From 8c87aeb5e20e66ae12d665a5cdf4fb20f45de46b Mon Sep 17 00:00:00 2001 From: Alex Welsh Date: Wed, 1 Apr 2026 10:20:26 +0100 Subject: [PATCH 1/9] Pins actions/checkout to de0fac2e4500dabe0009e67214ff5f5447ce83dd Pins actions/checkout to v6.0.2 commit hash instead of the tag. --- .github/workflows/ansible-lint.yml | 2 +- .github/workflows/ansible-validations.yml | 2 +- .github/workflows/container-promote-old.yml | 2 +- .github/workflows/container-promote.yml | 4 ++-- .github/workflows/container-publish.yml | 2 +- .github/workflows/container-sync.yml | 2 +- .github/workflows/docs-build.yml | 2 +- .github/workflows/docs-publish.yml | 2 +- .github/workflows/package-promote.yml | 4 ++-- .github/workflows/package-sync-nightly.yml | 2 +- .github/workflows/package-sync-version-test-pulp.yml | 2 +- .github/workflows/package-sync.yml | 4 ++-- .github/workflows/package-update-kayobe.yml | 4 ++-- .github/workflows/source-repo-sync.yml | 2 +- .github/workflows/terraform-github-import.yml | 2 +- .github/workflows/terraform-github.yml | 2 +- 16 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index 40781155..532d327b 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Python version must be pinned because of issue with Ubuntu permissions # See https://github.com/actions/runner-images/issues/11499 diff --git a/.github/workflows/ansible-validations.yml b/.github/workflows/ansible-validations.yml index 226f5f24..14a815c4 100644 --- a/.github/workflows/ansible-validations.yml +++ b/.github/workflows/ansible-validations.yml 
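Review bot: Nothing in the patch lets a reader confirm that `de0fac2e4500dabe0009e67214ff5f5447ce83dd` is the commit the upstream `v6.0.2` tag points to; the trailing `# v6.0.2` on the new `uses:` line in ansible-lint.yml is only a comment and the runner does not check it. GitHub resolves `owner/repo@<sha>` for any commit reachable in the repository's fork network, which is why its hardening guidance asks that a pinned SHA be verified as coming from the action's own repository and not a fork. I would add a line to the commit message saying how each SHA was resolved (for example with `git ls-remote --tags https://github.com/actions/checkout` against upstream); the same applies to the other SHAs introduced in PATCH 2/9 to 8/9. If the repository has no Dependabot or Renovate configuration for GitHub Actions (not visible here), the pins will also stop receiving upstream fixes.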
@@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Release Train & dependencies uses: ./.github/actions/setup diff --git a/.github/workflows/container-promote-old.yml b/.github/workflows/container-promote-old.yml index e7737ea0..bb484b76 100644 --- a/.github/workflows/container-promote-old.yml +++ b/.github/workflows/container-promote-old.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Release Train & dependencies uses: ./.github/actions/setup diff --git a/.github/workflows/container-promote.yml b/.github/workflows/container-promote.yml index ee64b977..7b47c4c1 100644 --- a/.github/workflows/container-promote.yml +++ b/.github/workflows/container-promote.yml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Release Train & dependencies uses: ./.github/actions/setup @@ -35,7 +35,7 @@ jobs: vault-password-file: ${{ env.ANSIBLE_VAULT_PASSWORD_FILE }} - name: Clone StackHPC Kayobe configuration repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: stackhpc/stackhpc-kayobe-config ref: refs/heads/${{ github.event.inputs.kayobe_config_branch }} diff --git a/.github/workflows/container-publish.yml b/.github/workflows/container-publish.yml index fe7fa09c..78de12a4 100644 --- a/.github/workflows/container-publish.yml +++ b/.github/workflows/container-publish.yml 
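Review bot: The pinned `Checkout` step in ansible-validations.yml still has no `with:` block, so it keeps the action's default of leaving the job token available to later steps, which here include the local `./.github/actions/setup` action. Only the checkout in source-repo-sync.yml sets `persist-credentials: "false"`; none of the other checkout steps touched by this patch (ansible-lint, container-promote-old, container-promote, container-publish, container-sync, docs-build, docs-publish, package-promote, package-sync*, package-update-kayobe, terraform-github*) shows that input within its hunk. For jobs that never push with that token I would add `with:` and `persist-credentials: false` to the step. The job bodies continue outside the hunks, so whether any of them relies on the persisted token cannot be confirmed from here.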
@@ -29,7 +29,7 @@ jobs: name: Publish container repositories runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Release Train & dependencies uses: ./.github/actions/setup diff --git a/.github/workflows/container-sync.yml b/.github/workflows/container-sync.yml index 9dff92c3..30559aca 100644 --- a/.github/workflows/container-sync.yml +++ b/.github/workflows/container-sync.yml @@ -36,7 +36,7 @@ jobs: timeout-minutes: 720 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Release Train & dependencies uses: ./.github/actions/setup diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml index c91b6a3c..60693331 100644 --- a/.github/workflows/docs-build.yml +++ b/.github/workflows/docs-build.yml @@ -7,7 +7,7 @@ jobs: name: Build documentation runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/setup-python@v6 with: python-version: 3.x diff --git a/.github/workflows/docs-publish.yml b/.github/workflows/docs-publish.yml index c30dfc6c..22afb9ac 100644 --- a/.github/workflows/docs-publish.yml +++ b/.github/workflows/docs-publish.yml @@ -9,7 +9,7 @@ jobs: name: Publish documentation runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/setup-python@v6 with: python-version: 3.x diff --git a/.github/workflows/package-promote.yml b/.github/workflows/package-promote.yml index e99abce1..37e8f1fc 100644 --- a/.github/workflows/package-promote.yml +++ b/.github/workflows/package-promote.yml 
@@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Release Train & dependencies uses: ./.github/actions/setup @@ -36,7 +36,7 @@ jobs: vault-password-file: ${{ env.ANSIBLE_VAULT_PASSWORD_FILE }} - name: Clone StackHPC Kayobe configuration repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: stackhpc/stackhpc-kayobe-config ref: refs/heads/${{ github.event.inputs.kayobe_config_branch }} diff --git a/.github/workflows/package-sync-nightly.yml b/.github/workflows/package-sync-nightly.yml index eae5ceea..c2f8f0b8 100644 --- a/.github/workflows/package-sync-nightly.yml +++ b/.github/workflows/package-sync-nightly.yml @@ -16,7 +16,7 @@ jobs: matrix: ${{ steps.matrix-build.outputs.matrix }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install dependencies run: | diff --git a/.github/workflows/package-sync-version-test-pulp.yml b/.github/workflows/package-sync-version-test-pulp.yml index 8b1e59ab..e312d25e 100644 --- a/.github/workflows/package-sync-version-test-pulp.yml +++ b/.github/workflows/package-sync-version-test-pulp.yml @@ -27,7 +27,7 @@ jobs: run: exit 1 - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Release Train & dependencies uses: ./.github/actions/setup diff --git a/.github/workflows/package-sync.yml b/.github/workflows/package-sync.yml index e990e3ca..3e8ce968 100644 --- a/.github/workflows/package-sync.yml +++ b/.github/workflows/package-sync.yml 
@@ -44,7 +44,7 @@ jobs: if: inputs.sync_ark steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Release Train & dependencies uses: ./.github/actions/setup @@ -90,7 +90,7 @@ jobs: if: inputs.sync_test steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Release Train & dependencies uses: ./.github/actions/setup diff --git a/.github/workflows/package-update-kayobe.yml b/.github/workflows/package-update-kayobe.yml index 54041f80..78391a16 100644 --- a/.github/workflows/package-update-kayobe.yml +++ b/.github/workflows/package-update-kayobe.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Release Train & dependencies uses: ./.github/actions/setup @@ -31,7 +31,7 @@ jobs: vault-password-file: ${{ env.ANSIBLE_VAULT_PASSWORD_FILE }} - name: Clone StackHPC Kayobe configuration repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: stackhpc/stackhpc-kayobe-config ref: refs/heads/${{ github.event.inputs.kayobe_config_branch }} diff --git a/.github/workflows/source-repo-sync.yml b/.github/workflows/source-repo-sync.yml index 2d7ebe21..390e13d2 100644 --- a/.github/workflows/source-repo-sync.yml +++ b/.github/workflows/source-repo-sync.yml @@ -22,7 +22,7 @@ jobs: git config --global user.email "22933334+stackhpc-ci@users.noreply.github.com" && git config --global user.name "stackhpc-ci" - name: GitHub checkout 🛎 - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: "false" - name: Run ansible playbook 📖 
diff --git a/.github/workflows/terraform-github-import.yml b/.github/workflows/terraform-github-import.yml index 28494bb0..dd7e1814 100644 --- a/.github/workflows/terraform-github-import.yml +++ b/.github/workflows/terraform-github-import.yml @@ -19,7 +19,7 @@ jobs: working-directory: "./terraform/github/" steps: - name: GitHub Checkout 🛎 - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python 🐍 uses: actions/setup-python@v6 with: diff --git a/.github/workflows/terraform-github.yml b/.github/workflows/terraform-github.yml index da1eb245..48cd352e 100644 --- a/.github/workflows/terraform-github.yml +++ b/.github/workflows/terraform-github.yml @@ -22,7 +22,7 @@ jobs: run: working-directory: "./terraform/github/" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: hashicorp/setup-terraform@v4 with: From 8c13e187a841a7a7289ad92476d5cf4077a78550 Mon Sep 17 00:00:00 2001 From: Alex Welsh Date: Wed, 1 Apr 2026 10:20:27 +0100 Subject: [PATCH 2/9] Pins actions/github-script to ed597411d8f924073f98dfc5c65a23a2325f34cd Pins actions/github-script to v8 commit hash instead of the tag. --- .github/workflows/terraform-github.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform-github.yml b/.github/workflows/terraform-github.yml index 48cd352e..b42d440e 100644 --- a/.github/workflows/terraform-github.yml +++ b/.github/workflows/terraform-github.yml @@ -51,7 +51,7 @@ jobs: - name: Install fs module run: npm install fs - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 if: github.event_name == 'pull_request' with: github-token: ${{ secrets.repository_configuration_token }} From 2da8d20add0211458a10bbc5245050e9eca508d4 Mon Sep 17 00:00:00 2001 
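Review bot: The comment on the new `uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd` line says `# v8`, a moving major tag, whereas the other pins in the series name an exact release (`# v6.0.2`, `# v6.2.0`, `# v7.0.0`); write the exact release the SHA was taken from so a reviewer or an update tool can map it back. Separately, the context line just above, `run: npm install fs`, is still an unpinned registry install in the same job that passes `secrets.repository_configuration_token` to this step. `fs` is a Node.js built-in module, so that install looks unnecessary and could probably be dropped; if a package is needed, install it from a committed lockfile with `npm ci`. The job continues outside the hunk.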
From: Alex Welsh Date: Wed, 1 Apr 2026 10:20:28 +0100 Subject: [PATCH 3/9] Pins actions/setup-python to a309ff8b426b58ec0e2a45f0f869d46889d02405 Pins actions/setup-python to v6.2.0 commit hash instead of the tag. --- .github/actions/setup/action.yml | 2 +- .github/workflows/ansible-lint.yml | 2 +- .github/workflows/docs-build.yml | 2 +- .github/workflows/docs-publish.yml | 2 +- .github/workflows/terraform-github-import.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index 2f2e7e0b..c4720f9d 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml @@ -20,7 +20,7 @@ runs: shell: bash # Install python dependencies for ansible server side - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.11.x # Cache Python dependencies diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index 532d327b..cdcf8f75 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -18,7 +18,7 @@ jobs: # Python version must be pinned because of issue with Ubuntu permissions # See https://github.com/actions/runner-images/issues/11499 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml index 60693331..a9bf3031 100644 --- a/.github/workflows/docs-build.yml +++ b/.github/workflows/docs-build.yml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.x - run: pip install -r docs-requirements.txt 
diff --git a/.github/workflows/docs-publish.yml b/.github/workflows/docs-publish.yml index 22afb9ac..246f9b27 100644 --- a/.github/workflows/docs-publish.yml +++ b/.github/workflows/docs-publish.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.x - run: pip install -r docs-requirements.txt diff --git a/.github/workflows/terraform-github-import.yml b/.github/workflows/terraform-github-import.yml index dd7e1814..a5a7af3d 100644 --- a/.github/workflows/terraform-github-import.yml +++ b/.github/workflows/terraform-github-import.yml @@ -21,7 +21,7 @@ jobs: - name: GitHub Checkout 🛎 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python 🐍 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10.4" - name: Setup Terraform From 15c9887df20bca7351f4dbbf903d87332ff5ff48 Mon Sep 17 00:00:00 2001 From: Alex Welsh Date: Wed, 1 Apr 2026 10:20:29 +0100 Subject: [PATCH 4/9] Pins actions/upload-artifact to bbbca2ddaa5d8feaa63e36b76fdaad77386f024f Pins actions/upload-artifact to v7.0.0 commit hash instead of the tag. --- .github/workflows/package-update-kayobe.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/package-update-kayobe.yml b/.github/workflows/package-update-kayobe.yml index 78391a16..7551e24f 100644 --- a/.github/workflows/package-update-kayobe.yml +++ b/.github/workflows/package-update-kayobe.yml 
@@ -61,7 +61,7 @@ jobs: # For now, just create an artifact that the user can download. - name: Upload pulp-repo-versions.yml artifact if: ${{ steps.git-diff.outputs.changed == 'true' }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: pulp-repo-versions.yml path: stackhpc-kayobe-config/etc/kayobe/pulp-repo-versions.yml From 15dcfdf7c6cb5475711281041076a11cf6045b4d Mon Sep 17 00:00:00 2001 From: Alex Welsh Date: Wed, 1 Apr 2026 10:20:30 +0100 Subject: [PATCH 5/9] Pins dcarbone/install-yq-action to 4075b4dca348d74bd83f2bf82d30f25d7c54539b Pins dcarbone/install-yq-action to v1.3.1 commit hash instead of the tag. --- .github/workflows/package-sync-nightly.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/package-sync-nightly.yml b/.github/workflows/package-sync-nightly.yml index c2f8f0b8..a1c952b7 100644 --- a/.github/workflows/package-sync-nightly.yml +++ b/.github/workflows/package-sync-nightly.yml @@ -23,7 +23,7 @@ jobs: sudo apt update - name: Install yq - uses: dcarbone/install-yq-action@v1.3.1 + uses: dcarbone/install-yq-action@4075b4dca348d74bd83f2bf82d30f25d7c54539b # v1.3.1 - name: Create sync matrix id: matrix-build From 131af2a86c0c7011793267982de0e7a571638504 Mon Sep 17 00:00:00 2001 From: Alex Welsh Date: Wed, 1 Apr 2026 10:20:30 +0100 Subject: [PATCH 6/9] Pins hashicorp/setup-terraform to 5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 Pins hashicorp/setup-terraform to v4.0.0 commit hash instead of the tag. --- .github/workflows/terraform-github-import.yml | 2 +- .github/workflows/terraform-github.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/terraform-github-import.yml b/.github/workflows/terraform-github-import.yml index a5a7af3d..bdfa7b9f 100644 --- a/.github/workflows/terraform-github-import.yml +++ b/.github/workflows/terraform-github-import.yml 
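Review bot: Pinning `dcarbone/install-yq-action` to a SHA fixes the installer code but not the tool it installs: the `Install yq` step has no `with:` block, and the action's `version` input defaults to the latest yq release (worth confirming in `action.yml` at the pinned commit), so the binary fetched at run time still floats. I would add `with:` and `version: "<yq release tag>"` to the step, choosing the release the matrix script is tested with. The same question applies to `hashicorp/setup-terraform` in PATCH 6/9, where no `terraform_version` input is visible in either hunk; both `with:` blocks may continue outside the hunks.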
@@ -25,7 +25,7 @@ jobs: with: python-version: "3.10.4" - name: Setup Terraform - uses: hashicorp/setup-terraform@v4 + uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0 with: cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} terraform_wrapper: false diff --git a/.github/workflows/terraform-github.yml b/.github/workflows/terraform-github.yml index b42d440e..506148ab 100644 --- a/.github/workflows/terraform-github.yml +++ b/.github/workflows/terraform-github.yml @@ -24,7 +24,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: hashicorp/setup-terraform@v4 + - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0 with: cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} From 5734d91305c159dc69cab682e680671934b79eca Mon Sep 17 00:00:00 2001 From: Alex Welsh Date: Wed, 1 Apr 2026 10:20:31 +0100 Subject: [PATCH 7/9] Updates nick-fields/retry and pins to ad984534de44a9489a53aefd81eb77f87c70dc60 Updates nick-fields/retry from v3 to v4.0.0 and pins to a specific commit hash instead of the tag. --- .github/workflows/package-sync.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/package-sync.yml b/.github/workflows/package-sync.yml index 3e8ce968..da32defe 100644 --- a/.github/workflows/package-sync.yml +++ b/.github/workflows/package-sync.yml @@ -53,7 +53,7 @@ jobs: vault-password-file: ${{ env.ANSIBLE_VAULT_PASSWORD_FILE }} - name: Sync and publish package repositories in Ark - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: timeout_minutes: 360 max_attempts: 2 @@ -99,7 +99,7 @@ jobs: vault-password-file: ${{ env.ANSIBLE_VAULT_PASSWORD_FILE }} - name: Sync and publish package repositories in test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: timeout_minutes: 360 max_attempts: 2 
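Review bot: The `nick-fields/retry` change is a major-version upgrade (v3 to v4.0.0) folded into a pinning series, and the commit message does not record that the inputs used here (`timeout_minutes`, `max_attempts`, and whatever follows outside the hunks) were checked against the v4 release notes. PATCH 8/9 does the same for `slackapi/slack-github-action` (v1.26.0 to v3.0.1) and needed the PATCH 9/9 follow-up, which suggests splitting each into two commits: first pin the tag currently in use to its SHA, then bump. At minimum I would add a sentence to each commit message naming the breaking changes that were reviewed. Both `with:` blocks continue outside their hunks.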
From 8ec716e3f09c3f43e99beba3c3f07310843903fd Mon Sep 17 00:00:00 2001 From: Alex Welsh Date: Wed, 1 Apr 2026 10:20:32 +0100 Subject: [PATCH 8/9] Updates slackapi/slack-github-action and pins to af78098f536edbc4de71162a307590698245be95 Updates slackapi/slack-github-action from v1.26.0 to v3.0.1 and pins to a specific commit hash instead of the tag. --- .github/actions/slack-alert/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/slack-alert/action.yml b/.github/actions/slack-alert/action.yml index 9f4c1d6b..f51bf8d1 100644 --- a/.github/actions/slack-alert/action.yml +++ b/.github/actions/slack-alert/action.yml @@ -32,7 +32,7 @@ runs: using: composite steps: - name: Send message to Slack via Workflow Builder - uses: slackapi/slack-github-action@v1.26.0 + uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1 with: payload: | { From a19746a7a999d6ee05277565d348f7ec25abfa78 Mon Sep 17 00:00:00 2001 From: Alex Welsh Date: Wed, 1 Apr 2026 15:22:03 +0100 Subject: [PATCH 9/9] Fix slack GH action for v3 syntax --- .github/actions/slack-alert/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/actions/slack-alert/action.yml b/.github/actions/slack-alert/action.yml index f51bf8d1..b4f802b2 100644 --- a/.github/actions/slack-alert/action.yml +++ b/.github/actions/slack-alert/action.yml @@ -34,6 +34,7 @@ runs: - name: Send message to Slack via Workflow Builder uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1 with: + webhook-type: "incoming-webhook" payload: | { "channel-id": "${{ env.SLACK_CHANNEL_ID }}",
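Review bot: In PATCH 9/9 the added `webhook-type: "incoming-webhook"` does not match the step name `Send message to Slack via Workflow Builder`; in the v2 and later releases a Workflow Builder trigger URL is selected with `webhook-type: webhook-trigger`, so either the value or the step name is wrong for the URL in use. Those releases also take the URL from a `webhook:` input rather than the `SLACK_WEBHOOK_URL` environment variable that v1 read. The `with:` block continues outside the hunk, so confirm it carries `webhook: <URL passed in from a secret>`; without it the alert step would presumably fail and CI failures would go unreported.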