diff --git a/.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml b/.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml index f5186222..a3b3d521 100644 --- a/.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml +++ b/.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml @@ -26,6 +26,7 @@ jobs: # we have one large .whl file which is referenced in the engine Dockerfile.. we need to # fetch that file to be able to properly build the image lfs: true + persist-credentials: false - name: Set engine version number in settings file if: inputs.engine_version uses: ./.github/actions/set-engine-version-in-settings @@ -34,7 +35,7 @@ jobs: engine_version_number: ${{ inputs.engine_version }} settings_file_path: engine/settings/base.py - name: Build engine Docker image and push to Dockerhub - uses: grafana/shared-workflows/actions/build-push-to-dockerhub@main + uses: grafana/shared-workflows/actions/build-push-to-dockerhub@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0 with: context: engine/ push: true diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 417a4d33..988b46a2 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -45,16 +45,18 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@v2 + uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 #v2.0.0 with: comment_on_pr: false proc_trace_chart_show: false proc_trace_table_show: false - name: Install Kind - uses: helm/kind-action@v1.10.0 + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde #v1.10.0 with: config: ./dev/kind.yml install_only: true 
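Review bot: `actions/checkout@v4` on the Checkout step is still referenced by a mutable tag while the other actions in this hunk are moved to commit SHAs; pinning it the same way, `uses: actions/checkout@<commit-sha> # v4.x.y`, would make the workflow's supply-chain posture consistent. The same unpinned checkout remains as context in the helm-unittest hunk of linting-and-tests.yml and in publish-technical-documentation-next.yml, publish-technical-documentation-release.yml and update-make-docs.yml, and on-issue-closed.yml and on-issue-creation.yml still use the much older `actions/checkout@v2`, which also lacks the `persist-credentials: false` hardening added here. The version comments are written as `#v2.0.0` with no space after `#`; yamllint's comments rule expects `# v2.0.0`, and as far as I know the spaced form is the one Dependabot/Renovate look for when refreshing a SHA pin, so I would change it on every pinned line in the diff.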
@@ -121,7 +123,7 @@ jobs: - name: Get Vault secrets if: inputs.run-expensive-tests id: get-secrets - uses: grafana/shared-workflows/actions/get-vault-secrets@main + uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0 with: repo_secrets: | GH_APP_ID=github-app:app-id diff --git a/.github/workflows/linting-and-tests.yml b/.github/workflows/linting-and-tests.yml index 93fadd73..c938066b 100644 --- a/.github/workflows/linting-and-tests.yml +++ b/.github/workflows/linting-and-tests.yml @@ -23,7 +23,7 @@ jobs: install-dependencies: "false" - name: Install frontend dependencies uses: ./.github/actions/install-frontend-dependencies - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd #v3.0.1 lint-test-and-build-frontend: name: "Lint, test, and build frontend" 
@@ -101,14 +101,37 @@ jobs: # Checkout the head commit of the PR ref: ${{ github.event.pull_request.head.sha }} + - name: Extract and validate base ref + id: extract_base_ref + shell: bash + env: + BASE_REF: ${{ github.event.pull_request.base.ref }} + run: | + # Validate against safe pattern (alphanumeric, underscore, dash, dot, and forward slash only) + if [[ ! "${BASE_REF}" =~ ^[a-zA-Z0-9_/.-]+$ ]]; then + echo "Invalid branch name pattern detected" + exit 1 + fi + # Store validated ref for later steps + echo "base_ref=${BASE_REF}" >> $GITHUB_OUTPUT + - name: Fetch base branch - run: git fetch origin ${{ github.event.pull_request.base.ref }}:${{ github.event.pull_request.base.ref }} + shell: bash + run: | + # Use validated ref + SAFE_REF="${{ steps.extract_base_ref.outputs.base_ref }}" + git fetch origin "${SAFE_REF}:refs/remotes/origin/${SAFE_REF}" - name: Check for RemoveField in Migrations # yamllint disable rule:line-length + shell: bash run: | - # Get the list of files changed in the PR - git diff --name-only ${{ github.event.pull_request.base.ref }}...${{ github.event.pull_request.head.sha }} > changed_files.txt + # Use validated ref + SAFE_REF="${{ steps.extract_base_ref.outputs.base_ref }}" + HEAD_SHA="${{ github.event.pull_request.head.sha }}" + + # Get the list of files changed in the PR using validated refs + git diff --name-only "refs/remotes/origin/${SAFE_REF}...${HEAD_SHA}" > changed_files.txt # Filter for migration files grep -E '^.*/migrations/.*\.py$' changed_files.txt > migration_files.txt || true @@ -144,7 +167,7 @@ jobs: steps: - name: Checkout project uses: actions/checkout@v4 - - uses: azure/setup-helm@v4.2.0 + - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 #v4.2.0 with: version: v3.8.0 - name: Install helm unittest plugin diff --git a/.github/workflows/on-issue-closed.yml b/.github/workflows/on-issue-closed.yml index 8763b93c..afda00f7 100644 --- a/.github/workflows/on-issue-closed.yml 
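Review bot: The two steps that consume the validated ref still interpolate `${{ steps.extract_base_ref.outputs.base_ref }}` and `${{ github.event.pull_request.head.sha }}` directly into the `run:` script text, which is the pattern the new Extract step was written to avoid; passing them through `env:` and reading `$SAFE_REF`/`$HEAD_SHA` keeps the values out of the script body so the regex check becomes a second line of defence rather than the only one. The exposure is limited here, since `base.ref` is a branch of the base repository and `head.sha` is a commit id, but the first step and the next two now follow different conventions for the same data. In the Extract step I would also quote the output file, `echo "base_ref=${BASE_REF}" >> "$GITHUB_OUTPUT"`. The job's `steps:` list starts before this hunk and the RemoveField step's script continues after it.
```yaml
      - name: Fetch base branch
        shell: bash
        env:
          SAFE_REF: ${{ steps.extract_base_ref.outputs.base_ref }}
        run: |
          git fetch origin "${SAFE_REF}:refs/remotes/origin/${SAFE_REF}"
      - name: Check for RemoveField in Migrations
        # yamllint disable rule:line-length
        shell: bash
        env:
          SAFE_REF: ${{ steps.extract_base_ref.outputs.base_ref }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Get the list of files changed in the PR using validated refs
          git diff --name-only "refs/remotes/origin/${SAFE_REF}...${HEAD_SHA}" > changed_files.txt
          # … unchanged: migration-file filtering …
```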
+++ b/.github/workflows/on-issue-closed.yml @@ -12,6 +12,6 @@ jobs: steps: - uses: actions/checkout@v2 - name: Remove "needs triage" label - uses: actions-ecosystem/action-remove-labels@v1.3.0 + uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 #v1.3.0 with: labels: needs triage diff --git a/.github/workflows/on-issue-creation.yml b/.github/workflows/on-issue-creation.yml index 23307322..85ebeb54 100644 --- a/.github/workflows/on-issue-creation.yml +++ b/.github/workflows/on-issue-creation.yml @@ -16,7 +16,7 @@ jobs: - uses: actions/checkout@v2 - name: Get latest version tag id: get-latest-tag - uses: actions-ecosystem/action-get-latest-tag@v1 + uses: actions-ecosystem/action-get-latest-tag@b7c32daec3395a9616f88548363a42652b22d435 #v1.6.0 with: semver_only: true - name: Add latest version comment @@ -37,7 +37,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Add "needs triage" label - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf #v1.1.3 with: labels: needs triage @@ -54,14 +54,14 @@ jobs: steps: - uses: actions/checkout@v2 - id: issue-form-values - uses: stefanbuck/github-issue-parser@v3 + uses: stefanbuck/github-issue-parser@2ea9b35a8c584529ed00891a8f7e41dc46d0441e #v3.2.1 - run: echo $JSON_STRING env: JSON_STRING: ${{ steps.issue-form-values.outputs.jsonString }} - name: Map mobile app product area to appropriate assignees - uses: actions-ecosystem/action-add-assignees@v1 + uses: actions-ecosystem/action-add-assignees@ce5019e63cc4f35aba27308dc88d19c8f3686747 #v1.0.0 if: contains(steps.issue-form-values.outputs.issueparser_product_area, 'Mobile App') with: github_token: ${{ secrets.GITHUB_TOKEN }} 
@@ -70,7 +70,7 @@ jobs: dieterbe - name: Map selected product area(s) to issue labels - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf #v1.1.3 # github actions have a weird ternary operator, see below for more details # https://docs.github.com/en/actions/learn-github-actions/expressions#literals:~:text=GitHub%20offers%20ternary%20operator%20like%20behaviour%20that%20you%20can%20use%20in%20expressions with: diff --git a/.github/workflows/on-release-published.yml b/.github/workflows/on-release-published.yml index b438a56e..fffe9af6 100644 --- a/.github/workflows/on-release-published.yml +++ b/.github/workflows/on-release-published.yml @@ -27,7 +27,7 @@ jobs: uses: ./.github/actions/install-frontend-dependencies # This will fetch the secret keys from vault and set them as environment variables for subsequent steps - name: Get Vault secrets - uses: grafana/shared-workflows/actions/get-vault-secrets@main + uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0 with: repo_secrets: | GRAFANA_ACCESS_POLICY_TOKEN=grafana_cloud_access_policy_token:value @@ -38,11 +38,11 @@ jobs: with: plugin_version_number: ${{ github.ref_name }} - name: Authenticate with GCS - uses: google-github-actions/auth@v2 + uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f #v2.1.7 with: credentials_json: ${{ env.GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON }} - name: Publish plugin artifact to GCS - uses: google-github-actions/upload-cloud-storage@v2 + uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 #v2.2.1 with: path: grafana-plugin/${{ steps.build-sign-and-package-plugin.outputs.artifact_filename }} destination: grafana-oncall-app/releases 
@@ -88,7 +88,7 @@ jobs: echo version="${GITHUB_REF_NAME:1}" >> $GITHUB_OUTPUT - name: Update oncall Helm chart Chart.yaml id: update-helm-chart-pr - uses: fjogeleit/yaml-update-action@v0.12.3 + uses: fjogeleit/yaml-update-action@d98ee6a10a971effea75480e3f315e4dacc89a23 #v0.12.3 with: valueFile: helm/oncall/Chart.yaml branch: helm-release/${{ steps.prepare-version-tags.outputs.version }} @@ -120,7 +120,7 @@ jobs: contents: read steps: - name: Get Vault secrets - uses: grafana/shared-workflows/actions/get-vault-secrets@main + uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0 with: repo_secrets: | GH_APP_ID=github-app:app-id @@ -134,7 +134,7 @@ jobs: private-key: ${{ env.GH_APP_PRIVATE_KEY }} - name: Merge pull Request - uses: juliangruber/merge-pull-request-action@v1 + uses: juliangruber/merge-pull-request-action@d4773803fdc1d1fd46801ab0c56c135df9075de8 #v1.1.1 with: github-token: ${{ steps.generate-token.outputs.token }} number: ${{ needs.create-helm-release-pr.outputs.helm_release_pr_number }} diff --git a/.github/workflows/publish-technical-documentation-next.yml b/.github/workflows/publish-technical-documentation-next.yml index 53a5b7a7..919614e5 100644 --- a/.github/workflows/publish-technical-documentation-next.yml +++ b/.github/workflows/publish-technical-documentation-next.yml @@ -16,6 +16,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 + - uses: grafana/writers-toolkit/publish-technical-documentation@39cdc38767184996e25d611923f8ce697e33bc70 #publish-technical-documentation/v1.2.0 with: website_directory: content/docs/oncall/next diff --git a/.github/workflows/publish-technical-documentation-release.yml b/.github/workflows/publish-technical-documentation-release.yml index e91b642a..e5100aac 100644 --- a/.github/workflows/publish-technical-documentation-release.yml 
+++ b/.github/workflows/publish-technical-documentation-release.yml @@ -20,7 +20,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2 + - uses: grafana/writers-toolkit/publish-technical-documentation-release@8cc658b604c6e05c275af30163a1c7728dfe19b2 #publish-technical-documentation-release/v2.2.4 with: release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$" release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$" diff --git a/.github/workflows/snyk-security-scan.yml b/.github/workflows/snyk-security-scan.yml index 0ecedc75..be970b65 100644 --- a/.github/workflows/snyk-security-scan.yml +++ b/.github/workflows/snyk-security-scan.yml @@ -24,12 +24,12 @@ jobs: - name: Install frontend dependencies uses: ./.github/actions/install-frontend-dependencies - name: Get Vault secrets - uses: grafana/shared-workflows/actions/get-vault-secrets@main + uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0 with: common_secrets: | SNYK_TOKEN=snyk_scan_github_action:token - name: Install Snyk - uses: snyk/actions/setup@master + uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf #v0.4.0 # NOTE: on the snyk monitor and snyk test commands, we are excluding the dev and tools directories # because we can't install the requirements.txt files of these directories alongside the main engine # requirements.txt (some conflicting dep versions). If we realllly wanted to test these, we should do it diff --git a/.github/workflows/update-make-docs.yml b/.github/workflows/update-make-docs.yml index bde39d31..849da751 100644 --- a/.github/workflows/update-make-docs.yml +++ b/.github/workflows/update-make-docs.yml 
@@ -10,6 +10,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1 + - uses: grafana/writers-toolkit/update-make-docs@f65819d6a412b752c0e0263375215f049507b0e6 #update-make-docs/v1.3.0 with: pr_options: --label "release:ignore"