Posted to commits@logging.apache.org by vy...@apache.org on 2022/04/19 20:49:12 UTC
[logging-log4j2] branch release-2.x updated: LOG4J2-3360 Replace GitHub Action versions with commit checksums.
This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/release-2.x by this push:
new 8f3f3af3e4 LOG4J2-3360 Replace GitHub Action versions with commit checksums.
8f3f3af3e4 is described below
commit 8f3f3af3e4ed46d5824fc2140a2f073d96d18393
Author: Volkan Yazıcı <vo...@yazi.ci>
AuthorDate: Tue Apr 19 22:49:01 2022 +0200
LOG4J2-3360 Replace GitHub Action versions with commit checksums.
---
.github/workflows/benchmark.yml | 18 +++----
.github/workflows/build.yml | 6 +--
.github/workflows/codeql-analysis.yml | 83 ++++++++++++++++---------------
.github/workflows/scorecards-analysis.yml | 8 +--
4 files changed, 58 insertions(+), 57 deletions(-)
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index c98512f0aa..edecb0338e 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -28,12 +28,12 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748 # 3.0.1
# JDK 11 is needed for the build.
# Search `maven-toolchains-plugin` usages for details.
- name: Set up JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@9519cf1382ac8dc61ad461f7f7cb45f033220189 # 3.1.1
with:
distribution: temurin
java-version: 11
@@ -44,7 +44,7 @@ jobs:
# JDK 8 is needed for the build, and it is the primary bytecode target.
# Hence, JDK 8 is set up after 11, so that JAVA_HOME used by Maven during build will point to 8.
- name: Set up JDK 8
- uses: actions/setup-java@v3
+ uses: actions/setup-java@9519cf1382ac8dc61ad461f7f7cb45f033220189 # 3.1.1
with:
distribution: temurin
java-version: 8
@@ -64,7 +64,7 @@ jobs:
package
- name: Upload built sources
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # 3.0.0
with:
name: benchmarks.jar
path: log4j-perf/target/benchmarks.jar
@@ -87,16 +87,16 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748 # 3.0.1
- name: Download built sources
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # 3.0.0
with:
name: benchmarks.jar
path: log4j-perf/target
- name: Set up JDK ${{ matrix.jdk }}
- uses: actions/setup-java@v3
+ uses: actions/setup-java@9519cf1382ac8dc61ad461f7f7cb45f033220189 # 3.1.1
with:
distribution: temurin
java-version: ${{ matrix.jdk }}
@@ -192,12 +192,12 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748 # 3.0.1
with:
ref: gh-pages
- name: Setup Python 3
- uses: actions/setup-python@v2
+ uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 # 2.0.2
with:
python-version: 3.x
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4fa7a6dbc1..c060723487 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -33,12 +33,12 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748 # 3.0.1
# JDK 11 is needed for the build.
# Search `maven-toolchains-plugin` usages for details.
- name: Setup JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@9519cf1382ac8dc61ad461f7f7cb45f033220189 # 3.1.1
with:
distribution: temurin
java-version: 11
@@ -49,7 +49,7 @@ jobs:
# JDK 8 is needed for the build, and it is the primary bytecode target.
# Hence, JDK 8 is set up after 11, so that JAVA_HOME used by Maven during build will point to 8.
- name: Setup JDK 8
- uses: actions/setup-java@v3
+ uses: actions/setup-java@9519cf1382ac8dc61ad461f7f7cb45f033220189 # 3.1.1
with:
distribution: temurin
java-version: 8
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1443762661..a614873584 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -42,49 +42,50 @@ jobs:
# Learn more about CodeQL language support at https://git.io/codeql-language-support
steps:
- - name: Checkout repository
- uses: actions/checkout@v3
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
- with:
- languages: ${{ matrix.language }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
+ - name: Checkout repository
+ uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748 # 3.0.1
- # JDK 11 is needed for the build.
- # Search `maven-toolchains-plugin` usages for details.
- - name: Setup JDK 11
- uses: actions/setup-java@v3
- with:
- distribution: temurin
- java-version: 11
- java-package: jdk
- architecture: x64
- cache: maven
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main
- # JDK 8 is needed for the build, and it is the primary bytecode target.
- # Hence, JDK 8 is set up after 11, so that JAVA_HOME used by Maven during build will point to 8.
- - name: Setup JDK 8
- uses: actions/setup-java@v3
- with:
- distribution: temurin
- java-version: 8
- java-package: jdk
- architecture: x64
- cache: maven
+ # JDK 11 is needed for the build.
+ # Search `maven-toolchains-plugin` usages for details.
+ - name: Setup JDK 11
+ uses: actions/setup-java@9519cf1382ac8dc61ad461f7f7cb45f033220189 # 3.1.1
+ with:
+ distribution: temurin
+ java-version: 11
+ java-package: jdk
+ architecture: x64
+ cache: maven
- - name: Build with Maven
- timeout-minutes: 60
- shell: bash
- run: |
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- -DskipTests \
- --global-toolchains ".github/workflows/maven-toolchains.xml"
+ # JDK 8 is needed for the build, and it is the primary bytecode target.
+ # Hence, JDK 8 is set up after 11, so that JAVA_HOME used by Maven during build will point to 8.
+ - name: Setup JDK 8
+ uses: actions/setup-java@9519cf1382ac8dc61ad461f7f7cb45f033220189 # 3.1.1
+ with:
+ distribution: temurin
+ java-version: 8
+ java-package: jdk
+ architecture: x64
+ cache: maven
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ - name: Build with Maven
+ timeout-minutes: 60
+ shell: bash
+ run: |
+ ./mvnw \
+ --show-version --batch-mode --errors --no-transfer-progress \
+ -DskipTests \
+ --global-toolchains ".github/workflows/maven-toolchains.xml"
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@935969c6f771d9f0a35efa2ae9cf7c10d9886ca3 # 2.8.5
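Review bot: The Initialize CodeQL step still uses `github/codeql-action/init@v1`, a mutable tag, while `analyze` in the same job is now pinned to a commit. A tag can be repointed to different code by whoever controls the action repository, so this job keeps the exposure the commit is meant to remove. The two steps also now resolve to different refs (`v1` versus the commit annotated 2.8.5), which may cause a version mismatch between init and analyze. Pin init to the same commit as analyze: `uses: github/codeql-action/init@935969c6f771d9f0a35efa2ae9cf7c10d9886ca3 # 2.8.5`.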
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
index f6d423cbe6..a268f4a1b0 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -38,12 +38,12 @@ jobs:
steps:
- name: "Checkout code"
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+ uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748 # 3.0.1
with:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
+ uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # 1.0.4
with:
results_file: results.sarif
results_format: sarif
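Review bot: The trailing version comments lose their `v` prefix in this hunk (`# v1.0.4` becomes `# 1.0.4`, and the checkout pin is annotated `# 3.0.1`), so they no longer spell the upstream tag name. The same form is used for the new pins in benchmark.yml, build.yml and codeql-analysis.yml. The comment is the only human-readable link between the SHA and a release, and a reviewer verifying a pin has to look up the tag it names. Keeping the exact tag, e.g. `uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4`, makes that check direct. Update tooling that rewrites these comments generally matches on the tag string, which is worth confirming for whichever tool the project uses.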
@@ -55,13 +55,13 @@ jobs:
publish_results: true
- name: "Upload artifact"
- uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
+ uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # 3.0.0
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+ uses: github/codeql-action/upload-sarif@935969c6f771d9f0a35efa2ae9cf7c10d9886ca3 # 2.8.5
with:
sarif_file: results.sarif