From fb34708717506c2be2787f940e31876e7963550f Mon Sep 17 00:00:00 2001 From: Daniel Wagner Date: Thu, 26 Feb 2026 15:13:21 +0000 Subject: [PATCH] build: pin all GitHub Actions to SHA of latest release version Replace mutable version tags (e.g. @v6) with the commit SHA of the latest release in each major version series, keeping the tag as a trailing comment for readability. This prevents a compromised or moved tag from silently changing what code executes in CI. While at it, replace the unmaintained mosteo-actions/docker-run action with a direct docker run command. Signed-off-by: Daniel Wagner --- .github/workflows/build.yml | 43 +++++++++----------- .github/workflows/checkpatch.yml | 4 +- .github/workflows/codeql.yml | 8 ++-- .github/workflows/coverage.yml | 4 +- .github/workflows/coverity.yml | 4 +- .github/workflows/docs.yaml | 2 +- .github/workflows/libnvme-release-python.yml | 16 ++++---- .github/workflows/libnvme-release.yml | 4 +- .github/workflows/release.yml | 4 +- .github/workflows/run-nightly-tests.yml | 2 +- .github/workflows/upload.yml | 12 +++--- 11 files changed, 50 insertions(+), 53 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 812063b289..bc9d1a036c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,13 +19,13 @@ jobs: container: image: ghcr.io/linux-nvme/debian.python:latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mark repo as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: build run: | scripts/build.sh -b ${{ matrix.buildtype }} -c ${{ matrix.compiler }} -x - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 name: upload logs if: failure() with: @@ -42,13 +42,13 @@ jobs: container: image: ghcr.io/linux-nvme/debian.python:latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mark repo as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: build run: | scripts/build.sh -b ${{ matrix.buildtype }} -c ${{ matrix.compiler }} -x libnvme - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 name: upload logs if: failure() with: @@ -65,27 +65,24 @@ jobs: - arch: s390x - arch: ppc64le steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: enable foreign arch - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: compile and run unit tests - uses: mosteo-actions/docker-run@v2 - with: - image: ghcr.io/linux-nvme/ubuntu-cross-${{ matrix.arch }}:latest - guest-dir: /build - host-dir: ${{ github.workspace }} - command: | - git config --global --add safe.directory /build - scripts/build.sh -b release -c gcc -t ${{ matrix.arch }} cross - params: "--platform linux/amd64" - pull-params: "--platform linux/amd64" - - uses: actions/upload-artifact@v6 + run: | + docker run --rm \ + --platform linux/amd64 \ + -v "${{ github.workspace }}:/build" \ + -w /build \ + ghcr.io/linux-nvme/ubuntu-cross-${{ matrix.arch }}:latest \ + sh -c "git config --global --add safe.directory /build && scripts/build.sh -b release -c gcc -t ${{ matrix.arch }} cross" + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 name: upload logs if: failure() with: @@ -100,13 +97,13 @@ jobs: image: ghcr.io/linux-nvme/debian:latest if: github.ref == 'refs/heads/master' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mark repo as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: build run: | scripts/build.sh -b release -c gcc fallback - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: failure() with: name: log files @@ -119,7 +116,7 @@ jobs: container: image: ghcr.io/linux-nvme/debian:latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mark repo as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: build @@ -132,7 +129,7 @@ jobs: container: image: ghcr.io/linux-nvme/debian:latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mark repo as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: build @@ -145,7 +142,7 @@ jobs: container: image: ghcr.io/linux-nvme/debian:latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mark repo as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: build diff --git a/.github/workflows/checkpatch.yml b/.github/workflows/checkpatch.yml index 36fe9cea84..3253f6e83a 100644 --- a/.github/workflows/checkpatch.yml +++ b/.github/workflows/checkpatch.yml @@ -7,9 +7,9 @@ jobs: steps: - name: 'Calculate PR commits + 1' run: echo "PR_FETCH_DEPTH=$(( ${{ github.event.pull_request.commits }} + 1 ))" >> $GITHUB_ENV - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - name: Run checkpatch review - uses: webispy/checkpatch-action@v9 + uses: webispy/checkpatch-action@58374fe5bb03358b23d3d6871e2ff290ce77fcd2 # v9 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d4b70b5b7c..8b328e948f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mark repo as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" @@ -52,13 +52,13 @@ jobs: # Initializes the CodeQL tools for scanning. - if: matrix.language == 'c-cpp' name: Initialize CodeQL C - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 with: languages: 'c-cpp' - if: matrix.language == 'python' name: Initialize CodeQL Python - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 with: languages: 'python' config-file: ./.github/codeql/codeql-config.yml @@ -69,6 +69,6 @@ jobs: ninja -C .build - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 8db680bdb6..3f6dc138eb 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -14,13 +14,13 @@ jobs: container: image: ghcr.io/linux-nvme/debian.python:latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mark repo as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: build run: | scripts/build.sh coverage - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 with: token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: false diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index cd3cf07251..3bbcf764cd 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -20,7 +20,7 @@ jobs: container: image: ghcr.io/linux-nvme/debian.python:latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.event.inputs.ref || github.ref }} fetch-depth: 0 @@ -67,7 +67,7 @@ jobs: --form description="Automated Coverity Scan from ${{ github.event_name }}" \ https://scan.coverity.com/builds?project=linux-nvme%2Fnvme-cli - - uses: actions/upload-artifact@v5 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 name: upload coverity artifacts if: failure() with: diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index e08532a586..465f4e13e1 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -20,7 +20,7 @@ jobs: container: image: ghcr.io/linux-nvme/debian:latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mark repo as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: build diff --git a/.github/workflows/libnvme-release-python.yml b/.github/workflows/libnvme-release-python.yml index a426c216a1..f6fec38fda 100644 --- a/.github/workflows/libnvme-release-python.yml +++ b/.github/workflows/libnvme-release-python.yml @@ -21,7 +21,7 @@ jobs: container: image: ghcr.io/linux-nvme/debian.python:latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Allow workspace run: | @@ -35,7 +35,7 @@ jobs: run: | pipx run twine check dist/*.tar.gz - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: path: dist/*.tar.gz retention-days: 5 @@ -49,7 +49,7 @@ jobs: image: ghcr.io/linux-nvme/debian.python:latest steps: - name: Check out repository (with tags) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Required for `git describe` @@ -93,7 +93,7 @@ jobs: run: | pipx run twine check dist/*.tar.gz - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: test_pypi path: dist/*.tar.gz @@ -109,13 +109,13 @@ jobs: id-token: write if: github.repository == 'linux-nvme/nvme-cli' steps: - - uses: actions/download-artifact@v7 + - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: test_pypi path: dist - name: Publish package to TestPyPI - uses: pypa/gh-action-pypi-publish@v1.13.0 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: repository-url: https://test.pypi.org/legacy/ @@ -137,12 +137,12 @@ jobs: fi - name: Download artifiact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 if: steps.check-tag.outputs.match == 'true' with: name: artifact path: dist - name: Publish package to PyPI - uses: pypa/gh-action-pypi-publish@v1.13.0 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 if: steps.check-tag.outputs.match == 'true' diff --git a/.github/workflows/libnvme-release.yml b/.github/workflows/libnvme-release.yml index 9a87819799..e7a93ca957 100644 --- a/.github/workflows/libnvme-release.yml +++ b/.github/workflows/libnvme-release.yml @@ -14,9 +14,9 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mark repo as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - - uses: ncipollo/release-action@v1 + - uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 81b89b9714..ed67280f76 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,9 +14,9 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mark repo as safe for git run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - - uses: ncipollo/release-action@v1 + - uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/run-nightly-tests.yml b/.github/workflows/run-nightly-tests.yml index 14bf54c19f..d2f21a4a22 100644 --- a/.github/workflows/run-nightly-tests.yml +++ b/.github/workflows/run-nightly-tests.yml @@ -11,7 +11,7 @@ jobs: if: ${{ github.event_name == 'workflow_dispatch' || github.repository == 'linux-nvme/nvme-cli' }} runs-on: arc-vm-nvme-cli steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: "linux-blktests/blktests-ci" #We don't have to build the kernel here, as we have a cron job running on diff --git a/.github/workflows/upload.yml b/.github/workflows/upload.yml index 8db1e55e28..48cc75b02b 100644 --- a/.github/workflows/upload.yml +++ b/.github/workflows/upload.yml @@ -15,7 +15,7 @@ jobs: outputs: VERSION: ${{ steps.build.outputs.VERSION }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -37,7 +37,7 @@ jobs: cp .build-ci/nvme "upload/nvme-cli-${VERSION}-x86_64" fi - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 name: upload artifacts to github with: name: nvme-cli @@ -49,13 +49,13 @@ jobs: needs: build-static if: ${{ github.event_name == 'push' || github.event_name == 'release' }} steps: - - uses: actions/download-artifact@v7 + - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: nvme-cli path: upload - name: FTP Deployer - uses: sand4rt/ftp-deployer@v1.8 + uses: sand4rt/ftp-deployer@518beaad91d1b18fd55a69321de7ed89080d2ae3 # v1.8 with: sftp: true host: ${{ secrets.SFTP_SERVER }} @@ -76,12 +76,12 @@ jobs: VERSION: ${{ needs.build-static.outputs.VERSION }} if: ${{ github.event_name == 'release' }} steps: - - uses: actions/download-artifact@v7 + - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: nvme-cli path: upload - name: upload versioned binary - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 with: upload_url: ${{ github.event.release.upload_url }} asset_path: upload/nvme-cli-${{ env.VERSION }}-x86_64