From 0f30cb04e43fdf3674a8366f99039fe1d85fc6d9 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 23 Jun 2022 18:55:20 -0500 Subject: [PATCH] Ci pin deps (#8720) * pinning deps for CI * update all the actions and pin them * missed one * update helm to another action * typo on step * typo on step * Update .github/workflows/ci.yaml Co-authored-by: Jintao Zhang Co-authored-by: Jintao Zhang --- .github/workflows/ci.yaml | 68 ++++++++-------- .github/workflows/depreview.yaml | 4 +- .github/workflows/docs.yaml | 9 ++- .github/workflows/helm.yaml | 9 ++- .github/workflows/perftest.yaml | 3 + .github/workflows/release.txt | 128 ------------------------------- 6 files changed, 50 insertions(+), 171 deletions(-) delete mode 100644 .github/workflows/release.txt diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 534c7af00..c200ef1be 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -26,9 +26,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2 + - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2.10.2 id: filter with: token: ${{ secrets.GITHUB_TOKEN }} @@ -49,7 +49,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - name: Run Gosec Security Scanner uses: securego/gosec@b99b5f7838e43a4104354ad92a6a1774302ee1f9 # master 
@@ -67,20 +67,22 @@ jobs: steps: - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - name: Set up Go 1.18 id: go - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2 + uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.2.0 with: go-version: '1.18.2' + - name: Set up QEMU + uses: docker/setup-qemu-action@8b122486cedac8393e77aa9734c3528886e4a1a8 #v2.0.0 + - name: Set up Docker Buildx id: buildx - uses: crazy-max/ghaction-docker-buildx@126d331dc69f4a1aa02452e374835e6a5d565613 # v1 + uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # v2.0.0 with: - buildx-version: latest - qemu-version: latest + version: latest - name: Available platforms run: echo ${{ steps.buildx.outputs.platforms }} @@ -111,7 +113,7 @@ jobs: | pigz > docker.tar.gz - name: cache - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v2 + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 with: name: docker.tar.gz path: docker.tar.gz @@ -128,15 +130,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - name: Setup Go - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2 + uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.2.0 with: go-version: '1.18.2' - name: cache - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2 + uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3 with: name: docker.tar.gz 
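Review bot: In the `@@ -67,20 +67,22 @@` hunk the new `docker/setup-buildx-action` step is pinned by commit SHA but still requests `version: latest`, so the buildx binary the job downloads can change between runs with no change to this file. Since the aim of the commit is to pin CI dependencies, an explicit release closes that gap, e.g. `version: <buildx release tag>` (placeholder; use the release you have tested). The added `docker/setup-qemu-action` step passes no inputs, so it presumably uses the action's default binfmt image; if that default is a floating tag, a pinned `image:` value is worth considering.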
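Review bot: In the `@@ -128,15 +130,15 @@` hunk the label on the `actions/download-artifact` pin becomes `# v3`, but the same SHA keeps `# v2` in the context of the `@@ -209,7 +211,7 @@` hunk and has no label in `@@ -267,7 +267,7 @@`. The `geekyeggo/delete-artifact` pin added in `@@ -276,24 +276,22 @@` also has no label. Nothing checks these comments against the hash; the `actions/setup-go` label here moves from `# v2` to `# v3.2.0` with the SHA unchanged, which shows how easily they drift. They are all a reviewer has for mapping a hash back to a release when auditing or bumping it. Suggest giving every pinned `uses:` line the exact tag in one format, e.g. `# <exact release tag>` (placeholder), and correcting the stale `# v2` labels.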
@@ -146,7 +148,7 @@ jobs: - name: Run helm-docs run: | - GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.8.1 + GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@e91c4c3337d3bf3fdad8de1763999a5c3325567f # v1.8.1 ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md) if [ ! -z "$DIFF" ]; then @@ -169,7 +171,7 @@ jobs: - name: Create Kubernetes cluster id: kind - uses: engineerd/setup-kind@v0.5.0 + uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 with: version: v0.14.0 image: kindest/node:v1.21.12 @@ -209,7 +211,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - name: cache uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2 @@ -218,7 +220,7 @@ jobs: - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind - uses: engineerd/setup-kind@v0.5.0 + uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 with: version: v0.14.0 config: test/e2e/kind.yaml @@ -230,12 +232,10 @@ jobs: failOnError: false - name: Prepare cluster for testing + uses: azure/setup-helm@217bf70cbd2e930ba2e81ba7e1de2f7faecc42ba #v2.1 + with: + version: 'v3.8.0' id: local-path - run: | - kubectl version - echo - echo "installing helm 3..." - curl -sSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash - name: Load images from cache run: | @@ -267,7 +267,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - name: cache uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 
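Review bot: In the `@@ -230,12 +232,10 @@` hunk the step that now installs Helm through `azure/setup-helm` keeps the name `Prepare cluster for testing` and `id: local-path`, neither of which describes it any more, and the `kubectl version` call that ran here is dropped. Suggest `- name: Install Helm` with a matching `id:` placed before `uses:`, plus a short comment that `version: 'v3.8.0'` is the Helm release under test, so it is bumped deliberately. The same step is repeated in the `@@ -276,24 +276,22 @@` hunk. If anything relied on the `kubectl version` output as a cluster sanity check, it needs its own step; the following steps lie partly outside the hunk.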
@@ -276,24 +276,22 @@ jobs: - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind - uses: engineerd/setup-kind@v0.5.0 + uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 with: version: v0.14.0 config: test/e2e/kind.yaml image: kindest/node:${{ matrix.k8s }} - - uses: geekyeggo/delete-artifact@v1 + - uses: geekyeggo/delete-artifact@a6ab43859c960a8b74cbc6291f362c7fb51829ba with: name: docker.tar.gz failOnError: false - name: Prepare cluster for testing + uses: azure/setup-helm@217bf70cbd2e930ba2e81ba7e1de2f7faecc42ba #v2.1 + with: + version: 'v3.8.0' id: local-path - run: | - kubectl version - echo - echo "installing helm 3..." - curl -sSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash - name: Load images from cache run: | @@ -319,9 +317,9 @@ jobs: PLATFORMS: linux/amd64,linux/arm64 steps: - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2 + - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2.10.2 id: filter-images with: token: ${{ secrets.GITHUB_TOKEN }} @@ -385,9 +383,9 @@ jobs: PLATFORMS: linux/amd64 steps: - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2 + - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2.10.2 id: filter-images with: token: ${{ secrets.GITHUB_TOKEN }} @@ -398,7 +396,7 @@ jobs: - name: Create Kubernetes cluster id: kind if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - uses: engineerd/setup-kind@v0.5.0 + uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 with: version: v0.14.0 image: kindest/node:v1.21.12 
@@ -406,7 +404,7 @@ jobs: - name: Set up Go 1.18 id: go if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2 + uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.2.0 with: go-version: '1.18.2' diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index a25de591b..0f84fd837 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v3 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #v3.0.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@v2 + uses: actions/dependency-review-action@1c59cdf2a9c7f29c90e8da32237eb04b81bad9f0 #v2.0.2 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index df398b3f1..834859aa0 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -5,6 +5,9 @@ on: branches: - main +permissions: + contents: read + jobs: changes: @@ -21,9 +24,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #v3.0.2 - - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2 + - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2.10.2 id: filter with: token: ${{ secrets.GITHUB_TOKEN }} @@ -46,7 +49,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #v3.0.2 - name: Deploy uses: ./.github/actions/mkdocs diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index c20716065..49ef6acd4 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -6,6 +6,9 @@ on: - main - legacy +permissions: + contents: read + jobs: changes: 
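Review bot: The workflow-level `permissions:` block with `contents: read`, added in the docs.yaml `@@ -5,6 +5,9 @@` hunk, also applies to the job that runs `./.github/actions/mkdocs` (visible in `@@ -46,7 +49,7 @@`). The same block in helm.yaml covers the job whose checkout comment mentions chart-releaser. If either job publishes with `GITHUB_TOKEN` rather than a separate token, it needs a job-level `permissions:` override with `contents: write` on that job only. This cannot be confirmed here because the job bodies lie outside the hunks. A read-only default at the top with write granted per job is the least-privilege layout; a comment above each new block such as `# read-only default; jobs that publish override this at job level` would record that intent.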
@@ -22,9 +25,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2 + - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2.10.2 id: filter with: token: ${{ secrets.GITHUB_TOKEN }} @@ -49,7 +52,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 with: # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 fetch-depth: 0 diff --git a/.github/workflows/perftest.yaml b/.github/workflows/perftest.yaml index 370b37d87..aeda0425e 100644 --- a/.github/workflows/perftest.yaml +++ b/.github/workflows/perftest.yaml @@ -9,6 +9,9 @@ on: tags: description: 'K6 Load Test' +permissions: + contents: read + jobs: k6_test_run: runs-on: ubuntu-latest diff --git a/.github/workflows/release.txt b/.github/workflows/release.txt deleted file mode 100644 index 18039311e..000000000 --- a/.github/workflows/release.txt +++ /dev/null 
@@ -1,128 +0,0 @@ -name: Release - -on: - watch: - types: [started] - -jobs: - release: - runs-on: ubuntu-latest - if: github.actor == 'aledbf' - steps: - - name: Checkout master - uses: actions/checkout@v2 - - - name: Set up Go 1.14 - uses: actions/setup-go@master - with: - go-version: 1.14 - - - name: Build krew plugin - shell: bash - run: | - export PATH=${PATH}:`go env GOPATH`/bin - make build-plugin - -# - name: Build and publish images -# shell: bash -# run: | -# cat < build/images/nginx/aws.tfvars -# access_key = "${{ secrets.AWS_ACCESS_KEY }}" -# secret_key = "${{ secrets.AWS_ACCESS_SECRET_KEY }}" -# EOF -# -# cat < build/images/nginx/env.tfvars -# docker_username="${{ secrets.DOCKER_USERNAME }}" -# docker_password="${{ secrets.DOCKER_PASSWORD }}" -# EOF -# -# ./build/build-ingress-controller.sh - - - name: Create env variables - shell: bash - run: | - # $(cat cmd/plugin/release/ingress-nginx.yaml) - echo "::set-env name=RELEASE_VERSION::$(make show-version)" - echo "::set-env name=RELEASE_CHANGELOG::##CHANGELOG##" - - - name: Create release - id: create_release - uses: actions/create-release@v1 - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller') - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: controller-${{ env.RELEASE_VERSION }} - release_name: "NGINX: ${{ env.RELEASE_VERSION }}" - body: | - **Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:${{ env.RELEASE_VERSION }}` - - ${{ env.RELEASE_CHANGELOG }} - - Complete changelog [here](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md) - - draft: false - prerelease: false - - - name: Upload krew plugin Darwin - uses: actions/upload-release-asset@v1 - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller') - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: 
cmd/plugin/release/kubectl-ingress_nginx-darwin-amd64.tar.gz - asset_name: kubectl-ingress_nginx-darwin-amd64.tar.gz - asset_content_type: application/tar+gzip - - - name: Upload krew plugin Linux - uses: actions/upload-release-asset@v1 - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller') - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: cmd/plugin/release/kubectl-ingress_nginx-linux-amd64.tar.gz - asset_name: kubectl-ingress_nginx-linux-amd64.tar.gz - asset_content_type: application/tar+gzip - - - name: Upload krew plugin Windows - uses: actions/upload-release-asset@v1 - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller') - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: cmd/plugin/release/kubectl-ingress_nginx-windows-amd64.tar.gz - asset_name: kubectl-ingress_nginx-windows-amd64.tar.gz - asset_content_type: application/tar+gzip - - - name: Upload krew plugin - uses: actions/upload-release-asset@v1 - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller') - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: cmd/plugin/release/ingress-nginx.yaml - asset_name: ingress-nginx.yaml - asset_content_type: text/x-yaml - - - name: Create KREW_PLUGIN_BODY_PR env variable - shell: bash - run: | - echo "::set-env name=KREW_PLUGIN_BODY_PR::$(cat cmd/plugin/release/ingress-nginx.yaml)" - -# - name: Open PR for new release of Krew Plugin -# uses: gha-utilities/init-pull-request@v0.1.2 -# env: -# GITHUB_REPOSITORY: maintainer/repo-name -# with: -# verbose: true -# draft: false -# pull_request_token: ${{ secrets.GITHUB_TOKEN }} -# head: ingress-nginx:krew -# base: krew -# title: 'Update ingress-nginx krew plugin to ${{ env.RELEASE_VERSION }}' -# 
body: | -# ${{ env.KREW_PLUGIN_BODY_PR }}