From 70b07c1cf33ca91acc17205484d894a4fddcfd54 Mon Sep 17 00:00:00 2001 From: "Jens L." Date: Wed, 8 Oct 2025 21:50:25 +0200 Subject: [PATCH] ci: migrate actions to commit hashes (#17339) * remove deprecated action Signed-off-by: Jens Langhammer * migrate v1 Signed-off-by: Jens Langhammer * cleanup tags Signed-off-by: Jens Langhammer * remove netlify action since its not maintained Signed-off-by: Jens Langhammer --------- Signed-off-by: Jens Langhammer --- .../_reusable-docker-build-single.yml | 16 +++---- .github/workflows/_reusable-docker-build.yml | 12 ++--- .github/workflows/api-ts-publish.yml | 14 +++--- .github/workflows/ci-api-docs.yml | 16 +++---- .github/workflows/ci-aws-cfn.yml | 4 +- .github/workflows/ci-docs-source.yml | 8 ++-- .github/workflows/ci-docs.yml | 22 ++++----- .github/workflows/ci-main-daily.yml | 2 +- .github/workflows/ci-main.yml | 18 ++++---- .github/workflows/ci-outpost.yml | 28 +++++------ .github/workflows/ci-web.yml | 12 ++--- .github/workflows/gen-image-compress.yml | 16 +++---- .github/workflows/gen-update-webauthn-mds.yml | 12 ++--- .github/workflows/gh-cherry-pick.yml | 4 +- .github/workflows/gh-gha-cache-cleanup.yml | 2 +- .github/workflows/gh-ghcr-retention.yml | 8 ++-- .github/workflows/packages-npm-publish.yml | 6 +-- .github/workflows/qa-codeql.yml | 2 +- .github/workflows/qa-semgrep.yml | 2 +- .github/workflows/release-branch-off.yml | 14 +++--- .github/workflows/release-next-branch.yml | 2 +- .github/workflows/release-publish.yml | 46 +++++++++---------- .github/workflows/release-tag.yml | 20 ++++---- .github/workflows/repo-mirror-cleanup.yml | 4 +- .github/workflows/repo-mirror.yml | 4 +- .github/workflows/repo-stale.yml | 8 ++-- .github/workflows/translation-advice.yml | 4 +- .../workflows/translation-extract-compile.yml | 12 ++--- .github/workflows/translation-rename.yml | 10 ++-- 29 files changed, 164 insertions(+), 164 deletions(-) 
diff --git a/.github/workflows/_reusable-docker-build-single.yml b/.github/workflows/_reusable-docker-build-single.yml index 13f60afdb6..5bba63a355 100644 --- a/.github/workflows/_reusable-docker-build-single.yml +++ b/.github/workflows/_reusable-docker-build-single.yml @@ -42,9 +42,9 @@ jobs: # Needed for checkout contents: read steps: - - uses: actions/checkout@v5 - - uses: docker/setup-qemu-action@v3.6.0 - - uses: docker/setup-buildx-action@v3 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: prepare variables uses: ./.github/actions/docker-push-variables id: ev @@ -56,13 +56,13 @@ jobs: release: ${{ inputs.release }} - name: Login to Docker Hub if: ${{ inputs.registry_dockerhub }} - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: username: ${{ secrets.DOCKER_CORP_USERNAME }} password: ${{ secrets.DOCKER_CORP_PASSWORD }} - name: Login to GitHub Container Registry if: ${{ inputs.registry_ghcr }} - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -74,7 +74,7 @@ jobs: mkdir -p ./gen-go-api - name: Setup node if: ${{ !inputs.release }} - uses: actions/setup-node@v5 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: web/package.json cache: "npm" @@ -83,7 +83,7 @@ jobs: if: ${{ !inputs.release }} run: make gen-client-ts - name: Build Docker Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 id: push with: context: . 
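Review bot: The trailing comments on the newly pinned `uses:` lines record a floating major tag (`# v5`, `# v3`, `# v6`), which does not say which release the hash was resolved from; the tag can move later while the hash stays put. Recording the exact release beside the hash, for example `- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # vX.Y.Z` with the real release number filled in, lets a reviewer check the hash against the upstream tag. It also gives update tooling that reads the comment a precise version to bump from. The same applies to the pinned actions in the other workflow files of this patch; the steps list continues outside this hunk.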
@@ -97,7 +97,7 @@ jobs: platforms: linux/${{ inputs.image_arch }} cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }} cache-to: ${{ steps.ev.outputs.cacheTo }} - - uses: actions/attest-build-provenance@v3 + - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3 id: attest if: ${{ steps.ev.outputs.shouldPush == 'true' }} with: diff --git a/.github/workflows/_reusable-docker-build.yml b/.github/workflows/_reusable-docker-build.yml index 0f60246f3d..9e435db357 100644 --- a/.github/workflows/_reusable-docker-build.yml +++ b/.github/workflows/_reusable-docker-build.yml @@ -49,7 +49,7 @@ jobs: tags: ${{ steps.ev.outputs.imageTagsJSON }} shouldPush: ${{ steps.ev.outputs.shouldPush }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: prepare variables uses: ./.github/actions/docker-push-variables id: ev @@ -69,7 +69,7 @@ jobs: matrix: tag: ${{ fromJson(needs.get-tags.outputs.tags) }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: prepare variables uses: ./.github/actions/docker-push-variables id: ev 
@@ -79,25 +79,25 @@ jobs: image-name: ${{ inputs.image_name }} - name: Login to Docker Hub if: ${{ inputs.registry_dockerhub }} - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: username: ${{ secrets.DOCKER_CORP_USERNAME }} password: ${{ secrets.DOCKER_CORP_PASSWORD }} - name: Login to GitHub Container Registry if: ${{ inputs.registry_ghcr }} - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: int128/docker-manifest-create-action@v2 + - uses: int128/docker-manifest-create-action@7061c6f396e85522c0949526ae22f77cb0e987c8 # v2 id: build with: tags: ${{ matrix.tag }} sources: | ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }} ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }} - - uses: actions/attest-build-provenance@v3 + - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3 id: attest with: subject-name: ${{ steps.ev.outputs.attestImageNames }} diff --git a/.github/workflows/api-ts-publish.yml b/.github/workflows/api-ts-publish.yml index 546c9d4cbd..e0a169a8e4 100644 --- a/.github/workflows/api-ts-publish.yml +++ b/.github/workflows/api-ts-publish.yml 
@@ -14,14 +14,14 @@ jobs: runs-on: ubuntu-latest steps: - id: generate_token - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: - app_id: ${{ secrets.GH_APP_ID }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - - uses: actions/checkout@v5 + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: token: ${{ steps.generate_token.outputs.token }} - - uses: actions/setup-node@v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: web/package.json registry-url: "https://registry.npmjs.org" @@ -44,7 +44,7 @@ jobs: run: | export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'` npm i @goauthentik/api@$VERSION - - uses: peter-evans/create-pull-request@v7 + - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 id: cpr with: token: ${{ steps.generate_token.outputs.token }} @@ -57,7 +57,7 @@ jobs: # ID from https://api.github.com/users/authentik-automation[bot] author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com> labels: dependencies - - uses: peter-evans/enable-pull-request-automerge@v3 + - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3 with: token: ${{ steps.generate_token.outputs.token }} pull-request-number: ${{ steps.cpr.outputs.pull-request-number }} diff --git a/.github/workflows/ci-api-docs.yml b/.github/workflows/ci-api-docs.yml index 70de911185..942f367831 100644 --- a/.github/workflows/ci-api-docs.yml +++ b/.github/workflows/ci-api-docs.yml @@ -21,7 +21,7 @@ jobs: command: - prettier-check steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Install Dependencies working-directory: website/ run: npm ci 
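Review bot: The new `actions/create-github-app-token` step sets no permission inputs, so the token it mints carries every permission the app installation holds. In this file that token is passed to `actions/checkout`, `peter-evans/create-pull-request` and `peter-evans/enable-pull-request-automerge`. The action accepts `permission-<name>` inputs, so the step can request only what the job uses, e.g. `permission-contents: write` and `permission-pull-requests: write` under `with:` (the exact set should be confirmed against what the PR steps need). The same migration in gen-image-compress.yml, gen-update-webauthn-mds.yml, gh-ghcr-retention.yml and release-branch-off.yml would benefit from the same restriction.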
@@ -32,8 +32,8 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: actions/setup-node@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: website/package.json cache: "npm" @@ -41,7 +41,7 @@ jobs: - working-directory: website/ name: Install Dependencies run: npm ci - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | ${{ github.workspace }}/website/api/.docusaurus @@ -55,7 +55,7 @@ jobs: env: NODE_ENV: production run: npm run build -w api - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: api-docs path: website/api/build @@ -66,12 +66,12 @@ jobs: - lint - build steps: - - uses: actions/checkout@v5 - - uses: actions/download-artifact@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: api-docs path: website/api/build - - uses: actions/setup-node@v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: website/package.json cache: "npm" diff --git a/.github/workflows/ci-aws-cfn.yml b/.github/workflows/ci-aws-cfn.yml index 7d144ebe5a..bd131ddc96 100644 --- a/.github/workflows/ci-aws-cfn.yml +++ b/.github/workflows/ci-aws-cfn.yml @@ -21,10 +21,10 @@ jobs: check-changes-applied: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup authentik env uses: ./.github/actions/setup - - uses: actions/setup-node@v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: lifecycle/aws/package.json cache: "npm" 
diff --git a/.github/workflows/ci-docs-source.yml b/.github/workflows/ci-docs-source.yml index 1c4ca3fcac..799f45b04d 100644 --- a/.github/workflows/ci-docs-source.yml +++ b/.github/workflows/ci-docs-source.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 120 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup authentik env uses: ./.github/actions/setup - name: generate docs @@ -25,9 +25,9 @@ jobs: uv run make migrate uv run ak build_source_docs - name: Publish - uses: netlify/actions/cli@master - with: - args: deploy --dir=source_docs --prod env: NETLIFY_SITE_ID: eb246b7b-1d83-4f69-89f7-01a936b4ca59 NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }} + run: | + npm install -g netlify-cli + netlify deploy --dir=source_docs --prod diff --git a/.github/workflows/ci-docs.yml b/.github/workflows/ci-docs.yml index f9cb83d9f5..07e9e14294 100644 --- a/.github/workflows/ci-docs.yml +++ b/.github/workflows/ci-docs.yml @@ -21,7 +21,7 @@ jobs: command: - prettier-check steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Install dependencies working-directory: website/ run: npm ci @@ -32,8 +32,8 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: actions/setup-node@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: website/package.json cache: "npm" @@ -48,8 +48,8 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: actions/setup-node@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: website/package.json cache: "npm" 
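Review bot: The replacement `run:` block in the Publish step installs `netlify-cli` with no version, so the deploy tool floats on whatever npm serves at run time, in a commit whose aim is to pin third-party code. Because `env:` is set on the whole step, `NETLIFY_AUTH_TOKEN` is also present in the environment while `npm install -g` runs package install scripts. Pinning the CLI version and moving the install into its own step without the token limits the secret to the `netlify deploy` call. The version in the sketch below is a placeholder for a vetted release.

```yaml
      # … unchanged: checkout, setup and "generate docs" steps …
      - name: Install netlify-cli
        # <PINNED_VERSION> is a placeholder; no secrets are exposed to this step
        run: npm install -g netlify-cli@<PINNED_VERSION>
      - name: Publish
        env:
          NETLIFY_SITE_ID: eb246b7b-1d83-4f69-89f7-01a936b4ca59
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
        run: netlify deploy --dir=source_docs --prod
```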
@@ -70,13 +70,13 @@ jobs: id-token: write attestations: write steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: ${{ github.event.pull_request.head.sha }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3.6.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: prepare variables uses: ./.github/actions/docker-push-variables id: ev @@ -86,14 +86,14 @@ jobs: image-name: ghcr.io/goauthentik/dev-docs - name: Login to Container Registry if: ${{ steps.ev.outputs.shouldPush == 'true' }} - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build Docker Image id: push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: tags: ${{ steps.ev.outputs.imageTags }} file: website/Dockerfile @@ -102,7 +102,7 @@ jobs: context: . cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }} - - uses: actions/attest-build-provenance@v3 + - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3 id: attest if: ${{ steps.ev.outputs.shouldPush == 'true' }} with: diff --git a/.github/workflows/ci-main-daily.yml b/.github/workflows/ci-main-daily.yml index eacf6e512a..cd74691b77 100644 --- a/.github/workflows/ci-main-daily.yml +++ b/.github/workflows/ci-main-daily.yml 
@@ -19,7 +19,7 @@ jobs: - version-2025-4 - version-2025-2 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - run: | current="$(pwd)" dir="/tmp/authentik/${{ matrix.version }}" diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml index 5d145c814d..d6cd8e753f 100644 --- a/.github/workflows/ci-main.yml +++ b/.github/workflows/ci-main.yml @@ -37,7 +37,7 @@ jobs: - mypy runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup authentik env uses: ./.github/actions/setup - name: run job @@ -45,7 +45,7 @@ jobs: test-migrations: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup authentik env uses: ./.github/actions/setup - name: run migrations @@ -71,7 +71,7 @@ jobs: - 18-alpine run_id: [1, 2, 3, 4, 5] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 - name: checkout stable @@ -129,7 +129,7 @@ jobs: - 18-alpine run_id: [1, 2, 3, 4, 5] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup authentik env uses: ./.github/actions/setup with: @@ -149,11 +149,11 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup authentik env uses: ./.github/actions/setup - name: Create k8s Kind Cluster - uses: helm/kind-action@v1.12.0 + uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 - name: run integration run: | uv run coverage run manage.py test tests/integration 
@@ -187,14 +187,14 @@ jobs: - name: flows glob: tests/e2e/test_flows* steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup authentik env uses: ./.github/actions/setup - name: Setup e2e env (chrome, etc) run: | docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull - id: cache-web - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: web/dist key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b @@ -253,7 +253,7 @@ jobs: pull-requests: write timeout-minutes: 120 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: ${{ github.event.pull_request.head.sha }} - name: prepare variables diff --git a/.github/workflows/ci-outpost.yml b/.github/workflows/ci-outpost.yml index 136f13795d..a7f64ee031 100644 --- a/.github/workflows/ci-outpost.yml +++ b/.github/workflows/ci-outpost.yml @@ -16,8 +16,8 @@ jobs: lint-golint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: actions/setup-go@v6 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6 with: go-version-file: "go.mod" - name: Prepare and generate API @@ -29,7 +29,7 @@ jobs: - name: Generate API run: make gen-client-go - name: golangci-lint - uses: golangci/golangci-lint-action@v8 + uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8 with: version: latest args: --timeout 5000s --verbose 
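Review bot: Pinning `golangci/golangci-lint-action` to a hash in the ci-outpost.yml lint job does not pin the linter itself, because the unchanged `version: latest` under `with:` still makes the action fetch the newest golangci-lint release on every run. For consistency with the rest of this patch, set an explicit release there, e.g. `version: vX.Y.Z` (placeholder for the release the project lints with). This is a lint job, so the exposure is limited, but a floating binary can also break CI without any change in the repository.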
@@ -37,8 +37,8 @@ jobs: test-unittest: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: actions/setup-go@v6 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6 with: go-version-file: "go.mod" - name: Setup authentik env @@ -79,13 +79,13 @@ jobs: id-token: write attestations: write steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: ${{ github.event.pull_request.head.sha }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3.6.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: prepare variables uses: ./.github/actions/docker-push-variables id: ev @@ -95,7 +95,7 @@ jobs: image-name: ghcr.io/goauthentik/dev-${{ matrix.type }} - name: Login to Container Registry if: ${{ steps.ev.outputs.shouldPush == 'true' }} - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -104,7 +104,7 @@ jobs: run: make gen-client-go - name: Build Docker Image id: push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: tags: ${{ steps.ev.outputs.imageTags }} file: ${{ matrix.type }}.Dockerfile 
@@ -115,7 +115,7 @@ jobs: context: . cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }} - - uses: actions/attest-build-provenance@v3 + - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3 id: attest if: ${{ steps.ev.outputs.shouldPush == 'true' }} with: @@ -138,13 +138,13 @@ jobs: goos: [linux] goarch: [amd64, arm64] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@v6 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6 with: go-version-file: "go.mod" - - uses: actions/setup-node@v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: web/package.json cache: "npm" diff --git a/.github/workflows/ci-web.yml b/.github/workflows/ci-web.yml index e1b1d43393..632d033da5 100644 --- a/.github/workflows/ci-web.yml +++ b/.github/workflows/ci-web.yml @@ -31,8 +31,8 @@ jobs: - command: lit-analyse project: web steps: - - uses: actions/checkout@v5 - - uses: actions/setup-node@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: ${{ matrix.project }}/package.json cache: "npm" @@ -48,8 +48,8 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: actions/setup-node@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: web/package.json cache: "npm" 
@@ -76,8 +76,8 @@ jobs: - ci-web-mark runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: actions/setup-node@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: web/package.json cache: "npm" diff --git a/.github/workflows/gen-image-compress.yml b/.github/workflows/gen-image-compress.yml index 8f910574bd..7fa855c66e 100644 --- a/.github/workflows/gen-image-compress.yml +++ b/.github/workflows/gen-image-compress.yml 
@@ -29,32 +29,32 @@ jobs: github.event.pull_request.head.repo.full_name == github.repository) steps: - id: generate_token - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: - app_id: ${{ secrets.GH_APP_ID }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - - uses: actions/checkout@v5 + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: token: ${{ steps.generate_token.outputs.token }} - name: Compress images id: compress - uses: calibreapp/image-actions@main + uses: calibreapp/image-actions@05b1cf44e88c3b041b841452482df9497f046ef7 # main with: GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} compressOnly: ${{ github.event_name != 'pull_request' }} - - uses: peter-evans/create-pull-request@v7 + - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}" id: cpr with: token: ${{ steps.generate_token.outputs.token }} title: "*: Auto compress images" branch-suffix: timestamp - commit-messsage: "*: compress images" + commit-message: "*: compress images" body: ${{ steps.compress.outputs.markdown }} delete-branch: true signoff: true labels: dependencies - - uses: peter-evans/enable-pull-request-automerge@v3 + - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3 if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}" with: token: ${{ steps.generate_token.outputs.token }} diff --git a/.github/workflows/gen-update-webauthn-mds.yml b/.github/workflows/gen-update-webauthn-mds.yml index ef1c98db97..7cc751a499 100644 --- a/.github/workflows/gen-update-webauthn-mds.yml +++ b/.github/workflows/gen-update-webauthn-mds.yml 
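Review bot: `calibreapp/image-actions` is pinned to whatever commit `main` pointed at, and the comment `# main` names a branch rather than a release. Nobody can later tell which version this hash corresponds to, or whether it was ever released. Prefer the hash of a tagged release with the tag in the comment, `uses: calibreapp/image-actions@<RELEASE_COMMIT_SHA> # <release tag>`; if no suitable release exists, note the date the branch head was taken. The `tj-actions/changed-files` line in packages-npm-publish.yml has a similar gap: its comment repeats the hash instead of naming the release. This step also receives the app token through `GITHUB_TOKEN`, which makes knowing the exact reviewed version more important.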
@@ -17,17 +17,17 @@ jobs: runs-on: ubuntu-latest steps: - id: generate_token - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: - app_id: ${{ secrets.GH_APP_ID }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - - uses: actions/checkout@v5 + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: token: ${{ steps.generate_token.outputs.token }} - name: Setup authentik env uses: ./.github/actions/setup - run: uv run ak update_webauthn_mds - - uses: peter-evans/create-pull-request@v7 + - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 id: cpr with: token: ${{ steps.generate_token.outputs.token }} @@ -40,7 +40,7 @@ jobs: # ID from https://api.github.com/users/authentik-automation[bot] author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com> labels: dependencies - - uses: peter-evans/enable-pull-request-automerge@v3 + - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3 with: token: ${{ steps.generate_token.outputs.token }} pull-request-number: ${{ steps.cpr.outputs.pull-request-number }} diff --git a/.github/workflows/gh-cherry-pick.yml b/.github/workflows/gh-cherry-pick.yml index a5a61d6c5f..55718e7b05 100644 --- a/.github/workflows/gh-cherry-pick.yml +++ b/.github/workflows/gh-cherry-pick.yml 
@@ -10,14 +10,14 @@ jobs: steps: - id: app-token name: Generate app token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 if: ${{ env.GH_APP_ID != '' }} with: app-id: ${{ secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} env: GH_APP_ID: ${{ secrets.GH_APP_ID }} - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 if: ${{ steps.app-token.outcome != 'skipped' }} with: fetch-depth: 0 diff --git a/.github/workflows/gh-gha-cache-cleanup.yml b/.github/workflows/gh-gha-cache-cleanup.yml index 468b8e4672..88ea00a578 100644 --- a/.github/workflows/gh-gha-cache-cleanup.yml +++ b/.github/workflows/gh-gha-cache-cleanup.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Cleanup run: | diff --git a/.github/workflows/gh-ghcr-retention.yml b/.github/workflows/gh-ghcr-retention.yml index 3ecc81d488..d32bed0d2d 100644 --- a/.github/workflows/gh-ghcr-retention.yml +++ b/.github/workflows/gh-ghcr-retention.yml @@ -13,12 +13,12 @@ jobs: runs-on: ubuntu-latest steps: - id: generate_token - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: - app_id: ${{ secrets.GH_APP_ID }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - name: Delete 'dev' containers older than a week - uses: snok/container-retention-policy@v2 + uses: snok/container-retention-policy@b56f4ff7539c1f94f01e5dc726671cd619aa8072 # v2 with: image-names: dev-server,dev-ldap,dev-proxy cut-off: One week ago UTC diff --git a/.github/workflows/packages-npm-publish.yml b/.github/workflows/packages-npm-publish.yml index 98f4f8fc14..89115fc6e5 100644 
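Review bot: In gh-ghcr-retention.yml, switching from `tibdex/github-app-token` to `actions/create-github-app-token` may change what the token can reach. With neither `owner` nor `repositories` set, the new action scopes the token to the current repository only, whereas the old one appears to have defaulted to every repository of the installation. `snok/container-retention-policy` deletes the `dev-server`, `dev-ldap` and `dev-proxy` images, so it is worth confirming on a real run that deletion still succeeds with the narrower token. If it does not, widen the scope deliberately, e.g. `owner: ${{ github.repository_owner }}` under `with:`, rather than falling back to a broader credential. The retention step's remaining inputs continue outside the hunk.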
--- a/.github/workflows/packages-npm-publish.yml +++ b/.github/workflows/packages-npm-publish.yml @@ -26,16 +26,16 @@ jobs: - packages/tsconfig - packages/esbuild-plugin-live-reload steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 2 - - uses: actions/setup-node@v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: ${{ matrix.package }}/package.json registry-url: "https://registry.npmjs.org" - name: Get changed files id: changed-files - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62 with: files: | ${{ matrix.package }}/package.json diff --git a/.github/workflows/qa-codeql.yml b/.github/workflows/qa-codeql.yml index 351045331b..b8ba7e5aae 100644 --- a/.github/workflows/qa-codeql.yml +++ b/.github/workflows/qa-codeql.yml @@ -24,7 +24,7 @@ jobs: language: ["go", "javascript", "python"] steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup authentik env uses: ./.github/actions/setup - name: Initialize CodeQL diff --git a/.github/workflows/qa-semgrep.yml b/.github/workflows/qa-semgrep.yml index 8036cf95a4..1f8203413a 100644 --- a/.github/workflows/qa-semgrep.yml +++ b/.github/workflows/qa-semgrep.yml @@ -26,5 +26,5 @@ jobs: image: semgrep/semgrep if: (github.actor != 'dependabot[bot]') steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - run: semgrep ci diff --git a/.github/workflows/release-branch-off.yml b/.github/workflows/release-branch-off.yml index 1c4ed77eb8..cb6fb27e1c 100644 --- a/.github/workflows/release-branch-off.yml +++ b/.github/workflows/release-branch-off.yml 
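Review bot: In qa-semgrep.yml the job's `image: semgrep/semgrep` (unchanged context above the edited checkout line) still resolves to the implicit `latest` tag. The container that runs every step of this job therefore stays unpinned after this patch. Pinning it by digest, `image: semgrep/semgrep@sha256:<DIGEST>`, would bring it in line with the hash-pinned actions. The job definition starts outside this hunk.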
@@ -29,12 +29,12 @@ jobs: steps: - id: app-token name: Generate app token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: app-id: ${{ secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - name: Checkout main - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: main token: "${{ steps.app-token.outputs.token }}" @@ -57,12 +57,12 @@ jobs: runs-on: ubuntu-latest steps: - id: generate_token - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: - app_id: ${{ secrets.GH_APP_ID }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - name: Checkout main - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: main token: ${{ steps.generate_token.outputs.token }} @@ -73,7 +73,7 @@ jobs: - name: Bump version run: "make bump version=${{ inputs.next_version }}.0-rc1" - name: Create pull request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: ${{ steps.generate_token.outputs.token }} branch: release-bump-${{ inputs.next_version }} diff --git a/.github/workflows/release-next-branch.yml b/.github/workflows/release-next-branch.yml index 0512283a24..cecaba8826 100644 --- a/.github/workflows/release-next-branch.yml +++ b/.github/workflows/release-next-branch.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest environment: internal-production steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: main - run: | diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml index 545e02f85f..db1fd165f9 100644 
--- a/.github/workflows/release-publish.yml +++ b/.github/workflows/release-publish.yml @@ -31,11 +31,11 @@ jobs: id-token: write attestations: write steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Set up QEMU - uses: docker/setup-qemu-action@v3.6.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: prepare variables uses: ./.github/actions/docker-push-variables id: ev @@ -44,21 +44,21 @@ jobs: with: image-name: ghcr.io/goauthentik/docs - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build Docker Image id: push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: tags: ${{ steps.ev.outputs.imageTags }} file: website/Dockerfile push: true platforms: linux/amd64,linux/arm64 context: . - - uses: actions/attest-build-provenance@v3 + - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3 id: attest if: true with: 
@@ -83,14 +83,14 @@ jobs: - radius - rac steps: - - uses: actions/checkout@v5 - - uses: actions/setup-go@v6 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6 with: go-version-file: "go.mod" - name: Set up QEMU - uses: docker/setup-qemu-action@v3.6.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: prepare variables uses: ./.github/actions/docker-push-variables id: ev @@ -103,18 +103,18 @@ jobs: mkdir -p ./gen-ts-api mkdir -p ./gen-go-api - name: Docker Login Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: username: ${{ secrets.DOCKER_CORP_USERNAME }} password: ${{ secrets.DOCKER_CORP_PASSWORD }} - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build Docker Image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 id: push with: push: true @@ -124,7 +124,7 @@ jobs: file: ${{ matrix.type }}.Dockerfile platforms: linux/amd64,linux/arm64 context: . - - uses: actions/attest-build-provenance@v3 + - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3 id: attest with: subject-name: ${{ steps.ev.outputs.attestImageNames }} 
@@ -146,11 +146,11 @@ jobs: goos: [linux, darwin] goarch: [amd64, arm64] steps: - - uses: actions/checkout@v5 - - uses: actions/setup-go@v6 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6 with: go-version-file: "go.mod" - - uses: actions/setup-node@v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version-file: web/package.json cache: "npm" @@ -168,7 +168,7 @@ jobs: export CGO_ENABLED=0 go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }} - name: Upload binaries to release - uses: svenstaro/upload-release-action@v2 + uses: svenstaro/upload-release-action@81c65b7cd4de9b2570615ce3aad67a41de5b1a13 # v2 with: repo_token: ${{ secrets.GITHUB_TOKEN }} file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} @@ -186,8 +186,8 @@ jobs: AWS_REGION: eu-central-1 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: aws-actions/configure-aws-credentials@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5 with: role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik" aws-region: ${{ env.AWS_REGION }} @@ -202,7 +202,7 @@ jobs: - build-outpost-binary runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Run test suite in final docker images run: | echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env @@ -218,7 +218,7 @@ jobs: - build-outpost-binary runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: prepare variables uses: ./.github/actions/docker-push-variables id: ev 
@@ -232,7 +232,7 @@ jobs: container=$(docker container create ${{ steps.ev.outputs.imageMainName }}) docker cp ${container}:web/ . - name: Create a Sentry.io release - uses: getsentry/action-release@v3 + uses: getsentry/action-release@4f502acc1df792390abe36f2dcb03612ef144818 # v3 continue-on-error: true env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml index 93432c8f1c..05ecb2a12d 100644 --- a/.github/workflows/release-tag.yml +++ b/.github/workflows/release-tag.yml @@ -48,7 +48,7 @@ jobs: name: Pre-release test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - run: make test-docker bump-authentik: name: Bump authentik version @@ -59,7 +59,7 @@ jobs: steps: - id: app-token name: Generate app token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: app-id: ${{ secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} @@ -68,7 +68,7 @@ jobs: run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" env: GH_TOKEN: "${{ steps.app-token.outputs.token }}" - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: "version-${{ needs.check-inputs.outputs.major_version }}" token: "${{ steps.app-token.outputs.token }}" @@ -87,7 +87,7 @@ jobs: git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}" git push --follow-tags - name: Create Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@aec2ec56f94eb8180ceec724245f64ef008b89f5 # v2 with: token: "${{ steps.app-token.outputs.token }}" tag_name: "version/${{ inputs.version }}" 
@@ -106,7 +106,7 @@ jobs: steps: - id: app-token name: Generate app token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: app-id: ${{ secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} @@ -116,7 +116,7 @@ jobs: run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" env: GH_TOKEN: "${{ steps.app-token.outputs.token }}" - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: repository: "${{ github.repository_owner }}/helm" token: "${{ steps.app-token.outputs.token }}" @@ -128,7 +128,7 @@ jobs: sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml ./scripts/helm-docs.sh - name: Create pull request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: "${{ steps.app-token.outputs.token }}" branch: bump-${{ inputs.version }} @@ -148,7 +148,7 @@ jobs: steps: - id: app-token name: Generate app token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: app-id: ${{ secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} @@ -158,7 +158,7 @@ jobs: run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" env: GH_TOKEN: "${{ steps.app-token.outputs.token }}" - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: repository: "${{ github.repository_owner }}/version" token: "${{ steps.app-token.outputs.token }}" 
@@ -183,7 +183,7 @@ jobs: '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json mv version.new.json version.json - name: Create pull request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: "${{ steps.app-token.outputs.token }}" branch: bump-${{ inputs.version }} diff --git a/.github/workflows/repo-mirror-cleanup.yml b/.github/workflows/repo-mirror-cleanup.yml index 3667cd7bcb..5e01fd8f10 100644 --- a/.github/workflows/repo-mirror-cleanup.yml +++ b/.github/workflows/repo-mirror-cleanup.yml @@ -9,11 +9,11 @@ jobs: if: ${{ github.repository != 'goauthentik/authentik-internal' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 - if: ${{ env.MIRROR_KEY != '' }} - uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb + uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb # 5cf300935bc2e068f73ea69bcc411a8a997208eb with: target_repo_url: git@github.com:goauthentik/authentik-internal.git ssh_private_key: ${{ secrets.GH_MIRROR_KEY }} diff --git a/.github/workflows/repo-mirror.yml b/.github/workflows/repo-mirror.yml index e05f1a76e4..390f19cf1b 100644 --- a/.github/workflows/repo-mirror.yml +++ b/.github/workflows/repo-mirror.yml 
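Review bot: The comment added after the `BeryJu/repository-mirroring-action` pin in repo-mirror-cleanup.yml only repeats the hash, so it says nothing about which upstream release or branch was reviewed. This step receives `ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}`, so it is worth stating what the hash refers to. Either replace the comment with the upstream ref, `… # <upstream tag or branch>` (placeholder, not shown in the patch), or drop it. The repo-mirror.yml hunk that follows adds the identical line.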
@@ -8,11 +8,11 @@ jobs: if: ${{ github.repository != 'goauthentik/authentik-internal' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 - if: ${{ env.MIRROR_KEY != '' }} - uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb + uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb # 5cf300935bc2e068f73ea69bcc411a8a997208eb with: target_repo_url: git@github.com:goauthentik/authentik-internal.git ssh_private_key: ${{ secrets.GH_MIRROR_KEY }} diff --git a/.github/workflows/repo-stale.yml b/.github/workflows/repo-stale.yml index c350553a0e..cacc788540 100644 --- a/.github/workflows/repo-stale.yml +++ b/.github/workflows/repo-stale.yml @@ -16,11 +16,11 @@ jobs: runs-on: ubuntu-latest steps: - id: generate_token - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: - app_id: ${{ secrets.GH_APP_ID }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - - uses: actions/stale@v10 + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10 with: repo-token: ${{ steps.generate_token.outputs.token }} days-before-stale: 60 diff --git a/.github/workflows/translation-advice.yml b/.github/workflows/translation-advice.yml index 6af1282154..50a302b007 100644 --- a/.github/workflows/translation-advice.yml +++ b/.github/workflows/translation-advice.yml 
@@ -20,14 +20,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Find Comment - uses: peter-evans/find-comment@v4 + uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4 id: fc with: issue-number: ${{ github.event.pull_request.number }} comment-author: "github-actions[bot]" body-includes: authentik translations instructions - name: Create or update comment - uses: peter-evans/create-or-update-comment@v5 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} diff --git a/.github/workflows/translation-extract-compile.yml b/.github/workflows/translation-extract-compile.yml index 2a12cb9c2a..5ae4109d9f 100644 --- a/.github/workflows/translation-extract-compile.yml +++ b/.github/workflows/translation-extract-compile.yml @@ -22,15 +22,15 @@ jobs: steps: - id: generate_token if: ${{ github.event_name != 'pull_request' }} - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: - app_id: ${{ secrets.GH_APP_ID }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - - uses: actions/checkout@v5 + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 if: ${{ github.event_name != 'pull_request' }} with: token: ${{ steps.generate_token.outputs.token }} - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 if: ${{ github.event_name == 'pull_request' }} - name: Setup authentik env uses: ./.github/actions/setup 
@@ -45,7 +45,7 @@ jobs: make web-check-compile - name: Create Pull Request if: ${{ github.event_name != 'pull_request' }} - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: ${{ steps.generate_token.outputs.token }} branch: extract-compile-backend-translation diff --git a/.github/workflows/translation-rename.yml b/.github/workflows/translation-rename.yml index 925126d044..57854841d0 100644 --- a/.github/workflows/translation-rename.yml +++ b/.github/workflows/translation-rename.yml @@ -16,12 +16,12 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - id: generate_token - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 with: - app_id: ${{ secrets.GH_APP_ID }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - name: Get current title id: title env: @@ -34,7 +34,7 @@ jobs: GH_TOKEN: ${{ steps.generate_token.outputs.token }} run: | gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies - - uses: peter-evans/enable-pull-request-automerge@v3 + - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3 with: token: ${{ steps.generate_token.outputs.token }} pull-request-number: ${{ github.event.pull_request.number }}
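Review bot: In the `gh pr edit` step of translation-rename.yml, `${{ steps.title.outputs.title }}` is expanded into the `run:` script before the shell parses it, so any shell metacharacters in the title become part of the command. The `title` step is outside the hunk, but it presumably reads the pull request title. The step runs with the app token in `GH_TOKEN`, and the only gate visible is the author-login check in the `if:` line of the previous hunk. Passing the value through the environment avoids the expansion: add `TITLE: ${{ steps.title.outputs.title }}` under the step's `env:` and use `-t "translate: $TITLE"`. The step's first lines are outside the hunk.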