From d687494141272b86158e1dafcd1310f984241bd7 Mon Sep 17 00:00:00 2001 From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:25:55 +0200 Subject: [PATCH 01/12] chore: pin actions to SHA in .github/workflows/build-runner.yaml --- .github/workflows/build-runner.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-runner.yaml b/.github/workflows/build-runner.yaml index e18cd8e67..747ab7b7c 100644 --- a/.github/workflows/build-runner.yaml +++ b/.github/workflows/build-runner.yaml @@ -25,10 +25,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "๐Ÿ”ง Login to GitHub Container Registry" - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} From 806a0a50ea59199ac60d9b16558547f335d01ab9 Mon Sep 17 00:00:00 2001 From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:25:56 +0200 Subject: [PATCH 02/12] chore: pin actions to SHA in .github/workflows/clean-bazel-caches.yaml --- .github/workflows/clean-bazel-caches.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/clean-bazel-caches.yaml b/.github/workflows/clean-bazel-caches.yaml index fbfc8cb0c..7f2a05dbf 100644 --- a/.github/workflows/clean-bazel-caches.yaml +++ b/.github/workflows/clean-bazel-caches.yaml 
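Review bot: Nothing in this 12-patch series adds or touches an automated updater configuration, so the SHA pins introduced on the `uses:` lines of this hunk (and of every later hunk) stay frozen unless the repository already has one. Confirm that Dependabot or Renovate covers the `github-actions` ecosystem, since both can bump a pinned SHA and rewrite a trailing comment such as `# v4.3.1`. Before merging, check each SHA against the upstream tag named in its comment, because GitHub runs the SHA and never validates the comment. The job's step list continues outside the hunk.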
@@ -18,12 +18,12 @@ jobs: matrix: runner: [1, 2, 3, 4] # We currently have 4 runners, adjust this number if more runners are added steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 1 - name: "โ˜๏ธ Setup bazelisk" - uses: bazelbuild/setup-bazelisk@v3 + uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3 - name: Clean Bazel Cache run: | From fd9dc459ec7b92e6ba5c1ef20274c062b2aeaa70 Mon Sep 17 00:00:00 2001 From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:25:57 +0200 Subject: [PATCH 03/12] chore: pin actions to SHA in .github/workflows/dashboard.yaml --- .github/workflows/dashboard.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dashboard.yaml b/.github/workflows/dashboard.yaml index b46eef67a..97c846be3 100644 --- a/.github/workflows/dashboard.yaml +++ b/.github/workflows/dashboard.yaml @@ -21,13 +21,13 @@ jobs: build: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "๐Ÿš€ Building" run: | docker build -t ghcr.io/dfinity/dre/ic-management-frontend:$GITHUB_SHA -f dashboard/Dockerfile dashboard - name: "๐Ÿ”ง Login to GitHub Container Registry" - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} From 0e9eeacd1350ce1633f91d7282d0e3f19967355a Mon Sep 17 00:00:00 2001 From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:25:59 +0200 Subject: [PATCH 04/12] chore: pin actions to SHA in .github/workflows/dre-release.yaml --- .github/workflows/dre-release.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
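Review bot: The comment on `bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3` names only a major tag, unlike the exact releases recorded elsewhere in the series (`# v4.3.1`, `# v3.7.0`). If `v3` is a moving tag upstream, the comment will stop identifying the release this SHA came from once the tag is re-pointed. Where upstream publishes an exact tag for this commit, record it instead, e.g. `# vX.Y.Z` (placeholder). The same question applies to `dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11` in msd-diff.yaml.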
diff --git a/.github/workflows/dre-release.yaml b/.github/workflows/dre-release.yaml index aad49ef0f..e587d7db2 100644 --- a/.github/workflows/dre-release.yaml +++ b/.github/workflows/dre-release.yaml @@ -14,7 +14,7 @@ jobs: labels: dre-runner-custom container: ghcr.io/dfinity/dre/actions-runner:6413f2909a49329ecbf5371ee7ddf07a9799b625 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "โ˜๏ธ Setup runner" uses: ./.github/workflows/manage-runner-pre @@ -31,7 +31,7 @@ jobs: needs: [test] runs-on: macos-14 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 @@ -54,7 +54,7 @@ jobs: echo "toolchain=$ver" >> "$GITHUB_OUTPUT" - name: Set up Rust toolchain - uses: dtolnay/rust-toolchain@master + uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master with: toolchain: ${{ steps.rust.outputs.toolchain }} @@ -79,7 +79,7 @@ jobs: cargo build --release -p dre --target aarch64-apple-darwin - name: Upload macOS aarch64 artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: dre-aarch64-apple-darwin path: target/aarch64-apple-darwin/release/dre @@ -97,7 +97,7 @@ jobs: cargo build --release -p dre --target x86_64-apple-darwin - name: Upload macOS x86_64 artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: dre-x86_64-apple-darwin path: target/x86_64-apple-darwin/release/dre @@ -113,7 +113,7 @@ jobs: packages: write pages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-tags: true fetch-depth: 0 
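Review bot: The context line `container: ghcr.io/dfinity/dre/actions-runner:6413f2909a49329ecbf5371ee7ddf07a9799b625` in the first dre-release.yaml hunk still selects the image by tag, which a registry allows to be re-pointed, so the job's execution environment is not pinned the way its actions now are. Consider adding the image digest, `container: ghcr.io/dfinity/dre/actions-runner:<tag>@sha256:<digest>` (placeholder values). The same image reference appears in msd-diff.yaml, release.yaml and update-dependencies.yaml. The local action `./.github/workflows/manage-runner-pre` is not touched by this series, so any `uses:` lines inside it cannot be checked from here and would need the same pinning. The job definition starts above the hunk.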
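Review bot: In the `Set up Rust toolchain` step, `dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master` is labelled with a branch name, which tells a reader nothing about when the snapshot was taken and gives update tooling no version to compare against. Record the date the SHA was resolved, e.g. `# master as of <YYYY-MM-DD>` (placeholder), so staleness is visible in review. The Rust version itself is chosen by the `toolchain:` input below, so this pin presumably fixes only the action's own installer code. The step sits in a job that starts and ends outside the hunk.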
@@ -125,7 +125,7 @@ jobs: # If regular secrets.GITHUB_TOKEN is used instead, the push will not trigger any actions # https://github.com/orgs/community/discussions/25702 - name: Create GitHub App Token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 id: app-token with: app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }} @@ -158,7 +158,7 @@ jobs: cp --dereference bazel-out/k8-opt/bin/rs/cli/dre release/artifacts/dre-x86_64-unknown-linux - name: Download macOS x86_64 artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: dre-x86_64-apple-darwin path: release/artifacts/ @@ -168,7 +168,7 @@ jobs: run: mv release/artifacts/dre release/artifacts/dre-x86_64-apple-darwin - name: Download macOS aarch64 artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: dre-aarch64-apple-darwin path: release/artifacts/ @@ -202,7 +202,7 @@ jobs: rm -rf release - name: "๐Ÿ†• Create a new Pull Request with the changes" - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: commit-message: "chore(release): New release of `dre` version ${{ steps.tag.outputs.tag }}" branch: bot-release-${{ steps.tag.outputs.tag }} From 9d2ff1c58543ba13013a322d76e0c131025eca91 Mon Sep 17 00:00:00 2001 From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:26:00 +0200 Subject: [PATCH 05/12] chore: pin actions to SHA in .github/workflows/main.yaml --- .github/workflows/main.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index bd549a654..1fdb71c9b 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
@@ -37,7 +37,7 @@ jobs: packages: write pages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 2 @@ -45,7 +45,7 @@ jobs: # If regular secrets.GITHUB_TOKEN is used instead, the push will not trigger any actions # https://github.com/orgs/community/discussions/25702 - name: Create GitHub App Token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 id: app-token with: app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }} @@ -85,7 +85,7 @@ jobs: - name: "๐Ÿงช Upload test artifacts" if: ${{ github.ref == 'refs/heads/main' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: test-artifacts path: bazel-out/k8-opt/bin/rs/ic-observability/multiservice-discovery/multiservice-discovery From 349600d7a00ac8e0e5514335000041d7751b6cce Mon Sep 17 00:00:00 2001 From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:26:01 +0200 Subject: [PATCH 06/12] chore: pin actions to SHA in .github/workflows/msd-diff.yaml --- .github/workflows/msd-diff.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/msd-diff.yaml b/.github/workflows/msd-diff.yaml index 050ea2c2b..51a1b6e57 100644 --- a/.github/workflows/msd-diff.yaml +++ b/.github/workflows/msd-diff.yaml @@ -19,7 +19,7 @@ jobs: # This image is based on ubuntu:20.04 container: ghcr.io/dfinity/dre/actions-runner:6413f2909a49329ecbf5371ee7ddf07a9799b625 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: ref: ${{ github.event.pull_request.head.ref }} 
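Review bot: The checkout in msd-diff.yaml keeps `ref: ${{ github.event.pull_request.head.ref }}`, a branch name, so the SHA pin on the action does not pin what is checked out: the branch can move between the triggering event and the checkout. `ref: ${{ github.event.pull_request.head.sha }}` would check out the exact commit that triggered the run. The workflow's trigger and permissions are outside the hunk. If it runs with repository secrets or a write-scoped token, checking out pull-request code there deserves a separate review.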
@@ -27,7 +27,7 @@ jobs: uses: ./.github/workflows/manage-runner-pre - name: "๐Ÿ“ฅ Download main test artifact" - uses: dawidd6/action-download-artifact@v11 + uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11 with: name: test-artifacts branch: main From 1483aa5e8e7dd795814d0c23838f5f34bf53a828 Mon Sep 17 00:00:00 2001 From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:26:02 +0200 Subject: [PATCH 07/12] chore: pin actions to SHA in .github/workflows/pull-request-update.yaml --- .github/workflows/pull-request-update.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull-request-update.yaml b/.github/workflows/pull-request-update.yaml index aa57858d2..442aad358 100644 --- a/.github/workflows/pull-request-update.yaml +++ b/.github/workflows/pull-request-update.yaml @@ -10,12 +10,12 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Create GitHub App Token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 id: app-token with: app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }} private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }} - - uses: chinthakagodawita/autoupdate@v1.7.0 + - uses: chinthakagodawita/autoupdate@0707656cd062a3b0cf8fa9b2cda1d1404d74437e # v1.7.0 env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" MERGE_MSG: "Branch was auto-updated." From 850468d28f24ccbfe0cec71fa092c1cab9db2715 Mon Sep 17 00:00:00 2001 From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:26:03 +0200 Subject: [PATCH 08/12] chore: pin actions to SHA in .github/workflows/release-controller.yaml --- .github/workflows/release-controller.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-controller.yaml b/.github/workflows/release-controller.yaml index be3b8915a..37a706f97 100644 
--- a/.github/workflows/release-controller.yaml +++ b/.github/workflows/release-controller.yaml @@ -42,7 +42,7 @@ jobs: packages: write pages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 2 @@ -50,7 +50,7 @@ jobs: # If regular secrets.GITHUB_TOKEN is used instead, the push will not trigger any actions # https://github.com/orgs/community/discussions/25702 - name: Create GitHub App Token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 id: app-token with: app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }} From faef130dcb9dc944e674a4684be49a950fd00ed4 Mon Sep 17 00:00:00 2001 From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:26:05 +0200 Subject: [PATCH 09/12] chore: pin actions to SHA in .github/workflows/release.yaml --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 187add890..3a90bf6c4 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -20,7 +20,7 @@ jobs: container: ghcr.io/dfinity/dre/actions-runner:6413f2909a49329ecbf5371ee7ddf07a9799b625 name: Check changed release index files steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run checks for release index run: | rye sync From 087d79cb0f49fee29c1b609a7c53bae29e7ebbb6 Mon Sep 17 00:00:00 2001 From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:26:06 +0200 Subject: [PATCH 10/12] chore: pin actions to SHA in .github/workflows/required-checks.yaml --- .github/workflows/required-checks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/required-checks.yaml b/.github/workflows/required-checks.yaml index fb18205f0..6cf10d583 100644 --- a/.github/workflows/required-checks.yaml +++ b/.github/workflows/required-checks.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Wait for running jobs - uses: lewagon/wait-on-check-action@v1.3.4 + uses: lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc # v1.3.4 with: ref: ${{ github.ref }} running-workflow-name: Wait for required jobs to complete or be skipped From cb3f6a144c9d41f3e347733420ea76dae940afdd Mon Sep 17 00:00:00 2001 From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:26:07 +0200 Subject: [PATCH 11/12] chore: pin actions to SHA in .github/workflows/trusted-neurons-alerts.yaml --- .github/workflows/trusted-neurons-alerts.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trusted-neurons-alerts.yaml b/.github/workflows/trusted-neurons-alerts.yaml index 1fc097c62..a5c9cfac5 100644 --- a/.github/workflows/trusted-neurons-alerts.yaml +++ b/.github/workflows/trusted-neurons-alerts.yaml @@ -38,7 +38,7 @@ jobs: packages: write pages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 2 @@ -46,7 +46,7 @@ jobs: # If regular secrets.GITHUB_TOKEN is used instead, the push will not trigger any actions # https://github.com/orgs/community/discussions/25702 - name: Create GitHub App Token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 id: app-token with: app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }} From 72e7c9e6d9e217094b0679129f795ae89e938600 Mon Sep 17 00:00:00 2001 
From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:26:09 +0200 Subject: [PATCH 12/12] chore: pin actions to SHA in .github/workflows/update-dependencies.yaml --- .github/workflows/update-dependencies.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/update-dependencies.yaml b/.github/workflows/update-dependencies.yaml index affb6f516..6b6dfaa7d 100644 --- a/.github/workflows/update-dependencies.yaml +++ b/.github/workflows/update-dependencies.yaml @@ -11,12 +11,12 @@ jobs: container: ghcr.io/dfinity/dre/actions-runner:6413f2909a49329ecbf5371ee7ddf07a9799b625 steps: - name: Create GitHub App Token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 id: app-token with: app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }} private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }} - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "๐Ÿ”ง Setup runner" uses: ./.github/workflows/manage-runner-pre @@ -57,7 +57,7 @@ jobs: ./bin/release-controller-update-data-model.sh - name: "๐Ÿ†• Create a new Pull Request with the changes" - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: commit-message: "chore(deps): Update dependencies" branch: bot-update-deps