
Commit aabaab1

Feature: Hash-pin sensitive workflow dependencies and enable dependabot for them (#332)
* feat: hash-pin sensitive workflows

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>

* feat: configure dependabot to run over github actions

This also specifies how dependabot will work on updates for go modules. The config is set up to:

- Update github actions together in a single monthly PR
- Version updates for GO modules from "/go.mod" will be sent together in a weekly PR.
- Version updates for GO modules from "/v2/go.mod" will be sent separately from the ones in "/go.mod", but will also be sent together in a weekly PR.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>

---------

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
1 parent 0bd0398 commit aabaab1


2 files changed

+33
-5
lines changed


.github/dependabot.yml

+28
@@ -0,0 +1,28 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: "github-actions"
4+
directory: "/"
5+
schedule:
6+
interval: "monthly"
7+
groups:
8+
github-actions:
9+
patterns:
10+
- "*"
11+
12+
- package-ecosystem: "gomod"
13+
directory: "/"
14+
schedule:
15+
interval: "weekly"
16+
groups:
17+
github-actions:
18+
patterns:
19+
- "*"
20+
21+
- package-ecosystem: "gomod"
22+
directory: "/v2"
23+
schedule:
24+
interval: "weekly"
25+
groups:
26+
github-actions:
27+
patterns:
28+
- "*"
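Review bot: the two `gomod` entries (lines 12-28 of the new file) reuse the group name `github-actions` for Go module updates, which looks like a copy-paste of the first block and will produce grouped PRs titled after the wrong ecosystem. The group name is free-form, so rename them to something like `go-modules` and `go-modules-v2`; the `patterns: ["*"]` grouping itself is fine and matches the commit message's intent of one weekly PR per `go.mod`.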

.github/workflows/ci-update-workflow.yml

+5-5
@@ -19,12 +19,12 @@ jobs:
1919
id-token: write # Enable OIDC
2020
steps:
2121
- id: 'auth'
22-
uses: 'google-github-actions/auth@v1'
22+
uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 # v1.3.0
2323
with:
2424
credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
2525

2626
- name: 'Set up Cloud SDK'
27-
uses: 'google-github-actions/setup-gcloud@v1'
27+
uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
2828

2929
- name: Get available Go versions
3030
run: |
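Review bot: the trailing `# v1.3.0` and `# v1.1.1` comments next to the new SHA pins are load-bearing, not decoration: Dependabot uses that version comment to recognise which release a hash-pinned action corresponds to and to rewrite both the SHA and the comment on update, so keep the `# vX.Y.Z` form exactly and do not drop it when editing these lines. Dropping the single quotes around the `uses:` values is fine YAML and needs no change.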
@@ -35,11 +35,11 @@ jobs:
3535
id: get_versions
3636

3737
- name: Checkout appengine repo
38-
uses: actions/checkout@v2
38+
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
3939

4040
# Sign the commit.
4141
# https://www.chainguard.dev/unchained/keyless-git-commit-signing-with-gitsign-and-github-actions
42-
- uses: chainguard-dev/actions/setup-gitsign@main
42+
- uses: chainguard-dev/actions/setup-gitsign@e74da3cd82dab55e35736f1ef031a12fa5b95299 # main
4343

4444
- name: Update Go versions
4545
run: |
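Review bot: `chainguard-dev/actions/setup-gitsign@e74da3c... # main` pins a commit that tracks a branch rather than a tagged release, so the `# main` comment gives Dependabot no version to follow and this pin will not be bumped by the new monthly group the way the tagged ones are. Either pin to a tagged release of that repository if one exists, or add a short comment stating that this SHA must be refreshed by hand; the `actions/checkout` pin on line 38 is in the tracked `# v2.7.0` form and is fine.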
@@ -58,7 +58,7 @@ jobs:
5858
sed -i "0,/^ go-version: \[.*/s// go-version: \[$versions_str\]/" .github/workflows/ci-v2.yaml
5959
6060
- name: Create Pull Request
61-
uses: peter-evans/create-pull-request@v4
61+
uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4
6262
with:
6363
token: ${{ secrets.GITHUB_TOKEN }}
6464
commit-message: Update go-version matrix
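Review bot: this is the step where hash-pinning matters most, because `peter-evans/create-pull-request` is a third-party action that is handed `secrets.GITHUB_TOKEN`; a mutable `@v4` tag could be retargeted upstream to code that misuses that token, whereas the `38e0b6e...` SHA cannot change. Worth a one-line comment above `uses:` saying the pin is intentional so a later cleanup does not relax it back to a tag.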
