ci: pin GitHub Actions to SHAs

This commit updates all GitHub Actions workflows to use specific
SHAs for the actions when they're not GitHub owned (`actions/*`)
instead of using tag-based versioning since tags are mutable.

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Benjamin Cabé 2025-03-17 12:47:25 +01:00 committed by Anas Nashif
commit e808ccf013
19 changed files with 28 additions and 28 deletions


@ -24,7 +24,7 @@ jobs:
) )
steps: steps:
- name: Backport - name: Backport
uses: zephyrproject-rtos/action-backport@v2.0.3-3 uses: zephyrproject-rtos/action-backport@7e74f601d11eaca577742445e87775b5651a965f # v2.0.3-3
with: with:
github_token: ${{ secrets.ZB_GITHUB_TOKEN }} github_token: ${{ secrets.ZB_GITHUB_TOKEN }}
issue_labels: Backport issue_labels: Backport


@ -13,12 +13,12 @@ jobs:
steps: steps:
- name: Download artifacts - name: Download artifacts
uses: dawidd6/action-download-artifact@v8 uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
with: with:
run_id: ${{ github.event.workflow_run.id }} run_id: ${{ github.event.workflow_run.id }}
- name: Publish BabbleSim Test Results - name: Publish BabbleSim Test Results
uses: EnricoMi/publish-unit-test-result-action@v2 uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0
with: with:
check_name: BabbleSim Test Results check_name: BabbleSim Test Results
comment_mode: off comment_mode: off
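Review bot: The trailing comment on the new `dawidd6/action-download-artifact` pin records only the floating major tag (`# v8`), so the line does not say which release the SHA was taken from, unlike the `# v2.18.0` comment on the `EnricoMi/publish-unit-test-result-action` pin just below it. A major tag can be moved after the fact, so a reviewer auditing the pin later has nothing immutable to compare the SHA against, and update tooling that reads the comment has no exact version to bump from. I would write the exact release in the comment, e.g. `# vX.Y.Z` (placeholder: the release the SHA was resolved from). The same applies to the other `dawidd6/action-download-artifact` pins in later file sections and to the `# v4` comments on `brcrista/summarize-issues` and `zephyrproject-rtos/action_scancode`.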


@ -91,7 +91,7 @@ jobs:
echo "ZEPHYR_SDK_INSTALL_DIR=/opt/toolchains/zephyr-sdk-$( cat SDK_VERSION )" >> $GITHUB_ENV echo "ZEPHYR_SDK_INSTALL_DIR=/opt/toolchains/zephyr-sdk-$( cat SDK_VERSION )" >> $GITHUB_ENV
- name: Check common triggering files - name: Check common triggering files
uses: tj-actions/changed-files@v45 uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
id: check-common-files id: check-common-files
with: with:
files: | files: |
@ -110,7 +110,7 @@ jobs:
modules/hal_nordic/** modules/hal_nordic/**
- name: Check if Bluethooth files changed - name: Check if Bluethooth files changed
uses: tj-actions/changed-files@v45 uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
id: check-bluetooth-files id: check-bluetooth-files
with: with:
files: | files: |
@ -119,7 +119,7 @@ jobs:
subsys/bluetooth/ subsys/bluetooth/
- name: Check if Networking files changed - name: Check if Networking files changed
uses: tj-actions/changed-files@v45 uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
id: check-networking-files id: check-networking-files
with: with:
files: | files: |
@ -132,7 +132,7 @@ jobs:
include/zephyr/net/ieee802154* include/zephyr/net/ieee802154*
- name: Check if UART files changed - name: Check if UART files changed
uses: tj-actions/changed-files@v45 uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
id: check-uart-files id: check-uart-files
with: with:
files: | files: |
@ -186,7 +186,7 @@ jobs:
junit.html junit.html
- name: Publish Unit Test Results - name: Publish Unit Test Results
uses: EnricoMi/publish-unit-test-result-action@v2 uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0
with: with:
check_name: Bsim Test Results check_name: Bsim Test Results
files: "junit.xml" files: "junit.xml"
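Review bot: The four `tj-actions/changed-files` lines in this file go from `@v45` to a SHA annotated `# v46.0.1`, which is a major-version upgrade bundled into a commit whose description mentions pinning only. The commit message should call this out, and the `files:` patterns passed by `check-common-files`, `check-bluetooth-files`, `check-networking-files` and `check-uart-files` should be confirmed to match the same paths on the new major, because a silent change in matching would change which test sets run. If the jump was made for a security reason, saying so in the message would help anyone auditing runs that used the old tag. A short note on how the SHA was checked against the upstream release would let a later reviewer repeat the verification; the steps themselves continue outside the visible hunks.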


@ -41,7 +41,7 @@ jobs:
echo "BUGS_PICKLE_PATH=${BUGS_PICKLE_PATH}" >> ${GITHUB_ENV} echo "BUGS_PICKLE_PATH=${BUGS_PICKLE_PATH}" >> ${GITHUB_ENV}
- name: Configure AWS Credentials - name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with: with:
aws-access-key-id: ${{ vars.AWS_BUILDS_ZEPHYR_BUG_SNAPSHOT_ACCESS_KEY_ID }} aws-access-key-id: ${{ vars.AWS_BUILDS_ZEPHYR_BUG_SNAPSHOT_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_BUILDS_ZEPHYR_BUG_SNAPSHOT_SECRET_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_BUILDS_ZEPHYR_BUG_SNAPSHOT_SECRET_ACCESS_KEY }}


@ -220,7 +220,7 @@ jobs:
- name: Upload coverage to Codecov - name: Upload coverage to Codecov
if: always() if: always()
uses: codecov/codecov-action@v5 uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
with: with:
env_vars: OS,PYTHON env_vars: OS,PYTHON
fail_ci_if_error: false fail_ci_if_error: false


@ -17,7 +17,7 @@ jobs:
steps: steps:
- name: Configure AWS Credentials - name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with: with:
aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }} aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }}


@ -65,7 +65,7 @@ jobs:
git log --graph --oneline HEAD...${PR_HEAD} git log --graph --oneline HEAD...${PR_HEAD}
- name: Setup Zephyr project - name: Setup Zephyr project
uses: zephyrproject-rtos/action-zephyr-setup@v1 uses: zephyrproject-rtos/action-zephyr-setup@f7b70269a8eb01f70c8e710891e4c94972a2f6b4 # v1.0.6
with: with:
app-path: zephyr app-path: zephyr
toolchains: 'all' toolchains: 'all'


@ -22,7 +22,7 @@ jobs:
steps: steps:
- name: Download artifacts - name: Download artifacts
id: download-artifacts id: download-artifacts
uses: dawidd6/action-download-artifact@v8 uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
with: with:
workflow: doc-build.yml workflow: doc-build.yml
run_id: ${{ github.event.workflow_run.id }} run_id: ${{ github.event.workflow_run.id }}
@ -40,7 +40,7 @@ jobs:
- name: Check PR number - name: Check PR number
if: steps.download-artifacts.outputs.found_artifact == 'true' if: steps.download-artifacts.outputs.found_artifact == 'true'
id: check-pr id: check-pr
uses: carpentries/actions/check-valid-pr@v0.14.0 uses: carpentries/actions/check-valid-pr@e27aa6c531dadd357d2aa4c9a21e90849e23e963 # v0.14.0
with: with:
pr: ${{ env.PR_NUM }} pr: ${{ env.PR_NUM }}
sha: ${{ github.event.workflow_run.head_sha }} sha: ${{ github.event.workflow_run.head_sha }}
@ -63,7 +63,7 @@ jobs:
- name: Configure AWS Credentials - name: Configure AWS Credentials
if: steps.download-artifacts.outputs.found_artifact == 'true' if: steps.download-artifacts.outputs.found_artifact == 'true'
uses: aws-actions/configure-aws-credentials@v4 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with: with:
aws-access-key-id: ${{ vars.AWS_BUILDS_ZEPHYR_PR_ACCESS_KEY_ID }} aws-access-key-id: ${{ vars.AWS_BUILDS_ZEPHYR_PR_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_BUILDS_ZEPHYR_PR_SECRET_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_BUILDS_ZEPHYR_PR_SECRET_ACCESS_KEY }}


@ -24,7 +24,7 @@ jobs:
steps: steps:
- name: Download artifacts - name: Download artifacts
uses: dawidd6/action-download-artifact@v8 uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
with: with:
workflow: doc-build.yml workflow: doc-build.yml
run_id: ${{ github.event.workflow_run.id }} run_id: ${{ github.event.workflow_run.id }}
@ -37,7 +37,7 @@ jobs:
fi fi
- name: Configure AWS Credentials - name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with: with:
aws-access-key-id: ${{ vars.AWS_DOCS_ACCESS_KEY_ID }} aws-access-key-id: ${{ vars.AWS_DOCS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_DOCS_SECRET_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_DOCS_SECRET_ACCESS_KEY }}


@ -77,7 +77,7 @@ jobs:
west update 2>&1 1> west.update.log || west update 2>&1 1> west.update2.log west update 2>&1 1> west.update.log || west update 2>&1 1> west.update2.log
- name: Configure AWS Credentials - name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with: with:
aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }} aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }}


@ -13,7 +13,7 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: zephyrproject-rtos/action-first-interaction@v1.1.1-zephyr-5 - uses: zephyrproject-rtos/action-first-interaction@7e6446f8439d8b4399169880c36a3a12b5747699 # v1.1.1-zephyr-5
with: with:
repo-token: ${{ secrets.GITHUB_TOKEN }} repo-token: ${{ secrets.GITHUB_TOKEN }}


@ -56,7 +56,7 @@ jobs:
python-version: 3.11 python-version: 3.11
- name: Setup Zephyr project - name: Setup Zephyr project
uses: zephyrproject-rtos/action-zephyr-setup@v1 uses: zephyrproject-rtos/action-zephyr-setup@f7b70269a8eb01f70c8e710891e4c94972a2f6b4 # v1.0.6
with: with:
app-path: zephyr app-path: zephyr
toolchains: all toolchains: all


@ -27,7 +27,7 @@ jobs:
sudo apt-get update sudo apt-get update
sudo apt-get install discount sudo apt-get install discount
- uses: brcrista/summarize-issues@v4 - uses: brcrista/summarize-issues@54c549b7d38b7db39e5c6e06fd9617e12e5c3491 # v4
with: with:
title: 'Issues Report for ${{ github.repository }}' title: 'Issues Report for ${{ github.repository }}'
configPath: 'issues-report-config.json' configPath: 'issues-report-config.json'
@ -42,7 +42,7 @@ jobs:
path: ${{ env.OUTPUT_FILE_NAME }} path: ${{ env.OUTPUT_FILE_NAME }}
- name: Configure AWS Credentials - name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with: with:
aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }} aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }}


@ -13,7 +13,7 @@ jobs:
fetch-depth: 0 fetch-depth: 0
- name: Scan the code - name: Scan the code
id: scancode id: scancode
uses: zephyrproject-rtos/action_scancode@v4 uses: zephyrproject-rtos/action_scancode@23ef91ce31cd4b954366a7b71eea47520da9b380 # v4
with: with:
directory-to-scan: 'scan/' directory-to-scan: 'scan/'
- name: Artifact Upload - name: Artifact Upload


@ -26,7 +26,7 @@ jobs:
west init -l . || true west init -l . || true
- name: Manifest - name: Manifest
uses: zephyrproject-rtos/action-manifest@v1.7.0 uses: zephyrproject-rtos/action-manifest@cb8f6fba6f20b5f8649bd573e80a7583a239894c # v1.7.0
with: with:
github-token: ${{ secrets.ZB_GITHUB_TOKEN }} github-token: ${{ secrets.ZB_GITHUB_TOKEN }}
manifest-path: 'west.yml' manifest-path: 'west.yml'


@ -21,7 +21,7 @@ jobs:
echo "TRIMMED_VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT echo "TRIMMED_VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: REUSE Compliance Check - name: REUSE Compliance Check
uses: fsfe/reuse-action@v5 uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0
with: with:
args: spdx -o zephyr-${{ steps.get_version.outputs.VERSION }}.spdx args: spdx -o zephyr-${{ steps.get_version.outputs.VERSION }}.spdx


@ -18,7 +18,7 @@ jobs:
steps: steps:
- name: Delete stale queued workflow runs - name: Delete stale queued workflow runs
uses: MajorScruffy/delete-old-workflow-runs@v0.3.0 uses: MajorScruffy/delete-old-workflow-runs@78b5af714fefaefdf74862181c467b061782719e # v0.3.0
with: with:
repository: ${{ github.repository }} repository: ${{ github.repository }}
# Remove any workflow runs in "queued" state for more than 1 day # Remove any workflow runs in "queued" state for more than 1 day


@ -27,7 +27,7 @@ jobs:
- name: Download Artifacts - name: Download Artifacts
id: download-artifacts id: download-artifacts
uses: dawidd6/action-download-artifact@v8 uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
with: with:
path: artifacts path: artifacts
workflow: twister.yml workflow: twister.yml


@ -247,7 +247,7 @@ jobs:
junit.xml junit.xml
- name: Publish Unit Test Results - name: Publish Unit Test Results
uses: EnricoMi/publish-unit-test-result-action@v2 uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0
with: with:
check_name: Unit Test Results check_name: Unit Test Results
files: "**/twister.xml" files: "**/twister.xml"