diff --git a/.github/workflows/build-coder.yml b/.github/workflows/build-coder.yml index 87f4bea..13dd38e 100644 --- a/.github/workflows/build-coder.yml +++ b/.github/workflows/build-coder.yml @@ -32,17 +32,17 @@ jobs: IMAGE: ghcr.io/defilantech/llmkube-foreman-agent-coder LOCAL: ghcr.io/defilantech/llmkube-foreman-agent-coder:ci-${{ github.sha }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # arm64 leg builds under emulation. The Dockerfile cross-compiles every Go # binary in the $BUILDPLATFORM stage and downloads prebuilt helm / # golangci-lint, so QEMU only assembles the arm64 image layers (fast) -- # it never runs the Go compiler interpreted. - name: Set up QEMU (arm64 emulation) - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 # On a coder-v tag push, build against that LLMKube release # (LLMKUBE_REF=v) so the ref is taken from the tag and can never @@ -59,7 +59,7 @@ jobs: # Native amd64 build, loaded locally so the smoke runs the real image. - name: Build (amd64, load for smoke) - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: coder platforms: linux/amd64 @@ -73,14 +73,14 @@ jobs: run: ./scripts/coder-smoke.sh "${{ env.LOCAL }}" - name: Generate SBOM - uses: anchore/sbom-action@v0 + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 with: image: ${{ env.LOCAL }} format: spdx-json output-file: sbom.spdx.json - name: Upload SBOM artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: sbom-coder-${{ github.sha }} path: sbom.spdx.json @@ -90,7 +90,7 @@ jobs: # pull_request. --- - name: Log in to GHCR if: github.event_name != 'pull_request' - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -102,7 +102,7 @@ jobs: # candidate SHAs. type=match only emits on tag refs; harmless on branch/PR. - name: Derive image tags id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ env.IMAGE }} tags: | @@ -117,7 +117,7 @@ jobs: # refs; the digest below is the multi-arch index digest. - name: Build multi-arch (build-only validates arm64 on PRs; push on trusted refs) id: push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: coder platforms: linux/amd64,linux/arm64 @@ -136,7 +136,7 @@ jobs: - name: Attest build provenance if: github.event_name != 'pull_request' - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 with: subject-name: ${{ env.IMAGE }} subject-digest: ${{ steps.push.outputs.digest }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d2caf68..a0c4a03 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -49,7 +49,7 @@ jobs: IMAGE: ${{ matrix.image }} LOCAL: ${{ matrix.image }}:ci-${{ github.sha }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # vulkan-shaders-gen forks a compiler per shader and is memory-heavy; # the default hosted-runner memory left it failing to fork on a fresh @@ -67,10 +67,10 @@ jobs: free -h - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Build image (load locally for the gate) - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: vulkan target: ${{ matrix.target }} @@ -83,14 +83,14 @@ jobs: run: ./scripts/tier1-gate.sh "${{ env.LOCAL }}" - name: Generate SBOM - uses: anchore/sbom-action@v0 + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 with: image: ${{ env.LOCAL }} format: spdx-json output-file: sbom.spdx.json - name: Upload SBOM artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: sbom-${{ matrix.target }}-${{ github.sha }} path: sbom.spdx.json @@ -102,7 +102,7 @@ jobs: # signature before anything consumes it (proposal 697, Tier-2 gate). --- - name: Log in to GHCR if: github.event_name != 'pull_request' - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -120,7 +120,7 @@ jobs: - name: Attest build provenance if: github.event_name != 'pull_request' - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 with: subject-name: ${{ env.IMAGE }} subject-digest: ${{ env.DIGEST }} diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml index 82e1ac6..29c2eae 100644 --- a/.github/workflows/dco.yml +++ b/.github/workflows/dco.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }}