From 6e4c0bd8aa1e7ab7892378778ded1689fa26e060 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com> Date: Thu, 21 Dec 2023 15:52:58 +0100 Subject: [PATCH] ci: fix artifacts download/upload for release draft workflow (#2759) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Pin upload and download actions by hash * Dont expect encrypted artifacts in release pipeline --------- Signed-off-by: Daniel Weiße --- .github/actions/artifact_download/action.yml | 2 +- .github/actions/artifact_upload/action.yml | 2 +- .../download_release_binaries/action.yml | 34 ++++++------------- .github/workflows/draft-release.yml | 6 ---- 4 files changed, 12 insertions(+), 32 deletions(-) diff --git a/.github/actions/artifact_download/action.yml b/.github/actions/artifact_download/action.yml index 36a885657..4ca96c369 100644 --- a/.github/actions/artifact_download/action.yml +++ b/.github/actions/artifact_download/action.yml @@ -28,7 +28,7 @@ runs: run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT" - name: Download the artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: ${{ inputs.name }} path: ${{ steps.tempdir.outputs.directory }} diff --git a/.github/actions/artifact_upload/action.yml b/.github/actions/artifact_upload/action.yml index fd850b354..d60b0a61f 100644 --- a/.github/actions/artifact_upload/action.yml +++ b/.github/actions/artifact_upload/action.yml @@ -52,7 +52,7 @@ runs: fi - name: Upload archive as artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: ${{ inputs.name }} path: ${{ steps.tempdir.outputs.directory }}/archive.zip diff --git a/.github/actions/download_release_binaries/action.yml b/.github/actions/download_release_binaries/action.yml index 39bb74846..af8cfa398 100644 
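Review bot: The trailing comments `# v3.0.2` (here) and `# v3.1.3` (in the artifact_upload hunk) are the only thing tying the pinned hashes to a release, and nothing in the patch keeps hash and comment in step. A pinned hash also stops picking up upstream fixes by itself, so the pin should be owned by an update bot that rewrites hash and comment together; whether the repository already configures one is not visible from this diff. The same download hash is repeated ten more times in download_release_binaries/action.yml, so a manual bump has eleven places to miss.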
--- a/.github/actions/download_release_binaries/action.yml +++ b/.github/actions/download_release_binaries/action.yml 
@@ -1,69 +1,55 @@ name: Download release binaries description: "Downloads all binaries created by a different job (and therefore not available in this job) in the release pipeline." -inputs: - encryption-secret: - description: 'The secret to use for decrypting the artifact.' - required: true runs: using: "composite" steps: - name: Download CLI binaries darwin-amd64 - uses: ./.github/actions/artifact_download + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-darwin-amd64 - encryption-secret: ${{ inputs.encryption-secret }} - name: Download CLI binaries darwin-arm64 - uses: ./.github/actions/artifact_download + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-darwin-arm64 - encryption-secret: ${{ inputs.encryption-secret }} - name: Download CLI binaries linux-amd64 - uses: ./.github/actions/artifact_download + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-linux-amd64 - encryption-secret: ${{ inputs.encryption-secret }} - name: Download CLI binaries linux-arm64 - uses: ./.github/actions/artifact_download + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-linux-arm64 - encryption-secret: ${{ inputs.encryption-secret }} - name: Download CLI binaries windows-amd64 - uses: ./.github/actions/artifact_download + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation-windows-amd64 - encryption-secret: ${{ inputs.encryption-secret }} - name: Download Terraform module - uses: ./.github/actions/artifact_download + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: terraform-module - encryption-secret: ${{ inputs.encryption-secret }} - name: Download Terraform provider binary darwin-amd64 - uses: ./.github/actions/artifact_download + uses: 
actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: terraform-provider-constellation-darwin-amd64 - encryption-secret: ${{ inputs.encryption-secret }} - name: Download Terraform provider binary darwin-arm64 - uses: ./.github/actions/artifact_download + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: terraform-provider-constellation-darwin-arm64 - encryption-secret: ${{ inputs.encryption-secret }} - name: Download Terraform provider binary linux-amd64 - uses: ./.github/actions/artifact_download + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: terraform-provider-constellation-linux-amd64 - encryption-secret: ${{ inputs.encryption-secret }} - name: Download Terraform provider binary linux-arm64 - uses: ./.github/actions/artifact_download + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: terraform-provider-constellation-linux-arm64 - encryption-secret: ${{ inputs.encryption-secret }} diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index d0d929b8a..018d59d55 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -227,8 +227,6 @@ jobs: - name: Download release binaries uses: ./.github/actions/download_release_binaries - with: - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download CLI SBOM uses: ./.github/actions/artifact_download @@ -343,8 +341,6 @@ jobs: - name: Download release binaries uses: ./.github/actions/download_release_binaries - with: - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download CLI SBOM uses: ./.github/actions/artifact_download 
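Review bot: With the `encryption-secret` input gone, the ten `actions/download-artifact` steps accept whatever artifact carries the expected name, and nothing between the build jobs and the release draft checks that the bytes are unchanged. If the decryption in `./.github/actions/artifact_download` was also serving as an integrity check (that action's body is not in this patch), I would replace it with an explicit one, for example a final step that runs `sha256sum --check` against digests the build jobs publish as job outputs. None of the new steps sets `path:`, so the files land in the action's default directory; stating the destination explicitly would make the contract with the later release steps visible. A header comment such as `# Release binaries are uploaded unencrypted; do not route them through artifact_download.` would record why this action differs from the SBOM downloads that still use the wrapper.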
@@ -425,8 +421,6 @@ jobs: - name: Download binaries uses: ./.github/actions/download_release_binaries - with: - encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Download CLI SBOM uses: ./.github/actions/artifact_download