
chore(release): fix incorrect shas from security alert pinning (#5512)

* fix(actions): fix signing action shas

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>

* fix(actions): fix e2e action shas

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>

---------

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Jakob Möller 5 months ago
parent
commit
4392e89376
2 changed files with 10 additions and 5 deletions
  1. 4 2
      .github/actions/e2e/action.yml
  2. 6 3
      .github/actions/sign/action.yml

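--- a/.github/actions/e2e/action.yml
+++ b/.github/actions/e2e/action.yml
@@ -38,7 +38,8 @@ runs:
         restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-
 
     - name: Setup kind
-      uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108e7d49 # v0.5.0
+      # https://github.com/engineerd/setup-kind/releases/tag/v0.5.0
+      uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
       with:
         version: ${{ env.KIND_VERSION }}
         wait: 10m
@@ -46,7 +47,8 @@ runs:
         name: external-secrets
 
     - name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232e5 # v2
+      # https://github.com/docker/setup-buildx-action/releases/tag/v2.10.0
+      uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
       with:
         version: ${{ env.DOCKER_BUILDX_VERSION }}
         install: true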
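Review bot: The corrected engineerd/setup-kind pin on the new `uses:` line differs from the replaced one only in its last hex digits (`…108e7d49` → `…108ae7d0`), which suggests the earlier value was a mistranscribed hash rather than a different commit, and nothing in the hunk shows the new value was checked against the tag named in the trailing comment. Before merge, each new SHA in this file and in the three pins of .github/actions/sign/action.yml should be confirmed against its tag, e.g. `git ls-remote --tags https://github.com/engineerd/setup-kind v0.5.0` (using the `v0.5.0^{}` entry when the tag is annotated, so the commit rather than the tag object is compared). The release-page URL comments added above each `uses:` help a reader find the tag but are not a substitute for that comparison; a CI check that re-derives the commit from the tag would catch the next transcription error automatically. The enclosing `runs:`/`steps:` mapping starts outside the hunk.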

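--- a/.github/actions/sign/action.yml
+++ b/.github/actions/sign/action.yml
@@ -18,12 +18,14 @@ runs:
   steps:
 
     - name: Install cosign
-      uses: sigstore/cosign-installer@42ab207638e63e893c6ead51f15e19ac3e46e6cc # v2
+      # https://github.com/sigstore/cosign-installer/releases/tag/v2.8.1
+      uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
       with:
         cosign-release: v1.13.6
 
     - name: Install Syft
-      uses: anchore/sbom-action/download-syft@f86d330ae046b4a16d86ccc1d9c92e16fefcf304 # v0.7.0
+      # https://github.com/anchore/sbom-action/releases/tag/v0.7.0
+      uses: anchore/sbom-action/download-syft@ce4a7cf05d7b684693d7b6bba97bfbee56806edb # v0.7.0
 
     - name: Check Cosign install
       shell: bash
@@ -83,7 +85,8 @@ runs:
         cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} | jq '.payload |= @base64d | .payload | fromjson'
 
     - name: Generate provenance
-      uses: philips-labs/slsa-provenance-action@c6e428e3b9ea5ab10fa23efc10d6cbf5f0fe62b1 # v0.7.2
+      # https://github.com/philips-labs/slsa-provenance-action/releases/tag/v0.7.2
+      uses: philips-labs/slsa-provenance-action@dddb40e199ae28d4cd2f17bad7f31545556fdd3d # v0.7.2
       with:
         command: generate
         subcommand: container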
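Review bot: Pinning `anchore/sbom-action/download-syft` to a commit in the first hunk fixes the installer action, not the Syft binary it downloads; unlike the cosign step just above it, which pins `cosign-release: v1.13.6`, the Syft step has no `with:` block, so the SBOM generator used in the signing path is whatever the action resolves at run time. If the action at v0.7.0 exposes a `syft-version` input, adding `with:` followed by `syft-version: "<pinned version>"` (placeholder) would make the signing inputs fully reproducible alongside the cosign pin. The hunk at `@@ -83,7 +85,8 @@` lives inside a `steps:` sequence whose start is outside that hunk.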