Pinning using hashes

Mike Farah 2026-06-07 19:57:15 +10:00
parent f9b0d7e45d
commit 91a166e8d8
7 changed files with 9 additions and 9 deletions


@ -29,7 +29,7 @@ jobs:
run: echo "VERSION=${GITHUB_REF##*/}" >> "${GITHUB_OUTPUT}"
- name: Generate man page
uses: docker://pandoc/core:2.14.2
uses: docker://pandoc/core:2.14.2@sha256:04e127c6642a2b9d447c26fe0ac6a5932efa8f508eda9f07da51b6e621dd7c19
id: gen-man-page
with:
args: >-
@ -43,12 +43,12 @@ jobs:
man.md
- name: Install cosign
uses: sigstore/cosign-installer@v3
uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
- name: Cross compile
run: |
sudo apt-get install rhash -y
go install github.com/goreleaser/goreleaser/v2@latest
go install github.com/goreleaser/goreleaser/v2@v2.16.0
./scripts/xcompile.sh
- name: Sign checksums
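Review bot: The goreleaser install in the `Cross compile` step is pinned by version tag (`@v2.16.0`), not by hash like the pandoc image and cosign-installer pins above it, so its integrity rests on the Go checksum database being consulted on the runner. That holds with default Go settings, but it would silently stop holding if `GOSUMDB=off`, `GONOSUMDB` or `GOINSECURE` were ever set for this job; a comment on the line would make the assumption explicit, e.g. `# tag pin: verified via sum.golang.org; keep GOSUMDB at its default`. The `apt-get install rhash` line in the same step still resolves to whatever the runner image's package index offers. The step list continues outside the hunk.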


@ -73,6 +73,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
sarif_file: results.sarif


@ -2,7 +2,7 @@ FROM golang:1.26.4@sha256:68cb6d68bed024785b69195b89af7ac7a444f27791435f98647edf
RUN apt-get update && \
apt-get install -y npm && \
npm install -g npx cspell@latest
npm install -g npx cspell@10.0.1
COPY scripts/devtools.sh /opt/devtools.sh
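Review bot: The `npm install -g` line still installs `npx` with no version, so only half of the command is pinned, and `cspell@10.0.1` fixes the top-level package only while its transitive dependencies are resolved afresh at each image build. Pin both, and consider disabling lifecycle scripts if cspell works without them: `npm install -g --ignore-scripts npx@<pinned-version> cspell@10.0.1`. The `npm` binary itself comes unversioned from apt on the preceding line. The Dockerfile continues outside the hunk.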


@ -1,5 +1,5 @@
---
$schema: https://raw.githubusercontent.com/streetsidesoftware/cspell/main/cspell.schema.json
$schema: https://raw.githubusercontent.com/streetsidesoftware/cspell/0f43abf29e5da0ecbcb08214055cdc1e3267c3ea/cspell.schema.json
version: '0.2'
language: en-GB
dictionaryDefinitions:


@ -23,7 +23,7 @@
// release artifacts are signed with cosign keyless signing (Sigstore)
// users can verify with:
// cosign verify-blob --bundle checksums.bundle checksums
// install cosign: brew install cosign OR go install github.com/sigstore/cosign/v2/cmd/cosign@latest
// install cosign: brew install cosign OR go install github.com/sigstore/cosign/v2/cmd/cosign@v2.6.1
- snapcraft
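Review bot: The verification command documented just above the changed line, `cosign verify-blob --bundle checksums.bundle checksums`, names no expected signer, and the commit now points users at cosign v2.6.1 specifically. As far as I know cosign v2 requires an identity for keyless verification, so the command as written would either fail or, on a client that allows it, accept a bundle signed by any Sigstore identity. Consider extending the comment to `cosign verify-blob --bundle checksums.bundle --certificate-identity <release-workflow-identity> --certificate-oidc-issuer <oidc-issuer> checksums`, with the placeholders filled in from the release workflow. The comment block starts outside the hunk.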


@ -1,5 +1,5 @@
#!/bin/sh
set -ex
go mod download golang.org/x/tools@latest
go mod download golang.org/x/tools@v0.44.0
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/6008b81b81c690c046ffc3fd5bce896da715d5fd/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.3
curl -sSfL https://raw.githubusercontent.com/securego/gosec/424fc4cd9c82ea0fd6bee9cd49c2db2c3cc0c93f/install.sh | sh -s v2.22.11


@ -2,7 +2,7 @@
set -eo pipefail
# You may need to go install github.com/goreleaser/goreleaser/v2@latest first
# You may need to go install github.com/goreleaser/goreleaser/v2@v2.16.0 first
GORELEASER="goreleaser build --clean"
if [ -z "$CI" ] || [[ "${GITHUB_REF_NAME:-}" == draft-* ]]; then
GORELEASER+=" --snapshot"