pmem · janekmi · Sep 11, 2024 · Sep 10, 2024 · Sep 10, 2024 · Sep 10, 2024
diff --git a/.github/actions/pmem_benchmark_run/action.yml b/.github/actions/pmem_benchmark_run/action.yml
@@ -33,7 +33,7 @@ runs:
 
     - name: Archive logs
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
       with:
         name: ${{ inputs.config }}__${{ inputs.scenario }}
         path: '${{ inputs.runtime_dir }}/*.csv'

diff --git a/.github/workflows/docker_rebuild.yml b/.github/workflows/docker_rebuild.yml
@@ -37,7 +37,7 @@ jobs:
           - {OS: ubuntu, OS_VER: 22.04}
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Rebuild the image
         env:

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -13,7 +13,7 @@ jobs:
       issues: read
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           # required for `make check-license` to work properly
           fetch-depth: 50
@@ -23,7 +23,7 @@ jobs:
         if: |
           !(github.repository == 'pmem/pmdk' &&
             (github.ref_name == 'master' || startsWith(github.ref_name, 'stable-')))
-        uses: Zomzog/[email protected]
+        uses: Zomzog/changelog-checker@09cfe9ad3618dcbfdba261adce0c41904cabb8c4 # v1.3.0
         with:
           fileName: ChangeLog
           noChangelogLabel: no changelog # the default
@@ -51,7 +51,7 @@ jobs:
 
       - name: Upload check license diff
         if: steps.check_license.outcome != 'success'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: check-license.diff
           path: /tmp/check-license.diff
@@ -83,7 +83,7 @@ jobs:
             CXX: clang++
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Install dependencies
         run: sudo apt-get -y install pandoc

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -35,7 +35,7 @@ jobs:
         TEST_BUILD: [debug, nondebug]
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 50
 
@@ -66,7 +66,7 @@ jobs:
                 ]
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 50
 

diff --git a/.github/workflows/pmem_benchmark.yml b/.github/workflows/pmem_benchmark.yml
@@ -19,7 +19,7 @@ jobs:
       contents: read
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 1
 
@@ -44,7 +44,7 @@ jobs:
       MANIFEST: ${{ matrix.ROLE }}/manifest.txt
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ matrix.GITHUB_REF }}
           fetch-depth: 1
@@ -60,7 +60,7 @@ jobs:
           git -C ${{ matrix.ROLE }} rev-parse HEAD >> $MANIFEST
 
       - name: Archive the manifest
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: manifest_${{ matrix.ROLE }}
           path: ${{ env.MANIFEST }}
@@ -109,7 +109,7 @@ jobs:
           done
 
       - name: Upload all as a single artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: perf__all__${{ github.run_id }}
           path: csvs/**/*
diff --git a/.github/workflows/pmem_ras.yml b/.github/workflows/pmem_ras.yml
@@ -40,7 +40,7 @@ jobs:
 
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       # Variables, such as $ras_runner are set on the controller platform
       # as environment variables.

diff --git a/.github/workflows/pmem_test_matrix.yml b/.github/workflows/pmem_test_matrix.yml
@@ -33,7 +33,7 @@ jobs:
 
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Test prepare
         uses: ./.github/actions/pmem_test_prepare

diff --git a/.github/workflows/pmem_tests.yml b/.github/workflows/pmem_tests.yml
@@ -55,7 +55,7 @@ jobs:
         build: [static_debug, static_nondebug]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Test prepare
         uses: ./.github/actions/pmem_test_prepare
@@ -76,7 +76,7 @@ jobs:
     runs-on: [self-hosted, rhel]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Test prepare
         uses: ./.github/actions/pmem_test_prepare
@@ -102,7 +102,7 @@ jobs:
     runs-on: [self-hosted, rhel]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Test prepare
         uses: ./.github/actions/pmem_test_prepare

diff --git a/.github/workflows/scan_bandit.yml b/.github/workflows/scan_bandit.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Install Bandit
         run: sudo apt-get -y install bandit

diff --git a/.github/workflows/scan_codeql.yml b/.github/workflows/scan_codeql.yml
@@ -15,7 +15,7 @@ jobs:
 
     steps:
     - name: Clone the git repo
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Install pmem/valgrind (including dependencies)
       run: |
@@ -36,12 +36,12 @@ jobs:
         && sudo ./utils/docker/images/install-valgrind.sh
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
       with:
         languages: cpp, python
 
     - name: Build PMDK
       run: make test -j$(nproc)
 
     - name: CodeQL scan
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
diff --git a/.github/workflows/scan_coverage.yml b/.github/workflows/scan_coverage.yml
@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Pull the image
         run: cd $WORKDIR && ./pull-or-rebuild-image.sh
@@ -39,7 +39,7 @@ jobs:
         run: cd $WORKDIR && ./build-CI.sh
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
         with:
           root_dir: /home/runner/work/pmdk/pmdk/
           directory: /home/runner/work/pmdk/pmdk/

diff --git a/.github/workflows/scan_coverity.yml b/.github/workflows/scan_coverity.yml
@@ -30,7 +30,7 @@ jobs:
         CONFIG: ["OS=ubuntu OS_VER=22.04"]
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Pull or rebuild the image
         run: cd $WORKDIR && ${{ matrix.CONFIG }} ./pull-or-rebuild-image.sh

diff --git a/.github/workflows/scan_documentation.yml b/.github/workflows/scan_documentation.yml
@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Install required packages
         run: |

diff --git a/.github/workflows/scan_log_calls.yml b/.github/workflows/scan_log_calls.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Generate log calls' diff
         working-directory: ${{ env.WORKING_DIRECTORY }}
@@ -30,7 +30,7 @@ jobs:
 
       - name: Upload artifacts
         if: steps.log_calls_diff.outputs.length != '0'
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: log_calls_diff
           path: ${{ env.WORKING_DIRECTORY }}/log_calls.diff

diff --git a/.github/workflows/scan_stack_usage.yml b/.github/workflows/scan_stack_usage.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           path: pmdk
 
@@ -77,7 +77,7 @@ jobs:
           rm -f ${{ env.TEMP }}
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: call_stacks_data
           path: |

diff --git a/.github/workflows/scan_ubsan.yml b/.github/workflows/scan_ubsan.yml
@@ -28,7 +28,7 @@ jobs:
         build: ['debug', 'nondebug']
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Pull the image
         run: cd $WORKDIR && ./pull-or-rebuild-image.sh

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           persist-credentials: false
 
@@ -69,6 +69,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -27,7 +27,7 @@ jobs:
         TEST_BUILD: ['debug', 'nondebug']
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 50
 
@@ -46,7 +46,7 @@ jobs:
 
       - name: Archive logs
         if: steps.build.outcome != 'success'
-        uses: actions/upload-artifact@v4.2.0
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: logs-${{ matrix.TEST_BUILD }}
           path: ${{env.HOST_WORKDIR}}/src/test/**/*.log