ci: pin remaining GitHub Actions to commit SHAs#3639
Ankitsinghsisodya wants to merge 1 commit into knative:main from
…ability
- Updated actions/checkout to a specific commit for version control.
- Updated knative/actions/setup-go to a specific commit for stability.
- Updated various actions (setup-python, setup-node, setup-java, setup-rust, codecov-action, upload-artifact) to specific commits to ensure reproducibility.
- Adjusted reusable workflows in knative-go-build, knative-go-test, knative-security, knative-stale, knative-style, and knative-verify to point to specific versions.

This change enhances the reliability of CI/CD processes by avoiding unexpected behavior from upstream changes.

[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: Ankitsinghsisodya
The full list of commands accepted by this bot can be found here.
Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing

Hi @Ankitsinghsisodya. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with
Tip: We noticed you've done this a few times! Consider joining the org to skip this step and gain
Once the patch is verified, the new status will be reflected by the
I understand the commands that are listed here.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Pull request overview
Pins GitHub Actions uses: references in this repository’s workflows to immutable 40-character commit SHAs to improve CI supply-chain security and align with the goal in #3638.
Changes:
- Replaced semver tags (e.g. `@v4`, `@v5`) and `@main` workflow/action references with full commit SHAs across `.github/workflows/`.
- Added trailing comments to indicate the prior ref/version for each pinned action/workflow.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/update-springboot-platform.yaml | Pin action refs (checkout/setup-go/setup-node/setup-java) to SHAs. |
| .github/workflows/update-quarkus-platform.yaml | Pin action refs (checkout/setup-go/setup-node/setup-java) to SHAs. |
| .github/workflows/update-python-platform.yaml | Pin action refs (checkout/setup-go/setup-python/create-pull-request) to SHAs. |
| .github/workflows/update-ca-bundle.yaml | Pin checkout and setup-node to SHAs. |
| .github/workflows/update-builder.yaml | Pin checkout/setup-go and docker/setup-qemu-action to SHAs. |
| .github/workflows/test-podman-next.yaml | Pin free-disk-space/checkout/setup-go/upload-artifact to SHAs. |
| .github/workflows/knative-verify.yaml | Pin reusable workflow reference to a SHA. |
| .github/workflows/knative-style.yaml | Pin reusable workflow reference to a SHA. |
| .github/workflows/knative-stale.yaml | Pin reusable workflow reference to a SHA. |
| .github/workflows/knative-security.yaml | Pin reusable workflow reference to a SHA. |
| .github/workflows/knative-go-test.yaml | Pin reusable workflow reference to a SHA. |
| .github/workflows/knative-go-build.yaml | Pin reusable workflow reference to a SHA. |
| .github/workflows/functions.yaml | Pin many action refs (checkout/setup-* /codecov/upload-artifact/docker/*/attest/provenance/setup-ko/etc.) to SHAs. |
| style: | ||
| uses: knative/actions/.github/workflows/reusable-style.yaml@main | ||
| uses: knative/actions/.github/workflows/reusable-style.yaml@070cec11bae3af991b75abdd1fc7e0944dee70c3 # knative@070cec1 |
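Review bot: the trailing `# knative@070cec1` comment is now the only record of what this pin means, and nothing in the hunk keeps it current; because this reusable workflow previously tracked `@main`, the pin freezes the repository at one commit of knative/actions and it will no longer pick up fixes on its own. Pair the pin with an automated updater (for example Dependabot's `github-actions` ecosystem, which bumps SHA pins and rewrites the version comment), and confirm at review time that 070cec11bae3af991b75abdd1fc7e0944dee70c3 is the commit `main` pointed at when the pin was taken.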
This workflow file is labeled as being auto-synced by knobots. If that sync is still active, this pinned SHA change will be overwritten and the supply-chain hardening won’t stick. Please apply the pin in the upstream knobots/.github source (or update the sync process) as well.
| stale: | ||
| uses: knative/actions/.github/workflows/reusable-stale.yaml@main | ||
| uses: knative/actions/.github/workflows/reusable-stale.yaml@070cec11bae3af991b75abdd1fc7e0944dee70c3 # knative@070cec1 |
This file indicates it is auto-synced from knobots. If the sync runs, local edits (including this pinned SHA) will be overwritten. Please ensure the pin is made in the upstream source workflow/template (or adjust the sync) so it remains effective.
| jobs: | ||
| analyze: | ||
| uses: knative/actions/.github/workflows/reusable-security.yaml@main | ||
| uses: knative/actions/.github/workflows/reusable-security.yaml@070cec11bae3af991b75abdd1fc7e0944dee70c3 # knative@070cec1 |
This workflow is marked as knobots-synced. If the sync process is still enabled, this pinned uses: ref will be overwritten on the next sync. Please update the upstream knobots/.github source (or the sync configuration) so the pin persists.
| uses: knative/actions/.github/workflows/reusable-security.yaml@070cec11bae3af991b75abdd1fc7e0944dee70c3 # knative@070cec1 | |
| uses: knative/actions/.github/workflows/reusable-security.yaml@main |
| jobs: | ||
| test: | ||
| uses: knative/actions/.github/workflows/reusable-go-test.yaml@main | ||
| uses: knative/actions/.github/workflows/reusable-go-test.yaml@070cec11bae3af991b75abdd1fc7e0944dee70c3 # knative@070cec1 |
This workflow file is flagged as auto-synced by knobots. If the sync runs, this pinned SHA update may be reverted, undermining the goal of pinning all uses: refs. Please make the corresponding pin change in the upstream source templates (or update/disable the sync).
| jobs: | ||
| build: | ||
| uses: knative/actions/.github/workflows/reusable-go-build.yaml@main | ||
| uses: knative/actions/.github/workflows/reusable-go-build.yaml@070cec11bae3af991b75abdd1fc7e0944dee70c3 # knative@070cec1 |
This workflow is labeled as being synced in by knobots. If that automation is active, this pin change can be overwritten. Please update the upstream workflow/template that knobots syncs from (or adjust the sync process) to make the pin durable.
| jobs: | ||
| verify: | ||
| uses: knative/actions/.github/workflows/reusable-verify-codegen.yaml@main | ||
| uses: knative/actions/.github/workflows/reusable-verify-codegen.yaml@070cec11bae3af991b75abdd1fc7e0944dee70c3 # knative@070cec1 |
This workflow is marked as auto-synced by knobots and “will be overwritten”. Updating the pinned uses: ref here may be reverted by the next sync, leaving the repo still effectively unpinned. Please make the same pin change in the upstream source repo/templates (or adjust/disable the sync) so it persists.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files:
@@ Coverage Diff @@
## main #3639 +/- ##
==========================================
+ Coverage 56.26% 58.35% +2.09%
==========================================
Files 180 179 -1
Lines 20522 20565 +43
==========================================
+ Hits 11546 12000 +454
+ Misses 7774 7358 -416
- Partials 1202 1207 +5
Flags with carried forward coverage won't be shown.
Changes
- `uses:` in `.github/workflows/` to a full 40-character commit SHA, with a short comment (e.g. `# v4`, `# knative@abc1234`) for the previous tag or `main` ref.
- `actions/*`, `codecov/*`, `docker/*`, `imjasonh/setup-ko`, `peter-evans/create-pull-request`, `endersonmenezes/free-disk-space`, `actions-rust-lang/setup-rust-toolchain`, and all `knative/actions` setup-go and reusable workflow references that previously used `@main` or semver tags.

/kind cleanup

Fixes #3638
References
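A check for the invariant this PR establishes, added here as an example that is not part of the PR or the knative repository: it scans workflow text for `uses:` references that are not pinned to a full 40-hex commit SHA with a trailing version comment, which is the kind of CI step that would catch a knobots sync silently reverting a pin as the review comments above warn. The sample workflow text is constructed; only the reusable-style.yaml line reuses the SHA from the diff.

```python
import re

# Added example (not from PR #3639 or knative): verify that every `uses:`
# in workflow text is pinned to a 40-hex commit SHA with a version comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s+#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_pins(workflow_text):
    """Return (line_no, ref, reason) for each `uses:` that is not pinned to a
    40-hex SHA with a trailing comment. Local (./) and docker:// refs skip."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((n, ref, "missing @ref"))
            continue
        target = ref.rsplit("@", 1)[1]
        if not SHA_RE.match(target):
            findings.append((n, ref, "not a 40-hex commit SHA"))
        elif not m.group("comment"):
            findings.append((n, ref, "SHA pin without version comment"))
    return findings


# Constructed sample: the PR's pinned form plus refs the check should flag.
SAMPLE = """\
jobs:
  style:
    uses: knative/actions/.github/workflows/reusable-style.yaml@070cec11bae3af991b75abdd1fc7e0944dee70c3 # knative@070cec1
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for line_no, ref, reason in check_pins(SAMPLE):
        print(f"line {line_no}: {ref}: {reason}")
```

Run against the real tree with `check_pins(open(path).read())` for each file under `.github/workflows/` and fail the job when the list is non-empty.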