diff --git a/.github/workflows/IntegrationTesting.yaml b/.github/workflows/IntegrationTesting.yaml
index d10b4aab..75a7b36c 100644
--- a/.github/workflows/IntegrationTesting.yaml
+++ b/.github/workflows/IntegrationTesting.yaml
@@ -15,10 +15,10 @@ jobs:
 steps:
 - name: Pull in source code from aws-xray-sdk-python Github repository
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 - name: Setup python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c #v4.9.1
 with:
 python-version: '3.8'
@@ -26,7 +26,7 @@ jobs:
 run: python setup.py sdist
 - name: Upload SDK build artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 with:
 name: sdk-build-artifact
 path: .
@@ -37,15 +37,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 - name: Setup python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c #v4.9.1
 with:
 python-version: '3.8'
 - name: Download X-Ray SDK build artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 #v4.3.0
 with:
 name: sdk-build-artifact
 path: ./sample-apps/flask
@@ -59,7 +59,7 @@ jobs:
 working-directory: ./sample-apps/flask
 - name: Upload WebApp with X-Ray SDK build artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 with:
 name: sdk-flask-build-artifact
 path: ./sample-apps/flask/deploy.zip
@@ -71,10 +71,10 @@ jobs:
 steps:
 - name: Checkout X-Ray SDK to get terraform source
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 - name: Download WebApp with X-Ray SDK build artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 #v4.3.0
 with:
 name: sdk-flask-build-artifact
@@ -82,13 +82,13 @@ jobs:
 run: cp deploy.zip ./terraform
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
 aws-region: us-west-2
 - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
+ uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 #v2.0.3
 - name: Terraform Init
 run: terraform init
@@ -112,7 +112,7 @@ jobs:
 working-directory: ./terraform
 - name: Upload terraform state files for destorying resources
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 with:
 name: terraform-state-artifact
 path: ./terraform
@@ -123,19 +123,19 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-java@v3
+ - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 #v3.14.1
 with:
 distribution: 'zulu'
 java-version: 14
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
 aws-region: us-west-2
 - name: Checkout test framework
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 with:
 repository: aws-observability/aws-otel-test-framework
 ref: terraform
@@ -151,18 +151,18 @@ jobs:
 steps:
 - name: Download terraform state artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 #v4.3.0
 with:
 name: terraform-state-artifact
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
 aws-region: us-west-2
 - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
+ uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 #v2.0.3
 - name: Terraform Init
 run: terraform init
diff --git a/.github/workflows/Release.yaml b/.github/workflows/Release.yaml
index e62aacf5..c3d4906d 100644
--- a/.github/workflows/Release.yaml
+++ b/.github/workflows/Release.yaml
@@ -14,11 +14,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout master branch
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 - name: Create Release
 id: create_release
- uses: actions/create-release@v1
+ uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e #v1.1.4
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
diff --git a/.github/workflows/UnitTesting.yaml b/.github/workflows/UnitTesting.yaml
index 4223c800..875688be 100644
--- a/.github/workflows/UnitTesting.yaml
+++ b/.github/workflows/UnitTesting.yaml
@@ -29,7 +29,7 @@ jobs:
 testenv: [core, ext]
 steps:
 - name: Checkout repo
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 - name: Start MySQL
 if: ${{ matrix.testenv == 'ext' }}
@@ -41,7 +41,7 @@ jobs:
 mysql -e "GRANT ALL PRIVILEGES ON test_dburl.* TO test_dburl_user@localhost;" -u${{ env.DB_USER }} -p${{ env.DB_PASSWORD }}
 mysql -e "FLUSH PRIVILEGES;" -u${{ env.DB_USER }} -p${{ env.DB_PASSWORD }}
 - name: Setup Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c #v4.9.1
 with:
 python-version: ${{ env[matrix.python-version] }}
@@ -50,7 +50,7 @@ jobs:
 - name: Cache tox environment # Preserves .tox directory between runs for faster installs
- uses: actions/cache@v3
+ uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c #v3.5.0
 with:
 path: |
 .tox
@@ -60,3 +60,28 @@ jobs:
 - name: Run tox
 run: |
 tox -f ${{ matrix.python-version }}-${{ matrix.testenv }}
+
+ static-code-checks:
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
+ with:
+ fetch-depth: 0
+ - name: Check for versioned GitHub actions
+ if: always()
+ run: |
+ # Get changed GitHub workflow/action files
+ CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
+
+ if [ -n "$CHANGED_FILES" ]; then
+ # Check for any versioned actions, excluding comments and this validation script
+ VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
+ if [ -n "$VIOLATIONS" ]; then
+ echo "Found versioned GitHub actions. Use commit SHAs instead:"
+ echo "$VIOLATIONS"
+ exit 1
+ fi
+ fi
+
+ echo "No versioned actions found in changed files"
\ No newline at end of file
diff --git a/.github/workflows/continuous-monitoring.yml b/.github/workflows/continuous-monitoring.yml
index 9dc24244..89de74a3 100644
--- a/.github/workflows/continuous-monitoring.yml
+++ b/.github/workflows/continuous-monitoring.yml
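Review bot: The `grep -Hn "uses:.*@v"` filter in the new static-code-checks step only catches refs that begin with `v`, so a step pinned to `@main`, `@master` or `@1.2.3` passes the SHA-pinning check this commit introduces, and the trailing `grep -v "#.*@v"` also drops any genuine `@v` line whose comment happens to contain `@v`. `github.base_ref` is only populated for pull_request-family events; on any other trigger the range becomes `origin/..HEAD`, git diff fails, the `|| true` swallows it, and the step prints "No versioned actions found in changed files" without having inspected anything (the job's trigger is outside the hunk, so whether that path is reachable is not visible here). `if: always()` on the step likewise runs it after a failed checkout, where the git diff cannot succeed. Matching on "the ref is a 40-hex commit SHA" and failing when the base ref is empty, as below, makes the check fail closed, and the `^[^#]*` prefix replaces both `grep -v` exclusions (a commented line or the script's own line cannot reach `uses:` without crossing a `#`); if the repo ever uses `docker://…@sha256:` refs those would need an explicit exclusion.
```yaml
      - name: Check for versioned GitHub actions
        env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          if [ -z "$BASE_REF" ]; then
            echo "github.base_ref is empty; this check needs a pull_request trigger"
            exit 1
          fi
          CHANGED_FILES=$(git diff --name-only "origin/$BASE_REF"..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)

          if [ -n "$CHANGED_FILES" ]; then
            # Flag any uses: whose ref is not a full 40-hex commit SHA (catches @main and @1.2.3, not only @vN)
            VIOLATIONS=$(grep -HnE "^[^#]*uses:[^@#]+@" $CHANGED_FILES | grep -vE "@[0-9a-f]{40}([[:space:]]|$)" || true)
            # … unchanged: violation reporting and exit 1 …
```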
@@ -14,15 +14,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
 aws-region: us-east-1
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c #v4.9.1
 with:
 python-version: '3.x'