.github: pin actions/checkout to latest v3 or v4 as appropriate (#13551)

Pin actions/checkout usage to latest 3.x or 4.x as appropriate. These
were previously pointing to `@4` or `@3` which pull in the latest
versions at these tags as they are released, with the potential to break
our workflows if a breaking change or malicious version for either of
these streams are released.

Changing this to a pinned version also means that dependabot will keep
this in the pinned version format (e.g., referencing a SHA) when it
opens a PR to bump the dependency.

Updates #cleanup

Signed-off-by: Mario Minardi <mario@tailscale.com>
pull/13553/head
Mario Minardi 2 months ago committed by GitHub
parent 8d508712c9
commit 07991dec83
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -18,7 +18,7 @@ jobs:
runs-on: [ ubuntu-latest ] runs-on: [ ubuntu-latest ]
steps: steps:
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Build checklocks - name: Build checklocks
run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks

@ -45,7 +45,7 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# Install a more recent Go that understands modern go.mod content. # Install a more recent Go that understands modern go.mod content.
- name: Install Go - name: Install Go

@ -10,6 +10,6 @@ jobs:
deploy: deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: "Build Docker image" - name: "Build Docker image"
run: docker build . run: docker build .

@ -17,7 +17,7 @@ jobs:
id-token: "write" id-token: "write"
contents: "read" contents: "read"
steps: steps:
- uses: "actions/checkout@v4" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}" ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
- uses: "DeterminateSystems/nix-installer-action@main" - uses: "DeterminateSystems/nix-installer-action@main"
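Review bot: The `DeterminateSystems/nix-installer-action@main` step on the last line of this hunk still follows a branch, in a job whose permissions block grants `id-token: "write"`. A branch ref moves with every push to that repository, so the reasoning in the commit message applies here more strongly than it did to `actions/checkout@v4`. I would pin it the same way, `- uses: DeterminateSystems/nix-installer-action@<full-commit-sha> # <release-tag>` (placeholders, to be filled in from a reviewed release). The same mutable-ref concern remains for `actions/setup-go@v4` and `actions/cache@v3`, which stay on major tags in later hunks on this page. The job's step list continues outside the hunk.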

@ -23,7 +23,7 @@ jobs:
name: lint name: lint
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@v4 - uses: actions/setup-go@v4
with: with:

@ -14,7 +14,7 @@ jobs:
steps: steps:
- name: Check out code into the Go module directory - name: Check out code into the Go module directory
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Install govulncheck - name: Install govulncheck
run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest

@ -98,7 +98,7 @@ jobs:
# We cannot use v4, as it requires a newer glibc version than some of the # We cannot use v4, as it requires a newer glibc version than some of the
# tested images provide. See # tested images provide. See
# https://github.com/actions/checkout/issues/1487 # https://github.com/actions/checkout/issues/1487
uses: actions/checkout@v3 uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: run installer - name: run installer
run: scripts/installer.sh run: scripts/installer.sh
# Package installation can fail in docker because systemd is not running # Package installation can fail in docker because systemd is not running
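Review bot: The comment above the pinned v3.6.0 `actions/checkout` line explains why v4 cannot be used, but with a SHA pin a later bump to a 4.x commit looks like any other hash change in review. I would extend that comment with one line such as `# Keep this pinned to a 3.x commit; do not accept automated bumps to 4.x here.` Whether Dependabot is configured to ignore major updates for this action is not visible on this page, so that is worth confirming separately.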

@ -17,7 +17,7 @@ jobs:
runs-on: [ ubuntu-latest ] runs-on: [ ubuntu-latest ]
steps: steps:
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Build and lint Helm chart - name: Build and lint Helm chart
run: | run: |
eval `./tool/go run ./cmd/mkversion` eval `./tool/go run ./cmd/mkversion`

@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run SSH integration tests - name: Run SSH integration tests
run: | run: |
make sshintegrationtest make sshintegrationtest

@ -50,7 +50,7 @@ jobs:
- shard: '4/4' - shard: '4/4'
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: build test wrapper - name: build test wrapper
run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
- name: integration tests as root - name: integration tests as root
@ -78,7 +78,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Restore Cache - name: Restore Cache
uses: actions/cache@v3 uses: actions/cache@v3
with: with:
@ -150,7 +150,7 @@ jobs:
runs-on: windows-2022 runs-on: windows-2022
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Install Go - name: Install Go
uses: actions/setup-go@v4 uses: actions/setup-go@v4
@ -190,7 +190,7 @@ jobs:
options: --privileged options: --privileged
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: chown - name: chown
run: chown -R $(id -u):$(id -g) $PWD run: chown -R $(id -u):$(id -g) $PWD
- name: privileged tests - name: privileged tests
@ -202,7 +202,7 @@ jobs:
if: github.repository == 'tailscale/tailscale' if: github.repository == 'tailscale/tailscale'
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run VM tests - name: Run VM tests
run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004 run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
env: env:
@ -214,7 +214,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: build all - name: build all
run: ./tool/go install -race ./cmd/... run: ./tool/go install -race ./cmd/...
- name: build tests - name: build tests
@ -258,7 +258,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Restore Cache - name: Restore Cache
uses: actions/cache@v3 uses: actions/cache@v3
with: with:
@ -295,7 +295,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: build some - name: build some
run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient
env: env:
@ -317,7 +317,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Restore Cache - name: Restore Cache
uses: actions/cache@v3 uses: actions/cache@v3
with: with:
@ -350,7 +350,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
# and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
# some Android breakages early. # some Android breakages early.
@ -365,7 +365,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Restore Cache - name: Restore Cache
uses: actions/cache@v3 uses: actions/cache@v3
with: with:
@ -399,7 +399,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: test tailscale_go - name: test tailscale_go
run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/... run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...
@ -467,7 +467,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: check depaware - name: check depaware
run: | run: |
export PATH=$(./tool/go env GOROOT)/bin:$PATH export PATH=$(./tool/go env GOROOT)/bin:$PATH
@ -477,7 +477,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: check that 'go generate' is clean - name: check that 'go generate' is clean
run: | run: |
pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator|xdp') pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator|xdp')
@ -490,7 +490,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: check that 'go mod tidy' is clean - name: check that 'go mod tidy' is clean
run: | run: |
./tool/go mod tidy ./tool/go mod tidy
@ -502,7 +502,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: check licenses - name: check licenses
run: ./scripts/check_license_headers.sh . run: ./scripts/check_license_headers.sh .
@ -518,7 +518,7 @@ jobs:
goarch: "386" goarch: "386"
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: install staticcheck - name: install staticcheck
run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck
- name: run staticcheck - name: run staticcheck

@ -21,7 +21,7 @@ jobs:
steps: steps:
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run update-flakes - name: Run update-flakes
run: ./update-flake.sh run: ./update-flake.sh

@ -14,7 +14,7 @@ jobs:
steps: steps:
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run go get - name: Run go get
run: | run: |

@ -24,7 +24,7 @@ jobs:
steps: steps:
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Install deps - name: Install deps
run: ./tool/yarn --cwd client/web run: ./tool/yarn --cwd client/web
- name: Run lint - name: Run lint
