATRIX_TEST: '${{ matrix.test }}' steps: - - uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2 + - uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2.29.0 if: ${{ matrix.sys == 'msys' }} with: msystem: ${{ matrix.sys }} install: gcc ${{ matrix.build }} ${{ matrix.build == 'autotools' && 'make' || 'ninja' }} openssl-devel zlib-devel - - uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2 + - uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2.29.0 if: ${{ matrix.sys != 'msys' }} with: msystem: ${{ matrix.sys }} @@ -789,7 +789,7 @@ jobs: mingw-w64-${{ matrix.env }}-${{ matrix.build }} ${{ matrix.build == 'autotools' && 'make' || '' }} mingw-w64-${{ matrix.env }}-openssl - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -884,7 +884,7 @@ jobs: - { arch: arm64, plat: uwp , crypto: WinCNG , wincng_ecdsa: 'ON' , log: 'OFF', shared: 'ON' , zlib: 'OFF', unity: 'OFF' } - { arch: x86 , plat: windows, crypto: WinCNG , wincng_ecdsa: 'OFF', log: 'OFF', shared: 'ON' , zlib: 'OFF', unity: 'ON' } steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: 'configure' @@ -973,7 +973,7 @@ jobs: INSTALL_PACKAGES: ${{ matrix.build == 'autotools' && 'automake libtool' || '' }} MATRIX_INSTALL: '${{ matrix.crypto.install }}' run: brew install ${INSTALL_PACKAGES} ${MATRIX_INSTALL} - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -1031,7 +1031,7 @@ jobs: matrix: arch: ['x86_64', 'arm64'] steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: 'cmake' @@ -1063,7 +1063,7 @@ jobs: matrix: arch: ['x86_64'] steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: 'cmake' @@ -1098,7 +1098,7 @@ jobs: matrix: arch: ['x86_64', 'arm64'] steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: 'autotools' diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index c46ae0e0..e7acbb0b 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -33,7 +33,7 @@ jobs: dry-run: false language: c - name: 'Upload Crash' - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ failure() && steps.build.outcome == 'success' }} with: name: artifacts diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f9ef8f1f..956e8f02 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -28,7 +28,7 @@ jobs: permissions: security-events: write # To create/update security events steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -62,7 +62,7 @@ jobs: sudo rm -f /var/lib/man-db/auto-update sudo apt-get -o Dpkg::Use-Pty=0 install zlib1g-dev libssl-dev libgcrypt-dev libmbedtls-dev libwolfssl-dev - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/.github/workflows/openssh_server.yml b/.github/workflows/openssh_server.yml index f7ea0d9e..e8b52ae4 100644 --- a/.github/workflows/openssh_server.yml +++ b/.github/workflows/openssh_server.yml @@ -40,13 +40,13 @@ jobs: contents: read # To comply with https://docs.github.com/en/actions/tutorials/publish-packages/publish-docker-images packages: write # To create/update container steps: - - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 + - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -61,7 +61,7 @@ jobs: HASH: '${{ steps.hash.outputs.hash }}' run: docker manifest inspect "ghcr.io/${GITHUB_REPOSITORY_OWNER}/ci_tests_openssh_server:${HASH}" - - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 + - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 if: ${{ steps.poll.outcome == 'failure' }} id: meta with: @@ -69,7 +69,7 @@ jobs: tags: | type=raw,value=${{ steps.hash.outputs.hash }} - - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 + - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 if: ${{ steps.poll.outcome == 'failure' }} with: context: ./tests/openssh_server