
Commit 2288c85

committed
fix: correct hash-pin version comments in GitHub Actions workflows
Fix all 7 ref-version-mismatch findings from zizmor audit: - lint.yml (3x): fix golangci-lint-action comment from 9.2.0 to v9.2.0 - scorecards.yml (2x): fix scorecard-action comment from v2.3.1 to v2.4.0 and upload-artifact comment from v3.1.3 to v4.3.3 (hashes were already correct, comments were stale) - release.yaml: re-pin cosign-installer from a main branch commit to v3.2.0 (the closest stable tag after the pinned commit from Sept 2023) - test.yml: re-pin ent/contrib/ci from a master branch commit to v0.5.0 (the closest stable tag after the pinned commit from Sept 2023) Assisted-by: Claude Code Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
1 parent 4ad54ec commit 2288c85

4 files changed

Lines changed: 7 additions & 7 deletions


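--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -34,14 +34,14 @@ jobs:
 go-version-file: 'go.mod'
 
 - name: Lint main module
-uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # 9.2.0
+uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 if: ${{ matrix.app == 'main-module' }}
 with:
 version: v2.9.0
 only-new-issues: 'true'
 
 - name: Lint ${{ matrix.app }}
-uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # 9.2.0
+uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 if: ${{ matrix.app != 'main-module' }}
 with:
 working-directory: app/${{ matrix.app }}
@@ -84,7 +84,7 @@ jobs:
 make -C extras/dagger module-init
 
 - name: Lint
-uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # 9.2.0
+uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 with:
 working-directory: extras/dagger
 version: v2.9.0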
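Review bot: The three golangci-lint-action pins in this file (lines 37, 44 and 87) and the two pins in scorecards.yml are resolved by trusting the SHA and rewriting the comment, so the comment is now the only human-readable statement of which release `1e7e51e7…` is; nothing on this page shows that this commit is the one tagged v9.2.0, so that confirmation (for example `git rev-parse v9.2.0^{commit}` in a clone of the action repository) belongs in the PR discussion rather than being implied by the comment alone. Because the same SHA is copied three times here, the copies will drift apart again unless an updater that rewrites SHA and trailing comment together (Dependabot's `github-actions` ecosystem does) covers this workflow. The jobs these steps belong to begin outside both hunks.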

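--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -61,7 +61,7 @@ jobs:
 
 steps:
 - name: Install Cosign
-uses: sigstore/cosign-installer@ef6a6b364bbad08abd36a5f8af60b595d12702f8 # main
+uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
 with:
 cosign-release: "v2.2.3"
 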
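Review bot: Unlike the comment-only fixes in the other files, this hunk changes the code that actually runs in the release job — the installer moves from an untagged `main` commit to the commit tagged v3.2.0 — so it needs a run of the release workflow, not only the zizmor audit, to confirm that `cosign-release: "v2.2.3"` is still honored by that installer version. The commit message explains v3.2.0 as the first tag after the previously pinned commit, which leaves the installer on a 2023-era release; it does not say why the current v3 release was not taken, and a pin that old is likely to be flagged again by any staleness check. A short comment above the step, such as `# pinned to the first tag after the previously used main commit; bump together with the next cosign update`, would make that choice reviewable later. The `steps:` list and its job begin before this hunk.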
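--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -47,7 +47,7 @@ jobs:
 persist-credentials: false
 
 - name: "Run analysis"
-uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.3.1
+uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
 with:
 results_file: results.sarif
 results_format: sarif
@@ -69,7 +69,7 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
-uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v3.1.3
+uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 # When downloading if not name is set the artifact name will be "artifact"
 # We need to specify the name to download it later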
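Review bot: The corrected comment on line 72 shows that the artifact step has been running upload-artifact v4 while documented as v3.1.3, and v4 is a breaking major version (artifact names must be unique within a run, and v4 artifacts are not retrievable with a v3 download-artifact); the notes under `with:` about naming the artifact so it can be downloaded later read as if written against v3, so whichever step or workflow downloads this artifact should be checked for a matching v4 pin. The scorecard-action change on line 50 is a minor-version comment fix and carries no such concern. Keeping these comments accurate is the whole point of the zizmor finding, since the comment is what a reader uses to judge whether a SHA is the release it claims to be. The job and its earlier steps begin outside the hunks.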

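--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -53,7 +53,7 @@ jobs:
 
 # Check that the generated ent code is up to date
 # see https://entgo.io/docs/ci/
-- uses: ent/contrib/ci@e38dfb6484dfbe64b8bd060fe6a219a1aa5da770 # master
+- uses: ent/contrib/ci@4ec197664a206890a44245f5c0cbcb8110d68cb5 # v0.5.0
 name: "Check all ent generated code is checked in"
 if: ${{ matrix.app != 'main-module' }}
 with: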
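Review bot: `v0.5.0` on line 56 is a tag of the ent/contrib repository that hosts this composite action, not the version of ent used by the code being checked; if the action at that tag brings its own codegen tooling rather than using the module's go.mod version, the "generated code is checked in" check can fail spuriously or silently stop catching drift, which is worth confirming before relying on it. As with the cosign re-pin, this hunk changes the code that actually runs (unlike the comment-only fixes), so a CI run covering every matrix entry this step applies to should confirm the check still behaves. A one-line comment above the step, such as `# action tag is independent of the ent version in go.mod; check both when bumping`, would record that coupling for the next update. The `with:` block and the rest of the step continue past the hunk.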
