[llvm] [Github][CI] Hashpin actions dependencies (PR #127011)
Aiden Grossman via llvm-commits
llvm-commits at lists.llvm.org
Wed Feb 12 20:35:55 PST 2025
https://github.com/boomanaiden154 created https://github.com/llvm/llvm-project/pull/127011
This patch has pins several actions dependencies in the premerge workflow and the Windows/Linux container build workflows to help improve security in the unlikely event that someone tries to pull off a supply chain security attack by modifying release asserts for these actions.
>From 151988c15d3a22bacc65702be9c2e1fdaf0b29f5 Mon Sep 17 00:00:00 2001
From: Aiden Grossman <aidengrossman at google.com>
Date: Thu, 13 Feb 2025 04:34:11 +0000
Subject: [PATCH] [Github][CI] Hashpin actions dependencies
This patch has pins several actions dependencies in the premerge workflow and
the Windows/Linux container build workflows to help improve security in the
unlikely event that someone tries to pull off a supply chain security attack
by modifying release asserts for these actions.
---
.github/workflows/build-ci-container-windows.yml | 6 +++---
.github/workflows/build-ci-container.yml | 6 +++---
.github/workflows/premerge.yaml | 12 ++++++------
3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/build-ci-container-windows.yml b/.github/workflows/build-ci-container-windows.yml
index bba34066a97cd..068cb58301080 100644
--- a/.github/workflows/build-ci-container-windows.yml
+++ b/.github/workflows/build-ci-container-windows.yml
@@ -27,7 +27,7 @@ jobs:
container-filename: ${{ steps.vars.outputs.container-filename }}
steps:
- name: Checkout LLVM
- uses: actions/checkout at v4
+ uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/workflows/containers/github-action-ci-windows
- name: Write Variables
@@ -46,7 +46,7 @@ jobs:
run: |
docker save ${{ steps.vars.outputs.container-name-tag }} > ${{ steps.vars.outputs.container-filename }}
- name: Upload container image
- uses: actions/upload-artifact at v4
+ uses: actions/upload-artifact at 65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: container
path: ${{ steps.vars.outputs.container-filename }}
@@ -63,7 +63,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Download container
- uses: actions/download-artifact at v4
+ uses: actions/download-artifact at fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: container
- name: Push Container
diff --git a/.github/workflows/build-ci-container.yml b/.github/workflows/build-ci-container.yml
index 8272c8f6e266f..1921a3675166d 100644
--- a/.github/workflows/build-ci-container.yml
+++ b/.github/workflows/build-ci-container.yml
@@ -32,7 +32,7 @@ jobs:
runs-on: depot-ubuntu-22.04-arm-16
steps:
- name: Checkout LLVM
- uses: actions/checkout at v4
+ uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/workflows/containers/github-action-ci/
# podman is not installed by default on the ARM64 images.
@@ -66,7 +66,7 @@ jobs:
podman save ${{ steps.vars.outputs.container-name-agent-tag }} > ${{ steps.vars.outputs.container-agent-filename }}
- name: Upload container image
- uses: actions/upload-artifact at v4
+ uses: actions/upload-artifact at 65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: container-${{ matrix.arch }}
path: "*.tar"
@@ -90,7 +90,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Download container
- uses: actions/download-artifact at v4
+ uses: actions/download-artifact at fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
- name: Push Container
run: |
diff --git a/.github/workflows/premerge.yaml b/.github/workflows/premerge.yaml
index 178ab191a58be..5ec6e8f40efaa 100644
--- a/.github/workflows/premerge.yaml
+++ b/.github/workflows/premerge.yaml
@@ -33,11 +33,11 @@ jobs:
runs-on: llvm-premerge-linux-runners
steps:
- name: Checkout LLVM
- uses: actions/checkout at v4
+ uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 2
- name: Setup ccache
- uses: hendrikmuhs/ccache-action at v1.2.14
+ uses: hendrikmuhs/ccache-action at a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
with:
max-size: "2000M"
- name: Build and Test
@@ -94,11 +94,11 @@ jobs:
shell: bash
steps:
- name: Checkout LLVM
- uses: actions/checkout at v4
+ uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 2
- name: Setup ccache
- uses: hendrikmuhs/ccache-action at v1.2.14
+ uses: hendrikmuhs/ccache-action at a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
with:
variant: "sccache"
max-size: "2000M"
@@ -153,11 +153,11 @@ jobs:
(github.event_name != 'pull_request' || github.event.action != 'closed')
steps:
- name: Checkout LLVM
- uses: actions/checkout at v4
+ uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 2
- name: Setup ccache
- uses: hendrikmuhs/ccache-action at v1.2.14
+ uses: hendrikmuhs/ccache-action at a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
with:
max-size: "2000M"
- name: Install Ninja
More information about the llvm-commits
mailing list