mirror of
https://github.com/bitwarden/browser
synced 2025-01-07 16:02:58 +01:00
pinning commit hashes instead of versions to protect against supply chain attacks in github actions (#319)
This commit is contained in:
Joseph Flinn
GitHub
parent
75236daeb8
commit
3539d490d5
34
.github/workflows/release.yml
vendored
34
.github/workflows/release.yml
vendored
@ -26,7 +26,7 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
- name: Checkout repo
|
- name: Checkout repo
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # 2.3.4
|
||||||
|
|
||||||
- name: Create Release Vars
|
- name: Create Release Vars
|
||||||
id: create_tags
|
id: create_tags
|
||||||
@ -53,7 +53,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Create Draft Release
|
- name: Create Draft Release
|
||||||
id: create_release
|
id: create_release
|
||||||
uses: actions/create-release@v1
|
uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # 1.1.4 - Repo Archived
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
with:
|
with:
|
||||||
@ -69,7 +69,7 @@ jobs:
|
|||||||
needs: setup
|
needs: setup
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repo
|
- name: Checkout repo
|
||||||
uses: actions/checkout@v2
|
uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # 1.1.4 - Repo Archived
|
||||||
|
|
||||||
- name: Setup Windows builder
|
- name: Setup Windows builder
|
||||||
run: |
|
run: |
|
||||||
@ -77,7 +77,7 @@ jobs:
|
|||||||
choco install reshack --no-progress
|
choco install reshack --no-progress
|
||||||
|
|
||||||
- name: Set up Node
|
- name: Set up Node
|
||||||
uses: actions/setup-node@v1
|
uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # 2.1.5
|
||||||
with:
|
with:
|
||||||
node-version: '14.x'
|
node-version: '14.x'
|
||||||
|
|
||||||
@ -165,14 +165,14 @@ jobs:
|
|||||||
-t sha256 | Out-File -Encoding ASCII ./dist/bw-linux-sha256-${env:PACKAGE_VERSION}.txt
|
-t sha256 | Out-File -Encoding ASCII ./dist/bw-linux-sha256-${env:PACKAGE_VERSION}.txt
|
||||||
|
|
||||||
- name: build artifact - linux zip
|
- name: build artifact - linux zip
|
||||||
uses: actions/upload-artifact@v2
|
uses: actions/upload-artifact@ee69f02b3dfdecd58bb31b4d133da38ba6fe3700 # 2.2.3
|
||||||
with:
|
with:
|
||||||
name: bw-linux-${{ env.PACKAGE_VERSION }}.zip
|
name: bw-linux-${{ env.PACKAGE_VERSION }}.zip
|
||||||
path: ./dist/bw-linux-${{ env.PACKAGE_VERSION }}.zip
|
path: ./dist/bw-linux-${{ env.PACKAGE_VERSION }}.zip
|
||||||
|
|
||||||
- name: upload windows zip release asset
|
- name: upload windows zip release asset
|
||||||
id: upload-windows-zip
|
id: upload-windows-zip
|
||||||
uses: actions/upload-release-asset@v1
|
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # 1.0.2 - Archived
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
with:
|
with:
|
||||||
@ -183,7 +183,7 @@ jobs:
|
|||||||
|
|
||||||
- name: upload macos zip release asset
|
- name: upload macos zip release asset
|
||||||
id: upload-macos-zip
|
id: upload-macos-zip
|
||||||
uses: actions/upload-release-asset@v1
|
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # 1.0.2 - Archived
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
with:
|
with:
|
||||||
@ -194,7 +194,7 @@ jobs:
|
|||||||
|
|
||||||
- name: upload linux zip release asset
|
- name: upload linux zip release asset
|
||||||
id: upload-linux-zip
|
id: upload-linux-zip
|
||||||
uses: actions/upload-release-asset@v1
|
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # 1.0.2 - Archived
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
with:
|
with:
|
||||||
@ -205,7 +205,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload windows checksum release asset
|
- name: Upload windows checksum release asset
|
||||||
id: upload-windows-checksum
|
id: upload-windows-checksum
|
||||||
uses: actions/upload-release-asset@v1
|
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # 1.0.2 - Archived
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
with:
|
with:
|
||||||
@ -216,7 +216,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload macos checksum release asset
|
- name: Upload macos checksum release asset
|
||||||
id: upload-macos-checksum
|
id: upload-macos-checksum
|
||||||
uses: actions/upload-release-asset@v1
|
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # 1.0.2 - Archived
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
with:
|
with:
|
||||||
@ -227,7 +227,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload linux checksum release asset
|
- name: Upload linux checksum release asset
|
||||||
id: upload-linux-checksum
|
id: upload-linux-checksum
|
||||||
uses: actions/upload-release-asset@v1
|
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # 1.0.2 - Archived
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
with:
|
with:
|
||||||
@ -238,7 +238,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload chocolatey nupkg release asset
|
- name: Upload chocolatey nupkg release asset
|
||||||
id: upload-choco-nupkg
|
id: upload-choco-nupkg
|
||||||
uses: actions/upload-release-asset@v1
|
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # 1.0.2 - Archived
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
with:
|
with:
|
||||||
@ -258,10 +258,10 @@ jobs:
|
|||||||
PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
|
PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repo
|
- name: Checkout repo
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # 2.3.4
|
||||||
|
|
||||||
- name: Install Snapcraft
|
- name: Install Snapcraft
|
||||||
uses: samuelmeuli/action-snapcraft@v1
|
uses: samuelmeuli/action-snapcraft@10d7d0a84d9d86098b19f872257df314b0bd8e2d # 1.2.0
|
||||||
|
|
||||||
- name: Print environment
|
- name: Print environment
|
||||||
run: |
|
run: |
|
||||||
@ -275,7 +275,7 @@ jobs:
|
|||||||
GITHUB_EVENT: ${{ github.event_name }}
|
GITHUB_EVENT: ${{ github.event_name }}
|
||||||
|
|
||||||
- name: get linux zip artifact
|
- name: get linux zip artifact
|
||||||
uses: actions/download-artifact@v2
|
uses: actions/download-artifact@158ca71f7c614ae705e79f25522ef4658df18253 # 2.0.9
|
||||||
with:
|
with:
|
||||||
name: bw-linux-${{ env.PACKAGE_VERSION }}.zip
|
name: bw-linux-${{ env.PACKAGE_VERSION }}.zip
|
||||||
path: ./dist/snap
|
path: ./dist/snap
|
||||||
@ -310,7 +310,7 @@ jobs:
|
|||||||
sudo snap remove bw
|
sudo snap remove bw
|
||||||
|
|
||||||
- name: Upload snap release asset
|
- name: Upload snap release asset
|
||||||
uses: actions/upload-release-asset@v1
|
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # 1.0.2 - Archived
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
with:
|
with:
|
||||||
@ -320,7 +320,7 @@ jobs:
|
|||||||
asset_content_type: application
|
asset_content_type: application
|
||||||
|
|
||||||
- name: Upload snap checksum release asset
|
- name: Upload snap checksum release asset
|
||||||
uses: actions/upload-release-asset@v1
|
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # 1.0.2 - Archived
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
with:
|
with:
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user