chore(deps) upgrade various GH actions (#170)

* chore(ci): update comment in dependency review action * chore(deps): use commit id for action/setup-go version * deps(gha): upgrade docker/setup-buildx-action to v3.0.0 * deps(gha): upgrade docker/metadata-action to v5.0.0 * deps(gha): upgrade docker/login-action to v3.0.0 * deps(gha): upgrade docker/build-push-action to v5.0.0 * deps(gha): upgrade docker/setup-qemu-action to v3.0.0 Release notes: https://github.com/docker/setup-qemu-action/releases/tag/v3.0.0 * deps(gha): use commit id for dependency-review-action * deps(gha): upgrade goreleaser-action to v5.0.0 Release notes: https://github.com/goreleaser/goreleaser-action/releases/tag/v5.0.0 * deps(gha): use commit id for golangci-lint-action Pin to v3.7.0 Release notes: https://github.com/golangci/golangci-lint-action/releases/tag/v3.7.0
2024-12-14 11:57:56 +00:00 · 2023-09-14 15:33:53 -07:00 · 2023-09-14 15:33:53 -07:00 · 50cd583328
commit 50cd583328
parent 2511849a2d
5 changed files with 18 additions and 13 deletions
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@ -1,9 +1,14 @@
 # Dependency Review Action
 #
-# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+# This workflow scans dependency manifest files that change as part of a pull
+# reqest, surfacing known-vulnerable versions of the packages declared or
+# updated in the PR.
+# If the workflow run is marked as required, PRs introducing known-vulnerable
+# packages will be blocked from merging.
 #
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+#
 name: 'Dependency Review'
 on: [pull_request]

@ -17,4 +22,4 @@ jobs:
      - name: 'Checkout Repository'
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@ -31,24 +31,24 @@ jobs:
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      # This action can be useful if you want to add emulation
      # support with QEMU to be able to build against more platforms.
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

      # This action will create and boot a builder using
      # by default the docker-container builder driver.
      # Recommended for build multi-platform images, export cache, etc.
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Log into ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@ -57,7 +57,7 @@ jobs:
      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -13,8 +13,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:

-    - name: Set up Go 1.x
-      uses: actions/setup-go@v4
+    - name: Set up Go
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
      with:
        go-version: ^1.19
      id: go
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@ -12,12 +12,12 @@ jobs:
    name: lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.19
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
        with:
          # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
          version: v1.48
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -16,11 +16,11 @@ jobs:
      with:
        fetch-depth: 0
    - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
      with:
        go-version: 1.19
    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v4
+      uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
      with:
        distribution: goreleaser
        version: latest