pin github action SHAs
Signed-off-by: Nigel Jones <[email protected]>
planetf1 committed Apr 19, 2024
1 parent 46cd5bb commit 928a7f3
Showing 7 changed files with 39 additions and 39 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/android.yml
@@ -1,6 +1,6 @@
name: android build

on: [push, pull_request]
on: [ push, pull_request ]

jobs:

Expand All @@ -9,9 +9,9 @@ jobs:
strategy:
fail-fast: false
matrix:
abi: [armeabi-v7a, arm64-v8a, x86, x86_64]
abi: [ armeabi-v7a, arm64-v8a, x86, x86_64 ]
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
- name: Build project
run: ./scripts/build-android.sh $ANDROID_NDK_HOME -a ${{ matrix.abi }}
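Review bot: Lines 1-6 of this workflow show `name`, `on` and `jobs` with no top-level `permissions:` key between them, so the job's GITHUB_TOKEN scope presumably falls back to the repository default, and the newly pinned checkout step does not set `persist-credentials: false`. scorecard.yml in this same commit already declares `permissions: read-all` and disables credential persistence; a top-level `permissions:` with `contents: read` here would give this build job the same least-privilege baseline. The first hunks of apple.yml, unix.yml and windows.yml also start at line 1 and show no `permissions:` key, so the same applies there. The job bodies continue outside these hunks, so confirm that no job-level `permissions:` is already set.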
6 changes: 3 additions & 3 deletions .github/workflows/apple.yml
@@ -1,6 +1,6 @@
name: apple build

on: [push, pull_request]
on: [ push, pull_request ]

jobs:

Expand All @@ -9,10 +9,10 @@ jobs:
strategy:
fail-fast: false
matrix:
platform: [OS64, TVOS]
platform: [ OS64, TVOS ]
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
- name: Generate project
run: cmake -B build --toolchain .CMake/apple.cmake -DOQS_USE_OPENSSL=OFF -DPLATFORM=${{ matrix.platform }} .
- name: Build project
4 changes: 2 additions & 2 deletions .github/workflows/release-test.yml
Expand Up @@ -8,15 +8,15 @@ name: Release tests
on:
push:
release:
types: [published]
types: [ published ]

jobs:
oqs-provider-release-test:
if: github.event_name == 'release' || endsWith( github.event.head_commit.message, '[trigger downstream]' )
runs-on: ubuntu-latest
steps:
- name: Checkout release tests script
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
with:
sparse-checkout: |
scripts/provider-test-trigger.sh
15 changes: 7 additions & 8 deletions .github/workflows/scorecard.yml
Expand Up @@ -6,16 +6,16 @@ name: Scorecard supply-chain security
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
# To guarantee Maintained check is occasionally updated. See
branch_protection_rule: # To guarantee Maintained check is occasionally updated. See

# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: '29 9 * * 4'
push:
branches: [ "main" ]
pull_request:

# Declare default permissions as read only.
# Declare default permissions as read only.
permissions: read-all

jobs:
Expand All @@ -33,12 +33,12 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # pin@v2.3.1
with:
results_file: results.sarif
results_format: sarif
Expand All @@ -60,14 +60,13 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
#- name: "Upload to code-scanning"
# uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
# uses: github/codeql-action/upload-sarif@e949a1676c32f4c215780f7429eb9f00ff18b225 # pin@v2
# with:
# sarif_file: results.sarif
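Review bot: The new pin comments for checkout and upload-artifact name only a major tag (`# pin@v3`) where the replaced lines named an exact release (`# v3.1.0`), so a reader can no longer tell from the file which release `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744` or the upload-artifact SHA was resolved from. Keeping the exact tag in the comment, in the form `# vX.Y.Z` (placeholder for the release the SHA actually belongs to) as the scorecard-action line does with `# pin@v2.3.1`, makes the pin auditable and easier for update tooling to track. Separately, the reformatting fused the schedule explanation onto the trigger above it (`branch_protection_rule: # To guarantee Maintained check is occasionally updated. See`) and left its URL stranded after a blank line. `branch_protection_rule:` should stay bare, with both comment lines together directly above `schedule:`.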
33 changes: 17 additions & 16 deletions .github/workflows/unix.yml
@@ -1,6 +1,6 @@
name: Linux and MacOS tests

on: [push, pull_request]
on: [ push, pull_request ]

jobs:

Expand All @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Ensure code conventions are upheld
run: python3 -m pytest --verbose tests/test_code_conventions.py
- name: Check that doxygen can parse the documentation
Expand All @@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Verify copy_from_upstream state
run: |
git config --global user.name "ciuser" && \
Expand All @@ -39,14 +39,14 @@ jobs:
buildcheck:
name: Check that code passes a basic build before starting heavier tests
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
needs: [stylecheck, upstreamcheck]
needs: [ stylecheck, upstreamcheck ]
runs-on: ubuntu-latest
env:
KEM_NAME: kyber_768
SIG_NAME: dilithium_3
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Configure
run: |
mkdir build && \
Expand Down Expand Up @@ -104,7 +104,7 @@ jobs:
image: ${{ matrix.container }}
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Configure
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA ..
- name: Build
Expand All @@ -119,7 +119,7 @@ jobs:
working-directory: build
- name: Retain .deb file
if: ${{ matrix.name }} == 'jammy-std-openssl3'
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3
with:
name: liboqs-openssl3-shared-x64
path: build/*.deb
Expand All @@ -145,7 +145,7 @@ jobs:
# CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_OPT_TARGET=generic
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Install the emulation handlers
run: docker run --rm --privileged multiarch/qemu-user-static:register --reset
- name: Build in an x86_64 container
Expand Down Expand Up @@ -186,7 +186,7 @@ jobs:
CMAKE_ARGS: -DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_windows-amd64.cmake -DBUILD_SHARED_LIBS=ON
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Configure
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA ..
- name: Build
Expand All @@ -198,7 +198,8 @@ jobs:
strategy:
fail-fast: false
matrix:
os: # macos-14 runs on aarch64; the others run on x64
os:
# macos-14 runs on aarch64; the others run on x64
- macos-12
- macos-13
- macos-14
Expand All @@ -209,7 +210,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Install dependencies
run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --break-system-packages pytest pytest-xdist pyyaml
- name: Get system information
Expand All @@ -230,16 +231,16 @@ jobs:
image: openquantumsafe/ci-ubuntu-jammy:latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Retrieve OpenSSL330 from cache
id: cache-openssl330
uses: actions/cache@v3
uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
with:
path: .localopenssl330
key: ${{ runner.os }}-openssl330
- name: Checkout the OpenSSL v3.3.0 commit
if: steps.cache-openssl330.outputs.cache-hit != 'true'
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
with:
repository: 'openssl/openssl'
ref: 'openssl-3.3.0-beta1'
Expand All @@ -256,7 +257,7 @@ jobs:
- name: Save OpenSSL
id: cache-openssl-save
if: steps.cache-openssl330.outputs.cache-hit != 'true'
uses: actions/cache/save@v3
uses: actions/cache/save@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
with:
path: |
.localopenssl330
Expand All @@ -268,4 +269,4 @@ jobs:
working-directory: build
- name: Run tests
timeout-minutes: 60
run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
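Review bot: The actions in this workflow are now pinned by SHA, but the images it runs are still mutable references: `container: openquantumsafe/ci-ubuntu-focal-x86_64:latest`, `image: openquantumsafe/ci-ubuntu-jammy:latest`, and `docker run --rm --privileged multiarch/qemu-user-static:register --reset`, the last of which runs with `--privileged` on the runner. Pinning each by digest (`<image>@sha256:<digest>`, placeholder) would close the same gap the action pins address. The OpenSSL checkout could likewise use a commit SHA instead of the tag `ref: 'openssl-3.3.0-beta1'`. Separately, the context line `if: ${{ matrix.name }} == 'jammy-std-openssl3'` above the pinned upload-artifact step puts the comparison outside the expression, which as far as I can tell makes the condition always truthy; `if: matrix.name == 'jammy-std-openssl3'` looks like the intended form. The job bodies continue outside these hunks.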
6 changes: 3 additions & 3 deletions .github/workflows/weekly.yml
Expand Up @@ -2,7 +2,7 @@ name: Weekly extended tests

on:
schedule:
- cron: "5 0 * * 0"
- cron: "5 0 * * 0"

jobs:

Expand All @@ -26,7 +26,7 @@ jobs:
image: ${{ matrix.container }}
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2
- name: Configure
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA ..
- name: Build
Expand Down Expand Up @@ -54,7 +54,7 @@ jobs:
image: ${{ matrix.container }}
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2
- name: Configure
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA ..
- name: Build
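Review bot: Both checkout steps here are pinned to the v2 line (`actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2`), while unix.yml and release-test.yml in this commit pin v4 and the android, apple and windows workflows pin v3. The SHA pin therefore freezes the oldest major in the workflow that runs least often. Unless the containers used here need v2, the pin already used in unix.yml would keep the workflows consistent: `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4`. SHA pins do not move on their own, so it is worth confirming that update tooling for GitHub Actions is configured; none is visible in this commit. Both job bodies continue outside the hunks.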
8 changes: 4 additions & 4 deletions .github/workflows/windows.yml
@@ -1,13 +1,13 @@
name: Windows tests

on: [push, pull_request]
on: [ push, pull_request ]

jobs:

windows-arm64:
runs-on: windows-2022
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
- name: Generate Project
run: cmake -B build --toolchain .CMake/toolchain_windows_arm64.cmake .
- name: Build Project
Expand All @@ -18,9 +18,9 @@ jobs:
strategy:
fail-fast: false
matrix:
toolchain: [.CMake/toolchain_windows_x86.cmake, .CMake/toolchain_windows_amd64.cmake]
toolchain: [ .CMake/toolchain_windows_x86.cmake, .CMake/toolchain_windows_amd64.cmake ]
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
- name: Generate Project
run: cmake -B build --toolchain ${{ matrix.toolchain }} .
- name: Build Project
