jenkins-infra / helpdesk

Open your Infrastructure related issues here for the Jenkins project
https://github.com/jenkins-infra/helpdesk/issues/new/choose

Ensure all GitHub action versions are pinned and tracked #3355

Closed lemeurherve closed 1 year ago

lemeurherve commented 1 year ago

Service(s)

GitHub

Summary

We're using several GitHub actions in some of our repositories, but not all of them have their version pinned, and we aren't tracking most of these.

We should add updatecli manifests to track these versions and keep them up to date.

Example: https://github.com/search?q=org%3Ajenkins-infra+tibdex%2Fgithub-app-token&type=code, returning v1, v1.5 and v1.7

dduportal commented 1 year ago

Related: https://github.com/jenkins-infra/docker-jenkins-lts/pull/674

smerle33 commented 1 year ago

I am taking this issue and plan to use dependabot, as most of the repositories are using it and it will be more efficient than updatecli on this matter.

lemeurherve commented 1 year ago

Reopening as the goal of this issue is to track GitHub actions versions across all @jenkins-infra repositories.

dduportal commented 1 year ago

Which ones are missing?

smerle33 commented 1 year ago

As for this search: https://github.com/search?q=org%3Ajenkins-infra+tibdex%2Fgithub-app-token&type=code they are all tracked... but you may want to check on all "active" repositories...?

lemeurherve commented 1 year ago

I don't understand for example why in jenkins-infra/status the tibdex action version isn't updated while there is a dependabot config.

dduportal commented 1 year ago

> I don't understand for example why in jenkins-infra/status the tibdex action version isn't updated while there is a dependabot config.

Agree, this is weird.

Let's start by listing all repositories that have .github/workflows/* files: each of those must have a .github/dependabot.yaml file with github-actions string inside. Looks good?

lemeurherve commented 1 year ago

Here are the repositories with a .github/workflows folder but without .github/dependabot.yml file:

lemeurherve commented 1 year ago

> I don't understand for example why in jenkins-infra/status the tibdex action version isn't updated while there is a dependabot config.

Renaming the file .dependabot.yaml to dependabot.yml in jenkins-infra/status fixed it: https://github.com/jenkins-infra/status/pulls

lemeurherve commented 1 year ago

For the record, I've obtained this list by running `find . -type d -name "workflows" | sort -u` and `find . -name "dependabot.yml" | sort -u` in a folder containing all @jenkinsci repositories, then manually merging these lists and checking each of them manually.

lemeurherve commented 1 year ago

$ grep -r -e 'uses: ' on active @jenkins-infra repositories: ✅

```
./account-app/.github/workflows/release-drafter.yml: uses: actions/checkout@v3
./account-app/.github/workflows/release-drafter.yml: uses: release-drafter/release-drafter@v5
./captain-hook/.github/workflows/docs.yaml: uses: actions/checkout@v2
./captain-hook/.github/workflows/docs.yaml: uses: docker://jnorwood/helm-docs:latest
./captain-hook/.github/workflows/docs.yaml: uses: peter-evans/create-pull-request@v3
./captain-hook/.github/workflows/go.yml: uses: actions/checkout@v2
./captain-hook/.github/workflows/go.yml: uses: actions/setup-go@v2
./captain-hook/.github/workflows/golangci-lint.yml: uses: golangci/golangci-lint-action@v2
./captain-hook/.github/workflows/golangci-lint.yml: - uses: actions/checkout@v2
./captain-hook/.github/workflows/main.yaml: uses: actions/checkout@v2
./captain-hook/.github/workflows/main.yaml: uses: actions/setup-go@v2
./captain-hook/.github/workflows/main.yaml: uses: azure/setup-helm@v1
./captain-hook/.github/workflows/main.yaml: uses: docker/build-push-action@v2
./captain-hook/.github/workflows/main.yaml: uses: docker/login-action@v1
./captain-hook/.github/workflows/main.yaml: uses: docker/setup-buildx-action@v1
./captain-hook/.github/workflows/main.yaml: uses: docker/setup-qemu-action@v1
./captain-hook/.github/workflows/main.yaml: uses: goreleaser/goreleaser-action@v2.4.1
./captain-hook/.github/workflows/main.yaml: uses: mikefarah/yq@v4.6.0
./captain-hook/.github/workflows/pr.yaml: uses: actions/checkout@v2
./captain-hook/.github/workflows/pr.yaml: uses: actions/setup-go@v2
./captain-hook/.github/workflows/pr.yaml: uses: azure/setup-helm@v1
./captain-hook/.github/workflows/pr.yaml: uses: goreleaser/goreleaser-action@v2.4.1
./captain-hook/.github/workflows/pr.yaml: - uses: actions/setup-python@v2
./captain-hook/.github/workflows/release.yaml: uses: actions/checkout@v2
./captain-hook/.github/workflows/release.yaml: uses: actions/setup-go@v2
./captain-hook/.github/workflows/release.yaml: uses: azure/setup-helm@v1
./captain-hook/.github/workflows/release.yaml: uses: docker/build-push-action@v2
./captain-hook/.github/workflows/release.yaml: uses: docker/login-action@v1
./captain-hook/.github/workflows/release.yaml: uses: docker/setup-buildx-action@v1
./captain-hook/.github/workflows/release.yaml: uses: docker/setup-qemu-action@v1
./captain-hook/.github/workflows/release.yaml: uses: goreleaser/goreleaser-action@v2.4.1
./captain-hook/.github/workflows/release.yaml: uses: helm/chart-releaser-action@v1.2.0
./captain-hook/.github/workflows/release.yaml: uses: mikefarah/yq@v4.6.0
./docker-404/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-aws/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-builder/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-confluence-data/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-crond/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-hashicorp-tools/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-helmfile/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-jenkins-lts/.github/workflows/latest-lts.yaml: uses: actions/checkout@v3
./docker-jenkins-lts/.github/workflows/latest-lts.yaml: uses: jenkins-infra/jenkins-version@0.3.1
./docker-jenkins-lts/.github/workflows/latest-lts.yaml: uses: jenkins-infra/uc@0.1.4
./docker-jenkins-lts/.github/workflows/latest-lts.yaml: uses: peter-evans/create-pull-request@v4
./docker-jenkins-lts/.github/workflows/latest-lts.yaml: - uses: tibdex/github-app-token@v1.8
./docker-jenkins-lts/.github/workflows/release-drafter.yml: uses: actions/checkout@v3
./docker-jenkins-lts/.github/workflows/release-drafter.yml: uses: release-drafter/release-drafter@v5.22.0
./docker-jenkins-lts/.github/workflows/update.yaml: uses: actions/checkout@v3
./docker-jenkins-lts/.github/workflows/update.yaml: uses: actions/setup-java@v3
./docker-jenkins-lts/.github/workflows/update.yaml: uses: peter-evans/create-pull-request@v4
./docker-jenkins-lts/.github/workflows/update.yaml: - uses: tibdex/github-app-token@v1.8
./docker-jenkins-weekly/.github/workflows/latest-weekly.yaml: uses: actions/checkout@v3
./docker-jenkins-weekly/.github/workflows/latest-weekly.yaml: uses: jenkins-infra/jenkins-version@0.3.1
./docker-jenkins-weekly/.github/workflows/latest-weekly.yaml: uses: peter-evans/create-pull-request@v4
./docker-jenkins-weekly/.github/workflows/latest-weekly.yaml: - uses: tibdex/github-app-token@v1.8
./docker-jenkins-weekly/.github/workflows/plugins-update.yaml: uses: actions/checkout@v3
./docker-jenkins-weekly/.github/workflows/plugins-update.yaml: uses: actions/setup-java@v3
./docker-jenkins-weekly/.github/workflows/plugins-update.yaml: uses: peter-evans/create-pull-request@v4
./docker-jenkins-weekly/.github/workflows/plugins-update.yaml: - uses: tibdex/github-app-token@v1.8
./docker-jenkins-weekly/.github/workflows/release-drafter.yml: uses: actions/checkout@v3
./docker-jenkins-weekly/.github/workflows/release-drafter.yml: uses: release-drafter/release-drafter@v5.22.0
./docker-mirrorbits/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-openvpn/.github/workflows/release-drafter.yaml: - uses: release-drafter/release-drafter@v5
./docker-packaging/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-packer/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-plugin-site-issues/.github/workflows/codeql-analysis.yml: uses: actions/checkout@v3
./docker-plugin-site-issues/.github/workflows/codeql-analysis.yml: uses: github/codeql-action/analyze@v1
./docker-plugin-site-issues/.github/workflows/codeql-analysis.yml: uses: github/codeql-action/autobuild@v1
./docker-plugin-site-issues/.github/workflows/codeql-analysis.yml: uses: github/codeql-action/init@v1
./docker-plugin-site-issues/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-plugin-site-issues/src/db.ts: getJiraIssues(component: number | string, startAt: number, statuses: Array<string>): Promise<Issue[]>;
./docker-repo-proxy/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-rsyncd/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./docker-terraform/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./gatsby-plugin-jenkins-layout/.github/workflows/build.yml: uses: actions/setup-node@v3
./gatsby-plugin-jenkins-layout/.github/workflows/build.yml: uses: github/codeql-action/upload-sarif@v2
./gatsby-plugin-jenkins-layout/.github/workflows/build.yml: - uses: actions/checkout@v3
./gatsby-plugin-jenkins-layout/.github/workflows/release.yml: uses: actions/checkout@v2
./gatsby-plugin-jenkins-layout/.github/workflows/release.yml: uses: actions/setup-node@v2
./github-reusable-workflows/.github/workflows/maven-cd.yml: uses: jenkins-infra/interesting-category-action@v1.2.1
./github-reusable-workflows/.github/workflows/maven-cd.yml: uses: jenkins-infra/verify-ci-status-action@v1.2.2
./github-reusable-workflows/.github/workflows/maven-cd.yml: uses: release-drafter/release-drafter@v5
./github-reusable-workflows/.github/workflows/maven-cd.yml: uses: actions/checkout@v3
./github-reusable-workflows/.github/workflows/maven-cd.yml: uses: actions/setup-java@v3
./github-reusable-workflows/.github/workflows/maven-cd.yml: uses: jenkins-infra/jenkins-maven-cd-action@v1.3.3
./github-reusable-workflows/.github/workflows/self-update-major-tag.yml: uses: actions/checkout@v3
./helm-charts/.github/workflows/release.yml: uses: actions/checkout@v3
./helm-charts/.github/workflows/release.yml: uses: azure/setup-helm@v3
./helm-charts/.github/workflows/release.yml: uses: helm/chart-releaser-action@v1.5.0
./helm-charts/.github/workflows/sync-readme.yaml: - uses: actions/checkout@v2
./helm-charts/.github/workflows/test.yml: uses: actions/checkout@v3
./helm-charts/.github/workflows/test.yml: uses: azure/setup-helm@v3
./helpdesk/.github/workflows/autolabeler.yaml: uses: tibdex/github-app-token@v1
./helpdesk/.github/workflows/autolabeler.yaml: - uses: actions/checkout@v3
./helpdesk/.github/workflows/autolabeler.yaml: - uses: andymckay/labeler@master
./helpdesk/.github/workflows/autolabeler.yaml: - uses: stefanbuck/github-issue-parser@v3
./helpdesk/.github/workflows/autonotifier.yaml: uses: tibdex/github-app-token@v1
./helpdesk/.github/workflows/autonotifier.yaml: - uses: jenschelkopf/issue-label-notification-action@1.3
./helpdesk/.github/workflows/infra-meeting-release.yaml: uses: "actions/github-script@v6"
./helpdesk/.github/workflows/issues-similarity.yml: uses: actions-cool/issues-similarity-analysis@v1
./ideas/.github/workflows/issues-similarity.yml: uses: actions-cool/issues-similarity-analysis@v1.0.0
./incrementals-publisher/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./ircbot/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./jenkins-infra/.github/workflows/updatecli.yaml: uses: "updatecli/updatecli-action@v2.21.0"
./jenkins-infra/.github/workflows/updatecli.yaml: uses: actions/checkout@v3.3.0
./jenkins-infra/.github/workflows/updatecli.yaml: uses: aws-actions/configure-aws-credentials@v1-node16
./jenkins-infra/.github/workflows/updatecli.yaml: - uses: tibdex/github-app-token@v1.8
./jenkins-io-components/.github/workflows/codeql.yml: uses: actions/checkout@v3
./jenkins-io-components/.github/workflows/codeql.yml: uses: github/codeql-action/analyze@v2
./jenkins-io-components/.github/workflows/codeql.yml: uses: github/codeql-action/autobuild@v2
./jenkins-io-components/.github/workflows/codeql.yml: uses: github/codeql-action/init@v2
./jenkins-io-components/.github/workflows/crowdin.yml: uses: actions/checkout@v3
./jenkins-io-components/.github/workflows/crowdin.yml: uses: crowdin/github-action@1.5.2
./jenkins-io-components/.github/workflows/scorecard.yml: uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
./jenkins-io-components/.github/workflows/scorecard.yml: uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
./jenkins-io-components/.github/workflows/scorecard.yml: uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
./jenkins-io-components/.github/workflows/scorecard.yml: uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
./jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml: uses: actions/checkout@v3
./jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml: uses: actions/setup-java@v3
./jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml: uses: actions/upload-artifact@v3
./jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml: uses: github/codeql-action/upload-sarif@v2
./jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml: uses: jenkins-infra/fetch-codeql-action@v1
./jenkins-version/.github/workflows/go.yml: uses: actions/checkout@v3
./jenkins-version/.github/workflows/go.yml: uses: actions/setup-go@v3
./jenkins-version/.github/workflows/golangci-lint.yml: uses: golangci/golangci-lint-action@v3
./jenkins-version/.github/workflows/golangci-lint.yml: - uses: actions/checkout@v3
./jenkins-version/.github/workflows/golangci-lint.yml: - uses: actions/setup-go@v3
./jenkins-version/.github/workflows/release.yaml: uses: actions/checkout@v3
./jenkins-version/.github/workflows/release.yaml: uses: actions/setup-go@v2
./jenkins-version/.github/workflows/release.yaml: uses: docker/build-push-action@v4
./jenkins-version/.github/workflows/release.yaml: uses: docker/login-action@v2
./jenkins-version/.github/workflows/release.yaml: uses: docker/setup-buildx-action@v2
./jenkins-version/.github/workflows/release.yaml: uses: docker/setup-qemu-action@v2
./jenkins-version/.github/workflows/release.yaml: uses: goreleaser/goreleaser-action@v4.2.0
./jenkins-version/.github/workflows/release.yaml: - uses: tibdex/github-app-token@v1
./jenkins.io/content/blog/2022/09/2022-09-07-jenkinsfile-runner-as-github-actions.adoc: - uses: actions/checkout@v2
./jenkins.io/content/projects/gsoc/2022/projects/jenkinsfile-runner-action-for-github-actions.adoc: - uses: actions/checkout@v2
./kubernetes-management/.github/workflows/delete-unmerged-branch.yaml: uses: actions/github-script@v6
./kubernetes-management/.github/workflows/pr-updater.yaml: uses: maxkomarychev/pr-updater-action@v1.0.0
./kubernetes-management/.github/workflows/pr-updater.yaml: - uses: actions/checkout@v2
./packer-images/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./pipeline-library/.github/workflows/updatecli.yaml: uses: actions/checkout@v3
./pipeline-library/.github/workflows/updatecli.yaml: - uses: tibdex/github-app-token@v1.8
./pipeline-metadata-utils/.github/workflows/jenkins-security-scans.yml: uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
./pipeline-metadata-utils/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5.22.0
./plugin-health-scoring/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5.22.0
./plugin-site/.github/workflows/codeql-analysis.yml: uses: actions/checkout@v3
./plugin-site/.github/workflows/codeql-analysis.yml: uses: github/codeql-action/analyze@v2
./plugin-site/.github/workflows/codeql-analysis.yml: uses: github/codeql-action/autobuild@v2
./plugin-site/.github/workflows/codeql-analysis.yml: uses: github/codeql-action/init@v2
./plugin-site/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./rating/.github/workflows/release-drafter.yml: - uses: release-drafter/release-drafter@v5
./release/.github/workflows/updatecli.yaml: uses: actions/checkout@v2
./release/.github/workflows/updatecli.yaml: uses: updatecli/updatecli-action@v1.19.0
./repository-permissions-updater/.github/workflows/hosting-comment-checker.yml: uses: actions/github-script@v6
./repository-permissions-updater/.github/workflows/hosting-comment-checker.yml: - uses: actions/checkout@v3
./repository-permissions-updater/.github/workflows/hosting-comment-checker.yml: - uses: actions/setup-java@v3
./repository-permissions-updater/.github/workflows/hosting-comment-hoster.yml: uses: actions/github-script@v6
./repository-permissions-updater/.github/workflows/hosting-comment-hoster.yml: - uses: actions/checkout@v3
./repository-permissions-updater/.github/workflows/hosting-comment-hoster.yml: - uses: actions/setup-java@v3
./repository-permissions-updater/.github/workflows/hosting-comment-hoster.yml: - uses: tspascoal/get-user-teams-membership@v2
./repository-permissions-updater/.github/workflows/hosting-issue-checker.yml: - uses: actions/checkout@v3
./repository-permissions-updater/.github/workflows/hosting-issue-checker.yml: - uses: actions/setup-java@v3
./status/.github/workflows/check-links.yaml: uses: gaurav-nelson/github-action-markdown-link-check@v1
./status/.github/workflows/check-links.yaml: - uses: actions/checkout@v3
./status/.github/workflows/hugo.yaml: uses: klakegg/actions-hugo@1.0.0
./status/.github/workflows/hugo.yaml: - uses: actions/checkout@v3
./status/.github/workflows/updatecli.yaml: uses: actions/checkout@v3
./status/.github/workflows/updatecli.yaml: uses: updatecli/updatecli-action@v2
./status/.github/workflows/updatecli.yaml: - uses: tibdex/github-app-token@v1.8
./uc/.github/workflows/go.yml: uses: actions/checkout@v3
./uc/.github/workflows/go.yml: uses: actions/setup-go@v3
./uc/.github/workflows/golangci-lint.yml: uses: golangci/golangci-lint-action@v3.1.0
./uc/.github/workflows/golangci-lint.yml: - uses: actions/checkout@v3
./uc/.github/workflows/release.yaml: uses: actions/checkout@v3
./uc/.github/workflows/release.yaml: uses: actions/setup-go@v3
./uc/.github/workflows/release.yaml: uses: docker/build-push-action@v2
./uc/.github/workflows/release.yaml: uses: docker/login-action@v1
./uc/.github/workflows/release.yaml: uses: docker/setup-buildx-action@v1
./uc/.github/workflows/release.yaml: uses: docker/setup-qemu-action@v1
./uc/.github/workflows/release.yaml: uses: goreleaser/goreleaser-action@v2.9.1
./uc/.github/workflows/release.yaml: - uses: tibdex/github-app-token@v1
./uc/.github/workflows/updatecli.yaml: uses: actions/checkout@v3
./uc/.github/workflows/updatecli.yaml: uses: updatecli/updatecli-action@v1.32.0
./uc/.github/workflows/updatecli.yaml: - uses: tibdex/github-app-token@v1.5
```

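
The two manual checks from this thread (a Dependabot config containing `github-actions` next to every workflows folder, and the `uses:` references found by grep) combined into one script. This is an added example, not code from the thread or from jenkins-infra tooling; the function names, status labels, the constructed sample tree and the assumed `.github/` location of the misnamed file are illustrative.

```shell
#!/bin/sh
# classify_ref REF: print the form of a `uses:` reference. Only a full commit
# SHA is immutable; a tag or branch can later point at different code.
classify_ref() {
  case $1 in
    docker://*) echo docker-image; return ;;
    *@*) cr=${1##*@} ;;
    *) echo no-ref; return ;;
  esac
  if printf '%s\n' "$cr" | grep -Eq '^[0-9a-f]{40}$'; then echo sha
  elif printf '%s\n' "$cr" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+$'; then echo full-version-tag
  elif printf '%s\n' "$cr" | grep -Eq '^v?[0-9]+(\.[0-9]+)?$'; then echo partial-version-tag
  else echo branch-or-other; fi
}

# list_refs ROOT: "<repo> <form> <ref>" per `uses:` line, workflow files only and
# anchored, so text such as "statuses: " elsewhere in a repo cannot match.
list_refs() {
  for lf in "$1"/*/.github/workflows/*.yml "$1"/*/.github/workflows/*.yaml; do
    [ -f "$lf" ] || continue
    lrepo=${lf#"$1"/}; lrepo=${lrepo%%/*}
    sed -n 's/^[[:space:]-]*uses:[[:space:]]*//p' "$lf" |
      sed "s/[[:space:]]*#.*//; s/[\"']//g" |
      while read -r lref; do echo "$lrepo $(classify_ref "$lref") $lref"; done
  done
}

# audit_dependabot ROOT (one checkout per repo under ROOT): "<repo> <status>".
# Accepting both .yml and .yaml is an assumption taken from the thread's wording.
audit_dependabot() {
  for wf in "$1"/*/.github/workflows; do
    [ -d "$wf" ] && [ -n "$(ls -A "$wf")" ] || continue
    gh=${wf%/workflows}; repo=${gh%/.github}; st=missing
    for f in "$gh"/dependabot.yml "$gh"/dependabot.yaml; do
      if [ -f "$f" ]; then
        st=no-github-actions
        if grep -q 'github-actions' "$f"; then st=ok; fi
        break
      fi
    done
    # The jenkins-infra/status case: a file named .dependabot.yaml was not picked up.
    if [ "$st" = missing ] && ls "$gh"/.dependabot.y*ml >/dev/null 2>&1; then st=misnamed; fi
    echo "${repo##*/} $st"
  done
}

# make_sample_tree: constructed data, not the real jenkins-infra repositories.
make_sample_tree() {
  t=$(mktemp -d)
  for r in alpha beta gamma; do mkdir -p "$t/$r/.github/workflows"; done
  printf '      - uses: actions/checkout@v3\n      - uses: "tibdex/github-app-token@v1.8"\n' > "$t/alpha/.github/workflows/ci.yml"
  printf '      - name: checkout\n        uses: actions/checkout@%s # v3.1.0\n' 93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 > "$t/beta/.github/workflows/scan.yaml"
  printf '      - uses: andymckay/labeler@master\n' > "$t/gamma/.github/workflows/label.yaml"
  printf 'updates:\n  - package-ecosystem: github-actions\n' > "$t/alpha/.github/dependabot.yml"
  cp "$t/alpha/.github/dependabot.yml" "$t/beta/.github/.dependabot.yaml"
  echo "$t"
}

tree=$(make_sample_tree); audit_dependabot "$tree"; list_refs "$tree"; rm -rf "$tree"
```
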
lemeurherve commented 1 year ago

Reopening as there are errors on workflow runs:

No event triggers defined in on

Ex: https://github.com/jenkins-infra/packer-images/actions/runs/4235208310

lemeurherve commented 1 year ago

I used the wrong folder in my initial pull requests, now fixed.

Closing the issue (again ^^)