From e98f628d34a0d340e464aa2da1359c5e0bb31603 Mon Sep 17 00:00:00 2001 From: Alexander Brandes Date: Thu, 2 Mar 2023 12:30:14 +0100 Subject: [PATCH] Pin GH actions to SHA to avoid mutable refs (#3973) --- .../workflows/announce-release-on-discord.yml | 3 +-- .github/workflows/build-pr.yml | 8 +++----- .github/workflows/build.yml | 8 +++----- .github/workflows/codeql.yml | 17 +++++------------ .github/workflows/release-drafter.yml | 6 ++---- 5 files changed, 14 insertions(+), 28 deletions(-) diff --git a/.github/workflows/announce-release-on-discord.yml b/.github/workflows/announce-release-on-discord.yml index 4e0eeef84..717c8ca0f 100644 --- a/.github/workflows/announce-release-on-discord.yml +++ b/.github/workflows/announce-release-on-discord.yml @@ -2,7 +2,6 @@ name: Announce release on discord on: release: types: [published] - jobs: send_announcement: runs-on: ubuntu-latest @@ -12,7 +11,7 @@ jobs: DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }} DISCORD_USERNAME: PlotSquared Release DISCORD_AVATAR: https://raw.githubusercontent.com/IntellectualSites/Assets/main/plugins/PlotSquared/PlotSquared.png - uses: Ilshidur/action-discord@0.3.2 + uses: Ilshidur/action-discord@0c4b27844ba47cb1c7bee539c8eead5284ce9fa9 # ratchet:Ilshidur/action-discord@0.3.2 with: args: | "<@&525015541815967744> <@&679322738552471574> <@&699293353862496266>" diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml index b1ffd45a4..6ec60c0b1 100644 --- a/.github/workflows/build-pr.yml +++ b/.github/workflows/build-pr.yml @@ -1,19 +1,17 @@ name: Build PR - -on: [ pull_request ] - +on: [pull_request] jobs: build_pr: if: github.repository_owner == 'IntellectualSites' runs-on: ${{ matrix.os }} strategy: matrix: - os: [ ubuntu-latest, windows-latest, macos-latest ] + os: [ubuntu-latest, windows-latest, macos-latest] steps: - name: Checkout Repository uses: actions/checkout@v3 - name: Validate Gradle Wrapper - uses: gradle/wrapper-validation-action@v1 + uses: gradle/wrapper-validation-action@55e685c48d84285a5b0418cd094606e199cca3b6 # v1 - name: Setup Java uses: actions/setup-java@v3 with: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d7d6fa81c..22bbf5b7b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,10 +1,8 @@ name: build - on: push: branches: - v6 - jobs: build: if: github.repository_owner == 'IntellectualSites' @@ -13,7 +11,7 @@ jobs: - name: Checkout Repository uses: actions/checkout@v3 - name: Validate Gradle Wrapper - uses: gradle/wrapper-validation-action@v1 + uses: gradle/wrapper-validation-action@55e685c48d84285a5b0418cd094606e199cca3b6 # v1 - name: Setup Java uses: actions/setup-java@v3 with: @@ -45,7 +43,7 @@ jobs: ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_PASSWORD }} - name: Publish core javadoc if: ${{ runner.os == 'Linux' && env.STATUS == 'release' && github.event_name == 'push' && github.ref == 'refs/heads/v6'}} - uses: cpina/github-action-push-to-another-repository@main + uses: cpina/github-action-push-to-another-repository@0a14457bb28b04dfa1652e0ffdfda866d2845c73 # main env: SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }} with: @@ -57,7 +55,7 @@ jobs: target-directory: core - name: Publish bukkit javadoc if: ${{ runner.os == 'Linux' && env.STATUS == 'release' && github.event_name == 'push' && github.ref == 'refs/heads/v6'}} - uses: cpina/github-action-push-to-another-repository@main + uses: cpina/github-action-push-to-another-repository@0a14457bb28b04dfa1652e0ffdfda866d2845c73 # main env: SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }} with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 625a76a13..7ead4f468 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,10 +1,8 @@ name: "CodeQL" - on: pull_request: # The branches below must be a subset of the branches above - branches: [ v6 ] - + branches: [v6] jobs: analyze: name: Analyze @@ -13,23 +11,18 @@ jobs: actions: read contents: read security-events: write - strategy: fail-fast: false matrix: - language: [ 'java' ] - + language: ['java'] steps: - name: Checkout repository uses: actions/checkout@v3 - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2 with: languages: ${{ matrix.language }} - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - + uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2 diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 6fa4b5347..35dd31ae2 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -1,14 +1,12 @@ name: draft release - on: push: branches: - v6 pull_request: - types: [ opened, reopened, synchronize ] + types: [opened, reopened, synchronize] pull_request_target: - types: [ opened, reopened, synchronize ] - + types: [opened, reopened, synchronize] jobs: update_release_draft: if: ${{ github.event_name != 'pull_request' || github.repository != github.event.pull_request.head.repo.full_name }}