michaelh/zephyr
1
0
Fork 0
Code Releases Activity

ci: pin GitHub Actions to SHAs

Browse source 
This commit updates all GitHub Actions workflows to use specific
SHAs for the actions when they're not GitHub owned (`actions/*`)
instead of using tag-based versioning since tags are mutable.

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
This commit is contained in:
Benjamin Cabé 2025-03-17 12:47:25 +01:00 committed by Anas Nashif
commit e808ccf013
19 changed files with 28 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/backport.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
)
steps:
- name: Backport
uses: zephyrproject-rtos/action-backport@v2.0.3-3
uses: zephyrproject-rtos/action-backport@7e74f601d11eaca577742445e87775b5651a965f # v2.0.3-3
with:
github_token: ${{ secrets.ZB_GITHUB_TOKEN }}
issue_labels: Backport

4
.github/workflows/bsim-tests-publish.yaml vendored
View file

@ -13,12 +13,12 @@ jobs:
steps:
- name: Download artifacts
uses: dawidd6/action-download-artifact@v8
uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
with:
run_id: ${{ github.event.workflow_run.id }}
- name: Publish BabbleSim Test Results
uses: EnricoMi/publish-unit-test-result-action@v2
uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0
with:
check_name: BabbleSim Test Results
comment_mode: off

10
.github/workflows/bsim-tests.yaml vendored
View file

@ -91,7 +91,7 @@ jobs:
echo "ZEPHYR_SDK_INSTALL_DIR=/opt/toolchains/zephyr-sdk-$( cat SDK_VERSION )" >> $GITHUB_ENV
- name: Check common triggering files
uses: tj-actions/changed-files@v45
uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
id: check-common-files
with:
files: |
@ -110,7 +110,7 @@ jobs:
modules/hal_nordic/**
- name: Check if Bluethooth files changed
uses: tj-actions/changed-files@v45
uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
id: check-bluetooth-files
with:
files: |
@ -119,7 +119,7 @@ jobs:
subsys/bluetooth/
- name: Check if Networking files changed
uses: tj-actions/changed-files@v45
uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
id: check-networking-files
with:
files: |
@ -132,7 +132,7 @@ jobs:
include/zephyr/net/ieee802154*
- name: Check if UART files changed
uses: tj-actions/changed-files@v45
uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
id: check-uart-files
with:
files: |
@ -186,7 +186,7 @@ jobs:
junit.html
- name: Publish Unit Test Results
uses: EnricoMi/publish-unit-test-result-action@v2
uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0
with:
check_name: Bsim Test Results
files: "junit.xml"

2
.github/workflows/bug_snapshot.yaml vendored
View file

@ -41,7 +41,7 @@ jobs:
echo "BUGS_PICKLE_PATH=${BUGS_PICKLE_PATH}" >> ${GITHUB_ENV}
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-access-key-id: ${{ vars.AWS_BUILDS_ZEPHYR_BUG_SNAPSHOT_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_BUILDS_ZEPHYR_BUG_SNAPSHOT_SECRET_ACCESS_KEY }}

2
.github/workflows/codecov.yaml vendored
View file

@ -220,7 +220,7 @@ jobs:
- name: Upload coverage to Codecov
if: always()
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
with:
env_vars: OS,PYTHON
fail_ci_if_error: false

2
.github/workflows/daily_test_version.yml vendored
View file

@ -17,7 +17,7 @@ jobs:
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }}

2
.github/workflows/doc-build.yml vendored
View file

@ -65,7 +65,7 @@ jobs:
git log --graph --oneline HEAD...${PR_HEAD}
- name: Setup Zephyr project
uses: zephyrproject-rtos/action-zephyr-setup@v1
uses: zephyrproject-rtos/action-zephyr-setup@f7b70269a8eb01f70c8e710891e4c94972a2f6b4 # v1.0.6
with:
app-path: zephyr
toolchains: 'all'

6
.github/workflows/doc-publish-pr.yml vendored
View file

@ -22,7 +22,7 @@ jobs:
steps:
- name: Download artifacts
id: download-artifacts
uses: dawidd6/action-download-artifact@v8
uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
with:
workflow: doc-build.yml
run_id: ${{ github.event.workflow_run.id }}
@ -40,7 +40,7 @@ jobs:
- name: Check PR number
if: steps.download-artifacts.outputs.found_artifact == 'true'
id: check-pr
uses: carpentries/actions/check-valid-pr@v0.14.0
uses: carpentries/actions/check-valid-pr@e27aa6c531dadd357d2aa4c9a21e90849e23e963 # v0.14.0
with:
pr: ${{ env.PR_NUM }}
sha: ${{ github.event.workflow_run.head_sha }}
@ -63,7 +63,7 @@ jobs:
- name: Configure AWS Credentials
if: steps.download-artifacts.outputs.found_artifact == 'true'
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-access-key-id: ${{ vars.AWS_BUILDS_ZEPHYR_PR_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_BUILDS_ZEPHYR_PR_SECRET_ACCESS_KEY }}

4
.github/workflows/doc-publish.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
steps:
- name: Download artifacts
uses: dawidd6/action-download-artifact@v8
uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
with:
workflow: doc-build.yml
run_id: ${{ github.event.workflow_run.id }}
@ -37,7 +37,7 @@ jobs:
fi
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-access-key-id: ${{ vars.AWS_DOCS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_DOCS_SECRET_ACCESS_KEY }}

2
.github/workflows/footprint-tracking.yml vendored
View file

@ -77,7 +77,7 @@ jobs:
west update 2>&1 1> west.update.log || west update 2>&1 1> west.update2.log
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }}

2
.github/workflows/greet_first_time_contributor.yml vendored
View file

@ -13,7 +13,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: zephyrproject-rtos/action-first-interaction@v1.1.1-zephyr-5
- uses: zephyrproject-rtos/action-first-interaction@7e6446f8439d8b4399169880c36a3a12b5747699 # v1.1.1-zephyr-5
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}

2
.github/workflows/hello_world_multiplatform.yaml vendored
View file

@ -56,7 +56,7 @@ jobs:
python-version: 3.11
- name: Setup Zephyr project
uses: zephyrproject-rtos/action-zephyr-setup@v1
uses: zephyrproject-rtos/action-zephyr-setup@f7b70269a8eb01f70c8e710891e4c94972a2f6b4 # v1.0.6
with:
app-path: zephyr
toolchains: all

4
.github/workflows/issue_count.yml vendored
View file

@ -27,7 +27,7 @@ jobs:
sudo apt-get update
sudo apt-get install discount
- uses: brcrista/summarize-issues@v4
- uses: brcrista/summarize-issues@54c549b7d38b7db39e5c6e06fd9617e12e5c3491 # v4
with:
title: 'Issues Report for ${{ github.repository }}'
configPath: 'issues-report-config.json'
@ -42,7 +42,7 @@ jobs:
path: ${{ env.OUTPUT_FILE_NAME }}
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }}

2
.github/workflows/license_check.yml vendored
View file

@ -13,7 +13,7 @@ jobs:
fetch-depth: 0
- name: Scan the code
id: scancode
uses: zephyrproject-rtos/action_scancode@v4
uses: zephyrproject-rtos/action_scancode@23ef91ce31cd4b954366a7b71eea47520da9b380 # v4
with:
directory-to-scan: 'scan/'
- name: Artifact Upload

2
.github/workflows/manifest.yml vendored
View file

@ -26,7 +26,7 @@ jobs:
west init -l . || true
- name: Manifest
uses: zephyrproject-rtos/action-manifest@v1.7.0
uses: zephyrproject-rtos/action-manifest@cb8f6fba6f20b5f8649bd573e80a7583a239894c # v1.7.0
with:
github-token: ${{ secrets.ZB_GITHUB_TOKEN }}
manifest-path: 'west.yml'

2
.github/workflows/release.yml vendored
View file

@ -21,7 +21,7 @@ jobs:
echo "TRIMMED_VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: REUSE Compliance Check
uses: fsfe/reuse-action@v5
uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0
with:
args: spdx -o zephyr-${{ steps.get_version.outputs.VERSION }}.spdx

2
.github/workflows/stale-workflow-queue-cleanup.yml vendored
View file

@ -18,7 +18,7 @@ jobs:
steps:
- name: Delete stale queued workflow runs
uses: MajorScruffy/delete-old-workflow-runs@v0.3.0
uses: MajorScruffy/delete-old-workflow-runs@78b5af714fefaefdf74862181c467b061782719e # v0.3.0
with:
repository: ${{ github.repository }}
# Remove any workflow runs in "queued" state for more than 1 day

2
.github/workflows/twister-publish.yaml vendored
View file

@ -27,7 +27,7 @@ jobs:
- name: Download Artifacts
id: download-artifacts
uses: dawidd6/action-download-artifact@v8
uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
with:
path: artifacts
workflow: twister.yml

2
.github/workflows/twister.yaml vendored
View file

@ -247,7 +247,7 @@ jobs:
junit.xml
- name: Publish Unit Test Results
uses: EnricoMi/publish-unit-test-result-action@v2
uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0
with:
check_name: Unit Test Results
files: "**/twister.xml"