diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml index 1a5ec0ddaba..5cd9fc0b5e9 100644 --- a/.github/workflows/beta.yml +++ b/.github/workflows/beta.yml @@ -23,7 +23,7 @@ jobs: - 6379:6379 steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive diff --git a/.github/workflows/build_binary.yml b/.github/workflows/build_binary.yml index 1932c08295c..4b198d78657 100644 --- a/.github/workflows/build_binary.yml +++ b/.github/workflows/build_binary.yml @@ -26,7 +26,7 @@ jobs: apt-get update apt-get install -y --no-install-recommends git ca-certificates gcc libc6-dev curl make zip - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -50,7 +50,7 @@ jobs: zip relay-Linux-x86_64-debug.zip relay.debug mv relay relay-Linux-x86_64 - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-linux path: target/release/relay-Linux-x86_64* @@ -66,7 +66,7 @@ jobs: runs-on: ubuntu-22.04-arm steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -85,7 +85,7 @@ jobs: zip relay-Linux-aarch64-debug.zip relay.debug mv relay relay-Linux-aarch64 - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-linux-aarch64 path: target/release/relay-Linux-aarch64* @@ -100,7 +100,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -118,7 +118,7 @@ jobs: mv relay relay-Darwin-x86_64 zip -r relay-Darwin-x86_64-dsym.zip relay.dSYM - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-macos path: target/release/relay-Darwin-x86_64* @@ -133,7 +133,7 @@ jobs: runs-on: windows-2022 steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -150,7 +150,7 @@ jobs: 7z a relay-Windows-x86_64-pdb.zip relay.pdb mv relay.exe relay-Windows-x86_64.exe - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-windows path: target/release/relay-Windows-x86_64* @@ -167,7 +167,7 @@ jobs: # there cannot be mutliple upload-artifacts with the same name, in a sha's workflow runs. # However in this case it is fine because this only runs on release/** branches, # and the other runs on release-library/** branches. - - uses: actions/upload-artifact/merge@v7 + - uses: actions/upload-artifact/merge@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: # Craft expects release assets to be a single artifact named after the sha. name: ${{ github.sha }} diff --git a/.github/workflows/build_library.yml b/.github/workflows/build_library.yml index 4f76feccefa..52789b064a5 100644 --- a/.github/workflows/build_library.yml +++ b/.github/workflows/build_library.yml @@ -28,7 +28,7 @@ jobs: }')[matrix.build-arch] }} steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -37,7 +37,7 @@ jobs: env: TARGET: ${{ matrix.build-arch }} - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 - name: Verify Wheel run: | @@ -48,7 +48,7 @@ jobs: python tools/verify_wheel.py dist/*.whl working-directory: py - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-linux-${{ matrix.build-arch }} path: py/dist/* @@ -70,7 +70,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -104,7 +104,7 @@ jobs: # consumed by cargo and setup.py to obtain the target dir CARGO_BUILD_TARGET: ${{ matrix.target }} - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-macos-${{ matrix.py-platform }} path: py/dist/* @@ -117,7 +117,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -136,7 +136,7 @@ jobs: run: python setup.py sdist working-directory: py - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-sdist path: py/dist/* @@ -153,7 +153,7 @@ jobs: # there cannot be mutliple upload-artifacts with the same name, in a sha's workflow runs. # However in this case it is fine because this only runs on release-library/** branches, # and the other runs on release/** branches. - - uses: actions/upload-artifact/merge@v7 + - uses: actions/upload-artifact/merge@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: # Craft expects release assets to be a single artifact named after the sha. name: ${{ github.sha }} diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index c3f45fc3625..f79a8ba19cf 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -13,7 +13,7 @@ jobs: name: Changelogs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6eb7ad80c35..c8f2784c371 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -50,7 +50,7 @@ jobs: - name: Setup SSH agent if: env.SSH_PRIVATE_KEY != '' - uses: webfactory/ssh-agent@v0.10.0 + uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 with: ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} @@ -59,7 +59,7 @@ jobs: rustup toolchain install stable --profile minimal --no-self-update rustup component add clippy rustfmt rust-docs --toolchain stable - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -107,14 +107,14 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --component clippy --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -128,7 +128,7 @@ jobs: outputs: devservices-files-changed: ${{ steps.changes.outputs.devservices-files-changed }} steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 name: Check for file changes id: changes @@ -157,20 +157,20 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/')" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Setup SSH agent if: env.SSH_PRIVATE_KEY != '' - uses: webfactory/ssh-agent@v0.10.0 + uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 with: ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -218,20 +218,20 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Setup SSH agent if: env.SSH_PRIVATE_KEY != '' - uses: webfactory/ssh-agent@v0.10.0 + uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 with: ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -249,14 +249,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -364,12 +364,12 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - - uses: dtolnay/rust-toolchain@stable - - uses: swatinem/rust-cache@v2 + - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: "${{ github.job }}-${{ matrix.target }}-${{ matrix.image_name }}" @@ -392,7 +392,7 @@ jobs: cp "${RELAY_BIN}"{,-debug.zip,.src.zip} "artifacts/${DOCKER_PLATFORM}" - name: Upload Artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: retention-days: 1 name: ${{ matrix.image_name }}@${{ matrix.target }} @@ -440,17 +440,17 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: "${{ github.job }}-${{ matrix.target }}-${{ matrix.image_name }}" - - uses: webfactory/ssh-agent@v0.10.0 + - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 with: ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} @@ -478,7 +478,7 @@ jobs: done - name: Upload Artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: retention-days: 1 name: internal-${{ matrix.image_name }}@${{ matrix.target }} @@ -505,12 +505,12 @@ jobs: REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: docker/setup-qemu-action@v4 - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 + - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: "${{ matrix.image_name }}@*" merge-multiple: true @@ -542,7 +542,7 @@ jobs: - name: Upload docker image if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: retention-days: 1 name: ${{ matrix.image_name }}-docker-image @@ -571,15 +571,15 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: docker/setup-qemu-action@v4 - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 + - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 # Logic taken from: publish-to-gcr - name: Google Auth id: auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 with: workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com @@ -589,7 +589,7 @@ jobs: gcloud auth configure-docker us-central1-docker.pkg.dev # Logic taken from: build-docker - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: "internal-${{ matrix.image_name }}@*" merge-multiple: true @@ -646,13 +646,13 @@ jobs: steps: - name: Google Auth id: auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 with: workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com - name: "Set up Cloud SDK" - uses: "google-github-actions/setup-gcloud@v3" + uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3 with: # https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation # You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools. @@ -693,7 +693,7 @@ jobs: steps: - name: Google Auth id: auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 with: workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com @@ -703,13 +703,13 @@ jobs: gcloud auth configure-docker us-central1-docker.pkg.dev - name: "Set up Cloud SDK" - uses: "google-github-actions/setup-gcloud@v3" + uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3 with: # https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation # You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools. version: ">= 390.0.0" - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: "internal-${{ matrix.image_name }}@*" merge-multiple: true @@ -785,21 +785,21 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} cache-on-failure: "true" - name: Setup SSH agent if: env.SSH_PRIVATE_KEY != '' - uses: webfactory/ssh-agent@v0.10.0 + uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 with: ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} @@ -834,7 +834,7 @@ jobs: steps: # Checkout Sentry and run integration tests against latest Relay - name: Checkout Sentry - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: getsentry/sentry path: sentry @@ -858,7 +858,7 @@ jobs: - name: Download Docker Image if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: relay-docker-image @@ -886,7 +886,7 @@ jobs: steps: - name: Run Sentry self-hosted e2e CI - uses: getsentry/self-hosted@master + uses: getsentry/self-hosted@master # can't be pinned (drift), also trusted with: project_name: relay image_url: ghcr.io/getsentry/relay:${{ github.event.pull_request.head.sha || github.sha }} @@ -904,7 +904,7 @@ jobs: needs: devservices-files-changed if: needs.devservices-files-changed.outputs.devservices-files-changed == 'true' steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 name: Checkout repository - name: Get devservices version diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index dd479c89753..5b46d89d9cd 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -28,14 +28,14 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --component rust-docs --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -48,7 +48,7 @@ jobs: - name: Deploy if: github.ref == 'refs/heads/master' - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@e9c66a37f080288a11235e32cbe2dc5fb3a679cc # v4 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: target/doc @@ -58,12 +58,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml index 46f9c13c11d..d9278b0094f 100644 --- a/.github/workflows/enforce-license-compliance.yml +++ b/.github/workflows/enforce-license-compliance.yml @@ -20,6 +20,6 @@ jobs: runs-on: ubuntu-latest steps: - name: "Enforce License Compliance" - uses: getsentry/action-enforce-license-compliance@main + uses: getsentry/action-enforce-license-compliance@48236a773346cb6552a7bda1ee370d2797365d87 # main with: fossa_api_key: ${{ secrets.FOSSA_API_KEY }} diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index efc0d914227..969d1e0ce74 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml @@ -28,13 +28,13 @@ jobs: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/action-prepare-release@v1 + uses: getsentry/action-prepare-release@c8e1c2009ab08259029170132c384f03c1064c0e # v1 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index 3d2bdcb9175..df80631dd44 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml @@ -23,13 +23,13 @@ jobs: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/action-prepare-release@v1 + uses: getsentry/action-prepare-release@c8e1c2009ab08259029170132c384f03c1064c0e # v1 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: diff --git a/.github/workflows/validate-pipelines.yml b/.github/workflows/validate-pipelines.yml index f70cc7562a9..a8ba74e0cf7 100644 --- a/.github/workflows/validate-pipelines.yml +++ b/.github/workflows/validate-pipelines.yml @@ -21,7 +21,7 @@ jobs: outputs: gocd: ${{ steps.changes.outputs.gocd }} steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Check for relevant file changes uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: changes @@ -43,21 +43,21 @@ jobs: id-token: "write" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - id: 'auth' - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 with: workload_identity_provider: 'projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool' service_account: 'gha-gocd-api@sac-prod-sa.iam.gserviceaccount.com' token_format: 'id_token' id_token_audience: '610575311308-9bsjtgqg4jm01mt058rncpopujgk3627.apps.googleusercontent.com' id_token_include_email: true - - uses: getsentry/action-gocd-jsonnet@v1 + - uses: getsentry/action-gocd-jsonnet@2a32414fa9e58a46d1afea9cbfa7b77a928678e2 # v1 with: jb-install: true jsonnet-dir: gocd/templates generated-dir: gocd/generated-pipelines - - uses: getsentry/action-validate-gocd-pipelines@v1 + - uses: getsentry/action-validate-gocd-pipelines@80fde540c1403d52e17783368930fa28bd93447f # v1 with: configrepo: relay__master gocd_access_token: ${{ secrets.GOCD_ACCESS_TOKEN }}