diff --git a/.github/actions/genprotos/action.yml b/.github/actions/genprotos/action.yml index 84bc29d001..84dfd540f0 100644 --- a/.github/actions/genprotos/action.yml +++ b/.github/actions/genprotos/action.yml @@ -3,10 +3,10 @@ description: 'Install buf with local plugins, generate protos and cache' runs: using: "composite" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: check cache id: cache - uses: ubicloud/cache@v4 + uses: ubicloud/cache@0a97811d53629b143a56b3c2b1f729fd11719ef7 # v4 with: path: | ./flow/generated/protos @@ -15,7 +15,7 @@ runs: key: ${{ runner.os }}-build-genprotos-${{ hashFiles('buf.gen.yaml', './protos/peers.proto', './protos/flow.proto', './protos/route.proto') }} - if: steps.cache.outputs.cache-hit != 'true' - uses: bufbuild/buf-action@v1 + uses: bufbuild/buf-action@3fb70352251376e958c4c2c92c3818de82a71c2b # v1 with: setup_only: true github_token: ${{ github.token }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5dbbb4ee97..5c86636ae9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,7 +30,7 @@ jobs: --health-timeout 5s --health-retries 5 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: generate or hydrate protos uses: ./.github/actions/genprotos @@ -42,7 +42,7 @@ jobs: - name: setup gcp service account id: gcp-service-account - uses: jsdaniell/create-json@v1.2.3 + uses: jsdaniell/create-json@b8e77fa01397ca39cc4a6198cc29a3be5481afef # v1.2.3 with: name: "bq_service_account.json" json: ${{ secrets.GCP_GH_CI_PKEY }} 
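Review bot: The trailing comments on the new `uses:` lines in .github/actions/genprotos/action.yml name a moving major tag (`# v4`), so they do not record which release the SHA corresponds to. A reviewer or update bot cannot check the pin against a release without resolving the hash by hand. I would write the exact release instead, e.g. `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # vX.Y.Z` (placeholder for the release that SHA was taken from). The same applies to the `# v3`, `# v1`, `# v2`, `# v5`, `# v0` and `# v6` comments in the other workflow hunks; the `# v1.2.3` and `# v0.1.4` comments are already exact.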
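Review bot: With `setup_only: true` the bufbuild/buf-action step exists to install the buf CLI, and no `version:` input appears in the visible part of its `with:` block, so pinning the action may still leave the installed buf release floating. The block may continue past the end of the hunk, so this needs checking against the full file. If it is not set, add `version: "X.Y.Z"` (placeholder for the buf release the protos are generated with), so that the output cached under `./flow/generated/protos` comes from a known tool version.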
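Review bot: The `jsdaniell/create-json` steps are where the pin matters most, because this third-party action is handed raw credentials (`secrets.GCP_GH_CI_PKEY` here, and the Snowflake, S3, GCS and Eventhubs secrets in the later ci.yml, cleanup.yml and flow.yml hunks), yet nothing on the line says so. I would add a comment above each such step, along the lines of `# third-party action that receives the raw key: review the diff before bumping this SHA`. That way a later automated bump of the hash is not merged as routine. The pin stops a retargeted tag, but it does not change the fact that the action's code sees the secret, so the pinned commit itself presumably deserves a one-off read.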
@@ -50,13 +50,13 @@ jobs: - name: setup snowflake credentials id: sf-credentials - uses: jsdaniell/create-json@v1.2.3 + uses: jsdaniell/create-json@b8e77fa01397ca39cc4a6198cc29a3be5481afef # v1.2.3 with: name: "snowflake_creds.json" json: ${{ secrets.SNOWFLAKE_GH_CI_PKEY }} dir: "nexus/server/tests/assets/" - - uses: ubicloud/rust-cache@v2 + - uses: ubicloud/rust-cache@69587b2b3f26e8938580c44a643d265ed12f3119 # v2 with: workspaces: nexus diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml index 5897eae7fd..9471872f6b 100644 --- a/.github/workflows/cleanup.yml +++ b/.github/workflows/cleanup.yml @@ -10,9 +10,9 @@ jobs: timeout-minutes: 60 steps: - name: checkout sources - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: ubicloud/setup-go@v5 + - uses: ubicloud/setup-go@35680fe0723d4a9309d4b1ac1c67e0d46eac5f24 # v5 with: go-version: '1.23.0' cache-dependency-path: e2e_cleanup/go.sum @@ -24,28 +24,28 @@ jobs: - name: setup gcp service account id: gcp-service-account - uses: jsdaniell/create-json@v1.2.3 + uses: jsdaniell/create-json@b8e77fa01397ca39cc4a6198cc29a3be5481afef # v1.2.3 with: name: "bq_service_account.json" json: ${{ secrets.GCP_GH_CI_PKEY }} - name: setup snowflake credentials id: sf-credentials - uses: jsdaniell/create-json@v1.2.3 + uses: jsdaniell/create-json@b8e77fa01397ca39cc4a6198cc29a3be5481afef # v1.2.3 with: name: "snowflake_creds.json" json: ${{ secrets.SNOWFLAKE_GH_CI_PKEY }} - name: setup S3 credentials id: s3-credentials - uses: jsdaniell/create-json@v1.2.3 + uses: jsdaniell/create-json@b8e77fa01397ca39cc4a6198cc29a3be5481afef # v1.2.3 with: name: "s3_creds.json" json: ${{ secrets.S3_CREDS }} - name: setup GCS credentials id: gcs-credentials - uses: jsdaniell/create-json@v1.2.3 + uses: jsdaniell/create-json@b8e77fa01397ca39cc4a6198cc29a3be5481afef # v1.2.3 with: name: "gcs_creds.json" json: ${{ secrets.GCS_CREDS }} 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 5de1d92c40..303066f119 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -34,7 +34,7 @@ jobs: build-mode: none steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: generate or hydrate protos uses: ./.github/actions/genprotos @@ -47,12 +47,12 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/customer-docker.yml b/.github/workflows/customer-docker.yml index 8278ec3d27..67145512af 100644 --- a/.github/workflows/customer-docker.yml +++ b/.github/workflows/customer-docker.yml @@ -18,15 +18,15 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: generate or hydrate protos uses: ./.github/actions/genprotos - - uses: depot/setup-action@v1 + - uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 with: registry: ghcr.io username: ${{github.actor}} 
@@ -42,7 +42,7 @@ jobs: echo "branch=$(echo $GITHUB_REF | sed -e 's/.*customer-//')" >> $GITHUB_OUTPUT - name: Build (optionally publish) PeerDB Images - uses: depot/bake-action@v1 + uses: depot/bake-action@143e50b965398f1f5dc8463be7dde6f62b9e9c21 # v1 with: token: ${{ secrets.DEPOT_TOKEN }} files: ./docker-bake.hcl diff --git a/.github/workflows/dev-docker.yml b/.github/workflows/dev-docker.yml index 6011ec4ab4..275ad28b77 100644 --- a/.github/workflows/dev-docker.yml +++ b/.github/workflows/dev-docker.yml @@ -17,15 +17,15 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: generate or hydrate protos uses: ./.github/actions/genprotos - - uses: depot/setup-action@v1 + - uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 with: registry: ghcr.io username: ${{github.actor}} @@ -36,7 +36,7 @@ jobs: run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - name: Build (optionally publish) PeerDB Images - uses: depot/bake-action@v1 + uses: depot/bake-action@143e50b965398f1f5dc8463be7dde6f62b9e9c21 # v1 with: token: ${{ secrets.DEPOT_TOKEN }} files: ./docker-bake.hcl diff --git a/.github/workflows/flow-api-client.yml b/.github/workflows/flow-api-client.yml index 046b377db7..5e373b2d66 100644 --- a/.github/workflows/flow-api-client.yml +++ b/.github/workflows/flow-api-client.yml @@ -9,7 +9,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: generate or hydrate protos uses: ./.github/actions/genprotos diff --git a/.github/workflows/flow.yml b/.github/workflows/flow.yml index d3168e96d8..e794512a04 100644 --- a/.github/workflows/flow.yml +++ b/.github/workflows/flow.yml 
@@ -25,7 +25,7 @@ jobs: POSTGRES_DB: postgres POSTGRES_INITDB_ARGS: --locale=C.UTF-8 elasticsearch: - image: elasticsearch:8.13.0 + image: elasticsearch:8.16.0@sha256:a411f7c17549209c5839b69f929de00bd91f1e2dcf08b65d5f41b122eae17f5e ports: - 9200:9200 env: @@ -33,7 +33,7 @@ jobs: xpack.security.enabled: false xpack.security.enrollment.enabled: false minio: - image: bitnami/minio:2024.11.7 + image: bitnami/minio:2024.11.7@sha256:9f2d9c45006a2ada1bc485e1393291ce7d54ae1a46260dd491381a4eb8b2fd47 ports: - 9999:9999 env: @@ -44,12 +44,12 @@ jobs: MINIO_DEFAULT_BUCKETS: peerdb steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: generate or hydrate protos uses: ./.github/actions/genprotos - - uses: ubicloud/setup-go@v5 + - uses: ubicloud/setup-go@35680fe0723d4a9309d4b1ac1c67e0d46eac5f24 # v5 with: go-version: '1.23.0' cache-dependency-path: flow/go.sum 
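Review bot: The new `elasticsearch` image line adds the digest and also moves the tag from 8.13.0 to 8.16.0, so the service under test changes in a commit that otherwise only pins references. That bump is better made separately, or at least called out in the description. In a `tag@sha256:` reference the digest decides what is pulled and the tag is not checked against it, so on a later edit the tag can drift from the digest unnoticed. A comment such as `# digest is authoritative; change tag and digest together` above this line and the `bitnami/minio` line in the next hunk would help. It is not visible here whether these are multi-arch index digests or single-platform manifests, which is worth confirming against the architecture of the runner this job uses.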
@@ -64,35 +64,35 @@ jobs: - name: setup gcp service account id: gcp-service-account - uses: jsdaniell/create-json@v1.2.3 + uses: jsdaniell/create-json@b8e77fa01397ca39cc4a6198cc29a3be5481afef # v1.2.3 with: name: "bq_service_account.json" json: ${{ secrets.GCP_GH_CI_PKEY }} - name: setup snowflake credentials id: sf-credentials - uses: jsdaniell/create-json@v1.2.3 + uses: jsdaniell/create-json@b8e77fa01397ca39cc4a6198cc29a3be5481afef # v1.2.3 with: name: "snowflake_creds.json" json: ${{ secrets.SNOWFLAKE_GH_CI_PKEY }} - name: setup S3 credentials id: s3-credentials - uses: jsdaniell/create-json@v1.2.3 + uses: jsdaniell/create-json@b8e77fa01397ca39cc4a6198cc29a3be5481afef # v1.2.3 with: name: "s3_creds.json" json: ${{ secrets.S3_CREDS }} - name: setup GCS credentials id: gcs-credentials - uses: jsdaniell/create-json@v1.2.3 + uses: jsdaniell/create-json@b8e77fa01397ca39cc4a6198cc29a3be5481afef # v1.2.3 with: name: "gcs_creds.json" json: ${{ secrets.GCS_CREDS }} - name: setup Eventhubs credentials id: eventhubs-credentials - uses: jsdaniell/create-json@v1.2.3 + uses: jsdaniell/create-json@b8e77fa01397ca39cc4a6198cc29a3be5481afef # v1.2.3 with: name: "eh_creds.json" json: ${{ secrets.EH_CREDS }} @@ -110,11 +110,11 @@ jobs: PGPASSWORD: postgres - name: start redpanda - uses: redpanda-data/github-action@v0.1.4 + uses: redpanda-data/github-action@c68af8edc420b987e871615ca40b3a5dd70eb5b1 # v0.1.4 with: version: "latest" - - uses: ubicloud/cache@v4 + - uses: ubicloud/cache@0a97811d53629b143a56b3c2b1f729fd11719ef7 # v4 id: cache-clickhouse with: path: ./clickhouse @@ -130,7 +130,7 @@ jobs: ./clickhouse server & - name: Install Temporal CLI - uses: temporalio/setup-temporal@v0 + uses: temporalio/setup-temporal@1059a504f87e7fa2f385e3fa40d1aa7e62f1c6ca # v0 - name: run tests run: | diff --git a/.github/workflows/golang-lint.yml b/.github/workflows/golang-lint.yml index aadcfa7a57..2289eeae17 100644 --- a/.github/workflows/golang-lint.yml +++ b/.github/workflows/golang-lint.yml 
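Review bot: In the `start redpanda` step the action is now pinned to a SHA, but the unchanged `version: "latest"` input under it still lets the Redpanda version float between runs. The pin therefore fixes the wrapper and not what the step actually starts. I would replace it with an explicit release, `version: "vX.Y.Z"` (placeholder for the Redpanda release the tests are validated against), to match the digest pinning applied to the elasticsearch and minio services in this file.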
@@ -13,7 +13,7 @@ jobs: name: lint runs-on: [ubicloud-standard-4-ubuntu-2204-arm] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: generate or hydrate protos uses: ./.github/actions/genprotos @@ -22,12 +22,12 @@ jobs: run: | sudo apt-get update sudo apt-get install libgeos-dev - - uses: ubicloud/setup-go@v5 + - uses: ubicloud/setup-go@35680fe0723d4a9309d4b1ac1c67e0d46eac5f24 # v5 with: go-version: '1.23.0' cache: false - name: golangci-lint - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6 with: version: v1.61 working-directory: ./flow diff --git a/.github/workflows/rust-lint.yml b/.github/workflows/rust-lint.yml index b9e43c1a24..c4e2782f1c 100644 --- a/.github/workflows/rust-lint.yml +++ b/.github/workflows/rust-lint.yml @@ -16,7 +16,7 @@ jobs: runner: [ubicloud-standard-4-ubuntu-2204-arm] runs-on: ${{ matrix.runner }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: generate or hydrate protos uses: ./.github/actions/genprotos diff --git a/.github/workflows/stable-docker.yml b/.github/workflows/stable-docker.yml index 9eabbcfb28..0056a7d9c3 100644 --- a/.github/workflows/stable-docker.yml +++ b/.github/workflows/stable-docker.yml 
@@ -15,22 +15,22 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: generate or hydrate protos uses: ./.github/actions/genprotos - - uses: depot/setup-action@v1 + - uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 with: registry: ghcr.io username: ${{github.actor}} password: ${{secrets.GITHUB_TOKEN}} - name: Build (optionally publish) PeerDB Images - uses: depot/bake-action@v1 + uses: depot/bake-action@143e50b965398f1f5dc8463be7dde6f62b9e9c21 # v1 with: token: ${{ secrets.DEPOT_TOKEN }} files: ./docker-bake.hcl diff --git a/.github/workflows/ui-build.yml b/.github/workflows/ui-build.yml index feea1ffda5..7915445feb 100644 --- a/.github/workflows/ui-build.yml +++ b/.github/workflows/ui-build.yml @@ -16,7 +16,7 @@ jobs: runs-on: ${{ matrix.runner }} steps: - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: generate or hydrate protos uses: ./.github/actions/genprotos diff --git a/.github/workflows/ui-lint.yml b/.github/workflows/ui-lint.yml index 31e2340ffb..6fb1f2b827 100644 --- a/.github/workflows/ui-lint.yml +++ b/.github/workflows/ui-lint.yml @@ -20,7 +20,7 @@ jobs: runs-on: ${{ matrix.runner }} steps: - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: generate or hydrate protos uses: ./.github/actions/genprotos @@ -30,7 +30,7 @@ jobs: run: npm ci - name: lint - uses: wearerequired/lint-action@v2 + uses: wearerequired/lint-action@548d8a7c4b04d3553d32ed5b6e91eb171e10e7bb # v2 with: eslint: true prettier: true