pin github actions to commit hashes and linting

2026-02-06 09:56:03 +00:00 · 2025-07-18 14:39:00 +02:00 · 2025-07-18 14:39:00 +02:00 · f64369758a
commit f64369758a
parent e08d9ccc3b
1 changed files with 35 additions and 20 deletions
--- a/.github/workflows/test-e2e.yml
+++ b/.github/workflows/test-e2e.yml
@ -20,22 +20,26 @@ jobs:
            target: community
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
      - name: setup .env files
        run: |
          cp backend/.env.test_e2e backend/.env
          cp webapp/.env.template webapp/.env
-      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+
      - name: Build ${{ matrix.name }} image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@48aba3b46d40ca792a341ee059b55f7c3e9c2ac8 # v6.10.0
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
          target: ${{ matrix.target }}
          push: false
          outputs: type=docker,dest=/tmp/${{ matrix.name }}.tar
+
      - name: Upload ${{ matrix.name }} image
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ matrix.name }}-image
          path: /tmp/${{ matrix.name }}.tar
@ -46,7 +50,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup .env files
        run: |
@ -54,7 +58,7 @@ jobs:
          cp webapp/.env.template webapp/.env

      - name: Download built images
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          path: /tmp

@ -79,7 +83,7 @@ jobs:
          docker compose -f docker-compose.yml -f docker-compose.test.yml down

      - name: Upload initialized backend environment
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: backend-environment-initialized
          path: |
@ -96,10 +100,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@08f58d1471bff7f3a07d167b4ad7df25d5fcfcb6 # v4.4.0
        with:
          node-version-file: 'backend/.tool-versions'
          cache: 'yarn'
@ -108,6 +112,7 @@ jobs:
        run: |
          cp backend/.env.test_e2e backend/.env
          cp webapp/.env.template webapp/.env
+
      - name: Compute cache key
        id: cache-key
        run: |
@ -118,9 +123,10 @@ jobs:
          KEY="ci-unified-cache-${{ runner.os }}-${ROOT_HASH}-${BACKEND_HASH}-${WEBAPP_HASH}-${CYPRESS_HASH}"
          echo "key=$KEY"
          echo "key=$KEY" >> $GITHUB_OUTPUT
+
      - name: Restore unified CI cache
        id: restore-cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.0.2
        with:
          key: ${{ steps.cache-key.outputs.key }}
          path: |
@ -155,9 +161,10 @@ jobs:
        run: |
          mkdir -p node_modules backend/node_modules webapp/node_modules
          touch node_modules/.keep backend/node_modules/.keep webapp/node_modules/.keep
+
      - name: Save unified CI cache
        if: steps.restore-cache.outputs.cache-hit != 'true'
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.0.2
        with:
          key: ${{ steps.cache-key.outputs.key }}
          path: |
@ -173,10 +180,10 @@ jobs:
    needs: [cache-environment]
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Restore unified CI cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.0.2
        with:
          key: ${{ needs.cache-environment.outputs.cache-key }}
          path: |
@ -218,13 +225,13 @@ jobs:
    steps:
    #download docker images
      - name: Download initialized backend environment
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: backend-environment-initialized
          path: /tmp

      - name: Download webapp image
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: webapp-image
          path: /tmp
@ -238,20 +245,22 @@ jobs:
          docker load < /tmp/minio.tar
          docker load < /tmp/minio-mc.tar
          docker load < /tmp/mailserver.tar
+
    #checkout repository
      - name: Checkout repository
-        uses: actions/checkout@v4
-    
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
    #setup .env files, make cypress reports dir
      - name: Setup .env files & reports dir
        run: |
          cp backend/.env.test_e2e backend/.env
          cp webapp/.env.template webapp/.env
          mkdir -p cypress/reports/json_logs
+
    #restore unified cache
      - name: Restore unified CI cache
        id: restore-cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.0.2
        with:
          key: ${{ needs.cache-environment.outputs.cache-key }}
          path: |
@ -264,11 +273,13 @@ jobs:
            /opt/cucumber-json-formatter
          restore-keys: |
            ci-unified-cache-${{ runner.os }}-
-    #setup cocumber path
+
+    #setup cucumber path
      - name: Run formatter or use PATH tools
        run: |
          export PATH="/opt:$PATH"
          cucumber-json-formatter --help
+
    #rehydrate dependencies
      - name: Rehydrate dependencies
        run: |
@ -276,6 +287,7 @@ jobs:
          cd backend && yarn install --frozen-lockfile && cd ..
          cd webapp && yarn install --frozen-lockfile && cd ..
          npx cypress verify || echo "⚠️ Cypress not yet verified"
+
    #build backend
      - name: Build backend
        run: cd backend && yarn build
@ -285,6 +297,7 @@ jobs:
        run: |
          # Start all services using pre-initialized backend and neo4j images
          docker compose -f docker-compose.yml -f docker-compose.test.yml up --detach neo4j backend minio minio-mc mailserver webapp
+
    #wait for services
      - name: Wait for essential services
        run: |
@ -319,6 +332,7 @@ jobs:
          wait_for "mailserver" "http://localhost:1080"
          wait_for "minio" "http://localhost:9000/minio/health/live"
          echo "🎉 All services are up."
+
    #starting fullstack cypress tests
      - name: Full stack tests | run tests
        id: e2e-tests
@ -329,9 +343,10 @@ jobs:
        run: |
          cd cypress/
          node create-cucumber-html-report.js
+
      - name: Full stack tests | if tests failed, upload report
        if: ${{ failure() && steps.e2e-tests.conclusion == 'failure' }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: e2e-html-report-${{ matrix.job }}
          path: cypress/reports/cucumber_html_report