From 928a7f3c128745292ffe1b61fb5d3b3c53a5d3ad Mon Sep 17 00:00:00 2001
From: Nigel Jones
Date: Fri, 19 Apr 2024 10:14:47 +0100
Subject: [PATCH] pin github action SHAs
Signed-off-by: Nigel Jones
---
.github/workflows/android.yml | 6 +++---
.github/workflows/apple.yml | 6 +++---
.github/workflows/release-test.yml | 4 ++--
.github/workflows/scorecard.yml | 15 +++++++-------
.github/workflows/unix.yml | 33 +++++++++++++++---------------
.github/workflows/weekly.yml | 6 +++---
.github/workflows/windows.yml | 8 ++++----
7 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index 895ed7b171..a0414bee04 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -1,6 +1,6 @@
name: android build
-on: [push, pull_request]
+on: [ push, pull_request ]
jobs:
@@ -9,9 +9,9 @@ jobs:
strategy:
fail-fast: false
matrix:
- abi: [armeabi-v7a, arm64-v8a, x86, x86_64]
+ abi: [ armeabi-v7a, arm64-v8a, x86, x86_64 ]
steps:
- name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
- name: Build project
run: ./scripts/build-android.sh $ANDROID_NDK_HOME -a ${{ matrix.abi }}
diff --git a/.github/workflows/apple.yml b/.github/workflows/apple.yml
index 1ced2dea76..1579ad5dcf 100644
--- a/.github/workflows/apple.yml
+++ b/.github/workflows/apple.yml
@@ -1,6 +1,6 @@
name: apple build
-on: [push, pull_request]
+on: [ push, pull_request ]
jobs:
@@ -9,10 +9,10 @@ jobs:
strategy:
fail-fast: false
matrix:
- platform: [OS64, TVOS]
+ platform: [ OS64, TVOS ]
steps:
- name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
- name: Generate project
run: cmake -B build --toolchain .CMake/apple.cmake -DOQS_USE_OPENSSL=OFF -DPLATFORM=${{ matrix.platform }} .
- name: Build project
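Review bot: The `+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3` line in the android.yml `@@ -9,9` hunk (and its twin in apple.yml) freezes these workflows on the v3 major of actions/checkout, while unix.yml and release-test.yml in the same commit move to the v4 SHA `b4ffde65f46336ab88eb53be808477a3936bae11`; pinning the older, Node 16-era major by SHA makes the lag permanent rather than visible. Bump to v4 before pinning and use the same SHA everywhere, and make the trailing comment the exact tag the SHA resolves to (`# v4.1.1`, to be confirmed against the upstream release) rather than `pin@v3`, since Dependabot and Renovate read that comment to propose updates. Unless a `.github/dependabot.yml` with a `github-actions` ecosystem entry already exists outside this diff, the pins will otherwise go stale silently.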
diff --git a/.github/workflows/release-test.yml b/.github/workflows/release-test.yml
index 0179b3d93e..95d6f00764 100644
--- a/.github/workflows/release-test.yml
+++ b/.github/workflows/release-test.yml
@@ -8,7 +8,7 @@ name: Release tests
on:
push:
release:
- types: [published]
+ types: [ published ]
jobs:
oqs-provider-release-test:
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout release tests script
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
with:
sparse-checkout: |
scripts/provider-test-trigger.sh
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 50e12e1ffa..fe6d256e5d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -6,8 +6,8 @@ name: Scorecard supply-chain security
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
- branch_protection_rule:
- # To guarantee Maintained check is occasionally updated. See
+ branch_protection_rule: # To guarantee Maintained check is occasionally updated. See
+
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: '29 9 * * 4'
@@ -15,7 +15,7 @@ on:
branches: [ "main" ]
pull_request:
-# Declare default permissions as read only.
+ # Declare default permissions as read only.
permissions: read-all
jobs:
@@ -33,12 +33,12 @@ jobs:
steps:
- name: "Checkout code"
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
with:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # pin@v2.3.1
with:
results_file: results.sarif
results_format: sarif
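Review bot: The checkout line in the scorecard.yml `@@ -33,12` hunk trades the exact version comment it already carried, `# v3.1.0`, for the looser `# pin@v3`, while the scorecard-action line two steps later keeps `# pin@v2.3.1` — the file now mixes two comment conventions and loses precision it had. The SHA is what the OpenSSF Pinned-Dependencies check scores, but the comment is what humans and update bots read, so keep the exact tag: `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` (the tag this SHA appears to correspond to — confirm upstream). This is also the only checkout in the patch with `persist-credentials: false`; the new checkout lines in the other workflows still let the token persist in `.git/config`, which is worth revisiting while hardening.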
@@ -60,14 +60,13 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
- uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3
with:
name: SARIF file
path: results.sarif
retention-days: 5
- # Upload the results to GitHub's code scanning dashboard.
#- name: "Upload to code-scanning"
- # uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ # uses: github/codeql-action/upload-sarif@e949a1676c32f4c215780f7429eb9f00ff18b225 # pin@v2
# with:
# sarif_file: results.sarif
diff --git a/.github/workflows/unix.yml b/.github/workflows/unix.yml
index 9c6142187e..ed3607f6d4 100644
--- a/.github/workflows/unix.yml
+++ b/.github/workflows/unix.yml
@@ -1,6 +1,6 @@
name: Linux and MacOS tests
-on: [push, pull_request]
+on: [ push, pull_request ]
jobs:
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Ensure code conventions are upheld
run: python3 -m pytest --verbose tests/test_code_conventions.py
- name: Check that doxygen can parse the documentation
@@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Verify copy_from_upstream state
run: |
git config --global user.name "ciuser" && \
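Review bot: The SHA bump on the commented-out `# uses: github/codeql-action/upload-sarif@e949a1676c32f4c215780f7429eb9f00ff18b225 # pin@v2` line maintains dead configuration: the new pin is never executed, so nothing will catch it going stale the way the old one did. Either delete the disabled block or re-enable it; if it is re-enabled, the job will need `security-events: write` because the workflow declares `permissions: read-all` in the earlier hunk, and the comment should name the exact tag as the replaced `# v2.2.4` did. I also cannot tell from the collapsed text whether `- # Upload the results to GitHub's code scanning dashboard.` removes that comment or a blank line before it; if it is the comment, keep it, since the commented-out step below is otherwise unexplained.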
@@ -39,14 +39,14 @@ jobs:
buildcheck:
name: Check that code passes a basic build before starting heavier tests
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
- needs: [stylecheck, upstreamcheck]
+ needs: [ stylecheck, upstreamcheck ]
runs-on: ubuntu-latest
env:
KEM_NAME: kyber_768
SIG_NAME: dilithium_3
steps:
- name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Configure
run: |
mkdir build && \
@@ -104,7 +104,7 @@ jobs:
image: ${{ matrix.container }}
steps:
- name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Configure
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA ..
- name: Build
@@ -119,7 +119,7 @@ jobs:
working-directory: build
- name: Retain .deb file
if: ${{ matrix.name }} == 'jammy-std-openssl3'
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3
with:
name: liboqs-openssl3-shared-x64
path: build/*.deb
@@ -145,7 +145,7 @@ jobs:
# CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_OPT_TARGET=generic
steps:
- name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Install the emulation handlers
run: docker run --rm --privileged multiarch/qemu-user-static:register --reset
- name: Build in an x86_64 container
@@ -186,7 +186,7 @@ jobs:
CMAKE_ARGS: -DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_windows-amd64.cmake -DBUILD_SHARED_LIBS=ON
steps:
- name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Configure
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA ..
- name: Build
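Review bot: `container: openquantumsafe/ci-ubuntu-focal-x86_64:latest` in the `@@ -39,14` hunk is a mutable tag, so the buildcheck job that now checks out with an immutable SHA still executes inside an image that can change under it on every run — the same substitution risk this commit closes for actions, and a larger one, since the image supplies the compiler. Pin it by digest, `container: openquantumsafe/ci-ubuntu-focal-x86_64@sha256:<digest>`, and have the same updater that bumps action SHAs bump the digest. The same applies to `image: openquantumsafe/ci-ubuntu-jammy:latest` later in this file and, presumably, to the `matrix.container` images whose definitions are outside the hunk.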
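Review bot: `if: ${{ matrix.name }} == 'jammy-std-openssl3'` on the "Retain .deb file" step in the `@@ -119,7` hunk is always true: once an `if:` value contains `${{ }}`, only the bracketed part is evaluated and the rest is literal text, so the result is the non-empty string `<name> == 'jammy-std-openssl3'`, which is truthy. The upload-artifact step this hunk pins therefore runs for every matrix entry, not just the one that produces a .deb. Write the whole condition as an expression: `if: matrix.name == 'jammy-std-openssl3'`. The matrix and its `name` field are outside the hunk, so confirm that is the key being compared.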
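Review bot: `run: docker run --rm --privileged multiarch/qemu-user-static:register --reset` in the `@@ -145,7` hunk pulls an image by a mutable tag and runs it with `--privileged` on the runner, which is a larger unpinned-dependency exposure than any of the action references this commit pins. Pin the image by digest, `multiarch/qemu-user-static@sha256:<digest>`, so the binfmt registration is as reproducible as the checkout above it. The x86_64 container used by the following build step is outside the hunk and should get the same treatment.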
@@ -198,7 +198,8 @@ jobs:
strategy:
fail-fast: false
matrix:
- os: # macos-14 runs on aarch64; the others run on x64
+ os:
+ # macos-14 runs on aarch64; the others run on x64
- macos-12
- macos-13
- macos-14
@@ -209,7 +210,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Install dependencies
run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --break-system-packages pytest pytest-xdist pyyaml
- name: Get system information
@@ -230,16 +231,16 @@ jobs:
image: openquantumsafe/ci-ubuntu-jammy:latest
steps:
- name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
- name: Retrieve OpenSSL330 from cache
id: cache-openssl330
- uses: actions/cache@v3
+ uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
with:
path: .localopenssl330
key: ${{ runner.os }}-openssl330
- name: Checkout the OpenSSL v3.3.0 commit
if: steps.cache-openssl330.outputs.cache-hit != 'true'
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
with:
repository: 'openssl/openssl'
ref: 'openssl-3.3.0-beta1'
@@ -256,7 +257,7 @@ jobs:
- name: Save OpenSSL
id: cache-openssl-save
if: steps.cache-openssl330.outputs.cache-hit != 'true'
- uses: actions/cache/save@v3
+ uses: actions/cache/save@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
with:
path: |
.localopenssl330
@@ -268,4 +269,4 @@ jobs:
working-directory: build
- name: Run tests
timeout-minutes: 60
- run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
\ No newline at end of file
+ run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
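Review bot: `pip3 install --break-system-packages pytest pytest-xdist pyyaml` in the `@@ -209,7` hunk resolves the test toolchain from a mutable index on every run, so the macOS jobs are still not reproducible after the checkout SHA is pinned. Pin the packages (`pytest==<x.y.z>` and so on) or install from a requirements file with `--require-hashes`, and prefer a venv to `--break-system-packages` so the runner's system Python is left untouched. The steps that actually run the tests are in later hunks.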
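Review bot: The OpenSSL checkout in the `@@ -230,16` hunk pins the action by SHA but fetches the dependency itself by a mutable reference, `ref: 'openssl-3.3.0-beta1'`; a tag can be moved, so this should be the commit SHA, which also matches the step name "Checkout the OpenSSL v3.3.0 commit" (note the name says v3.3.0 while the ref is a beta1 tag). The cache key `${{ runner.os }}-openssl330` does not include the ref either, so changing the ref later keeps serving the stale cached build until someone renames the key — fold the pinned revision into it, e.g. `key: ${{ runner.os }}-openssl-<sha>`. The build of the checked-out tree and the `cache/save` step are in the following hunks.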
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
index 327e04d16e..a64229fdf8 100644
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@@ -2,7 +2,7 @@ name: Weekly extended tests
on:
schedule:
- - cron: "5 0 * * 0"
+ - cron: "5 0 * * 0"
jobs:
@@ -26,7 +26,7 @@ jobs:
image: ${{ matrix.container }}
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2
- name: Configure
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA ..
- name: Build
@@ -54,7 +54,7 @@ jobs:
image: ${{ matrix.container }}
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2
- name: Configure
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA ..
- name: Build
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 8b5716554f..85619a1381 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,13 +1,13 @@
name: Windows tests
-on: [push, pull_request]
+on: [ push, pull_request ]
jobs:
windows-arm64:
runs-on: windows-2022
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
- name: Generate Project
run: cmake -B build --toolchain .CMake/toolchain_windows_arm64.cmake .
- name: Build Project
@@ -18,9 +18,9 @@ jobs:
strategy:
fail-fast: false
matrix:
- toolchain: [.CMake/toolchain_windows_x86.cmake, .CMake/toolchain_windows_amd64.cmake]
+ toolchain: [ .CMake/toolchain_windows_x86.cmake, .CMake/toolchain_windows_amd64.cmake ]
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
- name: Generate Project
run: cmake -B build --toolchain ${{ matrix.toolchain }} .
- name: Build Project
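Review bot: `uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2` in the weekly.yml `@@ -26,7` hunk locks the weekly jobs onto the v2 major of actions/checkout, two majors behind the v4 SHA `b4ffde65f46336ab88eb53be808477a3936bae11` that this same commit uses in unix.yml; pinning a line that has been superseded twice makes the lag permanent instead of visible. Use the same v4 SHA here and in the `@@ -54,7` hunk, and record the exact tag in the comment instead of `pin@v2`. The `${{ matrix.container }}` images these steps run in are defined outside the hunk; check that they are pinned by digest, since they are the other mutable input to these jobs.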