ci: request vpc quota increase (#20360)

* Fix regions on two service quotas * Request an increase in VPCs per region * Pin github actions workflows Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-05-22 11:18:06 -06:00 · 2023-05-22 11:18:06 -06:00 · 1e752e0cba
parent dc8d2af2d8
commit 1e752e0cba
23 changed files with 76 additions and 76 deletions
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@ -10,6 +10,6 @@ jobs:
  actionlint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - name: "Check workflow files"
        uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint@sha256:93834930f56ca380be3e9a3377670d7aa5921be251b9c774891a39b3629b83b8
--- a/.github/workflows/build-vault-oss.yml
+++ b/.github/workflows/build-vault-oss.yml
@ -40,12 +40,12 @@ jobs:
    runs-on: ubuntu-latest
    name: Vault ${{ inputs.goos }} ${{ inputs.goarch }} v${{ inputs.vault-version }}
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version: ${{ inputs.go-version }}
      - name: Set up node and yarn
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          node-version-file: './ui/package.json'
          cache: yarn
@ -68,7 +68,7 @@ jobs:
        env:
          BUNDLE_PATH: out/${{ env.ARTIFACT_BASENAME }}.zip
        run: make ci-bundle
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: ${{ env.ARTIFACT_BASENAME }}.zip
          path: out/${{ env.ARTIFACT_BASENAME }}.zip
@ -96,13 +96,13 @@ jobs:
          echo "RPM_PACKAGE=$(basename out/*.rpm)" >> "$GITHUB_ENV"
          echo "DEB_PACKAGE=$(basename out/*.deb)" >> "$GITHUB_ENV"
      - if: ${{ inputs.create-packages }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: ${{ env.RPM_PACKAGE }}
          path: out/${{ env.RPM_PACKAGE }}
          if-no-files-found: error
      - if: ${{ inputs.create-packages }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: ${{ env.DEB_PACKAGE }}
          path: out/${{ env.DEB_PACKAGE }}
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -22,7 +22,7 @@ jobs:
    outputs:
      is_docs_change: ${{ steps.get-changeddir.outputs.is_docs_change }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0 # Use fetch depth 0 for comparing changes to base branch
@ -51,7 +51,7 @@ jobs:
      vault-version: ${{ steps.get-metadata.outputs.vault-version }}
      vault-base-version: ${{ steps.get-metadata.outputs.vault-base-version }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - name: Get metadata
        id: get-metadata
        env:
@ -73,7 +73,7 @@ jobs:
        with:
          version: ${{ steps.get-metadata.outputs.vault-version }}
          product: ${{ steps.get-metadata.outputs.package-name }}
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: metadata.json
          path: ${{ steps.generate-metadata-file.outputs.filepath }}
@ -152,7 +152,7 @@ jobs:
      matrix:
        arch: [arm, arm64, 386, amd64]
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - uses: hashicorp/actions-docker-build@v1
        with:
          version: ${{ needs.product-metadata.outputs.vault-version }}
@ -173,7 +173,7 @@ jobs:
      matrix:
        arch: [amd64]
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - uses: hashicorp/actions-docker-build@v1
        with:
          version: ${{ needs.product-metadata.outputs.vault-version }}
--- a/.github/workflows/changelog-checker.yml
+++ b/.github/workflows/changelog-checker.yml
@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0 # by default the checkout action doesn't checkout all branches
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -54,7 +54,7 @@ jobs:
    container:
      image: returntocorp/semgrep@sha256:ffc6f3567654f9431456d49fd059dfe548f007c494a7eb6cd5a1a3e50d813fb3
    steps:
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
    - name: Run Semgrep Rules
      id: semgrep
      run: semgrep ci --include '*.go' --config 'tools/semgrep/ci'
@ -72,8 +72,8 @@ jobs:
    - setup
    runs-on: ${{ fromJSON(needs.setup.outputs.compute-tiny) }}
    steps:
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
-    - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+    - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
      with:
        go-version-file: ./.go-version
        cache: true
@ -92,7 +92,7 @@ jobs:
    if: ${{ needs.setup.outputs.enterprise != '' && github.base_ref != '' }}
    runs-on: ${{ fromJSON(needs.setup.outputs.compute-tiny) }}
    steps:
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      with:
        fetch-depth: 0
    - id: determine-branch
@ -209,20 +209,20 @@ jobs:
      contents: read
    runs-on: ${{ fromJSON(needs.setup.outputs.compute-larger) }}
    steps:
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
-    - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+    - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
      with:
        go-version-file: ./.go-version
        cache: true
    # Setup node.js without caching to allow running npm install -g yarn (next step)
-    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
      with:
        node-version-file: './ui/package.json'
    - id: install-yarn
      run: |
        npm install -g yarn
    # Setup node.js with caching using the yarn.lock file
-    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
      with:
        node-version-file: './ui/package.json'
        cache: yarn
@ -230,7 +230,7 @@ jobs:
    - id: install-browser-libraries
      run: sudo apt install -y libnss3-dev libgdk-pixbuf2.0-dev libgtk-3-dev libxss-dev libasound2
    - id: install-browser
-      uses: browser-actions/setup-chrome@29abc1a83d1d71557708563b4bc962d0f983a376
+      uses: browser-actions/setup-chrome@c485fa3bab6be59dce18dbc18ef6ab7cbc8ff5f1 # v1.2.0
    - id: ui-dependencies
      name: ui-dependencies
      working-directory: ./ui
@ -281,12 +281,12 @@ jobs:
        cd ui
        mkdir -p test-results/qunit
        yarn test:oss
-    - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+    - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      with:
        name: test-results-ui
        path: ui/test-results
      if: always()
-    - uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f
+    - uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f # TSCCR: no entry for repository "test-summary/action"
      with:
        paths: "ui/test-results/qunit/results.xml"
        show: "fail"
--- a/.github/workflows/drepecated-functions-checker.yml
+++ b/.github/workflows/drepecated-functions-checker.yml
@ -12,11 +12,11 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          fetch-depth: 0 # by default the checkout action doesn't checkout all branches
      - name: Setup Go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 #v4
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version-file: ./.go-version
          cache: true
--- a/.github/workflows/enos-fmt.yml
+++ b/.github/workflows/enos-fmt.yml
@ -15,7 +15,7 @@ jobs:
    env:
      GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - uses: hashicorp/setup-terraform@v2
        with:
          terraform_wrapper: false
--- a/.github/workflows/enos-release-testing-oss.yml
+++ b/.github/workflows/enos-release-testing-oss.yml
@ -15,7 +15,7 @@ jobs:
      vault-revision: ${{ steps.get-metadata.outputs.vault-revision }}
      vault-version: ${{ steps.get-metadata.outputs.vault-version }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          # Check out the repository at the same Git SHA that was used to create
          # the artifacts to get the correct metadata.
--- a/.github/workflows/enos-run-k8s.yml
+++ b/.github/workflows/enos-run-k8s.yml
@ -31,7 +31,7 @@ jobs:
      GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v2
        with:
@ -44,7 +44,7 @@ jobs:
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
      - name: Download Docker Image
        id: download
-        uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: ${{ inputs.artifact-name }}
          path: ./enos/support/downloads
--- a/.github/workflows/godoc-test-checker.yml
+++ b/.github/workflows/godoc-test-checker.yml
@ -11,11 +11,11 @@ jobs:
  godoc-test-check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          fetch-depth: 0
      - name: Set Up Go
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          cache: true
          go-version-file: ./.go-version
--- a/.github/workflows/milestone-checker.yml
+++ b/.github/workflows/milestone-checker.yml
@ -21,7 +21,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Actions
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          repository: "grafana/grafana-github-actions"
          path: ./actions
--- a/.github/workflows/oss.yml
+++ b/.github/workflows/oss.yml
@ -19,9 +19,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - if: github.event.pull_request != null
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - if: github.event.pull_request != null
-        uses: dorny/paths-filter@v2
+        uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
        id: changes
        with:
          # derived from CODEOWNERS
@ -68,7 +68,7 @@ jobs:
      - if: github.event.pull_request != null && steps.changes.outputs.ui == 'true'
        run: echo "PROJECT=171" >> "$GITHUB_ENV"

-      - uses: actions/add-to-project@v0.3.0
+      - uses: actions/add-to-project@v0.3.0 # TSCCR: no entry for repository "actions/add-to-project"
        with:
          project-url: https://github.com/orgs/hashicorp/projects/${{ env.PROJECT }}
          github-token: ${{ secrets.TRIAGE_GITHUB_TOKEN }}
--- a/.github/workflows/remove-labels.yml
+++ b/.github/workflows/remove-labels.yml
@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Remove triaging labels from closed issues and PRs
-        uses: actions-ecosystem/action-remove-labels@v1
+        uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
        with:
          labels: |
            waiting-for-response
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@ -13,20 +13,20 @@ jobs:
    runs-on: ['linux', 'large']
    if: ${{ github.actor != 'dependabot[bot]' || github.actor != 'hc-github-team-secure-vault-core' }}
    steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

    - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
      with:
        go-version: 1.18

    - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0
      with:
        python-version: 3.x

    - name: Clone Security Scanner repo
-      uses: actions/checkout@v3
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      with:
        repository: hashicorp/security-scanner
        token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
@ -77,6 +77,6 @@ jobs:
        cat results.sarif

    - name: Upload SARIF file
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@9a866ed4524fc3422c3af1e446dab8efa3503411 # codeql-bundle-20230418
      with:
        sarif_file: results.sarif
--- a/.github/workflows/setup-go-cache.yml
+++ b/.github/workflows/setup-go-cache.yml
@ -8,10 +8,10 @@ jobs:
  setup-go-cache:
    runs-on: ${{ fromJSON(inputs.runs-on) }}
    steps:
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c #v3.3.0 as of 2023-01-18
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
    - id: setup-go
      name: Setup go
-      uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 #v3.4.0 as of 2022-12-07
+      uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
      with:
        go-version-file: ./.go-version
        cache: true
--- a/.github/workflows/stable-website.yaml
+++ b/.github/workflows/stable-website.yaml
@ -10,7 +10,7 @@ jobs:
    name: Cherry pick to stable-website branch
    steps:
    - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      with:
        ref: stable-website
    - run: |
--- a/.github/workflows/test-ci-bootstrap.yml
+++ b/.github/workflows/test-ci-bootstrap.yml
@ -24,11 +24,11 @@ jobs:
      TF_VAR_aws_ssh_public_key: ${{ secrets.SSH_KEY_PUBLIC_CI }}
      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v2
      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
--- a/.github/workflows/test-ci-cleanup.yml
+++ b/.github/workflows/test-ci-cleanup.yml
@ -11,7 +11,7 @@ jobs:
      regions: ${{steps.setup.outputs.regions}}
    steps:
      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
@ -40,7 +40,7 @@ jobs:
    steps:
      - name: Configure AWS credentials
        id: aws-configure
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
@ -49,7 +49,7 @@ jobs:
          role-skip-session-tagging: true
          role-duration-seconds: 3600
          mask-aws-account-id: false
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - name: Configure
        run: |
          cp enos/ci/aws-nuke.yml .
@ -75,7 +75,7 @@ jobs:
        region: ${{ fromJSON(needs.setup.outputs.regions) }}
    steps:
      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
--- a/.github/workflows/test-enos-scenario-ui.yml
+++ b/.github/workflows/test-enos-scenario-ui.yml
@ -35,7 +35,7 @@ jobs:
      runs-on: ${{ steps.get-metadata.outputs.runs-on }}
      vault_edition: ${{ steps.get-metadata.outputs.vault_edition }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - id: get-metadata
        env:
          IS_ENT: ${{ startsWith(github.event.repository.name, 'vault-enterprise' ) }}
@ -67,9 +67,9 @@ jobs:
      GOPRIVATE: github.com/hashicorp
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - name: Set Up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version-file: ./.go-version
      - uses: hashicorp/action-setup-enos@v1
@ -78,7 +78,7 @@ jobs:
      - name: Set Up Git
        run: git config --global url."https://${{ secrets.elevated_github_token }}:@github.com".insteadOf "https://github.com"
      - name: Set Up Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          node-version-file: './ui/package.json'
      - name: Set Up Terraform
@ -104,12 +104,12 @@ jobs:
          sudo apt install -y libnss3-dev libgdk-pixbuf2.0-dev libgtk-3-dev libxss-dev libasound2
      - name: Install Chrome
        if: steps.chrome-check.outputs.chrome-version == 'not-installed'
-        uses: browser-actions/setup-chrome@v1
+        uses: browser-actions/setup-chrome@c485fa3bab6be59dce18dbc18ef6ab7cbc8ff5f1 # v1.2.0
      - name: Installed Chrome Version
        run: |
          echo "Installed Chrome Version = [$(chrome --version 2> /dev/null || google-chrome --version 2> /dev/null || google-chrome-stable --version 2> /dev/null)]"
      - name: Configure AWS credentials from Test account
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
--- a/.github/workflows/test-go.yml
+++ b/.github/workflows/test-go.yml
@ -40,7 +40,7 @@ jobs:
    runs-on: ${{ fromJSON(inputs.runs-on) }}
    name: Verify Test Package Distribution
    steps:
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
    - id: test
      working-directory: .github/scripts
      run: |
@ -80,8 +80,8 @@ jobs:
      GOPRIVATE: github.com/hashicorp/*
      TIMEOUT_IN_MINUTES: 60
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
-      - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version-file: ./.go-version
          cache: true
@ -205,13 +205,13 @@ jobs:
          datadog-ci junit upload --service "$GITHUB_REPOSITORY" test-results/go-test/results.xml
        if: always()
      - name: Archive test results
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: test-results-${{ matrix.runner-index }}
          path: test-results/
        if: always()
      - name: Create a summary of tests
-        uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f
+        uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f # TSCCR: no entry for repository "test-summary/action"
        with:
          paths: "test-results/go-test/results.xml"
          show: "fail"
--- a/.github/workflows/test-run-acc-tests-for-path.yml
+++ b/.github/workflows/test-run-acc-tests-for-path.yml
@ -20,13 +20,13 @@ jobs:
  go-test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - name: Set Up Go
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version-file: ./.go-version
      - run: go test -v ./${{ inputs.path }}/... 2>&1 | tee ${{ inputs.name }}.txt
-      - uses: actions/upload-artifact@b7f8abb1508181956e8e162db84b466c27e18ce
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: ${{ inputs.name }}-output
          path: ${{ inputs.name }}.txt
--- a/.github/workflows/test-run-enos-scenario-matrix.yml
+++ b/.github/workflows/test-run-enos-scenario-matrix.yml
@ -72,7 +72,7 @@ jobs:
      MATRIX_FILE: ./.github/enos-run-matrices/${{ inputs.matrix-file-name }}.json
      MATRIX_TEST_GROUP: ${{ inputs.matrix-test-group }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          ref: ${{ inputs.vault-revision }}
      - id: metadata
@ -106,13 +106,13 @@ jobs:
      ENOS_VAR_vault_license_path: ./support/vault.hclic
      ENOS_DEBUG_DATA_ROOT_DIR: /tmp/enos-debug-data
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - uses: hashicorp/setup-terraform@v2
        with:
          # the Terraform wrapper will break Terraform execution in Enos because
          # it changes the output to text when we expect it to be JSON.
          terraform_wrapper: false
-      - uses: aws-actions/configure-aws-credentials@v1-node16
+      - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
@ -131,7 +131,7 @@ jobs:
          chmod 600 "./enos/support/private_key.pem"
          echo "debug_data_artifact_name=enos-debug-data_$(echo "${{ matrix.scenario }}" | sed -e 's/ /_/g' | sed -e 's/:/=/g')" >> "$GITHUB_OUTPUT"
      - if: contains(inputs.matrix-file-name, 'github')
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: ${{ inputs.build-artifact-name }}
          path: ./enos/support/downloads
@ -150,7 +150,7 @@ jobs:
        run: enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }}
      - name: Upload Debug Data
        if: failure()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          # The name of the artifact is the same as the matrix scenario name with the spaces replaced with underscores and colons replaced by equals.
          name: ${{ steps.prepare_scenario.outputs.debug_data_artifact_name }}
--- a/enos/ci/service-user-iam/service-quotas.tf
+++ b/enos/ci/service-user-iam/service-quotas.tf
@ -9,35 +9,35 @@ locals {
 }

 resource "aws_servicequotas_service_quota" "vpcs_per_region_us_east_1" {
-  provider     = aws.us_east_2
+  provider     = aws.us_east_1
  quota_code   = local.subnets_per_vpcs_quota
  service_code = "vpc"
-  value        = 50
+  value        = 100
 }

 resource "aws_servicequotas_service_quota" "vpcs_per_region_us_east_2" {
  provider     = aws.us_east_2
  quota_code   = local.subnets_per_vpcs_quota
  service_code = "vpc"
-  value        = 50
+  value        = 100
 }

 resource "aws_servicequotas_service_quota" "vpcs_per_region_us_west_1" {
  provider     = aws.us_west_1
  quota_code   = local.subnets_per_vpcs_quota
  service_code = "vpc"
-  value        = 50
+  value        = 100
 }

 resource "aws_servicequotas_service_quota" "vpcs_per_region_us_west_2" {
  provider     = aws.us_west_2
  quota_code   = local.subnets_per_vpcs_quota
  service_code = "vpc"
-  value        = 50
+  value        = 100
 }

 resource "aws_servicequotas_service_quota" "spot_requests_per_region_us_east_1" {
-  provider     = aws.us_east_2
+  provider     = aws.us_east_1
  quota_code   = local.standard_spot_instance_requests_quota
  service_code = "ec2"
  value        = 640