From 5a746eee30e98d6d1368fac27973c8769199a059 Mon Sep 17 00:00:00 2001
From: Brendan Walsh
Date: Tue, 31 Mar 2026 04:50:25 +0000
Subject: [PATCH] ci: pin GitHub Actions and Docker images to immutable references

Pin all GitHub Actions to commit SHAs and Docker base images to digest hashes to improve supply chain security and satisfy the OpenSSF Scorecard Pinned-Dependencies check.

- Pin GitHub-owned actions (actions/checkout, actions/setup-python, etc.)
- Pin third-party actions (peter-evans/*, lycheeverse/*, etc.)
- Pin Docker base images to SHA256 digests
- Add version comments for maintainability
---
 .github/workflows/acknowledge-new-issues.yml | 2 +-
 .github/workflows/acknowledge-new-prs.yml | 2 +-
 .github/workflows/ado-integration.yml | 2 +-
 .github/workflows/ado-pr-to-workitem.yml | 2 +-
 .github/workflows/check-dead-links.yml | 4 ++--
 .github/workflows/check-semantic-prs.yaml | 2 +-
 .github/workflows/codeql.yml | 8 ++++----
 .github/workflows/dependency-review.yml | 4 ++--
 .github/workflows/pr-validation.yml | 8 ++++----
 .github/workflows/remove-awaiting-response-label.yml | 2 +-
 .github/workflows/remove-old-issues.yml | 2 +-
 .github/workflows/scorecards.yml | 2 +-
 tools/docker/demo/Dockerfile | 2 +-
 tools/docker/minimal/Dockerfile | 2 +-
 tools/helm/livy/Dockerfile | 2 +-
 tools/helm/livy/mini.Dockerfile | 2 +-
 tools/helm/spark/Dockerfile | 2 +-
 tools/helm/spark/mini.Dockerfile | 2 +-
 tools/helm/zeppelin/Dockerfile | 2 +-
 tools/helm/zeppelin/mini.Dockerfile | 2 +-
 20 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/acknowledge-new-issues.yml b/.github/workflows/acknowledge-new-issues.yml
index 3d14aeda01d..03f84516abd 100644
--- a/.github/workflows/acknowledge-new-issues.yml
+++ b/.github/workflows/acknowledge-new-issues.yml
@@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Comment to acknowledge issue - uses: peter-evans/create-or-update-comment@v5 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5 with: issue-number: ${{ github.event.issue.number }} body: |
diff --git a/.github/workflows/acknowledge-new-prs.yml b/.github/workflows/acknowledge-new-prs.yml
index 1380ce88457..969aba898db 100644
--- a/.github/workflows/acknowledge-new-prs.yml
+++ b/.github/workflows/acknowledge-new-prs.yml
@@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Comment to acknowledge PRs - uses: peter-evans/create-or-update-comment@v5 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5 with: issue-number: ${{ github.event.pull_request.number }} body: |
diff --git a/.github/workflows/ado-integration.yml b/.github/workflows/ado-integration.yml
index 11a485d71fe..cc033031a98 100644
--- a/.github/workflows/ado-integration.yml
+++ b/.github/workflows/ado-integration.yml
@@ -9,7 +9,7 @@ jobs: alert: runs-on: ubuntu-latest steps: - - uses: mhamilton723/github-actions-issue-to-work-item@master + - uses: mhamilton723/github-actions-issue-to-work-item@9bd9d44197557fd55cc7043512a84ea7aa4489d3 # master env: ado_token: "${{ secrets.ADO_PERSONAL_ACCESS_TOKEN }}" github_token: "${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}"
diff --git a/.github/workflows/ado-pr-to-workitem.yml b/.github/workflows/ado-pr-to-workitem.yml
index 8a238371423..9e64474bb05 100644
--- a/.github/workflows/ado-pr-to-workitem.yml
+++ b/.github/workflows/ado-pr-to-workitem.yml
@@ -10,7 +10,7 @@ jobs: alert: runs-on: ubuntu-latest steps: - - uses: danhellem/github-actions-pr-to-work-item@master + - uses: danhellem/github-actions-pr-to-work-item@496254e48adbe7f1ed14a8afb71dc520b2c052ac # master env: ado_token: '${{ secrets.ADO_PERSONAL_ACCESS_TOKEN }}' github_token: '${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}'
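Review bot: The new `uses:` line records only the floating major tag (`# v5`) beside the commit SHA, so a reader cannot tell which release the SHA was resolved from; the same pattern appears in acknowledge-new-prs.yml, check-dead-links.yml, codeql.yml, dependency-review.yml, pr-validation.yml, remove-awaiting-response-label.yml (`# v2.x`), remove-old-issues.yml and scorecards.yml, whereas check-semantic-prs.yaml already records the full `# v5.4.0`. Recording the exact tag, e.g. `# v5.<minor>.<patch>` (constructed placeholder, to be replaced by the tag the SHA resolves to), keeps the pin auditable and gives Dependabot or Renovate an unambiguous version to bump from. The SHA-to-tag mapping cannot be checked from the diff alone, so it is worth confirming before merge that each SHA is reachable from the named tag in the upstream repository. If the repository's Dependabot configuration does not yet enable the `github-actions` ecosystem, these pins will otherwise stay frozen at this snapshot.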
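Review bot: The `# master` comment on the new `uses:` line names a branch rather than a release, so it does not say which snapshot of mhamilton723/github-actions-issue-to-work-item was reviewed or when; the same applies to danhellem/github-actions-pr-to-work-item in ado-pr-to-workitem.yml. Both steps pass the action `ADO_PERSONAL_ACCESS_TOKEN` and `GH_PERSONAL_ACCESS_TOKEN` via the context lines below the pin, which makes the pinned revision worth documenting precisely. Suggest a comment such as `# master as of <YYYY-MM-DD>; no upstream release tag` (placeholder date; confirm against upstream whether a tag exists), and note that automated pin updaters cannot follow a branch, so these two SHAs need a manual review cadence.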
diff --git a/.github/workflows/check-dead-links.yml b/.github/workflows/check-dead-links.yml
index 99f30184f14..5d5a08a6362 100644
--- a/.github/workflows/check-dead-links.yml
+++ b/.github/workflows/check-dead-links.yml
@@ -15,7 +15,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Fetch sitemap URLs run: |
@@ -26,7 +26,7 @@ jobs: echo "Found $(wc -l < urls.txt) URLs in sitemap" - name: Scan for dead links - uses: lycheeverse/lychee-action@v2 + uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2 with: args: >- --no-progress
diff --git a/.github/workflows/check-semantic-prs.yaml b/.github/workflows/check-semantic-prs.yaml
index cbb5736cd02..711bfdb425f 100644
--- a/.github/workflows/check-semantic-prs.yaml
+++ b/.github/workflows/check-semantic-prs.yaml
@@ -13,6 +13,6 @@ jobs: name: Validate PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5.4.0 + - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 616775e96a4..7104cb6d298 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,11 +42,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3 # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +73,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3 with: category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index af385f8c143..c16fcc109b9 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -14,10 +14,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Dependency Review - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4 with: fail-on-severity: high comment-summary-in-pr: always
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 85bfae3c347..0c9c22cf463 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -12,10 +12,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.12"
@@ -30,10 +30,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up JDK 11 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11
diff --git a/.github/workflows/remove-awaiting-response-label.yml b/.github/workflows/remove-awaiting-response-label.yml
index 1ff1e4b94d1..0882e81d16c 100644
--- a/.github/workflows/remove-awaiting-response-label.yml
+++ b/.github/workflows/remove-awaiting-response-label.yml
@@ -13,7 +13,7 @@ jobs: github.event.comment.author_association != 'COLLABORATOR' steps: - name: Remove needs-reply label - uses: octokit/request-action@v2.x + uses: octokit/request-action@02f5e7c637a73a3b12ed81015fa7fb5f11cc5d7d # v2.x continue-on-error: true with: route: DELETE /repos/:repository/issues/:issue/labels/:label
diff --git a/.github/workflows/remove-old-issues.yml b/.github/workflows/remove-old-issues.yml
index 51c9b2e41c1..b9589fea9f7 100644
--- a/.github/workflows/remove-old-issues.yml
+++ b/.github/workflows/remove-old-issues.yml
@@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Close old issues that need reply - uses: dwieeb/needs-reply@v2 + uses: dwieeb/needs-reply@71e8d5144caa0d4a1e292348bfafa3866d08c855 # v2 with: repo-token: ${{ secrets.GITHUB_TOKEN }} issue-label: "awaiting response"
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 818f9d23863..c6e3b51d85e 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -32,7 +32,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v4 # v3.1.0 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: persist-credentials: false
diff --git a/tools/docker/demo/Dockerfile b/tools/docker/demo/Dockerfile
index 7783abad272..24e4683c1d2 100644
--- a/tools/docker/demo/Dockerfile
+++ b/tools/docker/demo/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/mirror/docker/library/ubuntu:22.04
+FROM mcr.microsoft.com/mirror/docker/library/ubuntu:22.04@sha256:104ae83764a5119017b8e8d6218fa0832b09df65aae7d5a6de29a85d813da2fb
 ARG SYNAPSEML_VERSION=1.1.2
 ARG DEBIAN_FRONTEND=noninteractive
diff --git a/tools/docker/minimal/Dockerfile b/tools/docker/minimal/Dockerfile
index d72981da7b6..566ad04e4d2 100644
--- a/tools/docker/minimal/Dockerfile
+++ b/tools/docker/minimal/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/mirror/docker/library/ubuntu:22.04
+FROM mcr.microsoft.com/mirror/docker/library/ubuntu:22.04@sha256:104ae83764a5119017b8e8d6218fa0832b09df65aae7d5a6de29a85d813da2fb
 ARG SYNAPSEML_VERSION=1.1.2
 ARG DEBIAN_FRONTEND=noninteractive
diff --git a/tools/helm/livy/Dockerfile b/tools/helm/livy/Dockerfile
index 19c4fffaac3..9ce97cf6780 100644
--- a/tools/helm/livy/Dockerfile
+++ b/tools/helm/livy/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/openjdk/jdk:11-mariner
+FROM mcr.microsoft.com/openjdk/jdk:11-mariner@sha256:844a36373ab341f993c7258addee6d7d66b6ef93c264ea4b367d96fc5663b7d1
 LABEL maintainer="Dalitso Banda dalitsohb@gmail.com"
 # Get Spark from US Apache mirror.
diff --git a/tools/helm/livy/mini.Dockerfile b/tools/helm/livy/mini.Dockerfile
index 07caa82f0e6..fecd622880c 100644
--- a/tools/helm/livy/mini.Dockerfile
+++ b/tools/helm/livy/mini.Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/mmlspark/spark2.4:v4_mini
+FROM mcr.microsoft.com/mmlspark/spark2.4:v4_mini@sha256:a7da0d7cd86ab374d1f0dc7ae4cd35260f8798f8e40a4e4e818748f61a389279
 MAINTAINER Dalitso Banda
 ENV LIVY_VERSION="git_master"
diff --git a/tools/helm/spark/Dockerfile b/tools/helm/spark/Dockerfile
index d5200fc15a0..2e42b1e7c66 100644
--- a/tools/helm/spark/Dockerfile
+++ b/tools/helm/spark/Dockerfile
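Review bot: The digest-pinned `FROM` line carries no comment recording the tag it was resolved from or when, unlike the workflow pins in this patch; once a digest is present the `ubuntu:22.04` tag no longer drives resolution, so nothing on the line tells a maintainer how old the snapshot is. The same applies to tools/docker/minimal/Dockerfile and to the `jdk:11-mariner` and `spark2.4:v4_mini` digests in the six tools/helm Dockerfiles. A digest freezes the base image's package set, so unless the repository's Dependabot configuration already covers the `docker` ecosystem, rebuilds will stop picking up base-image security patches. Suggest a comment above each `FROM`, e.g. `# ubuntu:22.04 resolved <YYYY-MM-DD>; refresh digest via Dependabot (docker ecosystem)` (placeholder date).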
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/openjdk/jdk:11-mariner
+FROM mcr.microsoft.com/openjdk/jdk:11-mariner@sha256:844a36373ab341f993c7258addee6d7d66b6ef93c264ea4b367d96fc5663b7d1
 LABEL maintainer="Dalitso Banda dalitsohb@gmail.com"
 # Get Spark from US Apache mirror.
diff --git a/tools/helm/spark/mini.Dockerfile b/tools/helm/spark/mini.Dockerfile
index 05913f4b0b0..9078ffdb91a 100644
--- a/tools/helm/spark/mini.Dockerfile
+++ b/tools/helm/spark/mini.Dockerfile
@@ -15,7 +15,7 @@
 # limitations under the License.
 #
-FROM mcr.microsoft.com/openjdk/jdk:11-mariner
+FROM mcr.microsoft.com/openjdk/jdk:11-mariner@sha256:844a36373ab341f993c7258addee6d7d66b6ef93c264ea4b367d96fc5663b7d1
 ARG spark_jars=jars
 ARG img_path=kubernetes/dockerfiles
diff --git a/tools/helm/zeppelin/Dockerfile b/tools/helm/zeppelin/Dockerfile
index 6f92ed02039..b572c2b180a 100644
--- a/tools/helm/zeppelin/Dockerfile
+++ b/tools/helm/zeppelin/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/openjdk/jdk:11-mariner
+FROM mcr.microsoft.com/openjdk/jdk:11-mariner@sha256:844a36373ab341f993c7258addee6d7d66b6ef93c264ea4b367d96fc5663b7d1
 LABEL maintainer="Dalitso Banda dalitsohb@gmail.com"
 # Get Spark from US Apache mirror.
diff --git a/tools/helm/zeppelin/mini.Dockerfile b/tools/helm/zeppelin/mini.Dockerfile
index 6b126a81543..b0f751a4bd5 100644
--- a/tools/helm/zeppelin/mini.Dockerfile
+++ b/tools/helm/zeppelin/mini.Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/mmlspark/spark2.4:v4_mini
+FROM mcr.microsoft.com/mmlspark/spark2.4:v4_mini@sha256:a7da0d7cd86ab374d1f0dc7ae4cd35260f8798f8e40a4e4e818748f61a389279
 MAINTAINER Dalitso Banda
 ADD patch_beam.patch /tmp/patch_beam.patch