diff --git a/.github/workflows/acknowledge-new-issues.yml b/.github/workflows/acknowledge-new-issues.yml
index 3d14aeda01d..03f84516abd 100644
--- a/.github/workflows/acknowledge-new-issues.yml
+++ b/.github/workflows/acknowledge-new-issues.yml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Comment to acknowledge issue
- uses: peter-evans/create-or-update-comment@v5
+ uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
 with:
 issue-number: ${{ github.event.issue.number }}
 body: |
diff --git a/.github/workflows/acknowledge-new-prs.yml b/.github/workflows/acknowledge-new-prs.yml
index 1380ce88457..969aba898db 100644
--- a/.github/workflows/acknowledge-new-prs.yml
+++ b/.github/workflows/acknowledge-new-prs.yml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Comment to acknowledge PRs
- uses: peter-evans/create-or-update-comment@v5
+ uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
 with:
 issue-number: ${{ github.event.pull_request.number }}
 body: |
diff --git a/.github/workflows/ado-integration.yml b/.github/workflows/ado-integration.yml
index 11a485d71fe..cc033031a98 100644
--- a/.github/workflows/ado-integration.yml
+++ b/.github/workflows/ado-integration.yml
@@ -9,7 +9,7 @@ jobs:
 alert:
 runs-on: ubuntu-latest
 steps:
- - uses: mhamilton723/github-actions-issue-to-work-item@master
+ - uses: mhamilton723/github-actions-issue-to-work-item@9bd9d44197557fd55cc7043512a84ea7aa4489d3 # master
 env:
 ado_token: "${{ secrets.ADO_PERSONAL_ACCESS_TOKEN }}"
 github_token: "${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}"
diff --git a/.github/workflows/ado-pr-to-workitem.yml b/.github/workflows/ado-pr-to-workitem.yml
index 8a238371423..9e64474bb05 100644
--- a/.github/workflows/ado-pr-to-workitem.yml
+++ b/.github/workflows/ado-pr-to-workitem.yml
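Review bot: The trailing comment `# v5` on the pinned `peter-evans/create-or-update-comment` line in acknowledge-new-issues.yml names a moving major tag, so a later reader cannot tell which release the SHA was resolved from or check it against an immutable tag. I would record the exact release instead, e.g. `uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.x.y`, where `x.y` is a placeholder for the release the SHA actually belongs to (not verified here). The same applies to the `# v4`, `# v3`, `# v2` and `# v2.x` comments in the other workflow hunks of this commit. No updater configuration is visible in this diff; if the repository has none for the `github-actions` ecosystem, these pins will stop receiving upstream fixes until someone bumps them by hand.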
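Review bot: The `# master` comment on the pinned `mhamilton723/github-actions-issue-to-work-item` line in ado-integration.yml names a branch, so it says nothing about how old the pinned commit is or whether anyone has read it. That matters more here than elsewhere in the commit, because the step passes both `secrets.ADO_PERSONAL_ACCESS_TOKEN` and `secrets.GH_PERSONAL_ACCESS_TOKEN` to third-party code; pinning stops the code changing, but it does not establish that commit `9bd9d44197557fd55cc7043512a84ea7aa4489d3` is trustworthy. I would review that commit before merging and make the comment say when the pin was taken, e.g. `# master as of <YYYY-MM-DD>`. The `danhellem/github-actions-pr-to-work-item` pin in ado-pr-to-workitem.yml has the same comment and receives the same two tokens; how narrowly those tokens are scoped is not visible in this diff.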
@@ -10,7 +10,7 @@ jobs: alert: runs-on: ubuntu-latest steps: - - uses: danhellem/github-actions-pr-to-work-item@master + - uses: danhellem/github-actions-pr-to-work-item@496254e48adbe7f1ed14a8afb71dc520b2c052ac # master env: ado_token: '${{ secrets.ADO_PERSONAL_ACCESS_TOKEN }}' github_token: '${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}' diff --git a/.github/workflows/check-dead-links.yml b/.github/workflows/check-dead-links.yml index 99f30184f14..5d5a08a6362 100644 --- a/.github/workflows/check-dead-links.yml +++ b/.github/workflows/check-dead-links.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Fetch sitemap URLs run: | @@ -26,7 +26,7 @@ jobs: echo "Found $(wc -l < urls.txt) URLs in sitemap" - name: Scan for dead links - uses: lycheeverse/lychee-action@v2 + uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2 with: args: >- --no-progress diff --git a/.github/workflows/check-semantic-prs.yaml b/.github/workflows/check-semantic-prs.yaml index cbb5736cd02..711bfdb425f 100644 --- a/.github/workflows/check-semantic-prs.yaml +++ b/.github/workflows/check-semantic-prs.yaml @@ -13,6 +13,6 @@ jobs: name: Validate PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5.4.0 + - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 616775e96a4..7104cb6d298 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -42,11 +42,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -60,7 +60,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3 # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -73,6 +73,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index af385f8c143..c16fcc109b9 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -14,10 +14,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Dependency Review - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4 with: fail-on-severity: high comment-summary-in-pr: always diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml index 85bfae3c347..0c9c22cf463 100644 
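Review bot: Nothing in codeql.yml tells a future editor that the `init`, `autobuild` and `analyze` pins must move together, even though all three now carry the same SHA `5c8a8a642e79153f5d047b10ec1cba1d1cc65699`. The three are sub-paths of one `github/codeql-action` repository, so a hand edit that bumps only one of them would run steps from different commits of the same action, which is presumably not a combination upstream tests. A short comment above the first of them would make the constraint explicit, e.g. `# init, autobuild and analyze must stay pinned to the same github/codeql-action commit`.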
--- a/.github/workflows/pr-validation.yml +++ b/.github/workflows/pr-validation.yml @@ -12,10 +12,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.12" @@ -30,10 +30,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up JDK 11 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 diff --git a/.github/workflows/remove-awaiting-response-label.yml b/.github/workflows/remove-awaiting-response-label.yml index 1ff1e4b94d1..0882e81d16c 100644 --- a/.github/workflows/remove-awaiting-response-label.yml +++ b/.github/workflows/remove-awaiting-response-label.yml @@ -13,7 +13,7 @@ jobs: github.event.comment.author_association != 'COLLABORATOR' steps: - name: Remove needs-reply label - uses: octokit/request-action@v2.x + uses: octokit/request-action@02f5e7c637a73a3b12ed81015fa7fb5f11cc5d7d # v2.x continue-on-error: true with: route: DELETE /repos/:repository/issues/:issue/labels/:label diff --git a/.github/workflows/remove-old-issues.yml b/.github/workflows/remove-old-issues.yml index 51c9b2e41c1..b9589fea9f7 100644 --- a/.github/workflows/remove-old-issues.yml +++ b/.github/workflows/remove-old-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Close old issues that need reply - uses: dwieeb/needs-reply@v2 + uses: dwieeb/needs-reply@71e8d5144caa0d4a1e292348bfafa3866d08c855 # v2 with: repo-token: ${{ secrets.GITHUB_TOKEN }} issue-label: "awaiting response" diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 818f9d23863..c6e3b51d85e 100644 --- a/.github/workflows/scorecards.yml 
+++ b/.github/workflows/scorecards.yml @@ -32,7 +32,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v4 # v3.1.0 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: persist-credentials: false diff --git a/tools/docker/demo/Dockerfile b/tools/docker/demo/Dockerfile index 7783abad272..24e4683c1d2 100644 --- a/tools/docker/demo/Dockerfile +++ b/tools/docker/demo/Dockerfile @@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/mirror/docker/library/ubuntu:22.04 +FROM mcr.microsoft.com/mirror/docker/library/ubuntu:22.04@sha256:104ae83764a5119017b8e8d6218fa0832b09df65aae7d5a6de29a85d813da2fb ARG SYNAPSEML_VERSION=1.1.2 ARG DEBIAN_FRONTEND=noninteractive diff --git a/tools/docker/minimal/Dockerfile b/tools/docker/minimal/Dockerfile index d72981da7b6..566ad04e4d2 100644 --- a/tools/docker/minimal/Dockerfile +++ b/tools/docker/minimal/Dockerfile @@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/mirror/docker/library/ubuntu:22.04 +FROM mcr.microsoft.com/mirror/docker/library/ubuntu:22.04@sha256:104ae83764a5119017b8e8d6218fa0832b09df65aae7d5a6de29a85d813da2fb ARG SYNAPSEML_VERSION=1.1.2 ARG DEBIAN_FRONTEND=noninteractive diff --git a/tools/helm/livy/Dockerfile b/tools/helm/livy/Dockerfile index 19c4fffaac3..9ce97cf6780 100644 --- a/tools/helm/livy/Dockerfile +++ b/tools/helm/livy/Dockerfile @@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/openjdk/jdk:11-mariner +FROM mcr.microsoft.com/openjdk/jdk:11-mariner@sha256:844a36373ab341f993c7258addee6d7d66b6ef93c264ea4b367d96fc5663b7d1 LABEL maintainer="Dalitso Banda dalitsohb@gmail.com" # Get Spark from US Apache mirror. diff --git a/tools/helm/livy/mini.Dockerfile b/tools/helm/livy/mini.Dockerfile index 07caa82f0e6..fecd622880c 100644 --- a/tools/helm/livy/mini.Dockerfile +++ b/tools/helm/livy/mini.Dockerfile 
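Review bot: With `ubuntu:22.04@sha256:...` in tools/docker/demo/Dockerfile the tag becomes informational and only the digest is pulled, so a rebuild no longer picks up the patched base images published under `22.04` until someone changes the digest. No updater for these digests is visible in this diff; without one, for example a Dependabot `docker` entry covering `tools/docker` and `tools/helm`, the pin trades tag drift for a base image that silently ages. It is also worth confirming that each digest refers to the multi-platform index rather than a single-architecture manifest, since the latter would give builds on another architecture a non-matching image. The same applies to the `ubuntu:22.04` pin in tools/docker/minimal/Dockerfile and to the `jdk:11-mariner` and `mmlspark/spark2.4:v4_mini` pins in the tools/helm Dockerfiles.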
@@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/mmlspark/spark2.4:v4_mini +FROM mcr.microsoft.com/mmlspark/spark2.4:v4_mini@sha256:a7da0d7cd86ab374d1f0dc7ae4cd35260f8798f8e40a4e4e818748f61a389279 MAINTAINER Dalitso Banda ENV LIVY_VERSION="git_master" diff --git a/tools/helm/spark/Dockerfile b/tools/helm/spark/Dockerfile index d5200fc15a0..2e42b1e7c66 100644 --- a/tools/helm/spark/Dockerfile +++ b/tools/helm/spark/Dockerfile @@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/openjdk/jdk:11-mariner +FROM mcr.microsoft.com/openjdk/jdk:11-mariner@sha256:844a36373ab341f993c7258addee6d7d66b6ef93c264ea4b367d96fc5663b7d1 LABEL maintainer="Dalitso Banda dalitsohb@gmail.com" # Get Spark from US Apache mirror. diff --git a/tools/helm/spark/mini.Dockerfile b/tools/helm/spark/mini.Dockerfile index 05913f4b0b0..9078ffdb91a 100644 --- a/tools/helm/spark/mini.Dockerfile +++ b/tools/helm/spark/mini.Dockerfile @@ -15,7 +15,7 @@ # limitations under the License. # -FROM mcr.microsoft.com/openjdk/jdk:11-mariner +FROM mcr.microsoft.com/openjdk/jdk:11-mariner@sha256:844a36373ab341f993c7258addee6d7d66b6ef93c264ea4b367d96fc5663b7d1 ARG spark_jars=jars ARG img_path=kubernetes/dockerfiles diff --git a/tools/helm/zeppelin/Dockerfile b/tools/helm/zeppelin/Dockerfile index 6f92ed02039..b572c2b180a 100644 --- a/tools/helm/zeppelin/Dockerfile +++ b/tools/helm/zeppelin/Dockerfile @@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/openjdk/jdk:11-mariner +FROM mcr.microsoft.com/openjdk/jdk:11-mariner@sha256:844a36373ab341f993c7258addee6d7d66b6ef93c264ea4b367d96fc5663b7d1 LABEL maintainer="Dalitso Banda dalitsohb@gmail.com" # Get Spark from US Apache mirror. diff --git a/tools/helm/zeppelin/mini.Dockerfile b/tools/helm/zeppelin/mini.Dockerfile index 6b126a81543..b0f751a4bd5 100644 --- a/tools/helm/zeppelin/mini.Dockerfile +++ b/tools/helm/zeppelin/mini.Dockerfile 
@@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/mmlspark/spark2.4:v4_mini +FROM mcr.microsoft.com/mmlspark/spark2.4:v4_mini@sha256:a7da0d7cd86ab374d1f0dc7ae4cd35260f8798f8e40a4e4e818748f61a389279 MAINTAINER Dalitso Banda ADD patch_beam.patch /tmp/patch_beam.patch