[FR] Tie github actions to specific commit hashes (#3532)

* [FR] Tie github actions to specific commit hashes
Fixes #3530

* update action versions
Matthias Mair 2022-08-15 00:20:03 +02:00 committed by GitHub
parent 427404b3ba
commit 00dbf00eb9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 91 additions and 86 deletions


@ -21,10 +21,9 @@ jobs:
INVENTREE_MEDIA_ROOT: ./media INVENTREE_MEDIA_ROOT: ./media
INVENTREE_STATIC_ROOT: ./static INVENTREE_STATIC_ROOT: ./static
steps: steps:
- name: Checkout Code - name: Checkout Code
uses: actions/checkout@v2 uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
- name: Install Dependencies - name: Install Dependencies
run: | run: |
sudo apt-get update sudo apt-get update
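Review bot: The trailing comment `# pin@v2` on the checkout step records only a moving major tag, so a reader cannot tell from the file which release the hash 7884fcad… belongs to, nor re-check it later. The same applies to every `# pin@v1` / `# pin@v2` line in the other workflow files of this commit; the cosign-installer line in the Docker workflow already shows the more useful form, `# pin@v2.5.0`. I would record the exact release in each comment, e.g. `uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@<exact release tag>`, and confirm that each hash is reachable from a tag in the action's own repository rather than from a fork. If the `pin@` comment is consumed by a pinning tool, check that it accepts an exact tag before changing the format. The step list continues outside the hunk.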


@ -15,7 +15,7 @@ name: Docker
on: on:
release: release:
types: [published] types: [ published ]
push: push:
branches: branches:
@ -33,7 +33,7 @@ jobs:
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@v2 uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
- name: Version Check - name: Version Check
run: | run: |
pip install requests pip install requests
@ -66,30 +66,30 @@ jobs:
test -f data/secret_key.txt test -f data/secret_key.txt
- name: Set up QEMU - name: Set up QEMU
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: docker/setup-qemu-action@v1 uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # pin@v1
- name: Set up Docker Buildx - name: Set up Docker Buildx
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@f211e3e9ded2d9377c8cadc4489a4e38014bc4c9 # pin@v1
- name: Set up cosign - name: Set up cosign
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2 uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0 # pin@v2.5.0
- name: Login to Dockerhub - name: Login to Dockerhub
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: docker/login-action@v1 uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # pin@v1
with: with:
username: ${{ secrets.DOCKER_USERNAME }} username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }} password: ${{ secrets.DOCKER_PASSWORD }}
- name: Extract Docker metadata - name: Extract Docker metadata
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
id: meta id: meta
uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # pin@v4.0.1
with: with:
images: | images: |
inventree/inventree inventree/inventree
- name: Build and Push - name: Build and Push
id: build-and-push id: build-and-push
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: docker/build-push-action@v2 uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # pin@v2
with: with:
context: . context: .
platforms: linux/amd64,linux/arm64,linux/arm/v7 platforms: linux/amd64,linux/arm64,linux/arm/v7
@ -103,9 +103,10 @@ jobs:
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
env: env:
COSIGN_EXPERIMENTAL: "true" COSIGN_EXPERIMENTAL: "true"
run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }} run: cosign sign ${{ steps.meta.outputs.tags }}@${{
steps.build-and-push.outputs.digest }}
- name: Push to Stable Branch - name: Push to Stable Branch
uses: ad-m/github-push-action@master uses: ad-m/github-push-action@9a46ba8d86d3171233e861a4351b1278a2805c83 # pin@master
if: env.stable_release == 'true' && github.event_name != 'pull_request' if: env.stable_release == 'true' && github.event_name != 'pull_request'
with: with:
github_token: ${{ secrets.GITHUB_TOKEN }} github_token: ${{ secrets.GITHUB_TOKEN }}
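Review bot: `ad-m/github-push-action@9a46ba8d86d3171233e861a4351b1278a2805c83 # pin@master` freezes whatever commit was at the tip of `master` rather than a published release, and this step is handed `secrets.GITHUB_TOKEN` to push to the repository. The hash does stop silent drift, but any later refresh of a `pin@master` entry would again pick up an unreviewed branch tip; the same line appears in the translation workflow's "Push changes" step. I would pin to the commit of a tagged release and say so in the comment: `uses: ad-m/github-push-action@<sha of a tagged release> # pin@<release tag>`. The step's `with:` block continues past the end of the hunk.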


@ -15,7 +15,6 @@ env:
python_version: 3.9 python_version: 3.9
node_version: 16 node_version: 16
# The OS version must be set per job # The OS version must be set per job
server_start_sleep: 60 server_start_sleep: 60
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@ -30,7 +29,7 @@ jobs:
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # pin@v1
- name: Enviroment Setup - name: Enviroment Setup
uses: ./.github/actions/setup uses: ./.github/actions/setup
with: with:
@ -45,7 +44,7 @@ jobs:
needs: pep_style needs: pep_style
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # pin@v1
- name: Enviroment Setup - name: Enviroment Setup
uses: ./.github/actions/setup uses: ./.github/actions/setup
with: with:
@ -67,7 +66,7 @@ jobs:
needs: pep_style needs: pep_style
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # pin@v1
- name: Enviroment Setup - name: Enviroment Setup
uses: ./.github/actions/setup uses: ./.github/actions/setup
with: with:
@ -83,14 +82,14 @@ jobs:
needs: pep_style needs: pep_style
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
- name: Set up Python ${{ env.python_version }} - name: Set up Python ${{ env.python_version }}
uses: actions/setup-python@v2 uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a # pin@v2
with: with:
python-version: ${{ env.python_version }} python-version: ${{ env.python_version }}
cache: 'pip' cache: 'pip'
- name: Run pre-commit Checks - name: Run pre-commit Checks
uses: pre-commit/action@v2.0.3 uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # pin@v2.0.3
- name: Check Version - name: Check Version
run: | run: |
pip install requests pip install requests
@ -114,7 +113,7 @@ jobs:
INVENTREE_PYTHON_TEST_PASSWORD: testpassword INVENTREE_PYTHON_TEST_PASSWORD: testpassword
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # pin@v1
- name: Enviroment Setup - name: Enviroment Setup
uses: ./.github/actions/setup uses: ./.github/actions/setup
with: with:
@ -122,7 +121,8 @@ jobs:
dev-install: true dev-install: true
update: true update: true
- name: Download Python Code For `${{ env.wrapper_name }}` - name: Download Python Code For `${{ env.wrapper_name }}`
run: git clone --depth 1 https://github.com/inventree/${{ env.wrapper_name }} ./${{ env.wrapper_name }} run: git clone --depth 1 https://github.com/inventree/${{ env.wrapper_name }}
./${{ env.wrapper_name }}
- name: Start InvenTree Server - name: Start InvenTree Server
run: | run: |
invoke delete-data -f invoke delete-data -f
@ -143,7 +143,7 @@ jobs:
continue-on-error: true continue-on-error: true
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # pin@v1
- name: Enviroment Setup - name: Enviroment Setup
uses: ./.github/actions/setup uses: ./.github/actions/setup
with: with:
@ -155,7 +155,7 @@ jobs:
name: Tests - DB [SQLite] + Coverage name: Tests - DB [SQLite] + Coverage
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
needs: ['javascript', 'html', 'pre-commit'] needs: [ 'javascript', 'html', 'pre-commit' ]
continue-on-error: true # continue if a step fails so that coverage gets pushed continue-on-error: true # continue if a step fails so that coverage gets pushed
env: env:
@ -164,7 +164,7 @@ jobs:
INVENTREE_PLUGINS_ENABLED: true INVENTREE_PLUGINS_ENABLED: true
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # pin@v1
- name: Enviroment Setup - name: Enviroment Setup
uses: ./.github/actions/setup uses: ./.github/actions/setup
with: with:
@ -186,7 +186,7 @@ jobs:
name: Tests - DB [PostgreSQL] name: Tests - DB [PostgreSQL]
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
needs: ['javascript', 'html', 'pre-commit'] needs: [ 'javascript', 'html', 'pre-commit' ]
if: github.event_name == 'push' if: github.event_name == 'push'
env: env:
@ -214,7 +214,7 @@ jobs:
- 6379:6379 - 6379:6379
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # pin@v1
- name: Enviroment Setup - name: Enviroment Setup
uses: ./.github/actions/setup uses: ./.github/actions/setup
with: with:
@ -231,7 +231,7 @@ jobs:
name: Tests - DB [MySQL] name: Tests - DB [MySQL]
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
needs: ['javascript', 'html', 'pre-commit'] needs: [ 'javascript', 'html', 'pre-commit' ]
if: github.event_name == 'push' if: github.event_name == 'push'
env: env:
@ -253,12 +253,13 @@ jobs:
MYSQL_USER: inventree MYSQL_USER: inventree
MYSQL_PASSWORD: password MYSQL_PASSWORD: password
MYSQL_ROOT_PASSWORD: password MYSQL_ROOT_PASSWORD: password
options: --health-cmd="mysqladmin ping" --health-interval=5s --health-timeout=2s --health-retries=3 options: --health-cmd="mysqladmin ping" --health-interval=5s --health-timeout=2s
--health-retries=3
ports: ports:
- 3306:3306 - 3306:3306
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # pin@v1
- name: Enviroment Setup - name: Enviroment Setup
uses: ./.github/actions/setup uses: ./.github/actions/setup
with: with:
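Review bot: Most jobs in this file are pinned as `actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # pin@v1`, while the pre-commit job in the same file uses the v2 hash, so the commit locks in two major versions of the same action. With a hash pin the v1 jobs no longer receive anything published under the floating tag and will stay on that old line until each one is edited by hand. Unless these jobs rely on v1 behaviour (not visible in the hunks), I would use one pin throughout: `- uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2`. Each job's step list continues outside its hunk.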


@ -3,15 +3,17 @@
name: Publish release notes name: Publish release notes
on: on:
release: release:
types: [published] types: [ published ]
jobs: jobs:
tweet: tweet:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: Eomm/why-don-t-you-tweet@v1 - uses: Eomm/why-don-t-you-tweet@f61f2a86c30c46528c1398a1abb1f64aa0988f69 # pin@v1
with: with:
tweet-message: "InvenTree release ${{ github.event.release.tag_name }} is out now! Release notes: ${{ github.event.release.html_url }} #opensource #inventree" tweet-message: "InvenTree release ${{ github.event.release.tag_name }} is out
now! Release notes: ${{ github.event.release.html_url }} #opensource
#inventree"
env: env:
TWITTER_CONSUMER_API_KEY: ${{ secrets.TWITTER_CONSUMER_API_KEY }} TWITTER_CONSUMER_API_KEY: ${{ secrets.TWITTER_CONSUMER_API_KEY }}
TWITTER_CONSUMER_API_SECRET: ${{ secrets.TWITTER_CONSUMER_API_SECRET }} TWITTER_CONSUMER_API_SECRET: ${{ secrets.TWITTER_CONSUMER_API_SECRET }}
@ -21,7 +23,7 @@ jobs:
reddit: reddit:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: bluwy/release-for-reddit-action@v1 - uses: bluwy/release-for-reddit-action@4d948192aff856da22f19f9806b00b46ca384547 # pin@v1
with: with:
username: ${{ secrets.REDDIT_USERNAME }} username: ${{ secrets.REDDIT_USERNAME }}
password: ${{ secrets.REDDIT_PASSWORD }} password: ${{ secrets.REDDIT_PASSWORD }}


@ -14,10 +14,11 @@ jobs:
pull-requests: write pull-requests: write
steps: steps:
- uses: actions/stale@v3 - uses: actions/stale@98ed4cb500039dbcccf4bd9bedada4d0187f2757 # pin@v3
with: with:
repo-token: ${{ secrets.GITHUB_TOKEN }} repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue seems stale. Please react to show this is still important.' stale-issue-message: 'This issue seems stale. Please react to show this is still
important.'
stale-pr-message: 'This PR seems stale. Please react to show this is still important.' stale-pr-message: 'This PR seems stale. Please react to show this is still important.'
stale-issue-label: 'inactive' stale-issue-label: 'inactive'
stale-pr-label: 'inactive' stale-pr-label: 'inactive'


@ -20,9 +20,9 @@ jobs:
steps: steps:
- name: Checkout Code - name: Checkout Code
uses: actions/checkout@v2 uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
- name: Set up Python 3.9 - name: Set up Python 3.9
uses: actions/setup-python@v1 uses: actions/setup-python@152ba7c4dd6521b8e9c93f72d362ce03bf6c4f20 # pin@v1
with: with:
python-version: 3.9 python-version: 3.9
- name: Install Dependencies - name: Install Dependencies
@ -42,7 +42,7 @@ jobs:
git add "*.po" git add "*.po"
git commit -m "updated translation base" git commit -m "updated translation base"
- name: Push changes - name: Push changes
uses: ad-m/github-push-action@master uses: ad-m/github-push-action@9a46ba8d86d3171233e861a4351b1278a2805c83 # pin@master
with: with:
github_token: ${{ secrets.GITHUB_TOKEN }} github_token: ${{ secrets.GITHUB_TOKEN }}
branch: l10 branch: l10
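Review bot: The Python setup step is pinned as `actions/setup-python@152ba7c4dd6521b8e9c93f72d362ce03bf6c4f20 # pin@v1`, whereas the QC workflow in this commit pins the same action at v2. Carrying two pinned majors of one action doubles the hashes that have to be verified and refreshed, and the older one is the likelier to be forgotten. If nothing in this job depends on v1 (the hunk does not show), align it with the other workflow: `uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a # pin@v2`. The job's remaining steps lie outside the two hunks.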


@ -1,7 +1,7 @@
name: Update dependency files regularly name: Update dependency files regularly
on: on:
workflow_dispatch: workflow_dispatch: null
schedule: schedule:
- cron: "0 0 * * *" - cron: "0 0 * * *"
@ -9,14 +9,15 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
- name: Setup - name: Setup
run: pip install -r requirements-dev.txt run: pip install -r requirements-dev.txt
- name: Update requirements.txt - name: Update requirements.txt
run: pip-compile --output-file=requirements.txt requirements.in -U run: pip-compile --output-file=requirements.txt requirements.in -U
- name: Update requirements-dev.txt - name: Update requirements-dev.txt
run: pip-compile --generate-hashes --output-file=requirements-dev.txt requirements-dev.in -U run: pip-compile --generate-hashes --output-file=requirements-dev.txt
- uses: stefanzweifel/git-auto-commit-action@v4 requirements-dev.in -U
- uses: stefanzweifel/git-auto-commit-action@49620cd3ed21ee620a48530e81dba0d139c9cb80 # pin@v4
with: with:
commit_message: "[Bot] Updated dependency" commit_message: "[Bot] Updated dependency"
branch: dep-update branch: dep-update


@ -2,9 +2,9 @@
name: Welcome name: Welcome
on: on:
pull_request: pull_request:
types: [opened] types: [ opened ]
issues: issues:
types: [opened] types: [ opened ]
jobs: jobs:
run: run:
@ -13,7 +13,7 @@ jobs:
pull-requests: write pull-requests: write
steps: steps:
- uses: actions/first-interaction@v1 - uses: actions/first-interaction@bd33205aa5c96838e10fd65df0d01efd613677c1 # pin@v1
with: with:
repo-token: ${{ secrets.GITHUB_TOKEN }} repo-token: ${{ secrets.GITHUB_TOKEN }}
issue-message: | issue-message: |