pin version tags in database cleanup and issues response wf (#2889)

* pin version tags in database cleanup and issues response wf * update all workflow for actions version pin * edit build strategy and a few version pin typo
2025-12-30 23:23:37 +00:00 · 2023-05-03 15:20:12 +01:00
parent 2d4d96733d
commit 6d860acab4
11 changed files with 78 additions and 78 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repo
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Install cloc
        run: |
@@ -31,7 +31,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Verify Format
        run: dotnet format --verify-no-changes
@@ -43,7 +43,7 @@ jobs:
      NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
    steps:
      - name: Set up dotnet
-        uses: actions/setup-dotnet@9211491ffb35dd6a6657ca4f45d43dfe6e97c829
+        uses: actions/setup-dotnet@9211491ffb35dd6a6657ca4f45d43dfe6e97c829 # v2.0.0
        with:
          dotnet-version: "6.0.x"

@@ -55,7 +55,7 @@ jobs:
          echo "GitHub event: $GITHUB_EVENT"

      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Restore
        run: dotnet restore --locked-mode
@@ -81,7 +81,7 @@ jobs:
        shell: pwsh

      - name: Report test results
-        uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226
+        uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0
        if: always()
        with:
          name: Test Results
@@ -128,10 +128,10 @@ jobs:
            dotnet: true
    steps:
      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Set up Node
-        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3.0.0
        with:
          cache: "npm"
          cache-dependency-path: "**/package-lock.json"
@@ -175,7 +175,7 @@ jobs:
          ls -atlh ../../../

      - name: Upload project artifact
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: ${{ matrix.project_name }}.zip
          path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
@@ -248,7 +248,7 @@ jobs:
            dotnet: true
    steps:
      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Check Branch to Publish
        env:
@@ -265,7 +265,7 @@ jobs:

      ########## ACRs ##########
      - name: Login to Azure - QA Subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }}

@@ -273,7 +273,7 @@ jobs:
        run: az acr login -n bitwardenqa

      - name: Login to Azure - PROD Subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

@@ -281,13 +281,13 @@ jobs:
        run: az acr login -n bitwardenprod

      - name: Login to Azure - CI Subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve github PAT secrets
        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+        uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
@@ -295,7 +295,7 @@ jobs:
      - name: Retrieve secrets
        if: ${{ env.is_publish_branch == 'true' }}
        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+        uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          keyvault: "bitwarden-ci"
          secrets: "docker-password,
@@ -349,7 +349,7 @@ jobs:

      - name: Get build artifact
        if: ${{ matrix.dotnet }}
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
        with:
          name: ${{ matrix.project_name }}.zip

@@ -361,7 +361,7 @@ jobs:
            -d ${{ matrix.base_path }}/${{ matrix.project_name }}/obj/build-output/publish

      - name: Build Docker image
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3.2.0
        with:
          context: ${{ matrix.base_path }}/${{ matrix.project_name }}
          file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
@@ -391,12 +391,12 @@ jobs:
    needs: build-docker
    steps:
      - name: Set up dotnet
-        uses: actions/setup-dotnet@9211491ffb35dd6a6657ca4f45d43dfe6e97c829
+        uses: actions/setup-dotnet@9211491ffb35dd6a6657ca4f45d43dfe6e97c829 # v3.0.3
        with:
          dotnet-version: "6.0.x"

      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Restore
        run: dotnet tool restore
@@ -429,7 +429,7 @@ jobs:

      - name: Upload Docker stub artifact
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc'
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: docker-stub.zip
          path: docker-stub.zip
@@ -437,7 +437,7 @@ jobs:

      - name: Upload Docker stub checksum artifact
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc'
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: docker-stub-sha256.txt
          path: docker-stub-sha256.txt
@@ -463,7 +463,7 @@ jobs:
          GLOBALSETTINGS__SQLSERVER__CONNECTIONSTRING: "placeholder"

      - name: Upload Swagger artifact
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: swagger.json
          path: swagger.json
@@ -488,7 +488,7 @@ jobs:

    steps:
      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Print environment
        run: |
@@ -507,7 +507,7 @@ jobs:

      - name: Upload project artifact Windows
        if: ${{ contains(matrix.target, 'win') == true }}
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: MsSqlMigratorUtility-${{ matrix.target }}
          path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe
@@ -515,7 +515,7 @@ jobs:

      - name: Upload project artifact
        if: ${{ contains(matrix.target, 'win') == false }}
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: MsSqlMigratorUtility-${{ matrix.target }}
          path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility
@@ -565,21 +565,21 @@ jobs:
          fi

      - name: Login to Azure - CI subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        if: failure()
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+        uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f
        if: failure()
        with:
          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
-        uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33
+        uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
        if: failure()
        env:
          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}