diff --git a/.github/workflows/auto-update-spec-repo-links.yml b/.github/workflows/auto-update-spec-repo-links.yml
index 4470d1037..4bf54229b 100644
--- a/.github/workflows/auto-update-spec-repo-links.yml
+++ b/.github/workflows/auto-update-spec-repo-links.yml
@@ -14,7 +14,7 @@ jobs: latest-version: ${{ steps.check-versions.outputs.latest-version }} already-opened: ${{ steps.check-versions.outputs.already-opened }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - id: check-versions name: Check versions
@@ -50,7 +50,7 @@ jobs: needs: - check-versions steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Use CLA approved github bot run: .github/scripts/use-cla-approved-github-bot.sh
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 4bf232b64..74c7c1090 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -27,16 +27,16 @@ jobs: PR_HEAD: ${{ github.event.pull_request.head.sha }} steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4 with: go-version: ~1.21.6 - name: Cache Go id: go-cache - uses: actions/cache@v3 + uses: actions/cache@2f8e54208210a422b2efd51efaa6bd6d7ca8920f # v3 with: path: | ~/go/bin
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index ec8ff0676..e01bf3175 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: check out code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: install dependencies run: npm install
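Review bot: The trailing `# v4` on the pinned `actions/checkout` lines in auto-update-spec-repo-links.yml (both hunks) names the floating major tag, which keeps moving after this commit, so the comment cannot be used later to tell which release the SHA was taken from. Recording the exact release tag would make the pin auditable, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.x.y`, where `v4.x.y` is a placeholder for the tag that resolves to that commit (the page does not state it). The same applies to every SHA-pinned `uses:` line in the other workflow files of this commit. The pins also stop patch releases from arriving on their own, so it is worth confirming that a `github-actions` update configuration exists; none is visible here.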
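Review bot: Pinning `actions/checkout` to the v2 commit in this first checks.yml hunk, and to the v1 commit in the later checks.yml hunks (`semantic-conventions` through `semantic-conventions-compatibility`), freezes majors that are well behind the v4 commit this same change uses in the other workflows. A SHA pin protects against a moved tag but also locks in whatever that old release does, so these jobs would be better moved to `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4`. Default fetch depth may differ between v1 and later majors, so any make target that reads git history should be checked and given `fetch-depth: 0` if it needs it. The `actions/setup-python` pin at v2 in the second checks.yml hunk deserves the same look.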
@@ -24,9 +24,9 @@ jobs: runs-on: ubuntu-latest steps: - name: check out code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - - uses: actions/setup-python@v2 + - uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2 - name: install yamllint run: make install-yamllint
@@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest steps: - name: check out code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: install dependencies run: npm install
@@ -50,7 +50,7 @@ jobs: runs-on: ubuntu-latest steps: - name: check out code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: install dependencies run: npm install
@@ -65,7 +65,7 @@ jobs: runs-on: ubuntu-latest steps: - name: check out code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: run misspell run: make misspell
@@ -73,14 +73,14 @@ jobs: semantic-conventions: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1 - name: verify semantic convention tables run: make table-check semantic-conventions-registry: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1 - name: verify registry tables run: | make attribute-registry-generation
@@ -89,14 +89,14 @@ jobs: schemas-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1 - name: verify schemas run: make schema-check areas-dropdown-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1 - name: Components dropdown in issue templates run: | make generate-gh-issue-templates
@@ -105,14 +105,14 @@ jobs: policies-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1 - name: verify semantic conventions yaml definitions run: make check-policies polices-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1 - name: verify semantic conventions yaml definitions run: make test-policies
@@ -120,6 +120,6 @@ jobs: semantic-conventions-compatibility: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1 - name: verify semantic convention compatibility with latest released version run: make compatibility-check
diff --git a/.github/workflows/generate-registry-area-labels.yml b/.github/workflows/generate-registry-area-labels.yml
index e59c0c6e8..e3d06460e 100644
--- a/.github/workflows/generate-registry-area-labels.yml
+++ b/.github/workflows/generate-registry-area-labels.yml
@@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.repository_owner == 'open-telemetry' }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # areas.txt is generated by the Make target generate-gh-issue-templates - name: Generate registry area labels
diff --git a/.github/workflows/prepare-new-issue.yml b/.github/workflows/prepare-new-issue.yml
index a6221074e..4c06fcc7f 100644
--- a/.github/workflows/prepare-new-issue.yml
+++ b/.github/workflows/prepare-new-issue.yml
@@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.repository_owner == 'open-telemetry' }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Run prepare-new-issue.sh run: ./.github/scripts/prepare-new-issue.sh
diff --git a/.github/workflows/prepare-new-pr.yml b/.github/workflows/prepare-new-pr.yml
index 926b52017..d2e0a43ad 100644
--- a/.github/workflows/prepare-new-pr.yml
+++ b/.github/workflows/prepare-new-pr.yml
@@ -14,9 +14,9 @@ jobs: if: ${{ github.repository_owner == 'open-telemetry' }} steps: # check out main - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # sparse checkout to only get the .chloggen directory - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: ref: ${{ github.head_ref }} path: prchangelog
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index f1c549533..26f8b4897 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -10,7 +10,7 @@ jobs: create-pull-request: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Validate version run: |
diff --git a/.github/workflows/stale-pr.yml b/.github/workflows/stale-pr.yml
index c016b62e1..7d4360ea4 100644
--- a/.github/workflows/stale-pr.yml
+++ b/.github/workflows/stale-pr.yml
@@ -7,7 +7,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-pr-message: 'This PR was marked stale due to lack of activity. It will be closed in 7 days.'
diff --git a/dependencies.Dockerfile b/dependencies.Dockerfile
index 8c09ea13e..015dbaa36 100644
--- a/dependencies.Dockerfile
+++ b/dependencies.Dockerfile
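Review bot: The second checkout in prepare-new-pr.yml fetches `ref: ${{ github.head_ref }}` into `prchangelog`, which is contributor-controlled content, and the step as shown does not set `persist-credentials: false`, so the job token is left in that working copy's git config. If this workflow runs under a privileged trigger (the `on:` block is outside the hunk), I would add `persist-credentials: false` under `with:` for that step and make sure later steps only read files from `prchangelog` and never execute anything in it. The `with:` block continues past the end of the hunk, so the setting may already be there.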
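Review bot: The `actions/stale` step in stale-pr.yml is handed `secrets.GITHUB_TOKEN`, and no job-level `permissions:` key appears between `stale:` and `steps:`. Unless the workflow sets one at top level (the lines before the hunk are not shown), the token carries the repository's default scopes; a block such as `permissions: { issues: write, pull-requests: write }` would limit it to what marking and closing stale items needs.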
@@ -3,11 +3,11 @@
 # Dependabot can keep this file up to date with latest containers.
 # Weaver is used to generate markdown docs, and enforce policies on the model.
-FROM otel/weaver:v0.14.0 AS weaver
+FROM otel/weaver:v0.14.0@sha256:bea89bc5544ad760db2fd906c5285c2a3769c61fb04f660f9c31e7e44f11804b AS weaver
 # OPA is used to test policies enforced by weaver.
-FROM openpolicyagent/opa:1.3.0 AS opa
+FROM openpolicyagent/opa:1.3.0@sha256:e02dc1957f7a4195f0724762269dfe3309f13344629e0c926316a7cf72233af5 AS opa
 # Semconv gen is used for backwards compatibility checks.
 # TODO(jsuereth): Remove this when no longer used.
-FROM otel/semconvgen:0.25.0 AS semconvgen
+FROM otel/semconvgen:0.25.0@sha256:9df7b8cbaa732277d64d0c0a8604d96bb6f5a36d0e96338cba5dced720c16485 AS semconvgen
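Review bot: With `tag@sha256:…` on these three `FROM` lines the digest decides what is pulled and the tag is only a label, so a later edit that bumps the tag but not the digest would silently keep building from the old image. A comment above the first `FROM` would guard against that, for example `# Images are pinned by digest; the tag is informational. Change tag and digest together.` It is also worth confirming that each digest is the multi-platform index digest rather than a single-architecture manifest, otherwise builds on other architectures may fail or fall back to emulation; the page does not show which kind was used.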