From ca58f9f25e1bfc93bb8df86e7055b23e896f7a25 Mon Sep 17 00:00:00 2001 From: Fede Barcelona Date: Tue, 9 Jun 2026 12:10:04 +0200 Subject: [PATCH] ci: pin GitHub Actions to commit SHAs and add pinact --- .github/workflows/publish.yaml | 40 +++++++++++++------------- .github/workflows/pull-request-ci.yaml | 28 +++++++++--------- .github/workflows/stale.yml | 2 +- flake.nix | 5 ++-- justfile | 1 + 5 files changed, 39 insertions(+), 37 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index c15ebb4..6acdd45 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -19,7 +19,7 @@ jobs: new-version: ${{ steps.check.outputs.new_version }} steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-tags: true fetch-depth: 0 @@ -74,17 +74,17 @@ jobs: nix_package: sysdig-mcp-server-image-aarch64 steps: - name: Check out the repo - uses: actions/checkout@v5 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Nix # Pinned to v21 commit SHA for supply-chain safety. # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git - uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21 + uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22 - name: Enable Nix cache # Pinned to v13 commit SHA for supply-chain safety. # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13 + uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14 with: use-flakehub: false 
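Review bot: The new `uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3` line is a major-version jump (v5 → v6) as well as a pin, and the same is true for almost every reference in this patch (docker/* v3/v6 → v4/v7, upload-artifact v5 → v7, download-artifact v6 → v8, actions/stale v9 → v10, action-gh-release v2 → v3), which the subject "pin GitHub Actions to commit SHAs" does not convey. Major releases can change inputs, defaults and runner requirements, so the bumps deserve a sentence in the commit message or a separate commit so that the pin-only part stays reviewable as a pure no-op. The upload-artifact v7 / download-artifact v8 pairing in particular is presumably compatible, but that is worth confirming from their release notes rather than assuming. A description line such as `Also bumps every action to its current major release; pins were taken from the tags listed in the trailing comments.` would make the intent explicit.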
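Review bot: The comment two lines above the new `uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22` line still reads `# Pinned to v21 commit SHA for supply-chain safety.`, and the matching `# Pinned to v13 commit SHA …` comment sits above the new magic-nix-cache-action `# v14` pin; the same stale pair recurs in the `@@ -197` and `@@ -249` hunks of publish.yaml and the `@@ -22` and `@@ -75` hunks of pull-request-ci.yaml. The `# To update: git ls-remote …` instruction is also superseded by the pinact recipe this commit adds to the justfile, so a reader following the comment would bypass the tool that maintains the `# vNN` trailer. Suggest a version-agnostic comment so it cannot drift again: `# Pinned to a commit SHA for supply-chain safety; the trailing comment records the tag.` and `# To update: just update (runs pinact run -u).`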
@@ -97,10 +97,10 @@ jobs: echo "FROM base" > /tmp/Dockerfile.push - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -108,7 +108,7 @@ jobs: - name: Push image by digest id: push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: file: /tmp/Dockerfile.push build-contexts: | @@ -124,7 +124,7 @@ jobs: touch "/tmp/digests/${digest#sha256:}" - name: Upload digest - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: digests-${{ matrix.arch }} path: /tmp/digests/* @@ -142,17 +142,17 @@ jobs: REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server steps: - name: Download digests - uses: actions/download-artifact@v6 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: /tmp/digests pattern: digests-* merge-multiple: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ github.actor }} 
@@ -197,17 +197,17 @@ jobs: - { goos: windows, goarch: "386", ext: zip } steps: - name: Check out the repo - uses: actions/checkout@v5 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Nix # Pinned to v21 commit SHA for supply-chain safety. # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git - uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21 + uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22 - name: Enable Nix cache # Pinned to v13 commit SHA for supply-chain safety. # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13 + uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14 with: use-flakehub: false @@ -226,7 +226,7 @@ jobs: fi - name: Upload artifact - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: binary-${{ matrix.goos }}-${{ matrix.goarch }} path: sysdig-mcp-server_${{ matrix.goos }}-${{ matrix.goarch }}.${{ matrix.ext }} @@ -241,7 +241,7 @@ jobs: permissions: contents: write # Required for release creation steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 fetch-tags: true 
@@ -249,12 +249,12 @@ jobs: - name: Install Nix # Pinned to v21 commit SHA for supply-chain safety. # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git - uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21 + uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22 - name: Enable Nix cache # Pinned to v13 commit SHA for supply-chain safety. # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13 + uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14 with: use-flakehub: false @@ -268,7 +268,7 @@ jobs: run: git-chglog -c .github/git-chglog/config.yml -o RELEASE_CHANGELOG.md $(git describe --tags $(git rev-list --tags --max-count=1)) - name: Download binary artifacts - uses: actions/download-artifact@v6 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: /tmp/binaries pattern: binary-* @@ -279,7 +279,7 @@ jobs: run: sha256sum * > checksums.txt - name: Create release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 with: name: ${{ needs.get-newer-version.outputs.new-version }} tag_name: ${{ needs.get-newer-version.outputs.new-version }} diff --git a/.github/workflows/pull-request-ci.yaml b/.github/workflows/pull-request-ci.yaml index 1e4aa79..19b9f25 100644 --- a/.github/workflows/pull-request-ci.yaml +++ b/.github/workflows/pull-request-ci.yaml 
@@ -22,17 +22,17 @@ jobs: shell: nix develop --command bash {0} steps: - name: Check out the repo - uses: actions/checkout@v5 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Nix # Pinned to v21 commit SHA for supply-chain safety. # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git - uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21 + uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22 - name: Enable Nix cache # Pinned to v13 commit SHA for supply-chain safety. # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13 + uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14 with: use-flakehub: false @@ -67,7 +67,7 @@ jobs: nix_package: sysdig-mcp-server-image-aarch64 steps: - name: Check out the repo - uses: actions/checkout@v5 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.sha }} fetch-depth: "0" @@ -75,12 +75,12 @@ jobs: - name: Install Nix # Pinned to v21 commit SHA for supply-chain safety. # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git - uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21 + uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22 - name: Enable Nix cache # Pinned to v13 commit SHA for supply-chain safety. # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13 + uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14 with: use-flakehub: false 
@@ -98,7 +98,7 @@ jobs: run: docker run --rm "${{ steps.load.outputs.image_tag }}" --help | grep "Sysdig MCP Server" - name: Scan Docker image - uses: sysdiglabs/scan-action@v6 + uses: sysdiglabs/scan-action@607e6bc13f737906e66e81d98e74a69cf356af08 # v6.3.6 with: image-tag: ${{ steps.load.outputs.image_tag }} sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }} @@ -112,10 +112,10 @@ jobs: echo "FROM base" > /tmp/Dockerfile.push - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -123,7 +123,7 @@ jobs: - name: Push image by digest id: push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: file: /tmp/Dockerfile.push build-contexts: | @@ -139,7 +139,7 @@ jobs: touch "/tmp/digests/${digest#sha256:}" - name: Upload digest - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: digests-${{ matrix.arch }} path: /tmp/digests/* @@ -158,17 +158,17 @@ jobs: REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server steps: - name: Download digests - uses: actions/download-artifact@v6 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: /tmp/digests pattern: digests-* merge-multiple: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ github.actor }} 
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index aade114..2a60c0e 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -11,7 +11,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v9 + - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0 with: stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' diff --git a/flake.nix b/flake.nix index b50ae00..acbedfc 100644 --- a/flake.nix +++ b/flake.nix @@ -52,15 +52,16 @@ packages = [ ginkgo go_1_26 - govulncheck gofumpt golangci-lint + govulncheck just mockgen nix-prefetch-docker + pinact pre-commit - skopeo sd + skopeo ]; shellHook = '' pre-commit install diff --git a/justfile b/justfile index b2f8b21..796e0f6 100644 --- a/justfile +++ b/justfile @@ -39,6 +39,7 @@ update: nix develop --command go get -u -t -v ./... nix develop --command go mod tidy nix develop --command just rehash-package-nix + nix develop --command pinact run -u nix develop --command pre-commit autoupdate nix develop --command just update-base-images
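Review bot: The added `nix develop --command pinact run -u` line keeps the pins fresh locally, but nothing in the workflows verifies them, so a pull request that reintroduces a mutable `@vN` reference, or edits a SHA without touching its `# vX.Y.Z` comment, would still pass CI. Since pull-request-ci.yaml already runs its steps under `nix develop` and pinact is now in the dev shell, a step such as `run: pinact run --verify` (or pinact's non-mutating check mode) would fail the job on a mismatched or unpinned reference; confirm the exact flag against the pinact version that the flake resolves to. Note also that `-u` moves every action to its latest release, so the output of `just update` should be reviewed as a dependency update rather than as a cosmetic pin refresh.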