[Github] Hash Pin Actions in Most Workflows #129486
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This patch haspins all actions in most of the LLVM Github workflows. This is something we try to do, but no one has gone through and combed through all of the workflows before this patch. Notably, this patch does not bump any major versions of actions just in case there are subtle breaking changes introduced between versions that could impact us. Also, this patch omits the libc/libc++ workflows so that they can be split into separate PRs for the respective subproject maintainers to review.
|
@llvm/pr-subscribers-github-workflow Author: Aiden Grossman (boomanaiden154) ChangesThis patch haspins all actions in most of the LLVM Github workflows. This is something we try to do, but no one has gone through and combed through all of the workflows before this patch. Notably, this patch does not bump any major versions of actions just in case there are subtle breaking changes introduced between versions that could impact us. Also, this patch omits the libc/libc++ workflows so that they can be split into separate PRs for the respective subproject maintainers to review. Full diff: https://github.com/llvm/llvm-project/pull/129486.diff 21 Files Affected:
diff --git a/.github/workflows/build-metrics-container.yml b/.github/workflows/build-metrics-container.yml
index 751ab679411dc..7924779fc3f8d 100644
--- a/.github/workflows/build-metrics-container.yml
+++ b/.github/workflows/build-metrics-container.yml
@@ -27,7 +27,7 @@ jobs:
container-filename: ${{ steps.vars.outputs.container-filename }}
steps:
- name: Checkout LLVM
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .ci/metrics/
- name: Write Variables
@@ -49,7 +49,7 @@ jobs:
run: |
podman save ${{ steps.vars.outputs.container-name-tag }} > ${{ steps.vars.outputs.container-filename }}
- name: Upload Container Image
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: container
path: ${{ steps.vars.outputs.container-filename }}
@@ -66,7 +66,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Download Container
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: container
- name: Push Container
diff --git a/.github/workflows/ci-post-commit-analyzer.yml b/.github/workflows/ci-post-commit-analyzer.yml
index d614dd07b3a49..e0d30b66f66b6 100644
--- a/.github/workflows/ci-post-commit-analyzer.yml
+++ b/.github/workflows/ci-post-commit-analyzer.yml
@@ -44,7 +44,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup ccache
- uses: hendrikmuhs/ccache-action@v1
+ uses: hendrikmuhs/ccache-action@a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
with:
# A full build of llvm, clang, lld, and lldb takes about 250MB
# of ccache space. There's not much reason to have more than this,
diff --git a/.github/workflows/commit-access-review.yml b/.github/workflows/commit-access-review.yml
index f9195a1863dee..5ab0ddd50d241 100644
--- a/.github/workflows/commit-access-review.yml
+++ b/.github/workflows/commit-access-review.yml
@@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Fetch LLVM sources
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install dependencies
run: |
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index b4fa27203236a..3561344bf87c2 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -60,12 +60,12 @@ jobs:
# a local checkout beforehand.
- name: Fetch LLVM sources (Push)
if: ${{ github.event_name == 'push' }}
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 1
- name: Get subprojects that have doc changes
id: docs-changed-subprojects
- uses: tj-actions/changed-files@v39
+ uses: tj-actions/changed-files@fea790cb660e33aef4bdf07304e28fedd77dfa13 # v39.2.4
with:
files_yaml: |
llvm:
@@ -98,11 +98,11 @@ jobs:
- '.github/workflows/docs.yml'
- name: Fetch LLVM sources (PR)
if: ${{ github.event_name == 'pull_request' }}
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 1
- name: Setup Python env
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: '3.11'
cache: 'pip'
@@ -216,7 +216,7 @@ jobs:
mkdir built-docs/flang
cp -r flang-build/docs/* built-docs/flang/
- name: Upload docs
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: docs-output
path: built-docs/
diff --git a/.github/workflows/email-check.yaml b/.github/workflows/email-check.yaml
index 8f32d020975f5..5719203c5f908 100644
--- a/.github/workflows/email-check.yaml
+++ b/.github/workflows/email-check.yaml
@@ -14,7 +14,7 @@ jobs:
if: github.repository == 'llvm/llvm-project'
steps:
- name: Fetch LLVM sources
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/issue-release-workflow.yml b/.github/workflows/issue-release-workflow.yml
index 5027d4f3ea6f1..1582d06a97d3f 100644
--- a/.github/workflows/issue-release-workflow.yml
+++ b/.github/workflows/issue-release-workflow.yml
@@ -42,7 +42,7 @@ jobs:
contains(github.event.action == 'opened' && github.event.issue.body || github.event.comment.body, '/cherry-pick')
steps:
- name: Fetch LLVM sources
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: llvm/llvm-project
# GitHub stores the token used for checkout and uses it for pushes
diff --git a/.github/workflows/issue-subscriber.yml b/.github/workflows/issue-subscriber.yml
index ef4fdf4418193..2fb8ad18eb0ac 100644
--- a/.github/workflows/issue-subscriber.yml
+++ b/.github/workflows/issue-subscriber.yml
@@ -14,7 +14,7 @@ jobs:
if: github.repository == 'llvm/llvm-project'
steps:
- name: Checkout Automation Script
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: llvm/utils/git/
ref: main
diff --git a/.github/workflows/issue-write.yml b/.github/workflows/issue-write.yml
index 5334157a7fd20..712c7d8268239 100644
--- a/.github/workflows/issue-write.yml
+++ b/.github/workflows/issue-write.yml
@@ -25,7 +25,7 @@ jobs:
)
steps:
- name: Fetch Sources
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: |
.github/workflows/unprivileged-download-artifact/action.yml
@@ -39,7 +39,7 @@ jobs:
- name: 'Comment on PR'
if: steps.download-artifact.outputs.artifact-id != ''
- uses: actions/github-script@v3
+ uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3.2.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
diff --git a/.github/workflows/libclang-abi-tests.yml b/.github/workflows/libclang-abi-tests.yml
index 41b3075288d2d..8995d52b9925f 100644
--- a/.github/workflows/libclang-abi-tests.yml
+++ b/.github/workflows/libclang-abi-tests.yml
@@ -38,7 +38,7 @@ jobs:
LLVM_VERSION_PATCH: ${{ steps.version.outputs.patch }}
steps:
- name: Checkout source
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 250
diff --git a/.github/workflows/llvm-bugs.yml b/.github/workflows/llvm-bugs.yml
index c392078fa4525..a54e52456e860 100644
--- a/.github/workflows/llvm-bugs.yml
+++ b/.github/workflows/llvm-bugs.yml
@@ -14,13 +14,13 @@ jobs:
runs-on: ubuntu-latest
if: github.repository == 'llvm/llvm-project'
steps:
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
with:
node-version: 18
check-latest: true
- run: npm install mailgun.js form-data
- name: Send notification
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
env:
MAILGUN_API_KEY: ${{ secrets.LLVM_BUGS_KEY }}
with:
diff --git a/.github/workflows/llvm-project-tests.yml b/.github/workflows/llvm-project-tests.yml
index 4ff84c511250f..d857995d325d0 100644
--- a/.github/workflows/llvm-project-tests.yml
+++ b/.github/workflows/llvm-project-tests.yml
@@ -82,7 +82,7 @@ jobs:
# lldb. Using this setup-python action to make 3.10 the default
# python fixes this.
- name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: ${{ inputs.python_version }}
- name: Install Ninja
@@ -91,11 +91,11 @@ jobs:
# actions/checkout deletes any existing files in the new git directory,
# so this needs to either run before ccache-action or it has to use
# clean: false.
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 250
- name: Setup ccache
- uses: hendrikmuhs/ccache-action@v1
+ uses: hendrikmuhs/ccache-action@a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
with:
# A full build of llvm, clang, lld, and lldb takes about 250MB
# of ccache space. There's not much reason to have more than this,
diff --git a/.github/workflows/llvm-tests.yml b/.github/workflows/llvm-tests.yml
index 9b3d49d4e99b9..2c41368369ce8 100644
--- a/.github/workflows/llvm-tests.yml
+++ b/.github/workflows/llvm-tests.yml
@@ -38,7 +38,7 @@ jobs:
LLVM_VERSION_PATCH: ${{ steps.version.outputs.patch }}
steps:
- name: Checkout source
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 250
diff --git a/.github/workflows/merged-prs.yml b/.github/workflows/merged-prs.yml
index e29afd4097f9f..aa559e4b75a76 100644
--- a/.github/workflows/merged-prs.yml
+++ b/.github/workflows/merged-prs.yml
@@ -21,7 +21,7 @@ jobs:
(github.event.pull_request.merged == true)
steps:
- name: Checkout Automation Script
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: llvm/utils/git/
ref: main
diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
index 88175d6f8d64d..3f042e7616011 100644
--- a/.github/workflows/new-prs.yml
+++ b/.github/workflows/new-prs.yml
@@ -35,7 +35,7 @@ jobs:
(github.event.pull_request.author_association != 'OWNER')
steps:
- name: Checkout Automation Script
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: llvm/utils/git/
ref: main
@@ -67,7 +67,7 @@ jobs:
github.event.pull_request.draft == false &&
github.event.pull_request.commits < 10
steps:
- - uses: actions/labeler@v4
+ - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
with:
configuration-path: .github/new-prs-labeler.yml
# workaround for https://github.com/actions/labeler/issues/112
diff --git a/.github/workflows/pr-code-format.yml b/.github/workflows/pr-code-format.yml
index 0e6180acf4a46..a5a5626369bdb 100644
--- a/.github/workflows/pr-code-format.yml
+++ b/.github/workflows/pr-code-format.yml
@@ -19,12 +19,12 @@ jobs:
if: github.repository == 'llvm/llvm-project'
steps:
- name: Fetch LLVM sources
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Checkout through merge base
- uses: rmacklin/fetch-through-merge-base@v0
+ uses: rmacklin/fetch-through-merge-base@bfe4d03a86f9afa52bc1a70e9814fc92a07f7b75 # v0.3.0
with:
base_ref: ${{ github.event.pull_request.base.ref }}
head_ref: ${{ github.event.pull_request.head.sha }}
@@ -32,7 +32,7 @@ jobs:
- name: Get changed files
id: changed-files
- uses: tj-actions/changed-files@v39
+ uses: tj-actions/changed-files@fea790cb660e33aef4bdf07304e28fedd77dfa13 # v39.2.4
with:
separator: ","
skip_initial_fetch: true
@@ -40,7 +40,7 @@ jobs:
# We need to pull the script from the main branch, so that we ensure
# we get the latest version of this script.
- name: Fetch code formatting utils
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: ${{ github.repository }}
ref: ${{ github.base_ref }}
@@ -58,12 +58,12 @@ jobs:
echo "$CHANGED_FILES"
- name: Install clang-format
- uses: aminya/setup-cpp@v1
+ uses: aminya/setup-cpp@17c11551771948abc5752bbf3183482567c7caf0 # v1.1.1
with:
clangformat: 19.1.6
- name: Setup Python env
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: '3.11'
cache: 'pip'
diff --git a/.github/workflows/pr-subscriber.yml b/.github/workflows/pr-subscriber.yml
index 272d3e2f9ef8a..0e3d3e04ee938 100644
--- a/.github/workflows/pr-subscriber.yml
+++ b/.github/workflows/pr-subscriber.yml
@@ -14,7 +14,7 @@ jobs:
if: github.repository == 'llvm/llvm-project'
steps:
- name: Checkout Automation Script
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: llvm/utils/git/
ref: main
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
index 231dd26e54ae0..fd6a6cc931ec4 100644
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@@ -336,7 +336,7 @@ jobs:
runs-on: ${{ needs.prepare.outputs.test-runs-on }}
steps:
- name: Checkout Actions
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
sparse-checkout: |
diff --git a/.github/workflows/release-documentation.yml b/.github/workflows/release-documentation.yml
index 09e21585bfc56..bac500080f90a 100644
--- a/.github/workflows/release-documentation.yml
+++ b/.github/workflows/release-documentation.yml
@@ -37,7 +37,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Python env
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
cache: 'pip'
cache-dependency-path: './llvm/docs/requirements.txt'
diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml
index ea95e5bb12b2b..17d437e3a649d 100644
--- a/.github/workflows/release-doxygen.yml
+++ b/.github/workflows/release-doxygen.yml
@@ -43,7 +43,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Python env
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
cache: 'pip'
cache-dependency-path: './llvm/docs/requirements.txt'
diff --git a/.github/workflows/release-lit.yml b/.github/workflows/release-lit.yml
index 9d6f3140e6883..346cf3bf2c460 100644
--- a/.github/workflows/release-lit.yml
+++ b/.github/workflows/release-lit.yml
@@ -45,7 +45,7 @@ jobs:
./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
- name: Setup Cpp
- uses: aminya/setup-cpp@v1
+ uses: aminya/setup-cpp@17c11551771948abc5752bbf3183482567c7caf0 # v1.1.1
with:
compiler: llvm-16.0.6
cmake: true
@@ -66,14 +66,14 @@ jobs:
python3 setup.py sdist bdist_wheel
- name: Upload lit to test.pypi.org
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
with:
password: ${{ secrets.LLVM_LIT_TEST_PYPI_API_TOKEN }}
repository-url: https://test.pypi.org/legacy/
packages-dir: llvm/utils/lit/dist/
- name: Upload lit to pypi.org
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
with:
password: ${{ secrets.LLVM_LIT_PYPI_API_TOKEN }}
packages-dir: llvm/utils/lit/dist/
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
index 894e07d323ca9..18e21a1a8f295 100644
--- a/.github/workflows/version-check.yml
+++ b/.github/workflows/version-check.yml
@@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Fetch LLVM sources
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
|
Error: Command failed due to missing milestone. |
carlocab
approved these changes
Mar 3, 2025
I did not realize that was a thing. Seems like it's still a public preview. I'll make a not to look at it again when it's GA and look at migrating, because not having to lookup SHAs for every action would be nice. |
carlocab
reviewed
Mar 17, 2025
| with: | ||
| fetch-depth: 1 | ||
| - name: Get subprojects that have doc changes | ||
| id: docs-changed-subprojects | ||
| uses: tj-actions/changed-files@v39 | ||
| uses: tj-actions/changed-files@fea790cb660e33aef4bdf07304e28fedd77dfa13 # v39.2.4 |
There was a problem hiding this comment.
This was good timing: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
May still be worth an audit regardless. CC @tstellar
There was a problem hiding this comment.
Yeah. It was really good timing.
I changed to the StepSecurity fork when the actions were taken down (6616acd). I want to do at least look at all the third party actions we're using and maybe even reimplement some of the simple ones to reduce risk.
There was a problem hiding this comment.
I want to do at least look at all the third party actions we're using and maybe even reimplement some of the simple ones to reduce risk.
This is a good idea. Lots of them won't be too difficult to replace with direct calls to the GitHub REST/GraphQL API.
We may also want to create an allowlist of third-party actions that can be used in LLVM organisation repos. This can be configured in the repo settings so that workflows that use actions not on the allowlist will fail to execute and error out.
jph-13
pushed a commit
to jph-13/llvm-project
that referenced
this pull request
Mar 21, 2025
This patch haspins all actions in most of the LLVM Github workflows. This is something we try to do, but no one has gone through and combed through all of the workflows before this patch. Notably, this patch does not bump any major versions of actions just in case there are subtle breaking changes introduced between versions that could impact us. Also, this patch omits the libc/libc++ workflows so that they can be split into separate PRs for the respective subproject maintainers to review.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch haspins all actions in most of the LLVM Github workflows. This is something we try to do, but no one has gone through and combed through all of the workflows before this patch.
Notably, this patch does not bump any major versions of actions just in case there are subtle breaking changes introduced between versions that could impact us. Also, this patch omits the libc/libc++ workflows so that they can be split into separate PRs for the respective subproject maintainers to review.