diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml index 1a5ec0ddaba..5cd9fc0b5e9 100644 --- a/.github/workflows/beta.yml +++ b/.github/workflows/beta.yml @@ -23,7 +23,7 @@ jobs: - 6379:6379 steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive diff --git a/.github/workflows/build_binary.yml b/.github/workflows/build_binary.yml index 1932c08295c..4b198d78657 100644 --- a/.github/workflows/build_binary.yml +++ b/.github/workflows/build_binary.yml @@ -26,7 +26,7 @@ jobs: apt-get update apt-get install -y --no-install-recommends git ca-certificates gcc libc6-dev curl make zip - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -50,7 +50,7 @@ jobs: zip relay-Linux-x86_64-debug.zip relay.debug mv relay relay-Linux-x86_64 - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-linux path: target/release/relay-Linux-x86_64* @@ -66,7 +66,7 @@ jobs: runs-on: ubuntu-22.04-arm steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -85,7 +85,7 @@ jobs: zip relay-Linux-aarch64-debug.zip relay.debug mv relay relay-Linux-aarch64 - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-linux-aarch64 path: target/release/relay-Linux-aarch64* @@ -100,7 +100,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -118,7 +118,7 @@ jobs: mv relay relay-Darwin-x86_64 zip -r relay-Darwin-x86_64-dsym.zip relay.dSYM - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-macos path: target/release/relay-Darwin-x86_64* @@ -133,7 +133,7 @@ jobs: runs-on: windows-2022 steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -150,7 +150,7 @@ jobs: 7z a relay-Windows-x86_64-pdb.zip relay.pdb mv relay.exe relay-Windows-x86_64.exe - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-windows path: target/release/relay-Windows-x86_64* @@ -167,7 +167,7 @@ jobs: # there cannot be mutliple upload-artifacts with the same name, in a sha's workflow runs. # However in this case it is fine because this only runs on release/** branches, # and the other runs on release-library/** branches. - - uses: actions/upload-artifact/merge@v7 + - uses: actions/upload-artifact/merge@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: # Craft expects release assets to be a single artifact named after the sha. name: ${{ github.sha }} diff --git a/.github/workflows/build_library.yml b/.github/workflows/build_library.yml index 4f76feccefa..52789b064a5 100644 --- a/.github/workflows/build_library.yml +++ b/.github/workflows/build_library.yml @@ -28,7 +28,7 @@ jobs: }')[matrix.build-arch] }} steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -37,7 +37,7 @@ jobs: env: TARGET: ${{ matrix.build-arch }} - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 - name: Verify Wheel run: | @@ -48,7 +48,7 @@ jobs: python tools/verify_wheel.py dist/*.whl working-directory: py - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-linux-${{ matrix.build-arch }} path: py/dist/* @@ -70,7 +70,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -104,7 +104,7 @@ jobs: # consumed by cargo and setup.py to obtain the target dir CARGO_BUILD_TARGET: ${{ matrix.target }} - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-macos-${{ matrix.py-platform }} path: py/dist/* @@ -117,7 +117,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -136,7 +136,7 @@ jobs: run: python setup.py sdist working-directory: py - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: artifact-sdist path: py/dist/* @@ -153,7 +153,7 @@ jobs: # there cannot be mutliple upload-artifacts with the same name, in a sha's workflow runs. # However in this case it is fine because this only runs on release-library/** branches, # and the other runs on release/** branches. - - uses: actions/upload-artifact/merge@v7 + - uses: actions/upload-artifact/merge@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: # Craft expects release assets to be a single artifact named after the sha. name: ${{ github.sha }} diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index a2cfa7c0286..729f1e2b6b9 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -9,7 +9,7 @@ jobs: name: Changelogs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a3043ae6111..d758f2ce056 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive @@ -50,7 +50,7 @@ jobs: - name: Setup SSH agent if: env.SSH_PRIVATE_KEY != '' - uses: webfactory/ssh-agent@v0.9.0 + uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0 with: ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} @@ -59,7 +59,7 @@ jobs: rustup toolchain install stable --profile minimal --no-self-update rustup component add clippy rustfmt rust-docs --toolchain stable - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -107,14 +107,14 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --component clippy --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -128,7 +128,7 @@ jobs: outputs: devservices-files-changed: ${{ steps.changes.outputs.devservices-files-changed }} steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 name: Check for file changes id: changes @@ -157,21 +157,21 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/')" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Setup SSH agent if: env.SSH_PRIVATE_KEY != '' # Windows needs an older versino of the ssh agent: https://github.com/webfactory/ssh-agent/pull/17 - uses: webfactory/ssh-agent@v0.7.0 + uses: webfactory/ssh-agent@836c84ec59a0e7bc0eabc79988384eb567561ee2 # v0.7.0 with: ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -219,20 +219,20 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Setup SSH agent if: env.SSH_PRIVATE_KEY != '' - uses: webfactory/ssh-agent@v0.9.0 + uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0 with: ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -250,14 +250,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -365,12 +365,12 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - - uses: dtolnay/rust-toolchain@stable - - uses: swatinem/rust-cache@v2 + - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: "${{ github.job }}-${{ matrix.target }}-${{ matrix.image_name }}" @@ -393,7 +393,7 @@ jobs: cp "${RELAY_BIN}"{,-debug.zip,.src.zip} "artifacts/${DOCKER_PLATFORM}" - name: Upload Artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: retention-days: 1 name: ${{ matrix.image_name }}@${{ matrix.target }} @@ -441,17 +441,17 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: "${{ github.job }}-${{ matrix.target }}-${{ matrix.image_name }}" - - uses: webfactory/ssh-agent@v0.9.0 + - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0 with: ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} @@ -479,7 +479,7 @@ jobs: done - name: Upload Artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: retention-days: 1 name: internal-${{ matrix.image_name }}@${{ matrix.target }} @@ -506,12 +506,12 @@ jobs: REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: docker/setup-qemu-action@v4 - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 + - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: "${{ matrix.image_name }}@*" merge-multiple: true @@ -543,7 +543,7 @@ jobs: - name: Upload docker image if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: retention-days: 1 name: ${{ matrix.image_name }}-docker-image @@ -572,15 +572,15 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: docker/setup-qemu-action@v4 - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 + - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 # Logic taken from: publish-to-gcr - name: Google Auth id: auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 with: workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com @@ -590,7 +590,7 @@ jobs: gcloud auth configure-docker us-central1-docker.pkg.dev # Logic taken from: build-docker - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: "internal-${{ matrix.image_name }}@*" merge-multiple: true @@ -647,13 +647,13 @@ jobs: steps: - name: Google Auth id: auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 with: workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com - name: "Set up Cloud SDK" - uses: "google-github-actions/setup-gcloud@v3" + uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3 with: # https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation # You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools. @@ -694,7 +694,7 @@ jobs: steps: - name: Google Auth id: auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 with: workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com @@ -704,13 +704,13 @@ jobs: gcloud auth configure-docker us-central1-docker.pkg.dev - name: "Set up Cloud SDK" - uses: "google-github-actions/setup-gcloud@v3" + uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3 with: # https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation # You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools. version: ">= 390.0.0" - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: "internal-${{ matrix.image_name }}@*" merge-multiple: true @@ -786,21 +786,21 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} cache-on-failure: "true" - name: Setup SSH agent if: env.SSH_PRIVATE_KEY != '' - uses: webfactory/ssh-agent@v0.9.0 + uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0 with: ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} @@ -835,7 +835,7 @@ jobs: steps: # Checkout Sentry and run integration tests against latest Relay - name: Checkout Sentry - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: getsentry/sentry path: sentry @@ -859,7 +859,7 @@ jobs: - name: Download Docker Image if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: relay-docker-image @@ -887,7 +887,7 @@ jobs: steps: - name: Run Sentry self-hosted e2e CI - uses: getsentry/self-hosted@master + uses: getsentry/self-hosted@871c182cb0a99dc1fad72cc7ce7889b514b0c5f0 # master with: project_name: relay image_url: ghcr.io/getsentry/relay:${{ github.event.pull_request.head.sha || github.sha }} @@ -905,7 +905,7 @@ jobs: needs: devservices-files-changed if: needs.devservices-files-changed.outputs.devservices-files-changed == 'true' steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 name: Checkout repository - name: Get devservices version diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index f60983fa4a6..9a6402cf37e 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -24,14 +24,14 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --component rust-docs --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} @@ -44,7 +44,7 @@ jobs: - name: Deploy if: github.ref == 'refs/heads/master' - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@e9c66a37f080288a11235e32cbe2dc5fb3a679cc # v4 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: target/doc @@ -54,12 +54,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update - - uses: swatinem/rust-cache@v2 + - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ github.job }} diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml index 39301174f65..a9bf6de3d24 100644 --- a/.github/workflows/enforce-license-compliance.yml +++ b/.github/workflows/enforce-license-compliance.yml @@ -16,6 +16,6 @@ jobs: runs-on: ubuntu-latest steps: - name: "Enforce License Compliance" - uses: getsentry/action-enforce-license-compliance@main + uses: getsentry/action-enforce-license-compliance@48236a773346cb6552a7bda1ee370d2797365d87 # main with: fossa_api_key: ${{ secrets.FOSSA_API_KEY }} diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index 4be5d2bc11f..d41165e87df 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml @@ -28,13 +28,13 @@ jobs: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/action-prepare-release@v1 + uses: getsentry/action-prepare-release@c8e1c2009ab08259029170132c384f03c1064c0e # v1 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index 7384e5591ec..eb9cc132347 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml @@ -23,13 +23,13 @@ jobs: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/action-prepare-release@v1 + uses: getsentry/action-prepare-release@c8e1c2009ab08259029170132c384f03c1064c0e # v1 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: diff --git a/.github/workflows/validate-pipelines.yml b/.github/workflows/validate-pipelines.yml index 627824158db..99ac295f97e 100644 --- a/.github/workflows/validate-pipelines.yml +++ b/.github/workflows/validate-pipelines.yml @@ -17,7 +17,7 @@ jobs: outputs: gocd: ${{ steps.changes.outputs.gocd }} steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Check for relevant file changes uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: changes @@ -39,21 +39,21 @@ jobs: id-token: "write" steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - id: 'auth' - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 with: workload_identity_provider: 'projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool' service_account: 'gha-gocd-api@sac-prod-sa.iam.gserviceaccount.com' token_format: 'id_token' id_token_audience: '610575311308-9bsjtgqg4jm01mt058rncpopujgk3627.apps.googleusercontent.com' id_token_include_email: true - - uses: getsentry/action-gocd-jsonnet@v1 + - uses: getsentry/action-gocd-jsonnet@2a32414fa9e58a46d1afea9cbfa7b77a928678e2 # v1 with: jb-install: true jsonnet-dir: gocd/templates generated-dir: gocd/generated-pipelines - - uses: getsentry/action-validate-gocd-pipelines@v1 + - uses: getsentry/action-validate-gocd-pipelines@80fde540c1403d52e17783368930fa28bd93447f # v1 with: configrepo: relay__master gocd_access_token: ${{ secrets.GOCD_ACCESS_TOKEN }}