From cdbeb5e59d926175cff57ced52061cfe103293d2 Mon Sep 17 00:00:00 2001
From: Michael Hucka
Date: Wed, 26 Feb 2025 17:54:26 -0800
Subject: [PATCH] Pin the versions of CI actions to commit sha's
Google's security practices for GitHub Actions states the following:
> When using a third-party action (one not hosted in a [Google-managed org](http://go/github/orgs)), a fixed version of the action MUST be used by [specifying a specific commit](https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses), rather than a branch like "main", or a tagged release, which can be overwritten by any maintainer of the action.
This commit adds sha hash numbers to all `uses:` directives that didn't have one already. This was done by running the tool [frizbee](https://github.com/stacklok/frizbee?README) over the files.
---
 .github/workflows/ci-build-checks.yaml | 54 ++++++++++----------
 .github/workflows/ci-file-checks.yaml | 26 +++++-----
 .github/workflows/ci-nightly-build-test.yaml | 10 ++--
 .github/workflows/ci-nightly-cirq-test.yaml | 10 ++--
 4 files changed, 50 insertions(+), 50 deletions(-)
diff --git a/.github/workflows/ci-build-checks.yaml b/.github/workflows/ci-build-checks.yaml
index 72fb90f4b..30a5c60e2 100644
--- a/.github/workflows/ci-build-checks.yaml
+++ b/.github/workflows/ci-build-checks.yaml
@@ -178,12 +178,12 @@ jobs:
 debug: ${{steps.parameters.outputs.debug}}
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 # Note: setup-python has a cache facility, but we don't use it here
 # because we want to cache more Python things than setup-python does.
 - name: Set up Python ${{inputs.python_ver || env.python_ver}}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{inputs.python_ver || env.python_ver}}
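Review bot: Each new `uses:` pin in this hunk keeps only the major version in its trailing comment (`# v4`, `# v5`), so a reader cannot tell which release the SHA was taken from, and nothing in the patch records that each SHA was checked against a release tag in the action's own repository rather than a commit that is merely reachable through a fork (GitHub's hardening guidance warns that fork commits can be referenced under the upstream name). Recording the verified tag, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # vX.Y.Z` with the placeholder replaced by the tag the SHA resolves to, makes that check reproducible and is the form Dependabot and Renovate parse when bumping a pin. Because a SHA pin freezes the action, the repository also needs an updater configured for the `github-actions` ecosystem, otherwise these steps stop receiving the fixes, including security fixes, that the floating `v4` tag used to deliver. The same applies to every hunk in all four workflow files in this patch.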
@@ -218,7 +218,7 @@ jobs:
 fi
 - name: Test if the cache already exists
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 id: check_cache
 with:
 lookup-only: true
@@ -241,7 +241,7 @@ jobs:
 steps.check_cache.outputs.cache-hit != 'true' ||
 inputs.remake_python_cache == 'true'
 name: Set up the Python cache
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 id: restore_cache
 with:
 key: ${{steps.parameters.outputs.python_cache_key}}
@@ -269,22 +269,22 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{inputs.python_ver || env.python_ver}}
 - name: Restore our Python cache
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 with:
 key: ${{needs.Setup.outputs.python_cache_key}}
 path: ${{needs.Setup.outputs.python_cache_paths}}
 fail-on-cache-miss: true
 - name: Set up Bazel
- uses: bazel-contrib/setup-bazel@0.12.0
+ uses: bazel-contrib/setup-bazel@c50333a3696ad2e6df1e7a2f9b417c5336db774f # 0.12.0
 # Note that we don't need to set the Bazel version to use, because it
 # knows to use what's in the .bazel-version file.
 with:
@@ -307,7 +307,7 @@ jobs:
 pip install -U ./wheel/*.whl
 - name: Save the wheel for the tutorial tests
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: wheel-${{github.run_id}}
 path: ./wheel
@@ -316,7 +316,7 @@ jobs:
 - if: failure() || needs.Setup.outputs.debug == 'true'
 name: Make Bazel artifacts downloadable for analysis
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: bazel-build-artifacts-${{github.run_id}}
 retention-days: 14
@@ -338,22 +338,22 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{inputs.python_ver || env.python_ver}}
 - name: Restore our Python cache
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 with:
 key: ${{needs.Setup.outputs.python_cache_key}}
 path: ${{needs.Setup.outputs.python_cache_paths}}
 fail-on-cache-miss: true
 - name: Get the Python wheel we built
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
 with:
 name: wheel-${{github.run_id}}
 path: ./wheel
@@ -374,22 +374,22 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{inputs.python_ver || env.python_ver}}
 - name: Restore our Python cache
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 with:
 key: ${{needs.Setup.outputs.python_cache_key}}
 path: ${{needs.Setup.outputs.python_cache_paths}}
 fail-on-cache-miss: true
 - name: Set up Bazel
- uses: bazel-contrib/setup-bazel@0.12.0
+ uses: bazel-contrib/setup-bazel@c50333a3696ad2e6df1e7a2f9b417c5336db774f # 0.12.0
 with:
 bazelrc: ${{env.bazelrc_additions}}
 bazelisk-cache: true
@@ -407,7 +407,7 @@ jobs:
 - if: failure() || needs.Setup.outputs.debug == 'true'
 name: Make Bazel artifacts downloadable for analysis
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: bazel-tests-${{github.run_id}}
 retention-days: 7
@@ -428,22 +428,22 @@ jobs:
 needs: [Decision, Setup, Build_wheel]
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{inputs.python_ver || env.python_ver}}
 - name: Restore our Python cache
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 with:
 key: ${{needs.Setup.outputs.python_cache_key}}
 path: ${{needs.Setup.outputs.python_cache_paths}}
 fail-on-cache-miss: true
 - name: Get the Python wheel we built
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
 with:
 name: wheel-${{github.run_id}}
 path: ./wheel
@@ -473,22 +473,22 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{inputs.python_ver || env.python_ver}}
 - name: Restore our Python cache
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 with:
 key: ${{needs.Setup.outputs.python_cache_key}}
 path: ${{needs.Setup.outputs.python_cache_paths}}
 fail-on-cache-miss: true
 - name: Set up Bazel
- uses: bazel-contrib/setup-bazel@0.12.0
+ uses: bazel-contrib/setup-bazel@c50333a3696ad2e6df1e7a2f9b417c5336db774f # 0.12.0
 with:
 bazelrc: ${{env.bazelrc_additions}}
 bazelisk-cache: true
diff --git a/.github/workflows/ci-file-checks.yaml b/.github/workflows/ci-file-checks.yaml
index a9728a3a4..d10cc5227 100644
--- a/.github/workflows/ci-file-checks.yaml
+++ b/.github/workflows/ci-file-checks.yaml
@@ -107,10 +107,10 @@ jobs:
 echo base=${{github.ref_name}} >> "$GITHUB_ENV"
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Determine files changed by this ${{github.event_name}} event
- uses: dorny/paths-filter@v3
+ uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
 id: filter
 with:
 base: ${{env.base}}
@@ -136,12 +136,12 @@ jobs:
 cache_paths: ${{steps.parameters.outputs.cache_paths}}
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 # Note: setup-python has a cache facility, but we don't use it here
 # because we want to cache more Python things than setup-python does.
 - name: Set up Python ${{inputs.python_ver || env.python_ver}}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{inputs.python_ver || env.python_ver}}
@@ -161,7 +161,7 @@ jobs:
 } >> "$GITHUB_OUTPUT"
 - name: Test if the cache already exists
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 id: check_cache
 with:
 lookup-only: true
@@ -184,7 +184,7 @@ jobs:
 steps.check_cache.outputs.cache-hit != 'true' ||
 inputs.remake_python_cache == 'true'
 name: Set up the Python cache
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 id: restore_cache
 with:
 key: ${{steps.parameters.outputs.cache_key}}
@@ -221,7 +221,7 @@ jobs:
 changed_files: ${{needs.Changes.outputs.cc_files}}
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up clang-format output problem matcher
 run: echo '::add-matcher::.github/problem-matchers/clang-format.json'
@@ -258,15 +258,15 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{inputs.python_ver || env.python_ver}}
 - name: Restore the Python cache
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 with:
 key: ${{needs.Setup.outputs.cache_key}}
 path: ${{needs.Setup.outputs.cache_paths}}
@@ -298,15 +298,15 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{inputs.python_ver || env.python_ver}}
 - name: Restore the Python cache
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 with:
 key: ${{needs.Setup.outputs.cache_key}}
 path: ${{needs.Setup.outputs.cache_paths}}
diff --git a/.github/workflows/ci-nightly-build-test.yaml b/.github/workflows/ci-nightly-build-test.yaml
index 2732ca175..5ba3ee7b3 100644
--- a/.github/workflows/ci-nightly-build-test.yaml
+++ b/.github/workflows/ci-nightly-build-test.yaml
@@ -61,7 +61,7 @@ jobs:
 run: ${{steps.commits.outputs.count > 0}}
 steps:
 - name: Check out a sparse copy of the git repo for TFQ
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 sparse-checkout: .
@@ -79,15 +79,15 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Python ${{inputs.py_version || env.py_version}}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{inputs.py_version || env.py_version}}
 - name: Set up Bazel
- uses: bazel-contrib/setup-bazel@0.9.1
+ uses: bazel-contrib/setup-bazel@f3f50ea6791b9b0f4c4eeabba4507422426462f5 # 0.9.1
 with:
 bazelrc: ${{env.bazelrc_additions}}
@@ -123,7 +123,7 @@ jobs:
 - if: failure() || inputs.save_artifacts == 'true'
 name: Make artifacts downloadable
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: test-artifacts
 retention-days: 7
diff --git a/.github/workflows/ci-nightly-cirq-test.yaml b/.github/workflows/ci-nightly-cirq-test.yaml
index 74cccec00..7b7c61ea2 100644
--- a/.github/workflows/ci-nightly-cirq-test.yaml
+++ b/.github/workflows/ci-nightly-cirq-test.yaml
@@ -75,11 +75,11 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Check out a copy of the TFQ git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Python ${{inputs.py_version || env.py_version}}
 id: python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: ${{inputs.py_version || env.py_version}}
 architecture: ${{inputs.arch || env.arch}}
@@ -113,7 +113,7 @@ jobs:
 - name: Set up Bazel with caching
 if: env.use_bazel_disk_cache == 'true'
- uses: bazel-contrib/setup-bazel@0.12.1
+ uses: bazel-contrib/setup-bazel@529dbc2648ea79358c64f2bfa5f3ec98f07859e4 # 0.12.1
 env:
 USE_BAZEL_VERSION: ${{inputs.bazel_version || env.bazel_version}}
 with:
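Review bot: The `bazel-contrib/setup-bazel` pin in the `@@ -79,15` hunk of ci-nightly-build-test.yaml is at `0.9.1` (`f3f50ea6791b9b0f4c4eeabba4507422426462f5`), while ci-build-checks.yaml pins `0.12.0` and ci-nightly-cirq-test.yaml pins `0.12.1`, so the patch now locks three different revisions of the same third-party action by SHA. Pinning by commit makes that drift permanent until each file is edited by hand, so it would be worth aligning the four workflows on one revision (or one shared reusable workflow) in a follow-up, so that a future bump, including one prompted by an advisory for the action, is a single change. The `with:` block of that step continues past the end of the hunk.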
@@ -127,7 +127,7 @@ jobs:
 - name: Set up Bazel without caching
 if: env.use_bazel_disk_cache == 'false'
- uses: bazel-contrib/setup-bazel@0.12.1
+ uses: bazel-contrib/setup-bazel@529dbc2648ea79358c64f2bfa5f3ec98f07859e4 # 0.12.1
 env:
 USE_BAZEL_VERSION: ${{inputs.bazel_version || env.bazel_version}}
 with:
@@ -159,7 +159,7 @@ jobs:
 if: >-
 github.event.inputs.save_artifacts == 'true' &&
 (failure() || github.event_name == 'workflow_dispatch')
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
 with:
 name: bazel-out
 retention-days: 7