chore: update and pin GHA versions; add actionlint and VSCode extensi…

…on (#117)
Azure · Jan 31, 2024 · cf606a1 · cf606a1
1 parent 7156404
commit cf606a1
Show file tree

Hide file tree

Showing 15 changed files with 47 additions and 41 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -32,7 +32,8 @@
 				"ms-azuretools.vscode-bicep",
 				"GitHub.vscode-pull-request-github",
 				"jinliming2.vscode-go-template",
-				"tekumara.typos-vscode"
+				"tekumara.typos-vscode",
+				"github.vscode-github-actions"
 			]
 		}
 	},
@@ -58,6 +59,7 @@
         "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {},
         "ghcr.io/devcontainers/features/kubectl-helm-minikube:1": {},
         "ghcr.io/devcontainers/features/azure-cli:1": {},
-        "ghcr.io/devcontainers-contrib/features/pre-commit:2": {}
+        "ghcr.io/devcontainers-contrib/features/pre-commit:2": {},
+        "ghcr.io/marcozac/devcontainer-features/shellcheck:1": {}
 	}
 }
diff --git a/.github/actions/commit-status/end/action.yaml b/.github/actions/commit-status/end/action.yaml
@@ -10,7 +10,7 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/github-script@v6
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       if: job.status == 'success'
       with:
         script: |
@@ -22,7 +22,7 @@ runs:
             state: "success",
             target_url: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}",
           });
-    - uses: actions/github-script@v6
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       if: job.status == 'failure' || job.status == 'cancelled'
       with:
         script: |

diff --git a/.github/actions/commit-status/start/action.yaml b/.github/actions/commit-status/start/action.yaml
@@ -10,7 +10,7 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/github-script@v6
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       if: always()
       with:
         script: |

diff --git a/.github/actions/download-artifact/action.yaml b/.github/actions/download-artifact/action.yaml
@@ -3,7 +3,7 @@ description: 'Downloads and unarchives artifacts for a workflow that runs on wor
 runs:
   using: "composite"
   steps:
-    - uses: actions/github-script@v6
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({

diff --git a/.github/actions/e2e/cleanup/action.yaml b/.github/actions/e2e/cleanup/action.yaml
@@ -2,13 +2,13 @@ name: Cleanup
 description: 'Runs all the cleanup tasks to cleanup resources deployed during E2E'
 inputs:
   client-id:
-    description: 
+    description: "Client ID"
     required: true
   tenant-id:
-    description: 
+    description: "Tenant ID"
     required: true
   subscription-id:
-    description: 
+    description: "Subscription ID"
     required: true
   # region:
   #   description: "Region to create aks cluster"
@@ -28,11 +28,11 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         ref: ${{ inputs.git_ref }}
     - name: az login
-      uses: azure/login@v1
+      uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
       with:
         client-id: ${{ inputs.client-id }}
         tenant-id: ${{ inputs.tenant-id }}

diff --git a/.github/actions/e2e/create-acr/action.yaml b/.github/actions/e2e/create-acr/action.yaml
@@ -2,13 +2,13 @@ name: CreateACR
 description: 'Creates ACR'
 inputs:
   client-id:
-    description: 
+    description: "Client ID"
     required: true
   tenant-id:
-    description: 
+    description: "Tenant ID"
     required: true
   subscription-id:
-    description: 
+    description: "Subscription ID"
     required: true
   resource_group:
     description: "Name of the resource group to create the cluster within"
@@ -20,17 +20,16 @@ inputs:
     description: "The git commit, tag, or branch to check out"
     required: false
   location:
-    type: string
-    description: "the azure location to run the e2e test in"
+    description: "The azure location to run the e2e test in"
     default: "eastus"
 runs:
   using: "composite"
   steps:
-  - uses: actions/checkout@v4
+  - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     with:
       ref: ${{ inputs.git_ref }}
   - name: az login
-    uses: azure/login@v1
+    uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
     with:
       client-id: ${{ inputs.client-id }}
       tenant-id: ${{ inputs.tenant-id }}

diff --git a/.github/actions/e2e/create-cluster/action.yaml b/.github/actions/e2e/create-cluster/action.yaml
@@ -27,17 +27,16 @@ inputs:
     description: "The git commit, tag, or branch to check out"
     required: false
   location:
-    type: string
-    description: "the azure location to run the e2e test in"
+    description: "The azure location to run the e2e test in"
     default: "eastus"
 runs:
   using: "composite"
   steps:
-  - uses: actions/checkout@v4
+  - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     with:
       ref: ${{ inputs.git_ref }}
   - name: az login
-    uses: azure/login@v1
+    uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
     with:
       client-id: ${{ inputs.client-id }}
       tenant-id: ${{ inputs.tenant-id }}
@@ -52,7 +51,7 @@ runs:
     shell: bash
     run: AZURE_CLUSTER_NAME=${{ inputs.cluster_name }} AZURE_RESOURCE_GROUP=${{ inputs.resource_group }} AZURE_ACR_NAME=${{ inputs.acr_name }} AZURE_LOCATION=${{ inputs.location }} make az-mkaks-cilium
   - name: az login 2
-    uses: azure/login@v1
+    uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
     with:
       client-id: ${{ inputs.client-id }}
       tenant-id: ${{ inputs.tenant-id }}

diff --git a/.github/actions/e2e/dump-logs/action.yaml b/.github/actions/e2e/dump-logs/action.yaml
@@ -2,13 +2,13 @@ name: DumpLogs
 description: 'Dump logs and debug information from the cluster after a test run'
 inputs:
   client-id:
-    description: 
+    description: "Client ID"
     required: true
   tenant-id:
-    description: 
+    description: "Tenant ID"
     required: true
   subscription-id:
-    description: 
+    description: "Subscription ID"
     required: true
   resource_group:
     description: "Name of the resource group for the cluster"
@@ -22,11 +22,11 @@ inputs:
 runs:
   using: "composite"
   steps:
-  - uses: actions/checkout@v4
+  - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     with:
       ref: ${{ inputs.git_ref }}
   - name: az login
-    uses: azure/login@v1
+    uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
     with:
       client-id: ${{ inputs.client-id }}
       tenant-id: ${{ inputs.tenant-id }}

diff --git a/.github/actions/e2e/install-karpenter/action.yaml b/.github/actions/e2e/install-karpenter/action.yaml
@@ -26,17 +26,16 @@ inputs:
     description: "The git commit, tag, or branch to check out"
     required: false
   location:
-    type: string
     description: "the azure location to run the e2e test in"
     default: "eastus"
 runs:
   using: "composite"
   steps:
-  - uses: actions/checkout@v4
+  - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     with:
       ref: ${{ inputs.git_ref }}
   - name: az login
-    uses: azure/login@v1
+    uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
     with:
       client-id: ${{ inputs.client-id }}
       tenant-id: ${{ inputs.tenant-id }}

diff --git a/.github/actions/install-deps/action.yml b/.github/actions/install-deps/action.yml
@@ -7,15 +7,15 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/setup-go@v4
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
         go-version-file: go.mod
         check-latest: true
         cache-dependency-path: "**/go.sum"
     # Root path permission workaround for caching https://github.com/actions/cache/issues/845#issuecomment-1252594999
     - run: sudo chown "$USER" /usr/local
       shell: bash
-    - uses: actions/cache@v3
+    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
       id: cache-toolchain
       with:
         path: |

diff --git a/.github/workflows/build-publish-mcr.yml b/.github/workflows/build-publish-mcr.yml
@@ -34,10 +34,10 @@ jobs:
         run: |
           RELEASE_TAG=${{ inputs.releaseTag }}
           if [ -z "$RELEASE_TAG" ]; then
-            RELEASE_TAG=`git describe --tags $(git rev-list --tags --max-count=1)`
+            RELEASE_TAG="$(git describe --tags "$(git rev-list --tags --max-count=1)")"
             echo "The user input release tag is empty, will use the latest tag $RELEASE_TAG."
           fi
-          echo "release_tag=$RELEASE_TAG" >> $GITHUB_OUTPUT
+          echo "release_tag=$RELEASE_TAG" >> "$GITHUB_OUTPUT"
 
   publish-images:
     permissions:

diff --git a/.github/workflows/e2e-matrix.yaml b/.github/workflows/e2e-matrix.yaml
@@ -35,9 +35,9 @@ jobs:
 
       - id: generate-e2e-run-hash
         run: |
-          E2E_HASH=$RANDOM$RANDOM
+          E2E_HASH="$RANDOM$RANDOM"
           echo "Using e2e hash \"$E2E_HASH\""
-          echo E2E_HASH=$E2E_HASH >> $GITHUB_OUTPUT
+          echo "E2E_HASH=$E2E_HASH" >> "$GITHUB_OUTPUT"
   e2e:
     needs: [initialize-generative-params]
     strategy:

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -28,6 +28,11 @@ on:
 permissions:
   contents: read
 
+env:
+  ACR_NAME:
+  RG_NAME:
+  CLUSTER_NAME:
+
 jobs:
   run-suite:
     name: suite-${{ inputs.suite }}
@@ -70,12 +75,12 @@ jobs:
         run: |
           RG_NAME=$(echo karpenter-e2e-${{ inputs.suite }}-${{ inputs.hash }} | awk '{print tolower($0)}')
           echo "Using resource group name \"$RG_NAME\""
-          echo RG_NAME=$RG_NAME >> $GITHUB_ENV
+          echo "RG_NAME=$RG_NAME" >> "$GITHUB_ENV"
       - name: generate acr name
         run: |
           ACR_NAME=$(echo ${{ inputs.suite }}acr${{ inputs.hash }} | awk '{print tolower($0)}')
           echo "Using acr name \"$ACR_NAME\""
-          echo ACR_NAME=$ACR_NAME >> $GITHUB_ENV
+          echo "ACR_NAME=$ACR_NAME" >> "$GITHUB_ENV"
       - name: create acr '${{ env.ACR_NAME }}'
         uses: ./.github/actions/e2e/create-acr
         with:
@@ -89,12 +94,12 @@ jobs:
       - name: add jitter on cluster creation
         run: |
           # Creating jitter so that we can stagger cluster creation to avoid throttling
-          sleep $(( $RANDOM % 60 + 1 ))
+          sleep $(( RANDOM % 60 + 1 ))
       - name: generate cluster name
         run: |
           CLUSTER_NAME=mc
           echo "Using cluster name \"$CLUSTER_NAME\""
-          echo CLUSTER_NAME=$CLUSTER_NAME >> $GITHUB_ENV
+          echo "CLUSTER_NAME=$CLUSTER_NAME" >> "$GITHUB_ENV"
       - name: create aks cluster '${{ env.CLUSTER_NAME }}'
         uses: ./.github/actions/e2e/create-cluster
         with:

diff --git a/Makefile b/Makefile
@@ -86,6 +86,7 @@ verify: toolchain tidy download ## Verify code. Includes dependencies, linting,
 	# TODO: restore codegen if needed; decide on the future of docgen
 	#@echo "Validating codegen/docgen build scripts..."
 	#@find hack/code hack/docs -name "*.go" -type f -print0 | xargs -0 -I {} go build -o /dev/null {}
+	actionlint -oneline
 
 vulncheck: ## Verify code vulnerabilities
 	@govulncheck ./pkg/...

diff --git a/hack/toolchain.sh b/hack/toolchain.sh
@@ -21,6 +21,7 @@ tools() {
 #   go install -tags extended github.com/gohugoio/[email protected]
     go install golang.org/x/vuln/cmd/[email protected]
     go install github.com/onsi/ginkgo/v2/[email protected]
+    go install github.com/rhysd/actionlint/cmd/[email protected]
     go install github.com/mattn/[email protected]
 
     if ! echo "$PATH" | grep -q "${GOPATH:-undefined}/bin\|$HOME/go/bin"; then