ci: pinned commit shas to github workflows (#1770)

Prashansa-K · web-flow · commit bfe30f11387d · 2025-09-30T14:25:40.000+05:30
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -44,16 +44,16 @@ jobs:
       with:
         egress-policy: audit
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
     - name: Setup go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
       with:
         go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -64,7 +64,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -78,4 +78,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
diff --git a/.github/workflows/integration-enterprise.yaml b/.github/workflows/integration-enterprise.yaml
@@ -43,13 +43,13 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
       - name: Setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version-file: go.mod
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
         with:
           username: ${{secrets.DOCKERHUB_PULL_USERNAME}}
           password: ${{secrets.DOCKERHUB_PULL_TOKEN}}
diff --git a/.github/workflows/integration-konnect.yaml b/.github/workflows/integration-konnect.yaml
@@ -26,9 +26,9 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
       - name: Setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version-file: go.mod
       - name: Run integration tests
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
@@ -36,9 +36,9 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
       - name: Setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version-file: go.mod
       - name: Setup Kong
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -17,15 +17,15 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version-file: go.mod
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
         with:
           # either 'goreleaser' (default) or 'goreleaser-pro'
           distribution: goreleaser
@@ -34,7 +34,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload assets
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: dist
           path: dist/*
@@ -56,22 +56,22 @@ jobs:
           echo 'type=semver,pattern={{raw}}' >> $GITHUB_ENV
           echo 'EOF' >> $GITHUB_ENV
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: Cache Docker layers
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildx-
       - name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
         with:
           username: ${{ secrets.DOCKER_USERNAME_JAN_2025 }}
           password: ${{ secrets.DOCKER_TOKEN_JAN_2025 }}
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5.7.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: kong/deck
           tags: ${{ env.TAGS_STANDARD }}${{ env.TAGS_SUPPLEMENTAL }}
@@ -80,7 +80,7 @@ jobs:
       - name: Build and push
         timeout-minutes: 120
         id: docker_build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           push: true
           file: Dockerfile
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -0,0 +1,19 @@
+on: push
+
+name: Security
+
+jobs:
+  ensure-pinned-actions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+      - name: Checkout code
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@fc87bb5b5a97953d987372e74478de634726b3e5 # v3
+        with:
+          allowlist: |
+            Kong/
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -21,14 +21,14 @@ jobs:
         uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
         with:
           egress-policy: audit
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version-file: go.mod
       - name: Run tests with Coverage
         run: make coverage
       - name: Upload Code Coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
         with:
           name: codecov-deck
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -42,11 +42,11 @@ jobs:
         uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
         with:
           egress-policy: audit
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version-file: go.mod
-      - uses: golangci/golangci-lint-action@v6.2.0
+      - uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
 
   build:
     timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
@@ -56,8 +56,8 @@ jobs:
         uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
         with:
           egress-policy: audit
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version-file: go.mod
       - name: Build
diff --git a/.github/workflows/validate-kong-release.yaml b/.github/workflows/validate-kong-release.yaml
@@ -30,11 +30,11 @@ jobs:
           echo "Kong Gateway Image = ${{ inputs.kong_image }}"
           echo "decK Branch = ${{ inputs.branch }}"
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           ref: ${{ inputs.branch }}
       - name: Setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version-file: go.mod
       - uses: Kong/kong-license@master
diff --git a/scripts/get-action-commit-shas.sh b/scripts/get-action-commit-shas.sh
@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# Script to get commit SHAs for GitHub Actions
+# Usage: ./get-action-commit-shas.sh
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo -e "${YELLOW}Fetching commit SHAs for GitHub Actions...${NC}"
+echo
+
+# Function to get commit SHA for a GitHub action
+get_commit_sha() {
+    local action_ref=$1
+    local repo=$(echo $action_ref | cut -d'@' -f1)
+    local tag_or_sha=$(echo $action_ref | cut -d'@' -f2)
+    
+    # Skip if already a commit SHA (40 characters)
+    if [[ ${#tag_or_sha} -eq 40 ]]; then
+        echo -e "${GREEN}$action_ref${NC} (already pinned)"
+        return
+    fi
+    
+    # Skip master/main branches for now
+    if [[ "$tag_or_sha" == "master" || "$tag_or_sha" == "main" ]]; then
+        echo -e "${YELLOW}$action_ref${NC} (branch reference - consider pinning)"
+        return
+    fi
+    
+    echo -n "Fetching SHA for $repo@$tag_or_sha... "
+    
+    # Try multiple GitHub API endpoints to get the commit SHA
+    local sha=""
+    
+    # First try as a tag reference
+    local api_url="https://api.github.com/repos/$repo/git/refs/tags/$tag_or_sha"
+    local response=$(curl -s -w "%{http_code}" "$api_url" 2>/dev/null)
+    local http_code="${response: -3}"
+    local body="${response%???}"
+    
+    if [[ "$http_code" == "200" ]]; then
+        sha=$(echo "$body" | python3 -c "import sys, json; data=json.load(sys.stdin); print(data['object']['sha'] if data['object']['type'] == 'commit' else '')" 2>/dev/null)
+        if [[ -z "$sha" ]]; then
+            # It's a tag object, get the commit it points to
+            local tag_sha=$(echo "$body" | python3 -c "import sys, json; data=json.load(sys.stdin); print(data['object']['sha'])" 2>/dev/null)
+            if [[ -n "$tag_sha" ]]; then
+                local tag_response=$(curl -s "https://api.github.com/repos/$repo/git/tags/$tag_sha" 2>/dev/null)
+                sha=$(echo "$tag_response" | python3 -c "import sys, json; data=json.load(sys.stdin); print(data['object']['sha'])" 2>/dev/null)
+            fi
+        fi
+    fi
+    
+    # If tag approach didn't work, try as a branch/commit reference
+    if [[ -z "$sha" ]]; then
+        api_url="https://api.github.com/repos/$repo/commits/$tag_or_sha"
+        response=$(curl -s -w "%{http_code}" "$api_url" 2>/dev/null)
+        http_code="${response: -3}"
+        body="${response%???}"
+        
+        if [[ "$http_code" == "200" ]]; then
+            sha=$(echo "$body" | python3 -c "import sys, json; data=json.load(sys.stdin); print(data['sha'])" 2>/dev/null)
+        fi
+    fi
+    
+    if [[ -n "$sha" && ${#sha} -eq 40 ]]; then
+        echo -e "${GREEN}✓${NC}"
+        echo "  $repo@$sha # $tag_or_sha"
+    else
+        echo -e "${RED}✗ (could not fetch SHA)${NC}"
+        echo -e "    ${YELLOW}Manual lookup: https://github.com/$repo/releases/tag/$tag_or_sha${NC}"
+    fi
+}
+
+# Extract all GitHub Actions from workflow files
+echo "Scanning workflow files for GitHub Actions..."
+echo
+
+# Find all unique action references
+actions=$(grep -h "uses:" .github/workflows/*.yaml | \
+          sed 's/.*uses: *//' | \
+          sed 's/ *#.*//' | \
+          sort -u)
+
+echo "Found the following actions:"
+echo "$actions"
+echo
+echo "Fetching commit SHAs:"
+echo
+
+# Process each action
+while IFS= read -r action; do
+    get_commit_sha "$action"
+done <<< "$actions"
+
+echo
+echo -e "${YELLOW}Note: You can copy the output above to update your workflow files.${NC}"
+echo -e "${YELLOW}Remember to also update the comment with the version tag.${NC}"
