.github/workflows: enforce github action version pinning (#16768)

Use https://github.com/stacklok/frizbee via the new `go tool` support from Go 1.24. Updates https://github.com/tailscale/corp/issues/31017 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-08-22 11:01:54 +00:00 · 2025-08-05 11:49:33 -07:00
parent ad273d75b7
commit f80ea92030
8 changed files with 120 additions and 48 deletions
--- a/.github/workflows/pin-github-actions.yml
+++ b/.github/workflows/pin-github-actions.yml
@@ -0,0 +1,29 @@
+# Pin images used in github actions to a hash instead of a version tag.
+name: pin-github-actions
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/**"
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  run:
+    name: pin-github-actions
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: pin
+        run: make pin-github-actions
+      - name: check for changed workflow files
+        run: git diff --no-ext-diff --exit-code .github/workflows || (echo "Some github actions versions need pinning, run make pin-github-actions."; exit 1)
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -57,7 +57,7 @@ jobs:
      # See if the cache entry already exists to avoid downloading it
      # and doing the cache write again.
      - id: check-cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4
        with:
          path: gomodcache # relative to workspace; see env note at top of file
          key: ${{ steps.hash.outputs.key }}