From aa38d8ba60d181a97b275cd6ecce455aec27e34f Mon Sep 17 00:00:00 2001
From: Joshua Li
Date: Mon, 23 Mar 2026 12:59:02 -0700
Subject: [PATCH] chore: pin GitHub Actions to full-length commit SHAs
---
.github/workflows/admin-sourcemaps.yml | 6 +--
.github/workflows/bump-version.yml | 2 +-
.github/workflows/ci.yml | 62 ++++++++++++------------
.github/workflows/codeql-analysis.yml | 8 +--
.github/workflows/ddl-changes.yml | 6 +--
.github/workflows/dependency-review.yml | 4 +-
.github/workflows/docs-pr.yml | 2 +-
.github/workflows/docs.yml | 6 +--
.github/workflows/image.yml | 16 +++---
.github/workflows/labeler.yml | 2 +-
.github/workflows/release.yml | 6 +--
.github/workflows/validate-pipelines.yml | 10 ++--
12 files changed, 65 insertions(+), 65 deletions(-)
diff --git a/.github/workflows/admin-sourcemaps.yml b/.github/workflows/admin-sourcemaps.yml
index d34365f7b9d..d70724f4582 100644
--- a/.github/workflows/admin-sourcemaps.yml
+++ b/.github/workflows/admin-sourcemaps.yml
@@ -9,12 +9,12 @@ jobs:
env:
SENTRY_AUTH_TOKEN: ${{ secrets.SNUBA_SENTRY_SOURCEMAP_KEY }}
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout code
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: 3.8
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
node-version-file: snuba/admin/package.json
- name: Build admin sourcemaps
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 6969349ce1f..0414969e60c 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
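Review bot: `python-version: 3.8` in the context of the admin-sourcemaps hunk is an unquoted float; it round-trips as `3.8` today, but the same line becomes `3.1` the day it is bumped to `3.10`, and a SHA-pinning sweep is a natural moment to harden it. Quote it while touching this step, `python-version: "3.8"`. The three pins added in this hunk are otherwise consistent with the rest of the patch.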
@@ -29,7 +29,7 @@ jobs:
bump-version:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
token: ${{ secrets.GETSENTRY_BOT_REVERT_TOKEN }}
- uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ed0c7d55294..75114c7f9cc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
api_changes: ${{ steps.changes.outputs.api_changes }}
devservices_changes: ${{ steps.changes.outputs.devservices_changes }}
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Check for backend file changes
uses: getsentry/paths-filter@66f7f1844185eb7fb6738ea4ea59d74bb99199e5 # v2
@@ -29,7 +29,7 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout code
- uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
@@ -49,7 +49,7 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout code
- name: Internal github app token
id: token
@@ -71,7 +71,7 @@ jobs:
# NOTE: can't pass --only-dev yet since we're missing some mypy stub packages
install-cmd: uv sync --frozen --active
- - uses: actions/cache@v5
+ - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: ~/.cache/pre-commit
key: cache-epoch-1|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml', 'uv.lock') }}
@@ -79,7 +79,7 @@ jobs:
- name: Setup pre-commit
run: pre-commit install-hooks
- - uses: getsentry/paths-filter@v2
+ - uses: getsentry/paths-filter@66f7f1844185eb7fb6738ea4ea59d74bb99199e5 # v2
id: files
with:
# Enable listing of files matching each filter.
@@ -106,7 +106,7 @@ jobs:
# If working tree is dirty, commit and update if we have a token
- name: Apply any pre-commit fixed files
if: steps.token.outcome == 'success' && github.ref != 'refs/heads/master' && always()
- uses: getsentry/action-github-commit@v2.1.0
+ uses: getsentry/action-github-commit@5972d5f578ad77306063449e718c0c2a6fbc4ae1 # v2.1.0
with:
github-token: ${{ steps.token.outputs.token }}
@@ -115,13 +115,13 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout code
- name: Install protoc
- uses: arduino/setup-protoc@v3
+ uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
with:
components: rustfmt
- name: Run linter
@@ -133,7 +133,7 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout code
- uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
@@ -159,7 +159,7 @@ jobs:
branch: ${{ steps.branch.outputs.branch }}
steps:
- name: Checkout code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Get branch name
id: branch
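Review bot: The `getsentry/paths-filter` pin added here, `66f7f1844185eb7fb6738ea4ea59d74bb99199e5 # v2`, matches the `files-changed` job earlier in ci.yml but not validate-pipelines.yml later in this patch, which keeps the same action at `4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1`. Two different commits of one action in one repository means two trust decisions and two separate update cycles, and the `# v2` trailer does not say which release the SHA was taken from. Pick one SHA and one trailer for this action repo-wide, preferably the exact release tag rather than the floating major, so automated bumps keep them in lockstep. The validate-pipelines line is unchanged by this commit, so the reconciliation can go either direction.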
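Review bot: `dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable` in the `@@ -115` hunk may change what the step installs, not just how the action is fetched: this action reads the toolchain channel from its own ref when no `toolchain` input is given, so replacing `@stable` with a SHA leaves it nothing to infer from and, as far as I can tell from the action's documented inputs, it will fail or need the channel stated explicitly. Add `toolchain: stable` under the existing `with:` next to `components: rustfmt` so the previous behaviour is preserved. The `# stable` trailer also names a moving tag rather than a release; a dated trailer such as `# stable (snapshot YYYY-MM-DD)` (placeholder) tells a reader what the pin actually captured.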
@@ -184,7 +184,7 @@ jobs:
# otherwise third-party contributors would have to provide a working,
# authenticated GHCR, which seems impossible to ensure in the general
# case.
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
with:
name: snuba-ci
path: /tmp/snuba-ci.tar
@@ -196,11 +196,11 @@ jobs:
timeout-minutes: 15
steps:
- name: Checkout code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Restore Docker dependency image cache
id: cache-restore
- uses: actions/cache/restore@v5
+ uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: /tmp/docker-deps
key: docker-deps-${{ hashFiles('docker-compose.gcb.yml') }}-${{ github.run_id }}
@@ -233,7 +233,7 @@ jobs:
- name: Save Docker dependency image cache
if: steps.load-pull.outputs.pulled == '1'
- uses: actions/cache/save@v5
+ uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: /tmp/docker-deps
key: docker-deps-${{ hashFiles('docker-compose.gcb.yml') }}-${{ github.run_id }}
@@ -254,10 +254,10 @@ jobs:
]
steps:
- name: Checkout code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Download snuba-ci image from artifacts
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: snuba-ci
path: /tmp
@@ -268,7 +268,7 @@ jobs:
docker image ls -a
- name: Restore Docker dependency image cache
- uses: actions/cache/restore@v5
+ uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: /tmp/docker-deps
key: docker-deps-${{ hashFiles('docker-compose.gcb.yml') }}-${{ github.run_id }}
@@ -318,7 +318,7 @@ jobs:
- name: Upload test results to Codecov
if: ${{ !cancelled() }}
- uses: codecov/test-results-action@v1
+ uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1
with:
token: ${{ secrets.CODECOV_TOKEN }}
@@ -331,9 +331,9 @@ jobs:
name: Front end tests for snuba admin
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout code
- - uses: volta-cli/action@v4
+ - uses: volta-cli/action@5c175f92dea6f48441c436471e6479dbc192e194 # v4
- name: Set up and run tests through yarn
run: cd snuba/admin && yarn install && yarn run test --coverage
- name: Upload to codecov
@@ -355,10 +355,10 @@ jobs:
steps:
- name: Checkout code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Download snuba-ci image from artifacts
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: snuba-ci
path: /tmp
@@ -369,7 +369,7 @@ jobs:
docker image ls -a
- name: Checkout sentry
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: getsentry/sentry
path: sentry
@@ -460,10 +460,10 @@ jobs:
steps:
- name: Checkout code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Download snuba-ci image from artifacts
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: snuba-ci
path: /tmp
@@ -474,7 +474,7 @@ jobs:
docker image ls -a
- name: Restore Docker dependency image cache
- uses: actions/cache/restore@v5
+ uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: /tmp/docker-deps
key: docker-deps-${{ hashFiles('docker-compose.gcb.yml') }}-${{ github.run_id }}
@@ -517,13 +517,13 @@ jobs:
timeout-minutes: 15
steps:
- name: Checkout code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Build distroless image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
target: application-distroless
@@ -560,7 +560,7 @@ jobs:
needs: files-changed
if: ${{ needs.files-changed.outputs.devservices_changes == 'true' }}
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout repository
- name: Get devservices version
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index f0de27117f2..1c21155fb40 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -33,11 +33,11 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@256d634097be96e792d6764f9edaefc4320557b1 # v4
with:
config-file: ./.github/codeql/codeql-config.yml
languages: ${{ matrix.language }}
@@ -49,7 +49,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
- uses: github/codeql-action/autobuild@v4
+ uses: github/codeql-action/autobuild@256d634097be96e792d6764f9edaefc4320557b1 # v4
# â„šī¸ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@@ -63,4 +63,4 @@ jobs:
# make release
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@256d634097be96e792d6764f9edaefc4320557b1 # v4
diff --git a/.github/workflows/ddl-changes.yml b/.github/workflows/ddl-changes.yml
index d92959c6619..c27a8d7d65e 100644
--- a/.github/workflows/ddl-changes.yml
+++ b/.github/workflows/ddl-changes.yml
@@ -10,12 +10,12 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout master for diffing
with:
ref: master
fetch-depth: 200
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout HEAD of code that may have migration changes
with:
clean: false
@@ -36,7 +36,7 @@ jobs:
run: |
SNUBA_SETTINGS=test_distributed python scripts/ddl-changes.py
- name: Generate SQL for migration
- uses: getsentry/action-migrations@v1.2.2
+ uses: getsentry/action-migrations@5ca775d9f0cfef6f2557ac8a7e8c744bcb4e7078 # v1.2.2
env:
SNUBA_SETTINGS: test_distributed
with:
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 269aea763f1..bbf7fdd6537 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -11,9 +11,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: "Checkout Repository"
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Dependency Review
- uses: actions/dependency-review-action@v4
+ uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
with:
# Possible values: "critical", "high", "moderate", "low"
fail-on-severity: high
diff --git a/.github/workflows/docs-pr.yml b/.github/workflows/docs-pr.yml
index 329fd435d01..dfd731adce0 100644
--- a/.github/workflows/docs-pr.yml
+++ b/.github/workflows/docs-pr.yml
@@ -8,7 +8,7 @@ jobs:
name: Sphinx
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
with:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 229fd2e97b3..3242c53d795 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -10,7 +10,7 @@ jobs:
name: Sphinx
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
with:
@@ -31,7 +31,7 @@ jobs:
run: |
make snubadocs
- - uses: peaceiris/actions-gh-pages@v4.0.0
+ - uses: peaceiris/actions-gh-pages@47f197a2200bb9de68ba5f48fad1c088eb1c4a32 # v4.0.0
name: Publish to GitHub Pages
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -39,7 +39,7 @@ jobs:
force_orphan: true
- name: Archive Docs
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
with:
name: docs
path: docs/build
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
index ce6e049679d..6f21fe2fe17 100644
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@@ -21,7 +21,7 @@ jobs:
packages: write
if: github.repository_owner == 'getsentry'
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: getsentry/action-build-and-push-images@8fc75e483c09a68721f2c8951292ee17f8821766
with:
image_name: 'snuba'
@@ -40,7 +40,7 @@ jobs:
id-token: write
if: ${{ github.ref_name == 'master' }}
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: getsentry/action-build-and-push-images@8fc75e483c09a68721f2c8951292ee17f8821766
with:
image_name: 'snuba'
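Review bot: The step right after the new checkout pin in image.yml's `@@ -21` hunk, `getsentry/action-build-and-push-images@8fc75e483c09a68721f2c8951292ee17f8821766`, is the one pinned action in this patch with no `# vX` trailer; the same line recurs as context in the `@@ -40`, `@@ -70` and `@@ -98` hunks of this file. Without the trailer a reader cannot tell which release the SHA corresponds to, and version-aware bump tooling has nothing to compare against, so the pin will quietly age. Since this commit establishes the `@<sha> # <tag>` convention for every other action, add the matching trailer here once the tag is confirmed, e.g. `# <release tag>` (placeholder). Applying it to all four occurrences keeps the build jobs in lockstep.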
@@ -70,7 +70,7 @@ jobs:
packages: write
if: github.repository_owner == 'getsentry'
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: getsentry/action-build-and-push-images@8fc75e483c09a68721f2c8951292ee17f8821766
with:
image_name: 'snuba'
@@ -98,7 +98,7 @@ jobs:
packages: write
if: github.repository_owner == 'getsentry'
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: getsentry/action-build-and-push-images@8fc75e483c09a68721f2c8951292ee17f8821766
with:
image_name: 'snuba'
@@ -124,7 +124,7 @@ jobs:
GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Create multiplatform manifests
run: |
@@ -148,7 +148,7 @@ jobs:
GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Create distroless multiplatform manifests
run: |
@@ -172,7 +172,7 @@ jobs:
GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Create debug multiplatform manifests
run: |
@@ -189,7 +189,7 @@ jobs:
steps:
- name: Run Sentry self-hosted e2e CI
- uses: getsentry/self-hosted@master
+ uses: getsentry/self-hosted@871c182cb0a99dc1fad72cc7ce7889b514b0c5f0 # master
with:
project_name: snuba
image_url: ghcr.io/getsentry/snuba:${{ github.sha }}
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 178ba299670..dad5a32b4aa 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
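Review bot: `getsentry/self-hosted@871c182cb0a99dc1fad72cc7ce7889b514b0c5f0 # master` in the `@@ -189` hunk changes what this job tests, not only how the action is fetched: the e2e step previously exercised the tip of self-hosted's master on every run and now exercises one frozen snapshot, so incompatibilities introduced by newer self-hosted commits will not surface here until someone bumps the SHA by hand. The `# master` trailer also records a branch rather than a release, so it does not tell a reader what the snapshot approximates or when it was taken. If the freeze is intended, add a comment above the step stating that and how the SHA is refreshed; if tracking master was the point, a dated trailer such as `# master @ YYYY-MM-DD` (placeholder) plus a scheduled bump makes the trade-off explicit. The other pins in this file's hunks are straightforward and need no change.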
@@ -9,6 +9,6 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- - uses: actions/labeler@v6
+ - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9a528282424..212512defcd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,16 +23,16 @@ jobs:
steps:
- name: Get auth token
id: token
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
with:
app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
token: ${{ steps.token.outputs.token }}
fetch-depth: 0
- name: Prepare release
- uses: getsentry/craft@v2
+ uses: getsentry/craft@f4889d04564e47311038ecb6b910fef6b6cf1363 # v2
env:
GITHUB_TOKEN: ${{ steps.token.outputs.token }}
with:
diff --git a/.github/workflows/validate-pipelines.yml b/.github/workflows/validate-pipelines.yml
index b396ddbb3e5..16c27b4098e 100644
--- a/.github/workflows/validate-pipelines.yml
+++ b/.github/workflows/validate-pipelines.yml
@@ -17,7 +17,7 @@ jobs:
outputs:
gocd: ${{ steps.changes.outputs.gocd }}
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Check for relevant file changes
uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: changes
@@ -39,21 +39,21 @@ jobs:
id-token: "write"
steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- id: 'auth'
- uses: google-github-actions/auth@v3
+ uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
with:
workload_identity_provider: 'projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool'
service_account: 'gha-gocd-api@sac-prod-sa.iam.gserviceaccount.com'
token_format: 'id_token'
id_token_audience: '610575311308-9bsjtgqg4jm01mt058rncpopujgk3627.apps.googleusercontent.com'
id_token_include_email: true
- - uses: getsentry/action-gocd-jsonnet@v1.1.1
+ - uses: getsentry/action-gocd-jsonnet@2a32414fa9e58a46d1afea9cbfa7b77a928678e2 # v1.1.1
with:
jb-install: true
jsonnet-dir: gocd/templates
generated-dir: gocd/generated-pipelines
- - uses: getsentry/action-validate-gocd-pipelines@v1
+ - uses: getsentry/action-validate-gocd-pipelines@80fde540c1403d52e17783368930fa28bd93447f # v1
with:
configrepo: snuba__master
gocd_access_token: ${{ secrets.GOCD_ACCESS_TOKEN }}