From 5cae35e57366d006c922823cb5850d31c4f65530 Mon Sep 17 00:00:00 2001
From: Will Da Silva
Date: Fri, 14 Mar 2025 23:15:44 -0400
Subject: [PATCH] chore: pin GitHub Actions versions to commit hashes

This will help prevent attacks such as [this one](https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/). Dependabot is able to update these versions automatically, and it will preserve the readable version comments.
---
 .github/workflows/clean_snowflake.yml | 6 ++--
 .github/workflows/el_ssa_ip_addresses.yml | 6 ++--
 .github/workflows/hub_metrics_publish.yml | 6 ++--
 .github/workflows/prod_deploy.yml | 6 ++--
 .github/workflows/slack_notifications.yml | 6 ++--
 .github/workflows/test.yml | 34 +++++++++++------------
 6 files changed, 32 insertions(+), 32 deletions(-)

diff --git a/.github/workflows/clean_snowflake.yml b/.github/workflows/clean_snowflake.yml
index 3d38af46..25069d4b 100644
--- a/.github/workflows/clean_snowflake.yml
+++ b/.github/workflows/clean_snowflake.yml
@@ -18,15 +18,15 @@ jobs:
 MELTANO_SEND_ANONYMOUS_USAGE_STATS: 'false'
 CI_BRANCH: 'b${{ github.SHA }}'
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '3.8'
 cache: 'pip'
 - run: pip install -r requirements.txt
 - run: echo "${{secrets.MELTANO_ENV_FILE }}" > .env
 # Add SSH key for accessing private dbt package repo
- - uses: webfactory/ssh-agent@v0.7.0
+ - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
 with:
 ssh-private-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
 - run: meltano install utility dbt-snowflake
diff --git a/.github/workflows/el_ssa_ip_addresses.yml b/.github/workflows/el_ssa_ip_addresses.yml
index cce35fbd..529baa79 100644
--- a/.github/workflows/el_ssa_ip_addresses.yml
+++ b/.github/workflows/el_ssa_ip_addresses.yml
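Review bot: The added `uses:` lines in clean_snowflake.yml change versions as well as pinning them (`actions/checkout` v3 to v4.2.2, `actions/setup-python` v4 to v5.4.0, `webfactory/ssh-agent` v0.7.0 to v0.9.0), and the commit title mentions only the pin; every other non-trivial hunk in this patch does the same. The trailing `# v4.2.2`-style comments are free text that GitHub does not check against the hash, so each 40-character SHA should be confirmed as the commit the upstream tag points to in the action's own repository rather than one reachable only through a fork. I would add a sentence to the description such as `This also moves checkout to v4, setup-python to v5 and ssh-agent to v0.9.0.` so the major-version jump is reviewed on purpose. The job body continues outside the hunk.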
@@ -18,8 +18,8 @@ jobs:
 MELTANO_SEND_ANONYMOUS_USAGE_STATS: 'false'
 SNOWFLAKE_PASSWORD: ${{ secrets.SNOWFLAKE_PASSWORD }}
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '3.8'
 cache: 'pip'
@@ -28,4 +28,4 @@ jobs:
 # Install Plugins
 - run: meltano install --schedule=spreadsheets_anywhere_el
 # Run Test
- - run: meltano run spreadsheets_anywhere_el
\ No newline at end of file
+ - run: meltano run spreadsheets_anywhere_el
diff --git a/.github/workflows/hub_metrics_publish.yml b/.github/workflows/hub_metrics_publish.yml
index d1f73b13..63c71684 100644
--- a/.github/workflows/hub_metrics_publish.yml
+++ b/.github/workflows/hub_metrics_publish.yml
@@ -22,8 +22,8 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '3.8'
 cache: 'pip'
@@ -32,4 +32,4 @@ jobs:
 # Install Plugins
 - run: meltano install --schedule=hub_metrics_publish
 # Run Test
- - run: meltano run hub_metrics_publish
\ No newline at end of file
+ - run: meltano run hub_metrics_publish
diff --git a/.github/workflows/prod_deploy.yml b/.github/workflows/prod_deploy.yml
index 121086f7..23a0f7c3 100644
--- a/.github/workflows/prod_deploy.yml
+++ b/.github/workflows/prod_deploy.yml
@@ -20,13 +20,13 @@ jobs:
 CI_BRANCH: 'b${{ github.SHA }}'
 SNOWFLAKE_PASSWORD: ${{ secrets.SNOWFLAKE_PASSWORD }}
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '3.8'
 cache: 'pip'
 # Add SSH key for accessing private dbt package repo
- - uses: webfactory/ssh-agent@v0.7.0
+ - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
 with:
 ssh-private-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
 - run: pip install -r requirements.txt
diff --git a/.github/workflows/slack_notifications.yml b/.github/workflows/slack_notifications.yml
index d5deac4c..bbdf3530 100644
--- a/.github/workflows/slack_notifications.yml
+++ b/.github/workflows/slack_notifications.yml
@@ -22,8 +22,8 @@ jobs:
 TARGET_APPRISE_SINGER_ACTIVITY_URIS: ${{ secrets.TARGET_APPRISE_SINGER_ACTIVITY_URIS }}
 TARGET_APPRISE_MELTANO_ACTIVITY_URIS: ${{ secrets.TARGET_APPRISE_MELTANO_ACTIVITY_URIS }}
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '3.8'
 cache: 'pip'
@@ -32,4 +32,4 @@ jobs:
 # Install Plugins
 - run: meltano install --schedule=slack_notifications
 # Run Test
- - run: meltano run slack_notifications
\ No newline at end of file
+ - run: meltano run slack_notifications
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 58f04566..7dd66bbd 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
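Review bot: The hash pins added to prod_deploy.yml, the workflow that receives `SNOWFLAKE_PASSWORD` and `GIT_SSH_PRIVATE_KEY`, only stay current if Dependabot is watching workflow files, and the diffstat shows no `.github/dependabot.yml` in this patch. If the repository does not already have one, the pins will freeze at today's commits and later security fixes to these actions will not arrive; an `updates:` entry with `package-ecosystem: "github-actions"`, `directory: "/"` and a `schedule.interval` would cover all six workflows. The steps list continues outside the hunk.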
@@ -18,8 +18,8 @@ jobs:
 MELTANO_SEND_ANONYMOUS_USAGE_STATS: 'false'
 CI_BRANCH: 'b${{ github.SHA }}'
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '3.8'
 cache: 'pip'
@@ -40,15 +40,15 @@ jobs:
 MELTANO_SEND_ANONYMOUS_USAGE_STATS: 'false'
 CI_BRANCH: 'b${{ github.SHA }}'
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '3.8'
 cache: 'pip'
 - run: pip install -r requirements.txt
 - run: echo "${{secrets.MELTANO_ENV_FILE }}" > .env
 # Add SSH key for accessing private dbt package repo
- - uses: webfactory/ssh-agent@v0.7.0
+ - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
 with:
 ssh-private-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
 # Run Test
@@ -68,15 +68,15 @@ jobs:
 MELTANO_SEND_ANONYMOUS_USAGE_STATS: 'false'
 CI_BRANCH: 'b${{ github.SHA }}'
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '3.8'
 cache: 'pip'
 - run: pip install -r requirements.txt
 - run: echo "${{secrets.MELTANO_ENV_FILE }}" > .env
 # Add SSH key for accessing private dbt package repo
- - uses: webfactory/ssh-agent@v0.7.0
+ - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
 with:
 ssh-private-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
 # Run Test
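Review bot: The context line `- run: echo "${{secrets.MELTANO_ENV_FILE }}" > .env` in the second and third test.yml hunks is left as it was, and it pastes the secret into the script text before the shell parses it, so any quote, `$` or backtick in the value is interpreted by the shell rather than written to the file. The same line appears in the clean_snowflake.yml hunk and in the later test.yml hunks. Handing the value over through the step environment keeps it as data: give the step `env:` with `MELTANO_ENV_FILE: ${{ secrets.MELTANO_ENV_FILE }}` and change the command to `run: printf '%s\n' "$MELTANO_ENV_FILE" > .env`. Each job's step list continues outside these hunks.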
@@ -98,8 +98,8 @@ jobs:
 MELTANO_SEND_ANONYMOUS_USAGE_STATS: 'false'
 CI_BRANCH: 'b${{ github.SHA }}'
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '3.8'
 cache: 'pip'
@@ -110,7 +110,7 @@ jobs:
 - run: echo "DEFAULT_START_DATE_2HR=$(date +'%Y-%m-%d %H:%M:%S' -d '2 hours ago')" >> $GITHUB_ENV
 - run: echo "${{secrets.MELTANO_ENV_FILE }}" > .env
 # Add SSH key for accessing private dbt package repo
- - uses: webfactory/ssh-agent@v0.7.0
+ - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
 with:
 ssh-private-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
 # Install Plugins
@@ -130,15 +130,15 @@ jobs:
 MELTANO_SEND_ANONYMOUS_USAGE_STATS: 'false'
 CI_BRANCH: 'b${{ github.SHA }}'
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '3.8'
 cache: 'pip'
 - run: pip install -r requirements.txt
 - run: echo "${{secrets.MELTANO_ENV_FILE }}" > .env
 # Add SSH key for accessing private dbt package repo
- - uses: webfactory/ssh-agent@v0.7.0
+ - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
 with:
 ssh-private-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
 # Run Test
@@ -161,15 +161,15 @@ jobs:
 TAP_SNOWFLAKE_SINGER_ACTIVITY: '["b${{ github.SHA }}_MELTANO_HUB.SINGER_ACTIVITY_NOTIFICATIONS"]'
 TAP_SNOWFLAKE_MELTANO_ACTIVITY: '["b${{ github.SHA }}_MELTANO_HUB.MELTANO_ACTIVITY_NOTIFICATIONS"]'
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '3.8'
 cache: 'pip'
 - run: pip install -r requirements.txt
 - run: echo "${{secrets.MELTANO_ENV_FILE }}" > .env
 # Add SSH key for accessing private dbt package repo
- - uses: webfactory/ssh-agent@v0.7.0
+ - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
 with:
 ssh-private-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
 # Install Plugins