From b972a0218ae53a6c3b042969faa405873ac32e2f Mon Sep 17 00:00:00 2001 
From: Matthew Elwell Date: Mon, 8 Jun 2026 11:24:07 +0100 Subject: [PATCH] ci: Pin third-party GitHub Actions to commit SHAs Pin every third-party `uses:` ref across `.github/workflows/` and `.github/actions/` to its full 40-char commit SHA with a trailing `# vX.Y.Z` comment, hardening the workflows against supply-chain attacks targeting action repositories. Two refs that floated on `@main` are now pinned to their latest stable releases: - `fjogeleit/yaml-update-action` -> v0.17.0 - `actions-cool/check-user-permission` -> v2.0.1 Local `./...` refs and `Flagsmith/*` actions are intentionally left on tags. `renovate.json` extends `helpers:pinGitHubActionDigests` so newly added actions are auto-pinned, with `Flagsmith/**` excluded. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/actions/api-deploy-ecs/action.yml | 12 ++++---- .github/actions/codeartifact-login/action.yml | 2 +- .../docker-build-report-to-pr/action.yml | 8 +++--- .github/actions/e2e-tests/action.yml | 8 +++--- .github/actions/install-uv/action.yml | 2 +- .../task-processor-deploy-ecs/action.yml | 6 ++-- .github/workflows/.reusable-deploy-ecs.yml | 16 +++++------ .github/workflows/.reusable-docker-build.yml | 10 +++---- .../workflows/.reusable-docker-e2e-tests.yml | 22 +++++++-------- .../workflows/.reusable-docker-publish.yml | 12 ++++---- .../workflows/.reusable-frontend-deploy.yml | 6 ++-- .../workflows/api-deploy-production-ecs.yml | 2 +- .github/workflows/api-pull-request.yml | 10 +++---- .github/workflows/api-run-makefile-target.yml | 4 +-- .../api-tests-with-private-packages.yml | 4 +-- .github/workflows/docs-pull-request.yml | 4 +-- .github/workflows/frontend-chromatic.yml | 6 ++-- .../workflows/frontend-deploy-production.yml | 6 ++-- .github/workflows/frontend-pull-request.yml | 4 +-- .github/workflows/frontend-test-staging.yml | 2 +- .github/workflows/github-labeler.yml | 2 +- .github/workflows/manual-e2e-tests.yml | 4 +-- .../workflows/mcp-docker-build-publish.yml | 28 
+++++++++---------- .github/workflows/mcp-pull-request.yml | 8 +++--- .../platform-docker-build-test-publish.yml | 8 +++--- .../workflows/platform-docker-trivy-scan.yml | 6 ++-- .github/workflows/platform-pull-request.yml | 6 ++-- .github/workflows/renovate.yml | 6 ++-- .../update-flagsmith-environment.yml | 4 +-- renovate.json | 9 +++++- 30 files changed, 117 insertions(+), 110 deletions(-) diff --git a/.github/actions/api-deploy-ecs/action.yml b/.github/actions/api-deploy-ecs/action.yml index 0c58c89a984d..7379ad96c104 100644 --- a/.github/actions/api-deploy-ecs/action.yml +++ b/.github/actions/api-deploy-ecs/action.yml @@ -53,7 +53,7 @@ runs: steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4 with: aws-access-key-id: ${{ inputs.aws_access_key_id }} aws-secret-access-key: ${{ inputs.aws_secret_access_key }} @@ -61,7 +61,7 @@ runs: - name: Render SDK API task definition id: task-def-sdk-api - uses: aws-actions/amazon-ecs-render-task-definition@v1 + uses: aws-actions/amazon-ecs-render-task-definition@6853cfae8c3a7d978fbf68b5a55453395541dfbb # v1 with: task-definition: ${{ inputs.aws_task_definitions_directory_path }}/ecs-task-definition-sdk-api.json container-name: flagsmith-api @@ -69,7 +69,7 @@ runs: - name: Render Admin API task definition id: task-def-admin-api - uses: aws-actions/amazon-ecs-render-task-definition@v1 + uses: aws-actions/amazon-ecs-render-task-definition@6853cfae8c3a7d978fbf68b5a55453395541dfbb # v1 with: task-definition: ${{ inputs.aws_task_definitions_directory_path }}/ecs-task-definition-admin-api.json container-name: flagsmith-api 
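Review bot: The trailing comment on almost every pinned ref is a major-only tag (`# v4`, `# v1`, `# v5`), while the commit message promises a `# vX.Y.Z` comment; only four refs in the patch (v1.4, v1.0.0, v0.1.2, v0.17.0, v2.0.1, v46.1.14) carry a full release. A major-only comment tells a reviewer nothing about which release the 40-char SHA was taken from, so the pin cannot be audited against the upstream tag without re-resolving it, and Renovate's digest updater will keep tracking the moving major tag rather than an explicit release. Consider recording the exact release each SHA was resolved from, e.g. `uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4.<minor>.<patch>` (placeholder), in this hunk and in every other hunk of the patch that uses the same pattern. The pin also only covers the direct ref; if any of these are composite actions that themselves `uses:` other actions by tag, those inner refs are still floating and would need the same treatment upstream.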
@@ -78,7 +78,7 @@ runs: # This is used in both the SQL migrations and the Dynamo Identity Migrations - name: Fill in the new image ID in the Amazon ECS migration task definition id: task-def-migration - uses: aws-actions/amazon-ecs-render-task-definition@v1 + uses: aws-actions/amazon-ecs-render-task-definition@6853cfae8c3a7d978fbf68b5a55453395541dfbb # v1 with: task-definition: ${{ inputs.aws_task_definitions_directory_path }}/ecs-task-definition-migration.json container-name: flagsmith-api-migration @@ -103,7 +103,7 @@ runs: - name: Deploy new Task Definition to ECS Admin API service id: deploy-admin-api-task-definition - uses: aws-actions/amazon-ecs-deploy-task-definition@v2 + uses: aws-actions/amazon-ecs-deploy-task-definition@a310a830f5c14e583e35d84e4e1ec7dd177c3c9c # v2 with: cluster: ${{ inputs.aws_ecs_cluster_name }} service: ${{ inputs.aws_ecs_service_name }} @@ -111,7 +111,7 @@ runs: - name: Deploy new Task Definition to ECS SDK API service id: deploy-sdk-api-task-definition - uses: aws-actions/amazon-ecs-deploy-task-definition@v2 + uses: aws-actions/amazon-ecs-deploy-task-definition@a310a830f5c14e583e35d84e4e1ec7dd177c3c9c # v2 with: cluster: ${{ inputs.aws_ecs_cluster_name }} service: ${{ inputs.aws_ecs_sdk_service_name }} diff --git a/.github/actions/codeartifact-login/action.yml b/.github/actions/codeartifact-login/action.yml index 7e6311211411..901cbc86f74e 100644 --- a/.github/actions/codeartifact-login/action.yml +++ b/.github/actions/codeartifact-login/action.yml @@ -13,7 +13,7 @@ runs: using: composite steps: - name: Configure AWS credentials for CodeArtifact - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4 with: role-to-assume: arn:aws:iam::084060095745:role/codeartifact-github-actions-production aws-region: eu-west-2 
diff --git a/.github/actions/docker-build-report-to-pr/action.yml b/.github/actions/docker-build-report-to-pr/action.yml index fbb387b41619..f899f35bef94 100644 --- a/.github/actions/docker-build-report-to-pr/action.yml +++ b/.github/actions/docker-build-report-to-pr/action.yml @@ -16,19 +16,19 @@ runs: using: composite steps: - - uses: peter-evans/find-comment@v3 + - uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 id: find-comment with: issue-number: ${{ github.event.pull_request.number }} body-includes: 'Docker builds report' - - uses: chuhlomin/render-template@v1.4 + - uses: chuhlomin/render-template@aacf4ca31e76dfdf3c5c32f7803d67271469f2a6 # v1.4 if: ${{ !inputs.image-tag }} id: render-header with: template: .github/docker_build_comment_template.md - - uses: peter-evans/create-or-update-comment@v4 + - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 if: ${{ !inputs.image-tag }} with: comment-id: ${{ steps.find-comment.outputs.comment-id }} @@ -36,7 +36,7 @@ runs: issue-number: ${{ github.event.pull_request.number }} body: ${{ steps.render-header.outputs.result }} - - uses: peter-evans/create-or-update-comment@v4 + - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 if: ${{ inputs.image-tag }} with: comment-id: ${{ steps.find-comment.outputs.comment-id }} diff --git a/.github/actions/e2e-tests/action.yml b/.github/actions/e2e-tests/action.yml index 8339d34f630d..4c49a5eba20a 100644 --- a/.github/actions/e2e-tests/action.yml +++ b/.github/actions/e2e-tests/action.yml 
@@ -19,15 +19,15 @@ runs: using: composite steps: - - uses: actions/checkout@v5 - - uses: actions/setup-node@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: cache: npm node-version-file: frontend/.nvmrc cache-dependency-path: frontend/package-lock.json - name: Cache Playwright browsers - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: ~/.cache/ms-playwright key: ${{ runner.os }}-playwright-${{ hashFiles('frontend/package-lock.json') }} @@ -46,7 +46,7 @@ runs: shell: bash - name: Run E2E tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 with: shell: bash command: | diff --git a/.github/actions/install-uv/action.yml b/.github/actions/install-uv/action.yml index c2aac908b483..6fcacb7f672f 100644 --- a/.github/actions/install-uv/action.yml +++ b/.github/actions/install-uv/action.yml @@ -12,7 +12,7 @@ inputs: runs: using: composite steps: - - uses: astral-sh/setup-uv@v6 + - uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6 with: version-file: api/pyproject.toml python-version: ${{ inputs.python-version }} diff --git a/.github/actions/task-processor-deploy-ecs/action.yml b/.github/actions/task-processor-deploy-ecs/action.yml index feea24590283..aad11f8153a4 100644 --- a/.github/actions/task-processor-deploy-ecs/action.yml +++ b/.github/actions/task-processor-deploy-ecs/action.yml @@ -26,7 +26,7 @@ runs: steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4 with: aws-access-key-id: ${{ inputs.aws_access_key_id }} aws-secret-access-key: ${{ inputs.aws_secret_access_key }} 
@@ -34,7 +34,7 @@ runs: - name: Fill in the new image ID in the Amazon ECS Task Processor task definition id: task-def-task-processor - uses: aws-actions/amazon-ecs-render-task-definition@v1 + uses: aws-actions/amazon-ecs-render-task-definition@6853cfae8c3a7d978fbf68b5a55453395541dfbb # v1 with: task-definition: ${{ inputs.aws_task_definitions_directory_path }}/ecs-task-definition-task-processor.json container-name: flagsmith-task-processor @@ -42,7 +42,7 @@ runs: - name: Deploy Amazon ECS Task Processor task definition id: deploy-task-processor-task-def - uses: aws-actions/amazon-ecs-deploy-task-definition@v2 + uses: aws-actions/amazon-ecs-deploy-task-definition@a310a830f5c14e583e35d84e4e1ec7dd177c3c9c # v2 with: cluster: ${{ inputs.aws_ecs_cluster_name }} service: ${{ inputs.aws_ecs_service_name }} diff --git a/.github/workflows/.reusable-deploy-ecs.yml b/.github/workflows/.reusable-deploy-ecs.yml index d5ed11e0ce08..1ea14b3526fe 100644 --- a/.github/workflows/.reusable-deploy-ecs.yml +++ b/.github/workflows/.reusable-deploy-ecs.yml @@ -27,13 +27,13 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Set up Depot CLI - uses: depot/setup-action@v1 + uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4 with: aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 
@@ -42,11 +42,11 @@ jobs: - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 + uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1 - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: | ${{ steps.login-ecr.outputs.registry }}/${{ inputs.saas-image-name }} @@ -59,7 +59,7 @@ jobs: uses: ./.github/actions/codeartifact-login - name: Build saas-api image - uses: depot/build-push-action@v1 + uses: depot/build-push-action@98e78adca7817480b8185f474a400b451d74e287 # v1 with: target: saas-api context: . @@ -78,7 +78,7 @@ jobs: runs-on: depot-ubuntu-latest steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Deploy API to ${{ inputs.environment }} id: deploy-api @@ -119,7 +119,7 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 # Temporarily install Firefox 143.0 to avoid test failures as superior versions cause frontend e2e tests to hang # To be removed once upstream issue correctly resolved diff --git a/.github/workflows/.reusable-docker-build.yml b/.github/workflows/.reusable-docker-build.yml index 86327a8660e6..9a211196b9d6 100644 --- a/.github/workflows/.reusable-docker-build.yml +++ b/.github/workflows/.reusable-docker-build.yml 
@@ -89,14 +89,14 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Set up Depot CLI - uses: depot/setup-action@v1 + uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1 - name: Login to Github Container Registry if: ${{ !inputs.ephemeral }} - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ${{ inputs.registry-url }} username: ${{ github.actor }} @@ -104,7 +104,7 @@ jobs: - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: | ${{ inputs.registry-url }}/flagsmith/${{ inputs.image-name }} @@ -117,7 +117,7 @@ jobs: - name: Build and push image id: build - uses: depot/build-push-action@v1 + uses: depot/build-push-action@98e78adca7817480b8185f474a400b451d74e287 # v1 with: context: . save: ${{ inputs.ephemeral }} diff --git a/.github/workflows/.reusable-docker-e2e-tests.yml b/.github/workflows/.reusable-docker-e2e-tests.yml index 247361ecb3f4..ca59272da0e5 100644 --- a/.github/workflows/.reusable-docker-e2e-tests.yml +++ b/.github/workflows/.reusable-docker-e2e-tests.yml @@ -61,7 +61,7 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Determine test type id: test-type @@ -76,14 +76,14 @@ jobs: - name: Login to Github Container Registry if: ${{ env.GCR_TOKEN }} - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ env.GCR_TOKEN }} - name: Set up Depot CLI - uses: depot/setup-action@v1 + uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1 - name: Login to Depot Registry run: depot pull-token | docker login -u x-token --password-stdin registry.depot.dev 
@@ -97,7 +97,7 @@ jobs: if: inputs.visual-regression id: download-baseline continue-on-error: true - uses: dawidd6/action-download-artifact@v6 + uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: github_token: ${{ secrets.GCR_TOKEN }} workflow: platform-docker-build-test-publish.yml @@ -133,7 +133,7 @@ jobs: - name: Upload HTML report if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: playwright-html-report-${{ steps.test-type.outputs.type }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ strategy.job-index }} path: frontend/e2e/playwright-report/ @@ -167,7 +167,7 @@ jobs: - name: Generate test report summary (success) id: report-summary-success if: success() && github.event_name == 'pull_request' - uses: daun/playwright-report-summary@v3 + uses: daun/playwright-report-summary@1229105480a2a4bdd91598d8a146fbab41343fce # v3 with: report-file: frontend/e2e/playwright-report/results.json comment-title: 'Playwright Test Results (${{ steps.test-type.outputs.label }} - ${{ inputs.runs-on }})' @@ -178,7 +178,7 @@ jobs: - name: Generate test report summary (failure) id: report-summary-failure if: failure() && github.event_name == 'pull_request' - uses: daun/playwright-report-summary@v3 + uses: daun/playwright-report-summary@1229105480a2a4bdd91598d8a146fbab41343fce # v3 with: report-file: frontend/e2e/playwright-report/results.json comment-title: 'Playwright Test Results (${{ steps.test-type.outputs.label }} - ${{ inputs.runs-on }})' 
@@ -190,7 +190,7 @@ jobs: - name: Comment PR with test results if: always() && github.event_name == 'pull_request' && (steps.report-summary-success.outputs.summary || steps.report-summary-failure.outputs.summary) continue-on-error: true - uses: marocchino/sticky-pull-request-comment@v2 + uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2 with: header: playwright-e2e-results append: true @@ -199,7 +199,7 @@ jobs: # Visual regression: after all E2E retries, run comparison and upload results - name: Upload visual regression baselines (main branch) if: always() && inputs.visual-regression-update - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: visual-regression-baselines path: frontend/e2e/visual-regression-screenshots/ @@ -208,7 +208,7 @@ jobs: - name: Upload visual regression report if: always() && inputs.visual-regression && !inputs.visual-regression-update - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: visual-regression-report-${{ github.run_id }}-${{ strategy.job-index }} path: frontend/e2e/visual-regression-report/ @@ -234,7 +234,7 @@ jobs: - name: Comment PR with visual regression results if: always() && inputs.visual-regression && !inputs.visual-regression-update && github.event_name == 'pull_request' && steps.visual-regression-summary.outputs.message continue-on-error: true - uses: marocchino/sticky-pull-request-comment@v2 + uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2 with: header: visual-regression-results message: | diff --git a/.github/workflows/.reusable-docker-publish.yml b/.github/workflows/.reusable-docker-publish.yml index 9b3676e1ccec..3de52ddfec89 100644 --- a/.github/workflows/.reusable-docker-publish.yml +++ b/.github/workflows/.reusable-docker-publish.yml 
@@ -40,20 +40,20 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: sparse-checkout: depot.json sparse-checkout-cone-mode: false - name: Login to Github Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ${{ inputs.target-registry-url }} username: ${{ inputs.docker-username }} @@ -61,7 +61,7 @@ jobs: - name: Docker metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: ${{ inputs.target-images }} tags: | @@ -69,10 +69,10 @@ jobs: type=semver,pattern={{major}}.{{minor}} # Setup Docker buildx with Depot builder so imagetools have access to Depot cache - - uses: depot/use-action@v1 + - uses: depot/use-action@9bda29f1fc3163c06fc15f375887a341096a5639 # v1 - name: Publish Image - uses: kphrx/docker-buildx-imagetools-action@v0.1.2 + uses: kphrx/docker-buildx-imagetools-action@dc0bb0ebac7e6db5e34a0f3f51817912727216ba # v0.1.2 with: sources: ${{ inputs.source-images }} tags: ${{ steps.meta.outputs.tags }} diff --git a/.github/workflows/.reusable-frontend-deploy.yml b/.github/workflows/.reusable-frontend-deploy.yml index 47343ec6ef1e..a53f71b68024 100644 --- a/.github/workflows/.reusable-frontend-deploy.yml +++ b/.github/workflows/.reusable-frontend-deploy.yml 
@@ -26,15 +26,15 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: frontend/.nvmrc - name: Cache dependencies - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: ~/.npm key: npm-${{ hashFiles('package-lock.json') }} diff --git a/.github/workflows/api-deploy-production-ecs.yml b/.github/workflows/api-deploy-production-ecs.yml index 2415bc27e937..59582e4013aa 100644 --- a/.github/workflows/api-deploy-production-ecs.yml +++ b/.github/workflows/api-deploy-production-ecs.yml @@ -31,7 +31,7 @@ jobs: run: working-directory: api steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install uv uses: ./.github/actions/install-uv diff --git a/.github/workflows/api-pull-request.yml b/.github/workflows/api-pull-request.yml index 2453f5de1513..c6f79d4828df 100644 --- a/.github/workflows/api-pull-request.yml +++ b/.github/workflows/api-pull-request.yml @@ -40,7 +40,7 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Install uv uses: ./.github/actions/install-uv @@ -55,7 +55,7 @@ jobs: opts: --no-input --dry-run --check run: make django-make-migrations - - uses: liskin/gh-problem-matcher-wrap@v2 + - uses: liskin/gh-problem-matcher-wrap@4abcf297257f3006bf8834221ec75181d6aff5e9 # v2 with: action: add linters: mypy 
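Review bot: Two refs in these hunks are pinned to an older major than the rest of the repository, and pinning by SHA now freezes that divergence: `.github/workflows/api-deploy-production-ecs.yml` keeps `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` while every other workflow in the patch uses the v5 SHA, and `.github/workflows/.reusable-frontend-deploy.yml` keeps `actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3` while `.github/actions/e2e-tests/action.yml` uses the v4 SHA. Since the intent is a clean supply-chain baseline, aligning these two with the majors used elsewhere, e.g. `- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5` and `uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4`, would avoid carrying two pinned copies of the same action. If the older majors are kept on purpose (for example the checkout v4 step runs with a `working-directory` default that was never validated on v5), a one-line comment above the `uses:` stating that would save the next person from "fixing" it.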
@@ -63,13 +63,13 @@ jobs: - name: Check for new typing errors run: make typecheck - - uses: liskin/gh-problem-matcher-wrap@v2 + - uses: liskin/gh-problem-matcher-wrap@4abcf297257f3006bf8834221ec75181d6aff5e9 # v2 with: action: remove linters: mypy - name: Check autogenerated documentation - uses: nickcharlton/diff-check@v1.0.0 + uses: nickcharlton/diff-check@9fa7ac2bd275b9ec60f13dbcef1b90cfaadc1872 # v1.0.0 with: command: make -C api generate-docs @@ -77,7 +77,7 @@ jobs: run: make test - name: Upload Coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 env: PYTHON: ${{ matrix.python-version }} with: diff --git a/.github/workflows/api-run-makefile-target.yml b/.github/workflows/api-run-makefile-target.yml index 8a876c5ef0c1..1954daa5c1fd 100644 --- a/.github/workflows/api-run-makefile-target.yml +++ b/.github/workflows/api-run-makefile-target.yml @@ -31,7 +31,7 @@ jobs: runs-on: depot-ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Install uv uses: ./.github/actions/install-uv @@ -47,7 +47,7 @@ jobs: run: make ${{ inputs.target }} - name: Create Pull Request - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # v5 with: branch: chore/make-${{ inputs.target }}-${{ github.run_id }} title: ${{ inputs.pr-title }} diff --git a/.github/workflows/api-tests-with-private-packages.yml b/.github/workflows/api-tests-with-private-packages.yml index b6412642c7d0..f4d8536cb748 100644 --- a/.github/workflows/api-tests-with-private-packages.yml +++ b/.github/workflows/api-tests-with-private-packages.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Install uv uses: ./.github/actions/install-uv 
@@ -66,7 +66,7 @@ jobs: run: make test - name: Upload Coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 env: PRIVATE_PACKAGES: "true" PYTHON: ${{ matrix.python-version }} diff --git a/.github/workflows/docs-pull-request.yml b/.github/workflows/docs-pull-request.yml index df7adacc3a79..7cd1717f27b7 100644 --- a/.github/workflows/docs-pull-request.yml +++ b/.github/workflows/docs-pull-request.yml @@ -18,10 +18,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Use Node.js 20 - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 20 cache: 'npm' diff --git a/.github/workflows/frontend-chromatic.yml b/.github/workflows/frontend-chromatic.yml index 05da418eefab..aebe54750878 100644 --- a/.github/workflows/frontend-chromatic.yml +++ b/.github/workflows/frontend-chromatic.yml @@ -35,12 +35,12 @@ jobs: working-directory: frontend steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: frontend/.nvmrc cache: npm @@ -50,7 +50,7 @@ jobs: run: npm ci - name: Publish to Chromatic - uses: chromaui/action@v16 + uses: chromaui/action@c7e1f40cfeebe80056934d48dee31ca630e9577b # v16 with: workingDir: frontend projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }} diff --git a/.github/workflows/frontend-deploy-production.yml b/.github/workflows/frontend-deploy-production.yml index 5f2e1b3f66e7..b4e51f7f71e4 100644 --- a/.github/workflows/frontend-deploy-production.yml +++ b/.github/workflows/frontend-deploy-production.yml 
@@ -19,10 +19,10 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: frontend/.nvmrc cache: npm @@ -45,7 +45,7 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 # Temporarily install Firefox 143.0 to avoid test failures as superior versions cause frontend e2e tests to hang # To be removed once upstream issue correctly resolved diff --git a/.github/workflows/frontend-pull-request.yml b/.github/workflows/frontend-pull-request.yml index 9a202c776213..f0c5bc7018ee 100644 --- a/.github/workflows/frontend-pull-request.yml +++ b/.github/workflows/frontend-pull-request.yml @@ -20,10 +20,10 @@ jobs: working-directory: frontend steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: frontend/.nvmrc cache: npm diff --git a/.github/workflows/frontend-test-staging.yml b/.github/workflows/frontend-test-staging.yml index 00e516b235d5..3369be6369d9 100644 --- a/.github/workflows/frontend-test-staging.yml +++ b/.github/workflows/frontend-test-staging.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Run E2E tests against staging uses: ./.github/actions/e2e-tests diff --git a/.github/workflows/github-labeler.yml b/.github/workflows/github-labeler.yml index 77b993491b09..c876c167895d 100644 --- a/.github/workflows/github-labeler.yml +++ b/.github/workflows/github-labeler.yml 
@@ -12,4 +12,4 @@ jobs: steps: - name: Run labeler - uses: actions/labeler@v5 + uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5 diff --git a/.github/workflows/manual-e2e-tests.yml b/.github/workflows/manual-e2e-tests.yml index 32c5626c79a5..be409e350448 100644 --- a/.github/workflows/manual-e2e-tests.yml +++ b/.github/workflows/manual-e2e-tests.yml @@ -15,8 +15,8 @@ jobs: runs-on: depot-ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: actions/setup-node@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: cache: npm node-version-file: frontend/.nvmrc diff --git a/.github/workflows/mcp-docker-build-publish.yml b/.github/workflows/mcp-docker-build-publish.yml index 61f4afc6f93b..a33be08ce4b9 100644 --- a/.github/workflows/mcp-docker-build-publish.yml +++ b/.github/workflows/mcp-docker-build-publish.yml 
@@ -70,30 +70,30 @@ jobs: id-token: write steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: sparse-checkout: depot.json sparse-checkout-cone-mode: false - name: Login to Github Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4 with: role-to-assume: ${{ vars.MCP_ECR_GITHUB_ROLE_ARN }} aws-region: eu-west-2 - name: Login to Amazon ECR - uses: aws-actions/amazon-ecr-login@v1 + uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1 - name: Docker metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: ${{ vars.MCP_ECR_REPOSITORY_URL }} tags: | @@ -101,10 +101,10 @@ jobs: type=sha # Setup Docker buildx with Depot builder so imagetools have access to Depot cache - - uses: depot/use-action@v1 + - uses: depot/use-action@9bda29f1fc3163c06fc15f375887a341096a5639 # v1 - name: Publish Image - uses: kphrx/docker-buildx-imagetools-action@v0.1.2 + uses: kphrx/docker-buildx-imagetools-action@dc0bb0ebac7e6db5e34a0f3f51817912727216ba # v0.1.2 with: sources: ${{ needs.docker-build-mcp.outputs.image }} tags: ${{ steps.meta.outputs.tags }} 
@@ -124,30 +124,30 @@ jobs: id-token: write steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: sparse-checkout: depot.json sparse-checkout-cone-mode: false - name: Login to Github Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4 with: role-to-assume: ${{ vars.MCP_ECR_GITHUB_ROLE_ARN }} aws-region: eu-west-2 - name: Login to Amazon ECR - uses: aws-actions/amazon-ecr-login@v1 + uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1 - name: Docker metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: ${{ vars.MCP_ECR_REPOSITORY_URL }} tags: | @@ -155,10 +155,10 @@ jobs: type=semver,pattern={{major}}.{{minor}} # Setup Docker buildx with Depot builder so imagetools have access to Depot cache - - uses: depot/use-action@v1 + - uses: depot/use-action@9bda29f1fc3163c06fc15f375887a341096a5639 # v1 - name: Publish Image - uses: kphrx/docker-buildx-imagetools-action@v0.1.2 + uses: kphrx/docker-buildx-imagetools-action@dc0bb0ebac7e6db5e34a0f3f51817912727216ba # v0.1.2 with: sources: ${{ needs.docker-build-mcp.outputs.image }} tags: ${{ steps.meta.outputs.tags }} diff --git a/.github/workflows/mcp-pull-request.yml b/.github/workflows/mcp-pull-request.yml index 1ab98e38678d..b3cb025a587a 100644 --- a/.github/workflows/mcp-pull-request.yml +++ b/.github/workflows/mcp-pull-request.yml 
@@ -27,10 +27,10 @@ jobs: steps: - name: Cloning repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Install uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6 with: python-version: "3.14" enable-cache: true @@ -39,7 +39,7 @@ jobs: - name: Install dependencies run: make install - - uses: liskin/gh-problem-matcher-wrap@v2 + - uses: liskin/gh-problem-matcher-wrap@4abcf297257f3006bf8834221ec75181d6aff5e9 # v2 with: action: add linters: mypy @@ -47,7 +47,7 @@ jobs: - name: Check for new typing errors run: make typecheck - - uses: liskin/gh-problem-matcher-wrap@v2 + - uses: liskin/gh-problem-matcher-wrap@4abcf297257f3006bf8834221ec75181d6aff5e9 # v2 with: action: remove linters: mypy diff --git a/.github/workflows/platform-docker-build-test-publish.yml b/.github/workflows/platform-docker-build-test-publish.yml index 65b01db2bfb9..55e036511d6b 100644 --- a/.github/workflows/platform-docker-build-test-publish.yml +++ b/.github/workflows/platform-docker-build-test-publish.yml @@ -195,7 +195,7 @@ jobs: runs-on: depot-ubuntu-latest steps: - name: Close prior open PRs - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: github-token: ${{ secrets.FLAGSMITH_CHARTS_GITHUB_TOKEN }} script: | @@ -222,7 +222,7 @@ jobs: } - name: Checkout Target Charts Repository to update yaml - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: repository: flagsmith/flagsmith-charts path: chart 
@@ -234,13 +234,13 @@ jobs:
TAG=${{ github.event.release.tag_name }}
echo "version=${TAG#v}" >> $GITHUB_OUTPUT
- - uses: actions-tools/yaml-outputs@v2
+ - uses: actions-tools/yaml-outputs@1a26d8aaa36aa54fe71d91c265dd6d4369a4fcfb # v2
id: chart-yaml
with:
file-path: ./chart/charts/flagsmith/Chart.yaml
- name: Open a PR bumping Flagsmith to ${{ github.event.release.tag_name }}
- uses: fjogeleit/yaml-update-action@main
+ uses: fjogeleit/yaml-update-action@dffe9a5223d84653c13374032382f6bb5de8e5ef # v0.17.0
env:
COMMIT_MESSAGE: "deps: bump Flagsmith from ${{ steps.chart-yaml.outputs.appVersion }} to ${{ steps.version-trim.outputs.version }}"
with:
diff --git a/.github/workflows/platform-docker-trivy-scan.yml b/.github/workflows/platform-docker-trivy-scan.yml
index 373bec059b13..fe51f5f90761 100644
--- a/.github/workflows/platform-docker-trivy-scan.yml
+++ b/.github/workflows/platform-docker-trivy-scan.yml
@@ -52,10 +52,10 @@ jobs:
steps:
- name: Prepare oras CLI
- uses: oras-project/setup-oras@v1
+ uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1
- name: Pull and republish Trivy databases
- uses: nick-fields/retry@v3
+ uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
with:
shell: bash
command: |
@@ -92,7 +92,7 @@ jobs:
steps:
- name: Checkout trivy.yaml
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
sparse-checkout: |
trivy.yaml
diff --git a/.github/workflows/platform-pull-request.yml b/.github/workflows/platform-pull-request.yml
index b51f819f6051..e3d3771db584 100644
--- a/.github/workflows/platform-pull-request.yml
+++ b/.github/workflows/platform-pull-request.yml
@@ -14,7 +14,7 @@ jobs:
outputs:
can-write: ${{ steps.check.outputs.require-result }}
steps:
- - uses: actions-cool/check-user-permission@main
+ - uses: actions-cool/check-user-permission@03bc95735303a2e2c0935cfec24a306bb237f03a # v2.0.1
id: check
with:
require: write
@@ -28,7 +28,7 @@ jobs:
pull-requests: write
steps:
- name: Auto-label PR with Conventional Commit title
- uses: kramen22/conventional-release-labels@v1
+ uses: kramen22/conventional-release-labels@524a8cf435efcdd072d59926dfd1ce0402e173d1 # v1
with:
type_labels: |
{
@@ -53,7 +53,7 @@ jobs:
permissions:
pull-requests: write
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
sparse-checkout: .github/
sparse-checkout-cone-mode: false
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 20722e91f5d7..a564e979e784 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -14,7 +14,7 @@ jobs:
runs-on: depot-ubuntu-latest-16
steps:
- name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Authenticate with CodeArtifact
id: codeartifact
@@ -22,13 +22,13 @@ jobs:
- name: Generate GitHub App token
id: app-token
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
with:
app-id: ${{ vars.FLAGSMITH_ENGINEERING_GH_APP_ID }}
private-key: ${{ secrets.FLAGSMITH_ENGINEERING_GH_APP_PRIVATE_KEY }}
- name: Run Renovate
- uses: renovatebot/github-action@v46.1.14
+ uses: renovatebot/github-action@693b9ef15eec82123529a37c782242f091365961 # v46.1.14
env:
RENOVATE_TOKEN: ${{ steps.app-token.outputs.token }}
RENOVATE_REPOSITORIES: ${{ github.repository }}
diff --git a/.github/workflows/update-flagsmith-environment.yml b/.github/workflows/update-flagsmith-environment.yml
index 69ccd4231dfa..a0bf3b8ff96f 100644
--- a/.github/workflows/update-flagsmith-environment.yml
+++ b/.github/workflows/update-flagsmith-environment.yml
@@ -21,7 +21,7 @@ jobs:
FLAGSMITH_ON_FLAGSMITH_SERVER_KEY: ${{ secrets.FLAGSMITH_ON_FLAGSMITH_SERVER_KEY }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Install uv
uses: ./.github/actions/install-uv
@@ -35,7 +35,7 @@ jobs:
run: uv run python manage.py updateflagsmithenvironment
- name: Create Pull Request
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8
with:
commit-message: Update API Flagsmith Defaults
delete-branch: true
diff --git a/renovate.json b/renovate.json
index d5a006f794ca..708b82106214 100644
--- a/renovate.json
+++ b/renovate.json
@@ -2,7 +2,8 @@
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"security:only-security-updates",
- ":semanticCommitTypeAll(deps)"
+ ":semanticCommitTypeAll(deps)",
+ "helpers:pinGitHubActionDigests"
],
"packageRules": [
{
@@ -34,6 +35,12 @@
"matchFileNames": [".github/**"],
"addLabels": ["ci", "dependencies"],
"semanticCommitScope": "CI"
+ },
+ {
+ "description": "Trusted action orgs are left on version tags rather than SHA-pinned",
+ "matchManagers": ["github-actions"],
+ "matchPackageNames": ["Flagsmith/**"],
+ "pinDigests": false
}
],
"semanticCommitScope": ""
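Review bot: `helpers:pinGitHubActionDigests` only turns on `pinDigests` for action dependencies, and the file also extends `security:only-security-updates`, which as I understand the preset disables non-vulnerability updates for every package; automatic pinning of newly added actions will therefore only happen if a rule that is not in this hunk (the packageRules between the two hunks are not shown) re-enables the `github-actions` manager. Worth confirming with a Renovate dry run, or stating it explicitly in the new rule's neighbourhood with `"matchManagers": ["github-actions"], "enabled": true`. The `Flagsmith/**` exclusion is also worth checking against the exact `uses:` spelling in the workflows, since whether a differently cased owner name still matches depends on Renovate's glob handling. The rule's description says "orgs" but the pattern covers a single owner; narrowing the wording to `"Flagsmith-owned actions are left on version tags rather than SHA-pinned"` would avoid implying a broader allow-list.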