[#255] Pin GitHub Action versions

Previously versions were using tags. By pinning them to SHAs, it ensures the versions cannot be changed. Also note that I used the latest release, so many of the actions received a version bump as part of this change.
2022-03-07 12:33:15 -05:00 · 2022-03-07 12:33:15 -05:00 · ca68fcf9ae
parent 85f2154657
commit ca68fcf9ae
4 changed files with 28 additions and 27 deletions
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -8,7 +8,7 @@ runs:
      run: |
        echo "home=${HOME}" >> "$GITHUB_ENV"
    - name: Set up Java
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@f69f00b5e5324696b07f6b1c92f0470a6df00780
      with:
        distribution: 'zulu'
        java-version: 17
@ -20,13 +20,13 @@ runs:
        echo "org.gradle.daemon=false" >> ~/.gradle/gradle.properties
    - name: Gradle Wrapper Cache
      id: gradle-wrapper-cache
-      uses: actions/cache@v2.1.7
+      uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
      with:
        path: ~/.gradle/wrapper
        key: ${{ runner.os }}-gradle-wrapper-${{ hashFiles(format('{0}{1}', github.workspace, '/gradle/wrapper/gradle-wrapper.properties')) }}
    - name: Gradle Dependency Cache
      id: gradle-dependency-cache
-      uses: actions/cache@v2.1.7
+      uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
      with:
        path: ~/.gradle/caches/modules-2
        key: ${{ runner.os }}-gradle-deps-${{ hashFiles(format('{0}{1}', github.workspace, '/gradle.properties')) }}
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@ -31,12 +31,12 @@ jobs:
    steps:
      - name: Checkout
        timeout-minutes: 1
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      # Gradle Wrapper validation can be flaky
      # https://github.com/gradle/wrapper-validation-action/issues/40
      - name: Gradle Wrapper Validation
        timeout-minutes: 1
-        uses: gradle/wrapper-validation-action@v1.0.4
+        uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b

  check_secrets:
    environment: deployment
@ -65,14 +65,14 @@ jobs:
    steps:
      - name: Checkout
        timeout-minutes: 1
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      - name: Setup
        id: setup
        timeout-minutes: 8
        uses: ./.github/actions/setup
      - name: Authenticate to Google Cloud for Google Play
        id: auth_google_play
-        uses: google-github-actions/auth@v0.5.0
+        uses: google-github-actions/auth@8d125895b958610ec414ca4dae010257eaa814d3
        with:
          create_credentials_file: true
          project_id: ${{ secrets.GOOGLE_PLAY_CLOUD_PROJECT }}
@ -109,7 +109,7 @@ jobs:
          zip -r ${BINARIES_ZIP_PATH} . -i *app/build/outputs/apk/*/release/*.apk *app/build/outputs/bundle/*/release/*.aab
          zip -r ${MAPPINGS_ZIP_PATH} . -i *app/build/outputs/mapping/*/mapping.txt
      - name: Upload Artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
        timeout-minutes: 1
        with:
          name: Release binaries
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@ -22,12 +22,12 @@ jobs:
    steps:
      - name: Checkout
        timeout-minutes: 1
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      # Gradle Wrapper validation can be flaky
      # https://github.com/gradle/wrapper-validation-action/issues/40
      - name: Gradle Wrapper Validation
        timeout-minutes: 1
-        uses: gradle/wrapper-validation-action@v1.0.4
+        uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b

  prime_cache:
    needs: validate_gradle_wrapper
@ -37,7 +37,7 @@ jobs:
    steps:
      - name: Checkout
        timeout-minutes: 1
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      - name: Setup
        id: setup
        timeout-minutes: 8
@ -64,7 +64,7 @@ jobs:
    steps:
      - name: Checkout
        timeout-minutes: 1
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      - name: Setup
        id: setup
        timeout-minutes: 5
@ -85,7 +85,7 @@ jobs:
          zip -r ${REPORTS_ZIP_PATH} . -i build/reports/detekt/*
      - name: Upload Artifacts
        if: ${{ always() }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
        timeout-minutes: 1
        with:
          name: Detekt static analysis results
@ -99,7 +99,7 @@ jobs:
    steps:
      - name: Checkout
        timeout-minutes: 1
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      - name: Setup
        id: setup
        timeout-minutes: 5
@ -120,7 +120,7 @@ jobs:
          zip -r ${REPORTS_ZIP_PATH} . -i build/reports/ktlint/*
      - name: Upload Artifacts
        if: ${{ always() }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
        timeout-minutes: 1
        with:
          name: Ktlint static analysis results
@ -134,7 +134,7 @@ jobs:
    steps:
      - name: Checkout
        timeout-minutes: 1
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      - name: Setup
        id: setup
        timeout-minutes: 5
@ -155,7 +155,7 @@ jobs:
          mkdir ${ARTIFACTS_DIR_PATH}
          zip -r ${LINT_ZIP_PATH} . -i *build/reports/*
      - name: Upload Artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
        timeout-minutes: 1
        with:
          name: Android Lint static analysis results
@ -169,7 +169,7 @@ jobs:
    steps:
      - name: Checkout
        timeout-minutes: 1
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      - name: Setup
        id: setup
        timeout-minutes: 5
@ -188,7 +188,7 @@ jobs:
          mkdir ${ARTIFACTS_DIR_PATH}
          zip -r ${RESULTS_ZIP_PATH} . -i *build/reports/*
      - name: Upload Artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
        timeout-minutes: 1
        with:
          name: Test Kotlin modules results
@ -204,7 +204,7 @@ jobs:
    steps:
      - name: Checkout
        timeout-minutes: 1
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      - name: Setup
        id: setup
        timeout-minutes: 5
@ -215,7 +215,7 @@ jobs:
          ./gradlew assembleDebug assembleAndroidTest
      - name: Authenticate to Google Cloud for Firebase Test Lab
        id: auth_test_lab
-        uses: google-github-actions/auth@v0.5.0
+        uses: google-github-actions/auth@8d125895b958610ec414ca4dae010257eaa814d3
        with:
          create_credentials_file: true
          project_id: ${{ secrets.FIREBASE_TEST_LAB_PROJECT }}
@ -241,7 +241,7 @@ jobs:

          zip -r ${TEST_RESULTS_ZIP_PATH} . -i *build/outputs/androidTest-results/*
      - name: Upload Artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
        timeout-minutes: 1
        with:
          name: Test Android modules results
@ -255,7 +255,7 @@ jobs:
    steps:
      - name: Checkout
        timeout-minutes: 1
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      - name: Setup
        id: setup
        timeout-minutes: 5
@ -287,7 +287,7 @@ jobs:
          zip -r ${BINARIES_ZIP_PATH} . -i *app/build/outputs/apk/*/release/*.apk *app/build/outputs/bundle/*/release/*.aab
          zip -r ${MAPPINGS_ZIP_PATH} . -i *app/build/outputs/mapping/*/mapping.txt
      - name: Upload Artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
        timeout-minutes: 1
        with:
          name: Release binaries
@ -306,14 +306,14 @@ jobs:
    steps:
      - name: Checkout
        timeout-minutes: 1
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      - name: Setup
        id: setup
        timeout-minutes: 5
        uses: ./.github/actions/setup
      - name: Authenticate to Google Cloud for Firebase Test Lab
        id: auth_test_lab
-        uses: google-github-actions/auth@v0.5.0
+        uses: google-github-actions/auth@8d125895b958610ec414ca4dae010257eaa814d3
        with:
          create_credentials_file: true
          project_id: ${{ secrets.FIREBASE_TEST_LAB_PROJECT }}
@ -321,7 +321,7 @@ jobs:
          workload_identity_provider: ${{ secrets.FIREBASE_TEST_LAB_WORKLOAD_IDENTITY_PROVIDER }}
          access_token_lifetime: '900s'
      - name: Download a single artifact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
        with:
          name: Release binaries
      - name: Robo test
--- a/integrity.md
+++ b/integrity.md
@ -3,6 +3,7 @@ Multiple tools can be put in place to enhance build integrity and reduce the ris
 * Policy — We try to minimize third party dependencies, especially when they are not provided by Google and JetBrains. We also try to minimize the number of Gradle plugins.
 * Checklists — Our [pull request checklist](../.github/pull_request_template.md) specifies only running code from contributors after reviewing the changes first. Our [dependency update checklist](../.github/ISSUE_TEMPLATE/dependency.md) specifies verifying lock file changes during dependency updates.
 * Fixed dependency versions — For our dependency declarations, we use exact dependency versions in gradle.properties instead of version ranges.
+ * GitHub Actions versions use SHA instead of tags
 * Dependency locking
     * Gradle buildscript (e.g. plugins) dependencies are locked
     * Kotlin Multiplatform modules have dependency locking enabled