From e304212664c0e617a956ba06f2a2c5a8288aaec8 Mon Sep 17 00:00:00 2001 From: Florencio Cano Gabarda Date: Thu, 7 May 2026 11:13:30 +0200 Subject: [PATCH] chore(ci): pin all GitHub Actions to SHA digests Replace all mutable version tag references across 23 workflow files with immutable SHA digests. Retains the version tag as an inline comment for human readability and because it's a Dependabot requirement. Pinning to immutable SHAs eliminates the risk of a compromised or reassigned upstream tag injecting malicious code into CI runs. Pinned actions: - actions/checkout@v6 => de0fac2e4500dabe0009e67214ff5f5447ce83dd - actions/checkout@v4 => 34e114876b0b11c390a56381ad16ebd13914f8d5 - actions/github-script@v9 => 373c709c69115d41ff229c7e5df9f8788daa9553 - actions/setup-node@v6 => 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e - docker/login-action@v4 => 4907a6ddec9925e35a0a9e82d7399ccc52663121 - actions/upload-artifact@v7 => 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a - actions/download-artifact@v4 => d3f86a106a0bac45b974a628896c90dbdf5c8093 - softprops/action-gh-release@v2 => 3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 - actions/attest@v4 => 281a49d4cbb0a72c9575a50d18f6deb515a11deb Dependabot will keep these pins current via the github-actions ecosystem config added in #1188. 
Signed-off-by: Florencio Cano Gabarda
Co-authored-by: Cursor
---
.github/workflows/branch-checks.yml | 12 ++--
.github/workflows/branch-docs.yml | 4 +-
.github/workflows/branch-e2e.yml | 2 +-
.github/workflows/ci-image.yml | 6 +-
.github/workflows/deb-package.yml | 10 ++--
.github/workflows/docker-build.yml | 4 +-
.github/workflows/driver-vm-linux.yml | 10 ++--
.github/workflows/driver-vm-macos.yml | 16 ++---
.github/workflows/e2e-gpu-test.yaml | 2 +-
.github/workflows/e2e-test.yml | 2 +-
.github/workflows/issue-triage.yml | 4 +-
.github/workflows/release-auto-tag.yml | 2 +-
.github/workflows/release-canary.yml | 2 +-
.github/workflows/release-dev.yml | 54 ++++++++---------
.github/workflows/release-tag.yml | 58 +++++++++----------
.github/workflows/release-vm-kernel.yml | 26 ++++-----
.github/workflows/rpm-package.yml | 4 +-
.../workflows/shadow-rust-native-build.yml | 4 +-
.github/workflows/shadow-shared-cpu-spike.yml | 2 +-
.github/workflows/test-gpu.yml | 2 +-
.github/workflows/test-install.yml | 2 +-
.github/workflows/vouch-check.yml | 4 +-
.github/workflows/vouch-command.yml | 2 +-
23 files changed, 117 insertions(+), 117 deletions(-)
diff --git a/.github/workflows/branch-checks.yml b/.github/workflows/branch-checks.yml
index abbcef423..b863741b0 100644
--- a/.github/workflows/branch-checks.yml
+++ b/.github/workflows/branch-checks.yml
@@ -30,7 +30,7 @@ jobs:
outputs:
should_run: ${{ steps.gate.outputs.should_run }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- id: gate
uses: ./.github/actions/pr-gate
@@ -46,7 +46,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Mark workspace as safe for git
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
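Review bot: The `uses: ./.github/actions/pr-gate` step in the @@ -30 hunk points at a local composite action that this commit does not touch, and the diffstat above lists only `.github/workflows/*` files, so any third-party `uses:` inside `.github/actions/*/action.yml` is presumably still on a mutable tag and sits outside the pinning this commit claims for "all GitHub Actions". As documented for the github-actions ecosystem, Dependabot with `directory: "/"` scans only `.github/workflows`; each composite action directory (e.g. `/.github/actions/pr-gate`) needs its own `directory` entry in `dependabot.yml` for its pins to be kept current by the #1188 config. The commit message also lists `actions/checkout@v4 => 34e114876…`, but none of the 23 sections below changes a `@v4` checkout — it may live in one of those composite actions, or the list is stale; worth reconciling before merge.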
@@ -70,7 +70,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install tools
run: mise install --locked
@@ -95,7 +95,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install tools
run: mise install --locked
@@ -148,7 +148,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install tools
run: mise install --locked
@@ -173,7 +173,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install tools
run: mise install --locked
diff --git a/.github/workflows/branch-docs.yml b/.github/workflows/branch-docs.yml
index 1368bc775..3b2a4099e 100644
--- a/.github/workflows/branch-docs.yml
+++ b/.github/workflows/branch-docs.yml
@@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Check Fern preview availability
id: fern-preview
@@ -34,7 +34,7 @@ jobs:
fi
- name: Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: "24"
diff --git a/.github/workflows/branch-e2e.yml b/.github/workflows/branch-e2e.yml
index 3d8dd5928..49f9ddb03 100644
--- a/.github/workflows/branch-e2e.yml
+++ b/.github/workflows/branch-e2e.yml
@@ -18,7 +18,7 @@ jobs:
outputs:
should_run: ${{ steps.gate.outputs.should_run }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- id: gate
uses: ./.github/actions/pr-gate
with:
diff --git a/.github/workflows/ci-image.yml b/.github/workflows/ci-image.yml
index db98022d5..4e594ea37 100644
--- a/.github/workflows/ci-image.yml
+++ b/.github/workflows/ci-image.yml
@@ -35,10 +35,10 @@ jobs:
runs-on: ${{ matrix.runner }}
timeout-minutes: 60
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Log in to GitHub Container Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
@@ -92,7 +92,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Log in to GitHub Container Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
diff --git a/.github/workflows/deb-package.yml b/.github/workflows/deb-package.yml
index 72628a23a..6ae6127a4 100644
--- a/.github/workflows/deb-package.yml
+++ b/.github/workflows/deb-package.yml
@@ -42,24 +42,24 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs['checkout-ref'] }}
- name: Download CLI artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: cli-linux-${{ matrix.arch }}
path: package-input/
- name: Download gateway artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: gateway-binary-linux-${{ matrix.arch }}
path: package-input/
- name: Download VM driver artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: driver-vm-linux-${{ matrix.arch }}
path: package-input/
@@ -85,7 +85,7 @@ jobs:
tasks/scripts/package-deb.sh
- name: Upload Debian package artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: deb-linux-${{ matrix.arch }}
path: artifacts/*.deb
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 3b3aa1cb8..24342470d 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -179,7 +179,7 @@ jobs:
DOCKER_PUSH: ${{ inputs.push && '1' || '0' }}
DOCKER_PLATFORM: ${{ matrix.platform }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
@@ -200,7 +200,7 @@ jobs:
buildkitd-config: /etc/buildkit/buildkitd.toml
- name: Download Rust binary artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: ${{ needs.resolve.outputs.artifact_prefix }}-linux-${{ matrix.arch }}
path: prebuilt-rust-binary
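Review bot: The checkout in the deb-package @@ -42 hunk keeps `actions/checkout`'s default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is written into `.git/config` in the workspace even though the steps visible here only download artifacts and run `tasks/scripts/package-deb.sh`; add `persist-credentials: false` under `with:` next to `ref:` so the packaging script and anything it shells out to cannot read the token from the checkout. The same default applies to every checkout pinned in this commit and is independent of the SHA pin, which only fixes which code runs, not what it can reach. Separately, `ref: ${{ inputs['checkout-ref'] }}` checks out whatever ref the caller passes and then runs build scripts from it with `secrets.GITHUB_TOKEN` in scope; the `workflow_call` trigger and its callers are outside this hunk, so I cannot tell whether a fork-controlled ref can reach this job — worth confirming.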
diff --git a/.github/workflows/driver-vm-linux.yml b/.github/workflows/driver-vm-linux.yml
index 42632c5d1..53cdb6587 100644
--- a/.github/workflows/driver-vm-linux.yml
+++ b/.github/workflows/driver-vm-linux.yml
@@ -32,7 +32,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs['checkout-ref'] }}
@@ -66,7 +66,7 @@ jobs:
done
- name: Upload runtime artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: vm-driver-kernel-runtime-tarballs
path: runtime-artifacts/vm-runtime-*.tar.zst
@@ -100,7 +100,7 @@ jobs:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs['checkout-ref'] }}
fetch-depth: 0
@@ -125,7 +125,7 @@ jobs:
run: apt-get update && apt-get install -y --no-install-recommends zstd && rm -rf /var/lib/apt/lists/*
- name: Download kernel runtime tarball
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: vm-driver-kernel-runtime-tarballs
path: runtime-download/
@@ -202,7 +202,7 @@ jobs:
-C target/release openshell-driver-vm
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: driver-vm-linux-${{ matrix.arch }}
path: artifacts/*.tar.gz
diff --git a/.github/workflows/driver-vm-macos.yml b/.github/workflows/driver-vm-macos.yml
index 5b2bac927..fb09ddd03 100644
--- a/.github/workflows/driver-vm-macos.yml
+++ b/.github/workflows/driver-vm-macos.yml
@@ -32,7 +32,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs['checkout-ref'] }}
@@ -60,7 +60,7 @@ jobs:
run: test -f runtime-artifacts/vm-runtime-darwin-aarch64.tar.zst
- name: Upload runtime artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: vm-driver-macos-kernel-runtime-tarball
path: runtime-artifacts/vm-runtime-darwin-aarch64.tar.zst
@@ -79,7 +79,7 @@ jobs:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs['checkout-ref'] }}
fetch-depth: 0
@@ -113,7 +113,7 @@ jobs:
run: mise x -- sccache --show-stats
- name: Upload supervisor bundle
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: driver-vm-supervisor-arm64
path: target/vm-runtime-compressed/openshell-sandbox.zst
@@ -135,7 +135,7 @@ jobs:
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs['checkout-ref'] }}
fetch-depth: 0
@@ -158,7 +158,7 @@ jobs:
run: apt-get update && apt-get install -y --no-install-recommends zstd && rm -rf /var/lib/apt/lists/*
- name: Download kernel runtime tarball
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: vm-driver-macos-kernel-runtime-tarball
path: runtime-download/
@@ -187,7 +187,7 @@ jobs:
ls -lah "$COMPRESSED_DIR"
- name: Download bundled supervisor
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: driver-vm-supervisor-arm64
path: target/vm-runtime-compressed-macos/
@@ -230,7 +230,7 @@ jobs:
ls -lh artifacts/
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: driver-vm-macos
path: artifacts/*.tar.gz
diff --git a/.github/workflows/e2e-gpu-test.yaml b/.github/workflows/e2e-gpu-test.yaml
index 6a296f5e3..2e4a5a4fc 100644
--- a/.github/workflows/e2e-gpu-test.yaml
+++ b/.github/workflows/e2e-gpu-test.yaml
@@ -55,7 +55,7 @@ jobs:
OPENSHELL_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
OPENSHELL_GATEWAY: ${{ matrix.cluster }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Log in to GHCR
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
index e8e03799e..022b957ad 100644
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -53,7 +53,7 @@ jobs:
OPENSHELL_REGISTRY_USERNAME: ${{ github.actor }}
OPENSHELL_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install OS test dependencies
if: matrix.apt_packages != ''
diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
index b59d8ba34..5aec0a15e 100644
--- a/.github/workflows/issue-triage.yml
+++ b/.github/workflows/issue-triage.yml
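Review bot: The `Log in to GHCR` step in the e2e-gpu-test @@ -55 hunk still logs in through a shell `run:` that expands `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` straight into the command text, while ci-image.yml in this same commit does the identical login through the now-pinned `docker/login-action`. Expanding contexts inside `run:` is the pattern GitHub's hardening guidance says to avoid — pass them through `env:` so the shell sees a variable rather than interpolated text; `github.actor` is low-risk in practice, but the inconsistency between the two workflows is what the next reviewer will trip over. Either switch the step to `docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4` with `registry: ghcr.io`, as ci-image does, or at least move the two contexts into `env:` as below.
```yaml
- name: Log in to GHCR
  env:
    GHCR_USER: ${{ github.actor }}
    GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin
```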
@@ -14,7 +14,7 @@ jobs:
steps:
- name: Check contributor permissions
id: contributor
- uses: actions/github-script@v9
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
with:
result-encoding: string
script: |
@@ -46,7 +46,7 @@ jobs:
- name: Add triage label
if: steps.contributor.outputs.result == 'true'
- uses: actions/github-script@v9
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
with:
script: |
await github.rest.issues.addLabels({
diff --git a/.github/workflows/release-auto-tag.yml b/.github/workflows/release-auto-tag.yml
index f89c506d7..2b10a5b6e 100644
--- a/.github/workflows/release-auto-tag.yml
+++ b/.github/workflows/release-auto-tag.yml
@@ -20,7 +20,7 @@ jobs:
create-tag:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
diff --git a/.github/workflows/release-canary.yml b/.github/workflows/release-canary.yml
index 8f7284aab..be8a1c3a2 100644
--- a/.github/workflows/release-canary.yml
+++ b/.github/workflows/release-canary.yml
@@ -177,7 +177,7 @@ jobs:
# to advertise a reachable address instead.
OPENSHELL_GATEWAY_HOST: host.docker.internal
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Determine release tag
id: release
diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml
index dfafc43e1..3c85a8eee 100644
--- a/.github/workflows/release-dev.yml
+++ b/.github/workflows/release-dev.yml
@@ -33,7 +33,7 @@ jobs:
rpm_version: ${{ steps.v.outputs.rpm_version }}
rpm_release: ${{ steps.v.outputs.rpm_release }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
@@ -130,7 +130,7 @@ jobs:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENSHELL_IMAGE_TAG: dev
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
@@ -154,7 +154,7 @@ jobs:
ls -la ${{ matrix.output_path }}
- name: Upload wheel artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: python-wheels-${{ matrix.artifact }}
path: ${{ matrix.output_path }}
@@ -177,7 +177,7 @@ jobs:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENSHELL_IMAGE_TAG: dev
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
@@ -202,7 +202,7 @@ jobs:
ls -la target/wheels/*.whl
- name: Upload wheel artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: python-wheels-macos
path: target/wheels/*.whl
@@ -240,7 +240,7 @@ jobs:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENSHELL_IMAGE_TAG: dev
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
@@ -316,7 +316,7 @@ jobs:
ls -lh artifacts/
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: cli-linux-${{ matrix.arch }}
path: artifacts/*.tar.gz
@@ -341,7 +341,7 @@ jobs:
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
@@ -380,7 +380,7 @@ jobs:
ls -lh artifacts/
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: cli-macos
path: artifacts/*.tar.gz
@@ -412,7 +412,7 @@ jobs:
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
@@ -463,7 +463,7 @@ jobs:
ls -lh artifacts/
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: gateway-binary-linux-${{ matrix.arch }}
path: artifacts/*.tar.gz
@@ -488,7 +488,7 @@ jobs:
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
@@ -531,7 +531,7 @@ jobs:
ls -lh artifacts/
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: gateway-binary-macos
path: artifacts/*.tar.gz
@@ -563,7 +563,7 @@ jobs:
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
@@ -614,7 +614,7 @@ jobs:
ls -lh artifacts/
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: supervisor-binary-linux-${{ matrix.arch }}
path: artifacts/*.tar.gz
@@ -676,52 +676,52 @@ jobs:
outputs:
wheel_filenames: ${{ steps.wheel_filenames.outputs.wheel_filenames }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Download all CLI artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: cli-*
path: release/
merge-multiple: true
- name: Download gateway binary artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: gateway-binary-*
path: release/
merge-multiple: true
- name: Download supervisor binary artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: supervisor-binary-*
path: release/
merge-multiple: true
- name: Download VM driver artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: driver-vm-*
path: release/
merge-multiple: true
- name: Download wheel artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: python-wheels-*
path: release/
merge-multiple: true
- name: Download Debian package artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: deb-linux-*
path: release/
merge-multiple: true
- name: Download RPM package artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: rpm-linux-*
path: release/
@@ -795,7 +795,7 @@ jobs:
cat release/openshell.rb
- name: Attest VM driver artifacts
- uses: actions/attest@v4
+ uses: actions/attest@281a49d4cbb0a72c9575a50d18f6deb515a11deb # v4
with:
subject-path: |
release/openshell-driver-vm-x86_64-unknown-linux-gnu.tar.gz
@@ -803,7 +803,7 @@ jobs:
release/openshell-driver-vm-aarch64-apple-darwin.tar.gz
- name: Prune managed assets from dev release
- uses: actions/github-script@v9
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
with:
script: |
const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
@@ -858,7 +858,7 @@ jobs:
git push --force origin dev
- name: Create / update GitHub Release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
with:
name: OpenShell Development Build
prerelease: true
@@ -904,7 +904,7 @@ jobs:
permissions:
packages: write
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: ./.github/actions/release-helm-oci
with:
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index 8a3aa7ae5..1f4e0bace 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -46,7 +46,7 @@ jobs:
# Semver without 'v' prefix (e.g. 0.6.0), used for image tags and release body
semver: ${{ steps.v.outputs.semver }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.tag || github.ref }}
fetch-depth: 0
@@ -150,7 +150,7 @@ jobs:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENSHELL_IMAGE_TAG: ${{ needs.compute-versions.outputs.semver }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.tag || github.ref }}
fetch-depth: 0
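Review bot: The `# v2` comment on the `softprops/action-gh-release` pin in the release-dev @@ -858 hunk (like the `# v4` / `# v9` comments throughout this commit) records only the major tag, so someone auditing the release job cannot tell which upstream release `3bb12739…` corresponds to without resolving the SHA, and cannot match it against an advisory. Record the full tag the SHA was taken from, e.g. `# v2.x.y`; it costs nothing and Dependabot rewrites the comment on each bump anyway. This is a third-party (non-`actions/`) action running in both release-dev and release-tag with the permissions needed to publish releases, so it is the pin most worth being precise about. I cannot verify from the diff that any of the SHAs actually resolve to the stated tags, so that check (e.g. `git ls-remote` against each upstream) should be part of the review rather than assumed.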
@@ -175,7 +175,7 @@ jobs:
ls -la ${{ matrix.output_path }}
- name: Upload wheel artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: python-wheels-${{ matrix.artifact }}
path: ${{ matrix.output_path }}
@@ -198,7 +198,7 @@ jobs:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENSHELL_IMAGE_TAG: ${{ needs.compute-versions.outputs.semver }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.tag || github.ref }}
fetch-depth: 0
@@ -224,7 +224,7 @@ jobs:
ls -la target/wheels/*.whl
- name: Upload wheel artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: python-wheels-macos
path: target/wheels/*.whl
@@ -262,7 +262,7 @@ jobs:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENSHELL_IMAGE_TAG: ${{ needs.compute-versions.outputs.semver }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.tag || github.ref }}
fetch-depth: 0
@@ -339,7 +339,7 @@ jobs:
ls -lh artifacts/
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: cli-linux-${{ matrix.arch }}
path: artifacts/*.tar.gz
@@ -364,7 +364,7 @@ jobs:
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.tag || github.ref }}
fetch-depth: 0
@@ -404,7 +404,7 @@ jobs:
ls -lh artifacts/
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: cli-macos
path: artifacts/*.tar.gz
@@ -436,7 +436,7 @@ jobs:
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.tag || github.ref }}
fetch-depth: 0
@@ -488,7 +488,7 @@ jobs:
ls -lh artifacts/
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: gateway-binary-linux-${{ matrix.arch }}
path: artifacts/*.tar.gz
@@ -520,7 +520,7 @@ jobs:
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.tag || github.ref }}
fetch-depth: 0
@@ -572,7 +572,7 @@ jobs:
ls -lh artifacts/
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: supervisor-binary-linux-${{ matrix.arch }}
path: artifacts/*.tar.gz
@@ -597,7 +597,7 @@ jobs:
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.tag || github.ref }}
fetch-depth: 0
@@ -641,7 +641,7 @@ jobs:
ls -lh artifacts/
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: gateway-binary-macos
path: artifacts/*.tar.gz
@@ -703,54 +703,54 @@ jobs:
outputs:
wheel_filenames: ${{ steps.wheel_filenames.outputs.wheel_filenames }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.tag || github.ref }}
- name: Download all CLI artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: cli-*
path: release/
merge-multiple: true
- name: Download gateway binary artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: gateway-binary-*
path: release/
merge-multiple: true
- name: Download supervisor binary artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: supervisor-binary-*
path: release/
merge-multiple: true
- name: Download VM driver artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: driver-vm-*
path: release/
merge-multiple: true
- name: Download wheel artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: python-wheels-*
path: release/
merge-multiple: true
- name: Download Debian package artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: deb-linux-*
path: release/
merge-multiple: true
- name: Download RPM package artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: rpm-linux-*
path: release/
@@ -799,7 +799,7 @@ jobs:
cat release/openshell.rb
- name: Attest VM driver artifacts
- uses: actions/attest@v4
+ uses: actions/attest@281a49d4cbb0a72c9575a50d18f6deb515a11deb # v4
with:
subject-path: |
release/openshell-driver-vm-x86_64-unknown-linux-gnu.tar.gz
@@ -807,7 +807,7 @@ jobs:
release/openshell-driver-vm-aarch64-apple-darwin.tar.gz
- name: Prune removed VM checksum asset
- uses: actions/github-script@v9
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
with:
script: |
const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
@@ -829,7 +829,7 @@ jobs:
}
- name: Create GitHub Release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
with:
name: OpenShell ${{ env.RELEASE_TAG }}
prerelease: false
@@ -870,12 +870,12 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.tag || github.ref }}
- name: Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: "24"
@@ -898,7 +898,7 @@ jobs:
permissions:
packages: write
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.tag || github.ref }}
diff --git a/.github/workflows/release-vm-kernel.yml b/.github/workflows/release-vm-kernel.yml
index 5216a79c7..a7ae20475 100644
--- a/.github/workflows/release-vm-kernel.yml
+++ b/.github/workflows/release-vm-kernel.yml
@@ -47,7 +47,7 @@ jobs:
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Mark workspace safe for git
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
@@ -63,7 +63,7 @@ jobs:
--output artifacts/vm-runtime-linux-aarch64.tar.zst
- name: Upload runtime artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: vm-runtime-linux-arm64
path: artifacts/vm-runtime-linux-aarch64.tar.zst
@@ -73,7 +73,7 @@ jobs:
# the aarch64 Linux kernel as a byte array — it is OS-agnostic and can
# be compiled into a .dylib by Apple's cc without rebuilding the kernel.
- name: Upload kernel.c for macOS build
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: kernel-c-arm64
path: |
@@ -97,7 +97,7 @@ jobs:
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Mark workspace safe for git
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
@@ -113,7 +113,7 @@ jobs:
--output artifacts/vm-runtime-linux-x86_64.tar.zst
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: vm-runtime-linux-amd64
path: artifacts/vm-runtime-linux-x86_64.tar.zst
@@ -130,7 +130,7 @@ jobs:
env:
RUSTC_WRAPPER: ""
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install dependencies
run: |
@@ -140,7 +140,7 @@ jobs:
brew install lld dtc xz
- name: Download pre-built kernel.c
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: kernel-c-arm64
path: target/kernel-artifact
@@ -156,7 +156,7 @@ jobs:
--output artifacts/vm-runtime-darwin-aarch64.tar.zst
- name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: vm-runtime-macos-arm64
path: artifacts/vm-runtime-darwin-aarch64.tar.zst
@@ -176,17 +176,17 @@ jobs:
attestations: write
artifact-metadata: write
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Download all runtime artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: vm-runtime-*
path: release/
merge-multiple: true
- name: Attest VM runtime artifacts
- uses: actions/attest@v4
+ uses: actions/attest@281a49d4cbb0a72c9575a50d18f6deb515a11deb # v4
with:
subject-path: |
release/vm-runtime-linux-aarch64.tar.zst
@@ -201,7 +201,7 @@ jobs:
git push --force origin vm-runtime
- name: Prune stale runtime assets from vm-runtime release
- uses: actions/github-script@v9
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
with:
script: |
const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
@@ -224,7 +224,7 @@ jobs:
}
- name: Create / update vm-runtime GitHub Release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
with:
name: OpenShell VM Runtime
prerelease: true
diff --git a/.github/workflows/rpm-package.yml b/.github/workflows/rpm-package.yml
index e0607c3ff..e96b19958 100644
--- a/.github/workflows/rpm-package.yml
+++ b/.github/workflows/rpm-package.yml
@@ -54,7 +54,7 @@ jobs:
pandoc python3-devel git-core \
cargo-rpm-macros
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.checkout-ref }}
fetch-depth: 0
@@ -87,7 +87,7 @@ jobs:
 ls -lah artifacts/
 - name: Upload RPM artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: rpm-linux-${{ matrix.arch }}
 path: artifacts/*.rpm
diff --git a/.github/workflows/shadow-rust-native-build.yml b/.github/workflows/shadow-rust-native-build.yml
index 245167a52..e948817a4 100644
--- a/.github/workflows/shadow-rust-native-build.yml
+++ b/.github/workflows/shadow-rust-native-build.yml
@@ -111,7 +111,7 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
@@ -235,7 +235,7 @@ jobs:
 ls -lh "$STAGE/"
 - name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: ${{ inputs['artifact-name'] != '' && inputs['artifact-name'] || format('rust-binary-{0}-linux-{1}', inputs.component, inputs.arch) }}
 path: prebuilt-binaries/${{ inputs.arch }}/${{ steps.target.outputs.binary }}
diff --git a/.github/workflows/shadow-shared-cpu-spike.yml b/.github/workflows/shadow-shared-cpu-spike.yml
index 5a072c8e1..f3f8e06f0 100644
--- a/.github/workflows/shadow-shared-cpu-spike.yml
+++ b/.github/workflows/shadow-shared-cpu-spike.yml
@@ -46,7 +46,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 timeout-minutes: 60
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Install tools
 run: mise install
diff --git a/.github/workflows/test-gpu.yml b/.github/workflows/test-gpu.yml
index 4721c9750..5597ed915 100644
--- a/.github/workflows/test-gpu.yml
+++ b/.github/workflows/test-gpu.yml
@@ -19,7 +19,7 @@ jobs:
 outputs:
 should_run: ${{ steps.gate.outputs.should_run }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - id: gate
 uses: ./.github/actions/pr-gate
 with:
diff --git a/.github/workflows/test-install.yml b/.github/workflows/test-install.yml
index 06b1e007f..f53fb63d4 100644
--- a/.github/workflows/test-install.yml
+++ b/.github/workflows/test-install.yml
@@ -41,7 +41,7 @@ jobs:
 install: fish
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Install ${{ matrix.shell }}
 if: matrix.install
diff --git a/.github/workflows/vouch-check.yml b/.github/workflows/vouch-check.yml
index db7a540eb..287dd0a32 100644
--- a/.github/workflows/vouch-check.yml
+++ b/.github/workflows/vouch-check.yml
@@ -18,7 +18,7 @@ jobs:
 - name: Check org membership
 id: org-check
 if: env.ORG_READ_TOKEN != ''
- uses: actions/github-script@v9
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
 with:
 github-token: ${{ secrets.ORG_READ_TOKEN }}
 result-encoding: string
@@ -42,7 +42,7 @@ jobs:
 - name: Check if contributor is vouched
 if: steps.org-check.outputs.result != 'skip'
- uses: actions/github-script@v9
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
 with:
 script: |
 const author = context.payload.pull_request.user.login;
diff --git a/.github/workflows/vouch-command.yml b/.github/workflows/vouch-command.yml
index 309a4ae36..e047e759f 100644
--- a/.github/workflows/vouch-command.yml
+++ b/.github/workflows/vouch-command.yml
@@ -20,7 +20,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Process /vouch command
- uses: actions/github-script@v9
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
 with:
 script: |
 const commenter = context.payload.comment.user.login;
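Review bot: The step directly after the newly pinned checkout still runs `uses: ./.github/actions/pr-gate`, a local composite action that this commit does not touch (only `.github/workflows/*` files appear in the diffstat). If that composite, or any other under `.github/actions/`, itself references third-party actions by tag, those references remain mutable and the pin sweep is incomplete for this job — the same concern applies wherever other workflows in this commit call local composite actions. Worth confirming those files and, if needed, extending both the SHA pinning and the Dependabot coverage to the composite-action directories. The enclosing job definition starts before the hunk.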
