From 7752625f49aae7886ea44b0bf98add5bcbff2eab Mon Sep 17 00:00:00 2001 From: Wilson Snyder Date: Tue, 23 Jun 2026 21:24:21 -0400 Subject: [PATCH] CI: Pin actions to hashes --- .github/workflows/build-test.yml | 6 ++--- .github/workflows/contributor.yml | 2 +- .github/workflows/coverage.yml | 16 ++++++------ .github/workflows/docker.yml | 12 ++++----- .github/workflows/format.yml | 2 +- .github/workflows/pages.yml | 10 +++---- .github/workflows/reusable-build.yml | 6 ++--- .github/workflows/reusable-lint-py.yml | 2 +- .github/workflows/reusable-rtlmeter-build.yml | 6 ++--- .github/workflows/reusable-rtlmeter-run.yml | 12 ++++----- .github/workflows/reusable-test.yml | 6 ++--- .github/workflows/rtlmeter.yml | 26 +++++++++---------- 12 files changed, 53 insertions(+), 53 deletions(-) diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml index 8b42e2306..d0dfeccb7 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-test.yml @@ -154,11 +154,11 @@ jobs: CCACHE_DIR: ${{ github.workspace }}/.ccache CCACHE_LIMIT_MULTIPLE: 0.95 steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: path: repo - name: Cache $CCACHE_DIR - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ${{ env.CCACHE_DIR }} key: msbuild-msvc-cmake @@ -171,7 +171,7 @@ jobs: - name: Zip up repository run: Compress-Archive -LiteralPath install -DestinationPath verilator.zip - name: Upload zip archive - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: ${{ github.workspace }}/repo/verilator.zip name: verilator-win.zip diff --git a/.github/workflows/contributor.yml b/.github/workflows/contributor.yml index afb5b9fe5..4fef0fd66 100644 --- a/.github/workflows/contributor.yml +++ b/.github/workflows/contributor.yml @@ -16,5 +16,5 @@ jobs: name: "'docs/CONTRIBUTORS' was signed" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - run: test_regress/t/t_dist_contributors.py diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index d4934c92b..cc6b463b0 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -74,10 +74,10 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Download code coverage data - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: code-coverage-* path: obj_coverage @@ -90,7 +90,7 @@ jobs: find obj_coverage -type f | paste -sd, | sed "s/^/files=/" >> "$GITHUB_OUTPUT" - name: Upload to codecov.io - uses: codecov/codecov-action@v7 + uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7 with: disable_file_fixes: true disable_search: true @@ -114,7 +114,7 @@ jobs: sudo apt install lcov - name: Download repository archive - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ${{ needs.build.outputs.archive }} path: ${{ github.workspace }} @@ -125,7 +125,7 @@ jobs: ls -lsha - name: Download code coverage data - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: code-coverage-* path: repo/obj_coverage @@ -172,14 +172,14 @@ jobs: fi - name: Upload report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: repo/obj_coverage name: coverage-report - name: Upload notification if: ${{ github.event_name == 'pull_request' }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: repo/notification name: pr-notification @@ -195,7 +195,7 @@ jobs: # Creating issues requires elevated privilege - name: Generate access token id: generate-token - uses: actions/create-github-app-token@v3.2.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ vars.VERILATOR_CI_ID }} private-key: ${{ secrets.VERILATOR_CI_KEY }} diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 37c35f8f8..f41c513a5 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Extract context variables run: | @@ -54,7 +54,7 @@ jobs: - name: Docker meta id: docker_meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6 with: images: | ${{ vars.DOCKER_HUB_NAMESPACE }}/${{ env.image_name }} @@ -64,21 +64,21 @@ jobs: type=raw,value=latest,enable=${{ inputs.add_latest_tag == true }} - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4 with: buildkitd-flags: --debug - name: Login to Docker Hub - uses: docker/login-action@v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: username: ${{ secrets.DOCKER_HUB_USER }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Build and Push to Docker - uses: docker/build-push-action@v7 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7 if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' with: context: ${{ env.build_context }} diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index 6716b4f48..5a604fa73 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -21,7 +21,7 @@ jobs: CI_COMMIT: ${{ github.sha }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install packages for build diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index bc314b298..59048157c 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -38,7 +38,7 @@ jobs: pr-run-ids: ${{ steps.build.outputs.pr-run-ids }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Build pages id: build env: @@ -48,7 +48,7 @@ jobs: ls -lsha tree -L 3 pages - name: Upload pages artifact - uses: actions/upload-pages-artifact@v5 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5 with: path: pages @@ -61,7 +61,7 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - name: Deploy to GitHub Pages - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5 notify: name: Notify @@ -70,11 +70,11 @@ jobs: if: ${{ github.repository == 'verilator/verilator' }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 # Use the Verilator CI app to post the comment - name: Generate access token id: generate-token - uses: actions/create-github-app-token@v3.2.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ vars.VERILATOR_CI_ID }} private-key: ${{ secrets.VERILATOR_CI_KEY }} diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 2601765e1..5d053cadb 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -61,14 +61,14 @@ jobs: CCACHE_MAXSIZE: 1000M # Per build matrix entry (* 5 = 5000M in total) steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: path: repo ref: ${{ inputs.sha }} fetch-depth: ${{ inputs.dev-gcov && '0' || '1' }} # Coverage flow needs full history - name: Cache $CCACHE_DIR - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 env: CACHE_KEY: ${{ env.CACHE_BASE_KEY }}-ccache with: @@ -93,7 +93,7 @@ jobs: echo "archive=$ARCHIVE" >> "$GITHUB_OUTPUT" - name: Upload repository archive - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: ${{ github.workspace }}/${{ steps.create-archive.outputs.archive }} name: ${{ steps.create-archive.outputs.archive }} diff --git a/.github/workflows/reusable-lint-py.yml b/.github/workflows/reusable-lint-py.yml index fa8405693..f37027aa7 100644 --- a/.github/workflows/reusable-lint-py.yml +++ b/.github/workflows/reusable-lint-py.yml @@ -27,7 +27,7 @@ jobs: name: Sub-lint | Python steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: path: repo diff --git a/.github/workflows/reusable-rtlmeter-build.yml b/.github/workflows/reusable-rtlmeter-build.yml index b6c87a6dc..cdfee423a 100644 --- a/.github/workflows/reusable-rtlmeter-build.yml +++ b/.github/workflows/reusable-rtlmeter-build.yml @@ -50,7 +50,7 @@ jobs: sudo apt install ccache mold help2man libfl-dev libjemalloc-dev libsystemc-dev - name: Use saved ccache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ccache key: rtlmeter-build-ccache-${{ inputs.runs-on }}-${{ inputs.cc }}-${{ inputs.sha }}-${{ github.run_id }}-${{ github.run_attempt }} @@ -60,7 +60,7 @@ jobs: rtlmeter-build-ccache-${{ inputs.runs-on }}-${{ inputs.cc }} - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: path: repo ref: ${{ inputs.sha }} @@ -89,7 +89,7 @@ jobs: echo "archive=$ARCHIVE" >> $GITHUB_OUTPUT - name: Upload Verilator installation archive - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: ${{ steps.create-archive.outputs.archive }} name: ${{ steps.create-archive.outputs.archive }} diff --git a/.github/workflows/reusable-rtlmeter-run.yml b/.github/workflows/reusable-rtlmeter-run.yml index a5dee222c..81aaad405 100644 --- a/.github/workflows/reusable-rtlmeter-run.yml +++ b/.github/workflows/reusable-rtlmeter-run.yml @@ -73,7 +73,7 @@ jobs: sudo apt install ccache mold libfl-dev libjemalloc-dev libsystemc-dev - name: Checkout RTLMeter - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: repository: "verilator/rtlmeter" path: rtlmeter @@ -84,7 +84,7 @@ jobs: - name: Use saved ccache if: ${{ env.CCACHE_DISABLE == 0 }} - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ${{ env.CCACHE_DIR }} key: rtlmeter-run-ccache-${{ inputs.runs-on }}-${{ inputs.cc }}-${{ inputs.cases }}-${{ inputs.compileArgs }}-${{ github.run_id }}-${{ github.run_attempt }} @@ -95,7 +95,7 @@ jobs: ######################################################################## - name: Download Verilator installation archive - new - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ${{ inputs.verilator-archive-new }} @@ -135,7 +135,7 @@ jobs: ./rtlmeter report --steps '*' --metrics '*' ../results-${{ steps.results.outputs.hash }}.json - name: Upload results - new - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: results-${{ steps.results.outputs.hash }}.json name: rtlmeter-${{ inputs.tag }}-results-${{ steps.results.outputs.hash }} @@ -157,7 +157,7 @@ jobs: - name: Download Verilator installation archive - old if: ${{ inputs.verilator-archive-old != '' }} - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ${{ inputs.verilator-archive-old }} @@ -198,7 +198,7 @@ jobs: - name: Upload results - old if: ${{ inputs.verilator-archive-old != '' }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: reference-${{ steps.results.outputs.hash }}.json name: rtlmeter-${{ inputs.tag }}-reference-${{ steps.results.outputs.hash }} diff --git a/.github/workflows/reusable-test.yml b/.github/workflows/reusable-test.yml index 7f363f2d9..efc9c50fe 100644 --- a/.github/workflows/reusable-test.yml +++ b/.github/workflows/reusable-test.yml @@ -55,7 +55,7 @@ jobs: steps: - name: Download repository archive - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ${{ inputs.archive }} path: ${{ github.workspace }} @@ -67,7 +67,7 @@ jobs: ls -lsha - name: Cache $CCACHE_DIR - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 env: CACHE_KEY: ${{ env.CACHE_BASE_KEY }}-ccache2 with: @@ -99,7 +99,7 @@ jobs: - name: Upload code coverage data if: ${{ inputs.dev-gcov }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: ${{ github.workspace }}/repo/obj_coverage/verilator-${{ inputs.suite }}.info name: code-coverage-${{ inputs.suite }} diff --git a/.github/workflows/rtlmeter.yml b/.github/workflows/rtlmeter.yml index af79a9a0f..1848d4ec8 100644 --- a/.github/workflows/rtlmeter.yml +++ b/.github/workflows/rtlmeter.yml @@ -45,7 +45,7 @@ jobs: cases: ${{ steps.cases.outputs.cases }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Startup id: start @@ -208,7 +208,7 @@ jobs: run: echo "tags=$(jq -r 'keys | map(sub("^run-"; "")) | join(" ")' <<< '${{ toJSON(needs) }}')" >> "$GITHUB_OUTPUT" - name: Checkout RTLMeter - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: repository: "verilator/rtlmeter" path: rtlmeter @@ -232,7 +232,7 @@ jobs: ./rtlmeter collate ../all-results-$tag/*.json > ../all-results-$tag.json done - name: Upload combined results - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: all-results-*.json name: all-results @@ -259,7 +259,7 @@ jobs: done - name: Upload reference results if: ${{ github.event_name == 'pull_request' }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: all-reference-*.json name: all-reference @@ -278,19 +278,19 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Download combined results - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: all-results path: results - name: Upload published results - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: results/*.json name: published-results # Pushing to verilator/verilator-rtlmeter-results requires elevated permissions - name: Generate access token id: generate-token - uses: actions/create-github-app-token@v3.2.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ vars.VERILATOR_CI_ID }} private-key: ${{ secrets.VERILATOR_CI_KEY }} @@ -298,7 +298,7 @@ jobs: repositories: verilator-rtlmeter-results permission-contents: write - name: Checkout verilator-rtlmeter-results - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: repository: "verilator/verilator-rtlmeter-results" token: ${{ steps.generate-token.outputs.token }} @@ -331,7 +331,7 @@ jobs: actions: read steps: - name: Checkout RTLMeter - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: repository: "verilator/rtlmeter" path: rtlmeter @@ -341,7 +341,7 @@ jobs: run: make venv - name: Checkout Verilator - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: path: verilator @@ -367,13 +367,13 @@ jobs: echo ${{ github.event.number }} > ../notification-artifact/pr-number.txt - name: Upload report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: report-artifact name: rtlmeter-report - name: Upload notification - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: notification-artifact name: pr-notification @@ -392,7 +392,7 @@ jobs: # Creating issues requires elevated privilege - name: Generate access token id: generate-token - uses: actions/create-github-app-token@v3.2.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ vars.VERILATOR_CI_ID }} private-key: ${{ secrets.VERILATOR_CI_KEY }}