From 96f266ce5e633b9e299181d242a738d303d39424 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Wed, 25 Jan 2023 17:34:28 +0100
Subject: [PATCH] ci: pin GitHub Actions versions (#1295)
---
 .github/workflows/build.yml | 14 +++++++-------
 .github/workflows/changelog.yml | 6 +++---
 .github/workflows/publish.yml | 5 ++---
 .github/workflows/tag.yml | 4 ++--
 .github/workflows/tests.yml | 14 +++++++-------
 5 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 52be6841..e5f3821d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -28,12 +28,12 @@ jobs:
 asset_name: macos
 steps:
 - name: Checkout capa
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 with:
 submodules: true
 # using Python 3.8 to support running across multiple operating systems including Windows 7
 - name: Set up Python 3.8
- uses: actions/setup-python@v4
+ uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
 with:
 python-version: 3.8
 - if: matrix.os == 'ubuntu-18.04'
@@ -50,7 +50,7 @@ jobs:
 run: dist/capa "tests/data/499c2a85f6e8142c3f48d4251c9c7cd6.raw32"
 - name: Does it run (ELF)?
 run: dist/capa "tests/data/7351f8a40c5450557b24622417fc478d.elf_"
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: ${{ matrix.asset_name }}
 path: dist/${{ matrix.artifact_name }}
@@ -74,11 +74,11 @@ jobs:
 asset_name: windows
 steps:
 - name: Download ${{ matrix.asset_name }}
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: ${{ matrix.asset_name }}
 - name: Set executable flag
- if: matrix.os != 'windows-2022'
+ if: matrix.os != 'windows-2022'
 run: chmod +x ${{ matrix.artifact_name }}
 - name: Run capa
 run: ./${{ matrix.artifact_name }} -h
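Review bot: Nothing in this commit keeps the new SHA pins current, starting with `actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0` in this first hunk and continuing through every workflow touched. The diffstat lists only the five workflow files, so unless the repository already has an updater configured for the `github-actions` ecosystem, these pins will stay frozen and silently miss upstream security fixes that the old floating tags would have picked up. I would add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` and `directory: "/"` on a regular schedule in the same change. The trailing `# vX.Y.Z` comments are what lets such a tool report and rewrite the version, so they should be kept exact.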
@@ -100,7 +100,7 @@ jobs:
 artifact_name: capa
 steps:
 - name: Download ${{ matrix.asset_name }}
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: ${{ matrix.asset_name }}
 - name: Set executable flag
@@ -110,7 +110,7 @@ jobs:
 - name: Zip ${{ matrix.artifact_name }} into ${{ env.zip_name }}
 run: zip ${{ env.zip_name }} ${{ matrix.artifact_name }}
 - name: Upload ${{ env.zip_name }} to GH Release
- uses: svenstaro/upload-release-action@v2
+ uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # v2
 with:
 repo_token: ${{ secrets.GITHUB_TOKEN}}
 file: ${{ env.zip_name }}
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index b68845f7..6390e184 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -17,7 +17,7 @@ jobs:
 steps:
 - name: Get changed files
 id: files
- uses: Ana06/get-changed-files@v2.2.0
+ uses: Ana06/get-changed-files@e0c398b7065a8d84700c471b6afc4116d1ba4e96 # v2.2.0
 - name: check changelog updated
 id: changelog_updated
 env:
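Review bot: The comment on the `svenstaro/upload-release-action` pin in the `@@ -110,7 +110,7 @@` hunk names the moving major tag `v2`, not the release the SHA belongs to, unlike the other pins in this commit (`# v3.3.0`, `# v3.0.2`). From the line alone a reviewer cannot tell which release `2728235f7dc9ff598bd86ce3c274b74f802d2208` corresponds to, and this is the step that receives `secrets.GITHUB_TOKEN` to upload release assets. I would look up the exact tag that resolves to this commit and record it, as in `uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # v2.X.Y`, where `v2.X.Y` is a placeholder for the tag found upstream.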
@@ -27,14 +27,14 @@ jobs:
 echo $FILES | grep -qF 'CHANGELOG.md' || echo $PR_BODY | grep -qiF "$NO_CHANGELOG"
 - name: Reject pull request if no CHANGELOG update
 if: ${{ always() && steps.changelog_updated.outcome == 'failure' }}
- uses: Ana06/automatic-pull-request-review@v0.1.0
+ uses: Ana06/automatic-pull-request-review@0cf4e8a17ba79344ed3fdd7fed6dd0311d08a9d4 # v0.1.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 event: REQUEST_CHANGES
 body: "Please add bug fixes, new features, breaking changes and anything else you think is worthwhile mentioning to the `master (unreleased)` section of CHANGELOG.md. If no CHANGELOG update is needed add the following to the PR description: `${{ env.NO_CHANGELOG }}`"
 allow_duplicate: false
 - name: Dismiss previous review if CHANGELOG update
- uses: Ana06/automatic-pull-request-review@v0.1.0
+ uses: Ana06/automatic-pull-request-review@0cf4e8a17ba79344ed3fdd7fed6dd0311d08a9d4 # v0.1.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 event: DISMISS
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 65278522..520e0894 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,9 +11,9 @@ jobs:
 deploy:
 runs-on: ubuntu-20.04
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
 with:
 python-version: '3.7'
 - name: Install dependencies
@@ -27,4 +27,3 @@ jobs:
 run: |
 python setup.py sdist bdist_wheel
 twine upload --skip-existing dist/*
-
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 744ea207..87bf8f45 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Checkout capa-rules
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 with:
 repository: mandiant/capa-rules
 token: ${{ secrets.CAPA_TOKEN }}
@@ -23,7 +23,7 @@ jobs:
 git tag $name -m "https://github.com/mandiant/capa/releases/$name"
 # TODO update branch name-major=${name%%.*}
 - name: Push tag to capa-rules
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@0fafdd62b84042d49ec0cb92d9cac7f7ce4ec79e # master
 with:
 repository: mandiant/capa-rules
 github_token: ${{ secrets.CAPA_TOKEN }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 6678e0aa..e60eb4e5 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Checkout capa
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 # The sync GH action in capa-rules relies on a single '- *$' in the CHANGELOG file
 - name: Ensure CHANGELOG has '- *$'
 run: |
@@ -26,9 +26,9 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Checkout capa
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 - name: Set up Python 3.8
- uses: actions/setup-python@v4
+ uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
 with:
 python-version: "3.8"
 - name: Install dependencies
@@ -46,11 +46,11 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Checkout capa with submodules
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 with:
 submodules: recursive
 - name: Set up Python 3.8
- uses: actions/setup-python@v4
+ uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
 with:
 python-version: "3.8"
 - name: Install capa
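Review bot: The `ad-m/github-push-action` pin in the `@@ -23,7 +23,7 @@` hunk of tag.yml freezes an arbitrary snapshot of the `master` branch rather than a released version, and the `# master` comment records neither which release it is near nor when it was taken. This step is passed `secrets.CAPA_TOKEN`, which presumably carries push rights to `mandiant/capa-rules`, so it is the pin where provenance matters most. If upstream publishes tagged releases, I would pin the commit behind one and annotate it as `uses: ad-m/github-push-action@<release-commit-sha> # <release-tag>` (both placeholders). Otherwise I would at least note the snapshot date in the comment so its age is visible in review.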
@@ -76,11 +76,11 @@ jobs:
 python-version: "3.9"
 steps:
 - name: Checkout capa with submodules
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 with:
 submodules: recursive
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v4
+ uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install pyyaml