Pin all github actions to commit hash (#2129)

## Changes - Pin all github actions to commit hash. - Modify vedantmgoyal2009/winget-releaser to use tag format that dependabot can understand. Pinning is done by https://github.com/databricks/cli/blob/denik/pin-actions-script/pin_actions.py (100% chatgpt authored). Commits and tags are verified manually. This format should be recognized by dependabot enabled in https://github.com/databricks/cli/pull/2112 ## Tests Existing tests.
2025-01-14 08:39:34 +01:00 · 2025-01-14 08:39:34 +01:00 · e682eeba80
parent e1f5f60a8d
commit e682eeba80
8 changed files with 29 additions and 29 deletions
--- a/.github/workflows/close-stale-issues.yml
+++ b/.github/workflows/close-stale-issues.yml
@ -18,7 +18,7 @@ jobs:
      pull-requests: write

    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
        with:
          stale-issue-message: This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
          stale-pr-message: This PR has not received an update in a while. If you want to keep this PR open, please leave a comment below or push a new commit and auto-close will be canceled.
--- a/.github/workflows/external-message.yml
+++ b/.github/workflows/external-message.yml
@ -25,7 +25,7 @@ jobs:
    if: "${{ github.event.pull_request.head.repo.fork }}"

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Delete old comments
        env:
--- a/.github/workflows/integration-main.yml
+++ b/.github/workflows/integration-main.yml
@ -20,7 +20,7 @@ jobs:
    steps:
      - name: Generate GitHub App Token
        id: generate-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
        with:
          app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
          private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
--- a/.github/workflows/integration-pr.yml
+++ b/.github/workflows/integration-pr.yml
@ -23,7 +23,7 @@ jobs:
    steps:
      - name: Generate GitHub App Token
        id: generate-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
        with:
          app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
          private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
--- a/.github/workflows/publish-winget.yml
+++ b/.github/workflows/publish-winget.yml
@ -16,7 +16,7 @@ jobs:
    environment: release

    steps:
-      - uses: vedantmgoyal2009/winget-releaser@93fd8b606a1672ec3e5c6c3bb19426be68d1a8b0 # https://github.com/vedantmgoyal2009/winget-releaser/releases/tag/v2
+      - uses: vedantmgoyal2009/winget-releaser@93fd8b606a1672ec3e5c6c3bb19426be68d1a8b0 # v2
        with:
          identifier: Databricks.DatabricksCLI
          installers-regex: 'windows_.*-signed\.zip$' # Only signed Windows releases
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@ -45,20 +45,20 @@ jobs:

    steps:
      - name: Checkout repository and submodules
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version: 1.23.4

      - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: '3.9'

      - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v5.1.0

      - name: Set go env
        run: |
@ -79,8 +79,8 @@ jobs:
    name: lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version: 1.23.4
          # Use different schema from regular job, to avoid overwriting the same key
@ -95,7 +95,7 @@ jobs:
          # Exit with status code 1 if there are differences (i.e. unformatted files)
          git diff --exit-code
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
        with:
          version: v1.63.4
          args: --timeout=15m
@ -106,10 +106,10 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version: 1.23.4
          # Use different schema from regular job, to avoid overwriting the same key
--- a/.github/workflows/release-snapshot.yml
+++ b/.github/workflows/release-snapshot.yml
@ -26,13 +26,13 @@ jobs:

    steps:
      - name: Checkout repository and submodules
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          fetch-tags: true

      - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version: 1.23.4

@ -48,27 +48,27 @@ jobs:

      - name: Run GoReleaser
        id: releaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
        with:
          version: ~> v2
          args: release --snapshot --skip docker

      - name: Upload macOS binaries
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: cli_darwin_snapshot
          path: |
            dist/*_darwin_*/

      - name: Upload Linux binaries
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: cli_linux_snapshot
          path: |
            dist/*_linux_*/

      - name: Upload Windows binaries
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: cli_windows_snapshot
          path: |
@ -88,7 +88,7 @@ jobs:
        # Snapshot release may only be updated for commits to the main branch.
        if: github.ref == 'refs/heads/main'

-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          name: Snapshot
          prerelease: true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -18,13 +18,13 @@ jobs:

    steps:
      - name: Checkout repository and submodules
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          fetch-tags: true

      - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version: 1.23.4

@ -37,7 +37,7 @@ jobs:

      # Log into the GitHub Container Registry. The goreleaser action will create
      # the docker images and push them to the GitHub Container Registry.
-      - uses: "docker/login-action@v3"
+      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: "ghcr.io"
          username: "${{ github.actor }}"
@ -46,11 +46,11 @@ jobs:
      # QEMU is required to build cross platform docker images using buildx.
      # It allows virtualization of the CPU architecture at the application level.
      - name: Set up QEMU dependency
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0

      - name: Run GoReleaser
        id: releaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
        with:
          version: ~> v2
          args: release
@ -71,7 +71,7 @@ jobs:
          echo "VERSION=${VERSION:1}" >> $GITHUB_ENV

      - name: Update setup-cli
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          github-token: ${{ secrets.DECO_GITHUB_TOKEN }}
          script: |
@ -99,7 +99,7 @@ jobs:
          echo "VERSION=${VERSION:1}" >> $GITHUB_ENV

      - name: Update homebrew-tap
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          github-token: ${{ secrets.DECO_GITHUB_TOKEN }}
          script: |
@ -140,7 +140,7 @@ jobs:
          echo "VERSION=${VERSION:1}" >> $GITHUB_ENV

      - name: Update CLI version in the VSCode extension
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          github-token: ${{ secrets.DECO_GITHUB_TOKEN }}
          script: |