From f2743e161cf96816f89d8fee36d78300d9b2eed1 Mon Sep 17 00:00:00 2001 From: Bruno Oliveira da Silva Date: Thu, 5 Jun 2025 07:44:45 -0300 Subject: [PATCH] Use pinned-dependencies for GitHub Actions (#38183) Signed-off-by: Bruno Oliveira da Silva --- .../archive-surefire-reports/action.yml | 2 +- .github/actions/build-keycloak/action.yml | 4 +- .../actions/integration-test-setup/action.yml | 2 +- .github/actions/java-setup/action.yml | 2 +- .github/actions/maven-cache/action.yml | 4 +- .github/actions/node-cache/action.yml | 2 +- .github/actions/pnpm-setup/action.yml | 2 +- .github/actions/pnpm-store-cache/action.yml | 2 +- .github/actions/upload-flaky-tests/action.yml | 4 +- .github/actions/upload-heapdumps/action.yml | 2 +- .github/workflows/aurora-delete.yml | 2 +- .github/workflows/ci.yml | 58 +++++++++---------- .github/workflows/codeql-analysis.yml | 22 +++---- .github/workflows/documentation.yml | 12 ++-- .github/workflows/guides.yml | 6 +- .github/workflows/js-ci.yml | 32 +++++----- .github/workflows/label.yml | 2 +- .github/workflows/operator-ci.yml | 22 +++---- .github/workflows/quarkus-next.yml | 2 +- .github/workflows/snyk-analysis.yml | 6 +- .github/workflows/trivy-analysis.yml | 6 +- 21 files changed, 98 insertions(+), 98 deletions(-) diff --git a/.github/actions/archive-surefire-reports/action.yml b/.github/actions/archive-surefire-reports/action.yml index 91b1c525477..ddc0acb89d9 100644 --- a/.github/actions/archive-surefire-reports/action.yml +++ b/.github/actions/archive-surefire-reports/action.yml @@ -37,7 +37,7 @@ runs: - id: upload-surefire-linux name: Upload Surefire reports if: (!cancelled() && contains(fromJSON(inputs.release-branches), github.ref) && contains(fromJSON('["push", "workflow_dispatch"]'), github.event_name)) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: surefire-${{ inputs.job-id }} path: | 
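Review bot: Nothing in this patch keeps the newly pinned SHAs current. The diffstat lists only action.yml and workflow files, so pins such as `actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2` (and the equivalent pins in every other hunk) will stay on that commit until someone edits them by hand. If the repository has no updater for workflow dependencies configured elsewhere, add one alongside this change, for example a Dependabot entry with `package-ecosystem: "github-actions"`, so upstream security fixes still arrive as reviewable pull requests. The trailing `# v4.6.2` comment is informational only and is not checked against the SHA, so each SHA/comment pair should be verified against the upstream tag before merge.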
diff --git a/.github/actions/build-keycloak/action.yml b/.github/actions/build-keycloak/action.yml index 0e59b1b0393..481a1f34537 100644 --- a/.github/actions/build-keycloak/action.yml +++ b/.github/actions/build-keycloak/action.yml @@ -49,7 +49,7 @@ runs: - id: upload-keycloak-maven-repository name: Upload Keycloak Maven artifacts if: inputs.upload-m2-repo == 'true' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: m2-keycloak.tzts path: m2-keycloak.tzts @@ -58,7 +58,7 @@ runs: - id: upload-keycloak-dist name: Upload Keycloak dist if: inputs.upload-dist == 'true' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: keycloak-dist path: quarkus/dist/target/keycloak*.tar.gz diff --git a/.github/actions/integration-test-setup/action.yml b/.github/actions/integration-test-setup/action.yml index 645c6e5805d..1a4a1521830 100644 --- a/.github/actions/integration-test-setup/action.yml +++ b/.github/actions/integration-test-setup/action.yml @@ -35,7 +35,7 @@ runs: - id: download-keycloak name: Download Keycloak Maven artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: m2-keycloak.tzts diff --git a/.github/actions/java-setup/action.yml b/.github/actions/java-setup/action.yml index 4b1013ec9d8..8f7f43e3c04 100644 --- a/.github/actions/java-setup/action.yml +++ b/.github/actions/java-setup/action.yml @@ -16,7 +16,7 @@ runs: steps: - id: setup-java name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: distribution: ${{ inputs.distribution }} java-version: ${{ inputs.java-version }} diff --git a/.github/actions/maven-cache/action.yml b/.github/actions/maven-cache/action.yml index fbfbfb2d3a7..ed4fe5115c7 100644 --- a/.github/actions/maven-cache/action.yml 
+++ b/.github/actions/maven-cache/action.yml @@ -19,7 +19,7 @@ runs: - id: cache-maven-repository name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 if: inputs.create-cache-if-it-doesnt-exist == 'true' with: # Two asterisks are needed to make the follow-up exclusion work @@ -44,7 +44,7 @@ runs: - id: restore-maven-repository name: Maven cache - uses: actions/cache/restore@v4 + uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 if: inputs.create-cache-if-it-doesnt-exist == 'false' with: # This needs to repeat the same path pattern as above to find the matching cache diff --git a/.github/actions/node-cache/action.yml b/.github/actions/node-cache/action.yml index 583a9a62c21..6c2421294cc 100644 --- a/.github/actions/node-cache/action.yml +++ b/.github/actions/node-cache/action.yml @@ -12,7 +12,7 @@ runs: echo "pnpm=$(cat js/pom.xml | grep '' | cut -d '>' -f 2 | cut -d '<' -f 1 | cut -c 1-)" >> $GITHUB_OUTPUT # Downloading Node.js often fails due to network issues, therefore we cache the artifacts downloaded by the frontend plugin. - - uses: actions/cache@v4 + - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 id: cache-binaries name: Cache Node.js and PNPM binaries with: diff --git a/.github/actions/pnpm-setup/action.yml b/.github/actions/pnpm-setup/action.yml index a94fb68a148..6eb1853a97c 100644 --- a/.github/actions/pnpm-setup/action.yml +++ b/.github/actions/pnpm-setup/action.yml @@ -11,7 +11,7 @@ runs: using: composite steps: - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ inputs.node-version }} check-latest: true diff --git a/.github/actions/pnpm-store-cache/action.yml b/.github/actions/pnpm-store-cache/action.yml index 3929d4824ec..374cfcac2be 100644 --- a/.github/actions/pnpm-store-cache/action.yml 
+++ b/.github/actions/pnpm-store-cache/action.yml @@ -9,7 +9,7 @@ runs: shell: bash run: echo "key=pnpm-store-`date -u "+%Y-%U"`" >> $GITHUB_OUTPUT - - uses: actions/cache@v4 + - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 name: Cache PNPM store with: # See: https://pnpm.io/npmrc#store-dir diff --git a/.github/actions/upload-flaky-tests/action.yml b/.github/actions/upload-flaky-tests/action.yml index d76580b8e78..b69de078072 100644 --- a/.github/actions/upload-flaky-tests/action.yml +++ b/.github/actions/upload-flaky-tests/action.yml @@ -47,9 +47,9 @@ runs: echo "EOF" >> $GITHUB_OUTPUT fi - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ steps.flaky-tests.outputs.flakes }} with: name: flaky-tests-${{ github.job }}-${{ join(matrix.*, '-') }} path: ${{ steps.flaky-tests.outputs.flakes }} - if-no-files-found: error \ No newline at end of file + if-no-files-found: error diff --git a/.github/actions/upload-heapdumps/action.yml b/.github/actions/upload-heapdumps/action.yml index 65c2dc54c63..c305f3d42c0 100644 --- a/.github/actions/upload-heapdumps/action.yml +++ b/.github/actions/upload-heapdumps/action.yml @@ -8,7 +8,7 @@ runs: name: Upload JVM Heapdumps # Windows runners are running into https://github.com/actions/upload-artifact/issues/240 if: runner.os != 'Windows' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: jvm-heap-dumps path: | diff --git a/.github/workflows/aurora-delete.yml b/.github/workflows/aurora-delete.yml index db0ed1a4656..34fa4808ff5 100644 --- a/.github/workflows/aurora-delete.yml +++ b/.github/workflows/aurora-delete.yml @@ -20,7 +20,7 @@ jobs: name: Delete Aurora DB runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Initialize AWS client run: | 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dceb28b22be..a4831d74deb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -41,7 +41,7 @@ jobs: contents: read pull-requests: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: conditional uses: ./.github/actions/conditional @@ -63,7 +63,7 @@ jobs: runs-on: ubuntu-latest needs: conditional steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build Keycloak uses: ./.github/actions/build-keycloak @@ -78,7 +78,7 @@ jobs: needs: build timeout-minutes: 30 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: unit-test-setup name: Unit test setup @@ -115,7 +115,7 @@ jobs: group: [1, 2, 3, 4, 5, 6] fail-fast: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -150,7 +150,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -191,7 +191,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -236,7 +236,7 @@ jobs: os: [ ubuntu-latest, windows-latest ] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # We want to download Keycloak artifacts - id: integration-test-setup 
@@ -288,7 +288,7 @@ jobs: env: MAVEN_OPTS: -Xmx1536m steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -334,7 +334,7 @@ jobs: fail-fast: false runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -386,7 +386,7 @@ jobs: timeout-minutes: 100 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -422,7 +422,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 150 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -453,7 +453,7 @@ jobs: - name: EC2 Maven Logs if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: store-it-mvn-logs path: .github/scripts/ansible/files @@ -469,7 +469,7 @@ jobs: variant: [ "clusterless,multi-site" ] fail-fast: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -508,7 +508,7 @@ jobs: contents: read actions: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: node-cache name: Node cache @@ -605,7 +605,7 @@ jobs: - name: EC2 Maven Logs if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: auroraDB-migration-tests-mvn-logs path: .github/scripts/ansible/files 
@@ -648,7 +648,7 @@ jobs: - name: EC2 Maven Logs if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: aurora-integration-tests-mvn-logs path: .github/scripts/ansible/files @@ -681,7 +681,7 @@ jobs: db: [postgres, mysql, oracle, mssql, mariadb] fail-fast: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -762,7 +762,7 @@ jobs: if: needs.conditional.outputs.ci-store == 'true' timeout-minutes: 75 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -796,7 +796,7 @@ jobs: env: MAVEN_OPTS: -Xmx1536m steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -829,7 +829,7 @@ jobs: needs: build timeout-minutes: 20 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Fake fips run: | @@ -864,7 +864,7 @@ jobs: mode: [non-strict, strict] fail-fast: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Fake fips run: | @@ -908,7 +908,7 @@ jobs: browser: [chrome, firefox] fail-fast: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -953,7 +953,7 @@ jobs: - firefox fail-fast: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup 
@@ -995,7 +995,7 @@ jobs: timeout-minutes: 30 steps: - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -1008,7 +1008,7 @@ jobs: - id: cache-maven-repository name: ipa-data cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 with: path: ~/ipa-data.tar key: ${{ steps.weekly-cache-key.outputs.key }} @@ -1033,7 +1033,7 @@ jobs: database: [postgres, mysql, oracle, mssql, mariadb] fail-fast: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -1075,7 +1075,7 @@ jobs: needs: build timeout-minutes: 30 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -1091,7 +1091,7 @@ jobs: - build timeout-minutes: 30 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: integration-test-setup name: Integration test setup @@ -1128,7 +1128,7 @@ jobs: - base-new-integration-tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/status-check with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ae0dda1a8fc..a47cb5b777e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -37,7 +37,7 @@ jobs: contents: read pull-requests: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: conditional uses: ./.github/actions/conditional 
@@ -55,10 +55,10 @@ jobs: conclusion: ${{ steps.check.outputs.conclusion }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: languages: java @@ -66,7 +66,7 @@ jobs: uses: ./.github/actions/build-keycloak - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: wait-for-processing: true env: @@ -83,17 +83,17 @@ jobs: conclusion: ${{ steps.check.outputs.conclusion }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 env: CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}' with: languages: javascript - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: wait-for-processing: true env: @@ -110,17 +110,17 @@ jobs: conclusion: ${{ steps.check.outputs.conclusion }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 env: CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}' with: languages: typescript - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: wait-for-processing: true env: 
@@ -136,7 +136,7 @@ jobs: - typescript runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/status-check with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index eefb15897de..58aa4ab1e23 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -35,7 +35,7 @@ jobs: contents: read pull-requests: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: conditional uses: ./.github/actions/conditional @@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest needs: conditional steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: setup-java name: Setup Java @@ -66,7 +66,7 @@ jobs: - id: upload-keycloak-documentation name: Upload Keycloak documentation - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: keycloak-documentation path: docs/documentation/dist/target/*.zip @@ -78,7 +78,7 @@ jobs: runs-on: ubuntu-latest needs: conditional steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: setup-java name: Setup Java @@ -102,7 +102,7 @@ jobs: - build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/status-check with: - jobs: ${{ toJSON(needs) }} \ No newline at end of file + jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/guides.yml b/.github/workflows/guides.yml index d3e00625324..6a521254d6a 100644 --- a/.github/workflows/guides.yml +++ b/.github/workflows/guides.yml 
@@ -36,7 +36,7 @@ jobs: contents: read pull-requests: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: conditional uses: ./.github/actions/conditional @@ -50,7 +50,7 @@ jobs: runs-on: ubuntu-latest needs: conditional steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build Keycloak uses: ./.github/actions/build-keycloak @@ -63,7 +63,7 @@ jobs: - build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/status-check with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/js-ci.yml b/.github/workflows/js-ci.yml index 2366ea3a69e..f5c7a085d7d 100644 --- a/.github/workflows/js-ci.yml +++ b/.github/workflows/js-ci.yml @@ -35,7 +35,7 @@ jobs: contents: read pull-requests: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: conditional uses: ./.github/actions/conditional @@ -48,7 +48,7 @@ jobs: if: needs.conditional.outputs.js-ci == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build Keycloak uses: ./.github/actions/build-keycloak @@ -58,7 +58,7 @@ jobs: mv ./quarkus/dist/target/keycloak-999.0.0-SNAPSHOT.tar.gz ./keycloak-999.0.0-SNAPSHOT.tar.gz - name: Upload Keycloak dist - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: keycloak path: keycloak-999.0.0-SNAPSHOT.tar.gz @@ -71,7 +71,7 @@ jobs: env: WORKSPACE: "@keycloak/keycloak-admin-client" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/pnpm-setup 
@@ -89,7 +89,7 @@ jobs: env: WORKSPACE: "@keycloak/keycloak-ui-shared" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/pnpm-setup @@ -107,7 +107,7 @@ jobs: env: WORKSPACE: "@keycloak/keycloak-account-ui" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/pnpm-setup @@ -125,7 +125,7 @@ jobs: env: WORKSPACE: keycloak-admin-ui steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/pnpm-setup @@ -148,12 +148,12 @@ jobs: env: WORKSPACE: "@keycloak/keycloak-account-ui" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/pnpm-setup - name: Download Keycloak server - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: keycloak @@ -177,7 +177,7 @@ jobs: working-directory: js - name: Upload Playwright report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: always() with: name: account-ui-playwright-report @@ -186,7 +186,7 @@ jobs: - name: Upload server logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: account-ui-server-log path: ~/server.log @@ -225,7 +225,7 @@ jobs: - browser: ${{ github.event_name != 'workflow_dispatch' && 'firefox' || '' }} fail-fast: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/pnpm-setup 
@@ -234,7 +234,7 @@ jobs: working-directory: js - name: Download Keycloak server - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: keycloak @@ -260,7 +260,7 @@ jobs: working-directory: js - name: Upload Playwright report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: always() with: name: admin-ui-playwright-report-${{ matrix.browser }} @@ -269,7 +269,7 @@ jobs: - name: Upload server logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: admin-ui-server-log-${{ matrix.browser }} path: ~/server.log @@ -288,7 +288,7 @@ jobs: - admin-ui-e2e runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/status-check with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 17ba5eb7bd4..af30c91be9f 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -13,7 +13,7 @@ jobs: permissions: issues: write # Required to add labels to Issues steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/scripts - name: Add release labels on merge diff --git a/.github/workflows/operator-ci.yml b/.github/workflows/operator-ci.yml index 0f84fcc0329..04b3cf8216c 100644 --- a/.github/workflows/operator-ci.yml +++ b/.github/workflows/operator-ci.yml @@ -37,7 +37,7 @@ jobs: contents: read pull-requests: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: conditional uses: ./.github/actions/conditional 
@@ -50,7 +50,7 @@ jobs: runs-on: ubuntu-latest needs: conditional steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build Keycloak uses: ./.github/actions/build-keycloak @@ -63,7 +63,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup Java uses: ./.github/actions/java-setup @@ -80,7 +80,7 @@ jobs: matrix: suite: [slow, fast] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set version id: vars @@ -90,7 +90,7 @@ jobs: uses: ./.github/actions/java-setup - name: Setup Minikube-Kubernetes - uses: manusa/actions-setup-minikube@v2.13.1 + uses: manusa/actions-setup-minikube@5d9440a1b535e8b4f541eaac559681a9022df29d # v2.13.1 with: minikube version: ${{ env.MINIKUBE_VERSION }} kubernetes version: ${{ env.KUBERNETES_VERSION }} @@ -100,7 +100,7 @@ jobs: - name: Download keycloak distribution id: download-keycloak-dist - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: keycloak-dist path: quarkus/container @@ -131,13 +131,13 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup Java uses: ./.github/actions/java-setup - name: Setup Minikube-Kubernetes - uses: manusa/actions-setup-minikube@v2.13.1 + uses: manusa/actions-setup-minikube@5d9440a1b535e8b4f541eaac559681a9022df29d # v2.13.1 with: minikube version: ${{ env.MINIKUBE_VERSION }} kubernetes version: ${{ env.KUBERNETES_VERSION }} 
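Review bot: The SHA in `manusa/actions-setup-minikube@5d9440a1b535e8b4f541eaac559681a9022df29d # v2.13.1` should be confirmed as the commit the upstream tag points to in the owner's own repository, because a SHA reference can also resolve to a commit that exists only in a fork. The same check applies to the other third-party pins in this patch: `redhat-actions/openshift-tools-installer` later in this file and `aquasecurity/trivy-action` in trivy-analysis.yml. The pin covers only the action's own code; what the step fetches at run time is selected by `env.MINIKUBE_VERSION` and `env.KUBERNETES_VERSION`, which are defined outside this hunk and should stay exact versions. A short comment above the step, such as `# SHA verified against upstream tag v2.13.1`, would record that the check was done.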
@@ -146,7 +146,7 @@ jobs: start args: --memory=${{ env.MINIKUBE_MEMORY }} - name: Install OPM - uses: redhat-actions/openshift-tools-installer@v1 + uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1.13.1 with: source: github opm: 1.21.0 @@ -160,7 +160,7 @@ jobs: - name: Download keycloak distribution id: download-keycloak-dist - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: keycloak-dist path: quarkus/container @@ -221,7 +221,7 @@ jobs: - test-olm runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/status-check with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/quarkus-next.yml b/.github/workflows/quarkus-next.yml index 0242231a75f..532e662b83b 100644 --- a/.github/workflows/quarkus-next.yml +++ b/.github/workflows/quarkus-next.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: write # Required to push changes to the repository steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: main fetch-depth: 0 diff --git a/.github/workflows/snyk-analysis.yml b/.github/workflows/snyk-analysis.yml index b9eed59af91..c4c0beb00a0 100644 --- a/.github/workflows/snyk-analysis.yml +++ b/.github/workflows/snyk-analysis.yml @@ -21,7 +21,7 @@ jobs: permissions: security-events: write # Required for SARIF uploads steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build Keycloak uses: ./.github/actions/build-keycloak 
@@ -35,7 +35,7 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - name: Upload Quarkus scanner results to GitHub - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 continue-on-error: true with: sarif_file: quarkus-report.sarif @@ -50,7 +50,7 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - name: Upload Operator scanner results to GitHub - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: sarif_file: operator-report.sarif category: snyk-operator-report diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml index bc6e7221a9c..79c337c36fb 100644 --- a/.github/workflows/trivy-analysis.yml +++ b/.github/workflows/trivy-analysis.yml @@ -24,10 +24,10 @@ jobs: security-events: write # Required for SARIF uploads steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.30.0 + uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0 with: image-ref: quay.io/keycloak/${{ matrix.container }}:nightly format: sarif @@ -41,7 +41,7 @@ jobs: TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: sarif_file: trivy-results.sarif category: ${{ matrix.container }}