GHA pinning updates (#18093)

Trusted Supply Chain Component Registry (TSCCR) enforcement starts Monday and an internal report shows our semgrep action is pinned to a version that's not currently permitted. Update all the action versions to whatever's the new hotness to maximum the time-to-live on these until we have automated pinning setup. Also version bumps our chromedriver action, which randomly broke upstream today.
2023-07-28 11:49:57 -04:00 · 2023-07-28 11:49:57 -04:00 · bebed09677
parent 34ac0e5aad
commit bebed09677
13 changed files with 41 additions and 42 deletions
--- a/.github/actions/setup-js/action.yml
+++ b/.github/actions/setup-js/action.yml
@ -26,7 +26,7 @@ runs:
    # enforce node version (self-hosted default is not necessarily what we want)
    # after yarn, so we can use yarn for cache.
    - name: Setup node
-      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
+      uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
      with:
        node-version: ${{ inputs.node-version }}
        cache: yarn
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@ -10,6 +10,6 @@ jobs:
  actionlint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: "Check workflow files"
        uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint:latest
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -38,13 +38,13 @@ jobs:
    if: always() && needs.backport.result == 'failure'
    runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }}
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: ./.github/actions/vault-secrets
        with:
          paths: |-
            kv/data/teams/nomad/slack-webhooks feed-nomad | SLACK_FEED_NOMAD ;
      - name: Send slack notification on failure
-        uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
+        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -28,7 +28,7 @@ jobs:
    outputs:
      go-version: ${{ steps.get-go-version.outputs.go-version }}
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ github.event.inputs.build-ref }}
      - name: Determine Go version
@ -43,7 +43,7 @@ jobs:
    outputs:
      product-version: ${{ steps.get-product-version.outputs.product-version }}
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ github.event.inputs.build-ref }}
      - name: get product version
@ -58,7 +58,7 @@ jobs:
      filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
    steps:
      - name: "Checkout directory"
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ github.event.inputs.build-ref }}
      - name: Generate metadata file
@ -86,11 +86,11 @@ jobs:
    name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build

    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ github.event.inputs.build-ref }}
      - name: Setup go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version: ${{ needs.get-go-version.outputs.go-version }}

@ -98,7 +98,7 @@ jobs:
        run: make deps

      - name: Setup node and yarn
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
        with:
          node-version: "18"
          cache-dependency-path: "ui/yarn.lock"
@ -138,11 +138,11 @@ jobs:
    name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build

    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ github.event.inputs.build-ref }}
      - name: Setup go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version: ${{ needs.get-go-version.outputs.go-version }}

@ -150,7 +150,7 @@ jobs:
        run: make deps

      - name: Setup node and yarn
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
        with:
          node-version: "18"
          cache-dependency-path: "ui/yarn.lock"
@ -243,7 +243,7 @@ jobs:
    name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build

    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ github.event.inputs.build-ref }}

@ -256,7 +256,7 @@ jobs:
        run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'

      - name: Setup go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version: ${{ needs.get-go-version.outputs.go-version }}

@ -264,7 +264,7 @@ jobs:
        run: make deps

      - name: Setup node and yarn
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
        with:
          node-version: "18"
          cache-dependency-path: "ui/yarn.lock"
@ -305,7 +305,7 @@ jobs:
      version: ${{needs.get-product-version.outputs.product-version}}
      revision: ${{github.sha}}
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Set revision
        if: "${{ github.event.inputs.build-ref != '' }}"
        run: |
@ -347,7 +347,7 @@ jobs:
        goos: [linux]
        goarch: [amd64]
    steps:
-      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version: ${{needs.get-go-version.outputs.go-version}}
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@ -24,7 +24,7 @@ jobs:
    runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux", "disk_gb=255"]') || 'ubuntu-22.04' }}
    timeout-minutes: 15
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          fetch-depth: 0 # needs tags for checkproto
      - uses: ./.github/actions/vault-secrets
--- a/.github/workflows/ember-test-audit.yml
+++ b/.github/workflows/ember-test-audit.yml
@ -15,12 +15,12 @@ jobs:
  time-base:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ github.event.pull_request.base.sha }}
-      - uses: nanasess/setup-chromedriver@95301782a076fbe8c9ecf54395a4689f7b195285 # v2.0.0
+      - uses: nanasess/setup-chromedriver@6fb8f5ffa6b7dc11e631ff695fbd2fec0b04bb52 # v2.1.1
      - name: Use Node.js
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
        with:
          node-version: '18'
      - run: yarn --frozen-lockfile
@ -34,10 +34,10 @@ jobs:
  time-pr:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      - uses: nanasess/setup-chromedriver@95301782a076fbe8c9ecf54395a4689f7b195285 # v2.0.0
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: nanasess/setup-chromedriver@6fb8f5ffa6b7dc11e631ff695fbd2fec0b04bb52 # v2.1.1
      - name: Use Node.js
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
        with:
          node-version: '18'
      - run: yarn --frozen-lockfile
@ -85,4 +85,3 @@ jobs:
 permissions:
  contents: read
  pull-requests: write
-
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@ -8,7 +8,7 @@ jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@c1b35aecc5cdb1a34539d14196df55838bb2f836 # v4.0.0
+      - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4.0.1
        with:
          github-token: ${{ github.token }}
          issue-lock-comment: >
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -52,7 +52,7 @@ jobs:
            echo "::error::Version ${{ github.event.inputs.version }} is invalid"
            exit 1
          fi
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: ./.github/actions/vault-secrets
        with:
          paths: |-
@ -74,12 +74,12 @@ jobs:
          echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"

      - name: Setup go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version: ${{ steps.get-go-version.outputs.go-version }}

      - name: Setup node and yarn
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
        with:
          node-version: "18"
          cache-dependency-path: "ui/yarn.lock"
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -14,8 +14,8 @@ jobs:
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      - uses: returntocorp/semgrep-action@8689a93eca50c91f8e8cfa61e3c4fb7e96d12bf2 # v1
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: returntocorp/semgrep-action@245bf11ddb2f3d4e35f116608cf6e27ae0f9aa04 # v1
 permissions:
  contents: read

--- a/.github/workflows/test-core.yaml
+++ b/.github/workflows/test-core.yaml
@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-22.04' }}
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: ./.github/actions/vault-secrets
        with:
          paths: |-
@ -77,7 +77,7 @@ jobs:
    runs-on: ${{matrix.os}}
    timeout-minutes: 20
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: hashicorp/setup-golang@v1
      - name: Run make dev
        run: |
@ -88,7 +88,7 @@ jobs:
    runs-on: [custom, xl, 22.04]
    timeout-minutes: 8
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: hashicorp/setup-golang@v1
      - name: Run API tests
        env:
@ -112,7 +112,7 @@ jobs:
          - drivers
          - quick
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: hashicorp/setup-golang@v1
      - name: Run Matrix Tests
        env:
--- a/.github/workflows/test-e2e.yml
+++ b/.github/workflows/test-e2e.yml
@ -38,7 +38,7 @@ jobs:
  test-e2e:
    runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }}
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: ./.github/actions/vault-secrets
        with:
          paths: |-
--- a/.github/workflows/test-ui.yml
+++ b/.github/workflows/test-ui.yml
@ -45,7 +45,7 @@ jobs:
    outputs:
      nonce: ${{ steps.nonce.outputs.nonce }}
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: ./.github/actions/setup-js
      - name: lint:js
        run: yarn run lint:js
@ -69,7 +69,7 @@ jobs:
        partition: [1, 2, 3, 4]
        split: [4]
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: ./.github/actions/setup-js
      - uses: browser-actions/setup-chrome@c485fa3bab6be59dce18dbc18ef6ab7cbc8ff5f1 # v1.2.0
      - uses: ./.github/actions/vault-secrets
@ -92,7 +92,7 @@ jobs:
      run:
        working-directory: ui
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: ./.github/actions/setup-js
      - uses: ./.github/actions/vault-secrets
        with:
--- a/.github/workflows/test-windows.yml
+++ b/.github/workflows/test-windows.yml
@ -50,9 +50,9 @@ jobs:
      - name: Docker Info
        run: docker version
      - run: git config --global core.autocrlf false
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Setup go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version-file: ".go-version"
      - name: Show installed Go version