
Commit 39d83b4

committed
CCM-14499: Pinning all GitHub Actions to SHAs
1 parent cd3f8d9 commit 39d83b4

11 files changed

Lines changed: 78 additions & 39 deletions


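--- a/.github/actions/build-docs/action.yml
+++ b/.github/actions/build-docs/action.yml
@@ -23,7 +23,8 @@ runs:
 working-directory: "./docs"
 - name: Setup Pages
 id: pages
-uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll
+uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+- name: Build with Jekyll
 working-directory: ./docs
 # Outputs to the './_site' directory by default
 shell: bash
@@ -33,6 +34,7 @@ runs:
 JEKYLL_ENV: production
 - name: Upload artifact
 # Automatically uploads an artifact from the './_site' directory by default
-uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with:
+uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+with:
 path: "docs/_site/"
 name: jekyll-docs-${{ inputs.version }}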
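Review bot: The trailing `# v5` and `# v3` comments on the two re-split `uses:` lines name only a major tag, which moves, so a reader cannot tell which release the 40-character SHA was resolved from or check it against the upstream tag. Recording the exact release, in the form `uses: actions/configure-pages@<SHA> # vX.Y.Z` (placeholders, to be filled with the real tag), makes each pin auditable and gives update bots that rewrite the comment something accurate to maintain. The same major-only comments sit on every pinned `uses:` line in the other file sections of this commit (`# v4` on checkout, upload-artifact, configure-aws-credentials, deploy-pages and asdf-vm/actions/setup). The enclosing `steps` list of both hunks starts outside the visible lines.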

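--- a/.github/actions/create-lines-of-code-report/action.yaml
+++ b/.github/actions/create-lines-of-code-report/action.yaml
@@ -32,7 +32,8 @@ runs:
 run: zip lines-of-code-report.json.zip lines-of-code-report.json
 - name: "Upload CLOC report as an artefact"
 if: ${{ !env.ACT }}
-uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with:
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+with:
 name: lines-of-code-report.json.zip
 path: ./lines-of-code-report.json.zip
 retention-days: 21
@@ -43,7 +44,8 @@ runs:
 echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the report"
 if: steps.check.outputs.secrets_exist == 'true'
-uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with:
+uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
 - name: "Send the CLOC report to the central location"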

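--- a/.github/actions/scan-dependencies/action.yaml
+++ b/.github/actions/scan-dependencies/action.yaml
@@ -32,7 +32,8 @@ runs:
 run: zip sbom-repository-report.json.zip sbom-repository-report.json
 - name: "Upload SBOM report as an artefact"
 if: ${{ !env.ACT }}
-uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with:
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+with:
 name: sbom-repository-report.json.zip
 path: ./sbom-repository-report.json.zip
 retention-days: 21
@@ -46,7 +47,8 @@ runs:
 run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json
 - name: "Upload vulnerabilities report as an artefact"
 if: ${{ !env.ACT }}
-uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with:
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+with:
 name: vulnerabilities-repository-report.json.zip
 path: ./vulnerabilities-repository-report.json.zip
 retention-days: 21
@@ -56,7 +58,8 @@ runs:
 run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
 - name: "Authenticate to send the reports"
 if: steps.check.outputs.secrets_exist == 'true'
-uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with:
+uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+with:
 role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
 aws-region: ${{ inputs.idp_aws_report_upload_region }}
 - name: "Send the SBOM and vulnerabilities reports to the central location"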

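--- a/.github/actions/sync-template-repo/action.yaml
+++ b/.github/actions/sync-template-repo/action.yaml
@@ -8,7 +8,8 @@ runs:
 using: "composite"
 steps:
 - name: "Check out template repository"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
 repository: NHSDigital/nhs-notify-repository-template
 path: nhs-notify-repository-template
 token: ${{ inputs.github_token }}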
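Review bot: The restored `with:` block on the template checkout passes `token: ${{ inputs.github_token }}` but leaves `persist-credentials` at its default, so actions/checkout keeps that token in the local git configuration of `nhs-notify-repository-template/`, where every later step of the composite action can read it. If the steps that follow (outside this hunk) only read files from that directory, add `persist-credentials: false` under `with:`; if they need the token to push, a one-line comment saying so would document why it is kept. The checkout steps in the workflow files of this commit rely on the same default, which deserves the same check in jobs that go on to run `make` targets or upload artifacts, and in the stage-1-commit job that carries `contents: write`.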

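--- a/.github/workflows/cicd-1-pull-request.yaml
+++ b/.github/workflows/cicd-1-pull-request.yaml
@@ -29,7 +29,8 @@ jobs:
 does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Set CI/CD variables"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: "Set CI/CD variables"
 id: variables
 run: |
 datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')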

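--- a/.github/workflows/cicd-3-deploy.yaml
+++ b/.github/workflows/cicd-3-deploy.yaml
@@ -37,7 +37,8 @@ jobs:
 # tag: ${{ steps.variables.outputs.tag }}
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Set CI/CD variables"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: "Set CI/CD variables"
 id: variables
 run: |
 datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
@@ -108,5 +109,6 @@ jobs:
 
 - name: Deploy to GitHub Pages
 id: deployment
-uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 with:
+uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
+with:
 artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}}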

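--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -59,7 +59,8 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
-uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with:
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+with:
 name: SARIF file
 path: results.sarif
 retention-days: 5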

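--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -39,7 +39,8 @@ jobs:
 timeout-minutes: 2
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
 fetch-depth: 0 # Full history is needed to scan all commits
 - name: "Scan secrets"
 uses: ./.github/actions/scan-secrets
@@ -49,7 +50,8 @@ jobs:
 timeout-minutes: 2
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check file format"
 uses: ./.github/actions/check-file-format
@@ -59,7 +61,8 @@ jobs:
 timeout-minutes: 2
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check Markdown format"
 uses: ./.github/actions/check-markdown-format
@@ -72,7 +75,8 @@ jobs:
 contents: write
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check to see if Terraform Docs are up-to-date"
 run: |
@@ -92,7 +96,8 @@ jobs:
 timeout-minutes: 2
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check English usage"
 uses: ./.github/actions/check-english-usage
@@ -102,7 +107,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
 fetch-depth: 0 # Full history is needed to compare branches
 - name: "Check TODO usage"
 uses: ./.github/actions/check-todo-usage
@@ -136,8 +142,10 @@ jobs:
 if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Setup ASDF"
-uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4 - name: "Lint Terraform"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: "Setup ASDF"
+uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4
+- name: "Lint Terraform"
 uses: ./.github/actions/lint-terraform
 trivy:
 name: "Trivy Scan"
@@ -147,8 +155,10 @@ jobs:
 if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Setup ASDF"
-uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4 - name: "Perform Setup"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: "Setup ASDF"
+uses: asdf-vm/actions/setup@a7acd3c0f80eb138922a2da9514d1df22864eaca # v4
+- name: "Perform Setup"
 uses: ./.github/actions/setup
 - name: "Trivy Scan"
 uses: ./.github/actions/trivy
@@ -161,7 +171,8 @@ jobs:
 timeout-minutes: 2
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Count lines of code"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: "Count lines of code"
 uses: ./.github/actions/create-lines-of-code-report
 with:
 build_datetime: "${{ inputs.build_datetime }}"
@@ -179,7 +190,8 @@ jobs:
 timeout-minutes: 2
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Scan dependencies"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: "Scan dependencies"
 uses: ./.github/actions/scan-dependencies
 with:
 build_datetime: "${{ inputs.build_datetime }}"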

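--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -39,7 +39,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run unit test suite"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: "Run unit test suite"
 run: |
 make test-unit
 - name: "Save the result of fast test suite"
@@ -51,7 +52,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run linting"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: "Run linting"
 run: |
 make test-lint
 - name: "Save the linting result"
@@ -64,7 +66,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Run test coverage check"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: "Run test coverage check"
 run: |
 make test-coverage
 - name: "Save the coverage check result"
@@ -80,7 +83,8 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with:
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
 fetch-depth: 0 # Full history is needed to improving relevancy of reporting
 - name: "Perform static analysis"
 uses: ./.github/actions/perform-static-analysis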

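--- a/.github/workflows/stage-3-build.yaml
+++ b/.github/workflows/stage-3-build.yaml
@@ -39,7 +39,8 @@ jobs:
 timeout-minutes: 3
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Build artefact 1"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: "Build artefact 1"
 run: |
 echo "Building artefact 1 ..."
 - name: "Check artefact 1"
@@ -55,7 +56,8 @@ jobs:
 timeout-minutes: 3
 steps:
 - name: "Checkout code"
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: "Build artefact n"
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: "Build artefact n"
 run: |
 echo "Building artefact n ..."
 - name: "Check artefact n"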
