Merge pull request #6886 from thaJeztah/pin_actions

vvoland · web-flow · commit 9637f1b3648f · 2026-03-25T15:22:16.000+01:00
ci: pin actions to digests
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,3 +7,5 @@ updates:
     labels:
       - "area/testing"
       - "status/2-code-review"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -35,7 +35,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       -
         name: Create matrix
         id: platforms
@@ -63,10 +63,10 @@ jobs:
     steps:
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       -
         name: Build
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
         with:
           targets: ${{ matrix.target }}
           set: |
@@ -88,7 +88,7 @@ jobs:
           fi
       -
         name: Upload artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: ${{ env.ARTIFACT_NAME }}
           path: /tmp/out/*
@@ -101,20 +101,20 @@ jobs:
       -
         name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         with:
           username: ${{ secrets.DOCKERHUB_CLIBIN_USERNAME }}
           password: ${{ secrets.DOCKERHUB_CLIBIN_TOKEN }}
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       -
         name: Docker meta
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: dockereng/cli-bin
           tags: |
@@ -125,7 +125,7 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
       -
         name: Build and push image
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
         with:
           files: |
             ./docker-bake.hcl
@@ -143,7 +143,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       -
         name: Create matrix
         id: platforms
@@ -165,10 +165,10 @@ jobs:
     steps:
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       -
         name: Build
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
         with:
           targets: plugins-cross
           set: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -46,7 +46,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 2
       # CodeQL 2.16.4's auto-build added support for multi-module repositories,
@@ -61,19 +61,20 @@ jobs:
           ln -s vendor.sum go.sum
       -
         name: Update Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version: "1.25.8"
+          cache: false
       -
         name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           languages: go
       -
         name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
       -
         name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           category: "/language:go"
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -44,7 +44,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       -
         name: Update daemon.json
         run: |
@@ -63,7 +63,7 @@ jobs:
           docker info
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       -
         name: Run ${{ matrix.target }}
         run: |
@@ -74,7 +74,7 @@ jobs:
           TESTFLAGS: -coverprofile=/tmp/coverage/coverage.txt
       -
         name: Send to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
         with:
           files: ./build/coverage/coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -30,15 +30,15 @@ jobs:
     steps:
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       -
         name: Test
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
         with:
           targets: test-coverage
       -
         name: Send to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
         with:
           files: ./build/coverage/coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -60,14 +60,15 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: ${{ env.GOPATH }}/src/github.com/docker/cli
       -
         name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version: "1.25.8"
+          cache: false
       -
         name: Test
         run: |
@@ -80,7 +81,7 @@ jobs:
         shell: bash
       -
         name: Send to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
         with:
           files: /tmp/coverage.txt
           working-directory: ${{ env.GOPATH }}/src/github.com/docker/cli
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -38,7 +38,7 @@ jobs:
     steps:
       -
         name: Run
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
         with:
           targets: ${{ matrix.target }}
 
@@ -48,7 +48,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       -
         name: Generate
         shell: 'script --return --quiet --command "bash {0}"'
@@ -74,7 +74,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       -
         name: Run
         shell: 'script --return --quiet --command "bash {0}"'

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ jobs:`
`44`	`44`	`steps:`
`45`	`45`	`-`
`46`	`46`	`name: Checkout`
`47`		`- uses: actions/checkout@v6`
	`47`	`+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`
`48`	`48`	`-`
`49`	`49`	`name: Update daemon.json`
`50`	`50`	`run: \|`
`@@ -63,7 +63,7 @@ jobs:`
`63`	`63`	`docker info`
`64`	`64`	`-`
`65`	`65`	`name: Set up Docker Buildx`
`66`		`- uses: docker/setup-buildx-action@v4`
	`66`	`+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4`
`67`	`67`	`-`
`68`	`68`	`name: Run ${{ matrix.target }}`
`69`	`69`	`run: \|`
`@@ -74,7 +74,7 @@ jobs:`
`74`	`74`	`TESTFLAGS: -coverprofile=/tmp/coverage/coverage.txt`
`75`	`75`	`-`
`76`	`76`	`name: Send to Codecov`
`77`		`- uses: codecov/codecov-action@v5`
	`77`	`+ uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5`
`78`	`78`	`with:`
`79`	`79`	`files: ./build/coverage/coverage.txt`
`80`	`80`	`token: ${{ secrets.CODECOV_TOKEN }}`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ jobs:`
`38`	`38`	`steps:`
`39`	`39`	`-`
`40`	`40`	`name: Run`
`41`		`- uses: docker/bake-action@v7`
	`41`	`+ uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7`
`42`	`42`	`with:`
`43`	`43`	`targets: ${{ matrix.target }}`
`44`	`44`
`@@ -48,7 +48,7 @@ jobs:`
`48`	`48`	`steps:`
`49`	`49`	`-`
`50`	`50`	`name: Checkout`
`51`		`- uses: actions/checkout@v6`
	`51`	`+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`
`52`	`52`	`-`
`53`	`53`	`name: Generate`
`54`	`54`	`shell: 'script --return --quiet --command "bash {0}"'`
`@@ -74,7 +74,7 @@ jobs:`
`74`	`74`	`steps:`
`75`	`75`	`-`
`76`	`76`	`name: Checkout`
`77`		`- uses: actions/checkout@v6`
	`77`	`+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`
`78`	`78`	`-`
`79`	`79`	`name: Run`
`80`	`80`	`shell: 'script --return --quiet --command "bash {0}"'`