diff --git a/.github/workflows/build-and-push-fleetctl-docker.yml b/.github/workflows/build-and-push-fleetctl-docker.yml
index 47d0cd75d9..8da7ad968e 100644
--- a/.github/workflows/build-and-push-fleetctl-docker.yml
+++ b/.github/workflows/build-and-push-fleetctl-docker.yml
@@ -56,7 +56,7 @@ jobs:
 - name: Push To quay.io
 id: push-to-quay
- uses: redhat-actions/push-to-registry@v2
+ uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
 with:
 image: fleetdm/fleetctl
 tags: ${{ inputs.image_tag }}
diff --git a/.github/workflows/deploy-fleet-website.yml b/.github/workflows/deploy-fleet-website.yml
index b4f1b6ed5e..f13f39616b 100644
--- a/.github/workflows/deploy-fleet-website.yml
+++ b/.github/workflows/deploy-fleet-website.yml
@@ -54,7 +54,7 @@ jobs:
 # Install the right version of Go for the Golang child process that we are currently using for CSR signing
 - name: Set up Go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
 with:
 go-version: 1.19
diff --git a/.github/workflows/dogfood-deploy.yml b/.github/workflows/dogfood-deploy.yml
index 5f3cf4986c..3c838e53d2 100644
--- a/.github/workflows/dogfood-deploy.yml
+++ b/.github/workflows/dogfood-deploy.yml
@@ -49,11 +49,11 @@ jobs:
 - id: fail-on-main
 run: "false"
 if: ${{ github.ref == 'main' }}
- - uses: aws-actions/configure-aws-credentials@v1
+ - uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
 with:
 role-to-assume: ${{env.AWS_IAM_ROLE}}
 aws-region: ${{ env.AWS_REGION }}
- - uses: hashicorp/setup-terraform@v2
+ - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
 with:
 terraform_version: 1.0.4
 terraform_wrapper: false
diff --git a/.github/workflows/goreleaser-fleet.yaml b/.github/workflows/goreleaser-fleet.yaml
index 2d91bd75ba..393eda53a7 100644
--- a/.github/workflows/goreleaser-fleet.yaml
+++ b/.github/workflows/goreleaser-fleet.yaml
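Review bot: The `# v2.7.1` label after the pinned `redhat-actions/push-to-registry` SHA in build-and-push-fleetctl-docker.yml is only a comment; the runner resolves the 40-character commit and nothing ties it to the tag the comment names. Each SHA in this commit should be checked against the release tag in the action's own repository before merge, and confirmed to belong to that repository rather than a fork, because a fork's commit can be referenced through the parent repository's name. The same check applies to the other pinned `uses:` lines in this diff (setup-go, configure-aws-credentials, setup-terraform, checkout, trivy-action, upload-sarif). Pinned SHAs also stop receiving upstream fixes, so it is worth confirming that an update mechanism for the `github-actions` ecosystem is configured (for example Dependabot; no such configuration is visible in this diff).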
@@ -64,7 +64,7 @@ jobs:
 - name: Push To quay.io
 id: push-to-quay
- uses: redhat-actions/push-to-registry@v2
+ uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
 with:
 image: fleetdm/fleet
 tags: ${{ steps.docker.outputs.TAG }}
diff --git a/.github/workflows/goreleaser-snapshot-fleet.yaml b/.github/workflows/goreleaser-snapshot-fleet.yaml
index 84ab28dc05..00fb10d694 100644
--- a/.github/workflows/goreleaser-snapshot-fleet.yaml
+++ b/.github/workflows/goreleaser-snapshot-fleet.yaml
@@ -65,7 +65,7 @@ jobs:
 - name: Push To quay.io
 id: push-to-quay
- uses: redhat-actions/push-to-registry@v2
+ uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
 with:
 image: fleetdm/fleet
 tags: ${{ steps.docker.outputs.TAG }}
diff --git a/.github/workflows/tfvalidate.yml b/.github/workflows/tfvalidate.yml
index 18f875ae5c..331564b63b 100644
--- a/.github/workflows/tfvalidate.yml
+++ b/.github/workflows/tfvalidate.yml
@@ -34,7 +34,7 @@ jobs:
 uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
 - name: Install terraform
- uses: hashicorp/setup-terraform@v2.0.0
+ uses: hashicorp/setup-terraform@17d4c9b8043b238f6f35641cdd8433da1e6f3867 # v2.0.0
 with:
 terraform_version: 1.3.0
diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml
index 7c41d726dc..bbfa763f42 100644
--- a/.github/workflows/trivy_scan.yml
+++ b/.github/workflows/trivy_scan.yml
@@ -9,10 +9,10 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252 # master
 with:
 scan-type: 'fs'
 ignore-unfixed: true
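Review bot: `hashicorp/setup-terraform` ends up pinned to two different commits in this change: `17d4c9b8043b238f6f35641cdd8433da1e6f3867 # v2.0.0` here in tfvalidate.yml and `633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3` in dogfood-deploy.yml. Keeping the exact version the old tag named is the conservative choice for this commit, but two pins for one action mean two things to audit on every bump; as a follow-up I would align this line to `uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3`. The `actions/checkout` pin in the context line above it carries no version comment, so adding a `# <version>` label there would match the convention this commit introduces.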
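Review bot: The `aquasecurity/trivy-action` pin in trivy_scan.yml is labelled `# master`, which records the branch the SHA was taken from rather than a release. Nothing on the page shows that this commit corresponds to a tagged release, so a reader cannot tell how old the pin is and version-aware update tooling has no tag to compare against. I would pin to the commit of a published release and label it accordingly, e.g. `uses: aquasecurity/trivy-action@<sha-of-release-tag> # <release-tag>` (placeholders; both values come from the upstream releases page).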
@@ -24,6 +24,6 @@ jobs:
 security-checks: 'vuln'
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
 with:
 sarif_file: 'trivy-results.sarif'