ci: Additional githubaction configuration (hashicorp#3034)

- Pin action versions
- Dependabot to notify about action updates
- Update codeowners

Author: tmessi

.github/dependabot.yml

@@ -0,0 +1,13 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# See GitHub's docs for more information on this file:
+# https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every weekday
+      interval: "daily"

.github/workflows/codeql-analysis.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -27,26 +27,10 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@e00cd12e3ee0ce24d476645336a315351be51d88  # TSCCR: actions in subdirectories not yet supported: init
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: go, javascript
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    # - name: Autobuild
-    #  uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@e00cd12e3ee0ce24d476645336a315351be51d88  # TSCCR: actions in subdirectories not yet supported: analyze

.github/workflows/enos-fmt.yml

@@ -18,11 +18,11 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.SERVICE_USER_GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@v3
-      - uses: hashicorp/setup-terraform@v2
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1  # TSCCR: could not find tsccr entry for hashicorp/setup-terraform
         with:
           terraform_wrapper: false
-      - uses: hashicorp/action-setup-enos@v1
+      - uses: hashicorp/action-setup-enos@v1  # TSCCR: could not find tsccr entry for hashicorp/action-setup-enos
         with:
           github-token: ${{ secrets.SERVICE_USER_GITHUB_TOKEN }}
       - name: "check formatting"

.github/workflows/enos-run.yml

@@ -34,22 +34,22 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.SERVICE_USER_GITHUB_TOKEN }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
         with:
           go-version: ${{ inputs.go-version }}
       - name: Install tools to get tparse
         run: make tools
       - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1  # TSCCR: could not find tsccr entry for hashicorp/setup-terraform
         with:
           # the terraform wrapper will break Terraform execution in enos because
           # it changes the output to text when we expect it to be JSON.
           terraform_wrapper: false
       - name: Import GPG key for Boundary pass keystore
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v5
+        uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549  # TSCCR: could not find tsccr entry for crazy-max/ghaction-import-gpg
         with:
           gpg_private_key: ${{ secrets.ENOS_GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.ENOS_GPG_PASSPHRASE }}
@@ -60,7 +60,7 @@ jobs:
           echo "trusted-key ${{ secrets.ENOS_GPG_UID }}" >> ~/.gnupg/gpg.conf
           cat ~/.gnupg/gpg.conf
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838  # TSCCR: could not find tsccr entry for aws-actions/configure-aws-credentials
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
@@ -69,7 +69,7 @@ jobs:
           role-skip-session-tagging: true
           role-duration-seconds: 3600
       - name: Set up Enos
-        uses: hashicorp/action-setup-enos@v1
+        uses: hashicorp/action-setup-enos@v1  # TSCCR: could not find tsccr entry for hashicorp/action-setup-enos
         with:
           github-token: ${{ secrets.SERVICE_USER_GITHUB_TOKEN }}
       - name: Set up AWS SSH private key
@@ -79,7 +79,7 @@ jobs:
           chmod 600 ./enos/support/private_key.pem
       - name: Set up dependency cache
         id: dep-cache
-        uses: actions/cache@v3
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
         with:
           path: /tmp/test-deps
           key: enos-test-deps-password-store-1.7.4-vault-1.12.2
@@ -110,7 +110,7 @@ jobs:
           unzip /tmp/test-deps/vault.zip -d /usr/local/bin
       - name: Download Linux AMD64 Boundary bundle
         id: download
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: ${{ inputs.artifact-name }}
           path: ./enos/support/downloads
@@ -150,7 +150,7 @@ jobs:
           export ENOS_VAR_enos_user=$GITHUB_ACTOR && \
           enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.filter }}
       - name: Upload e2e tests output
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: test-e2e-output.zip
           path: enos/test*.out

.github/workflows/jira.yml

@@ -28,12 +28,12 @@ jobs:
         else
           echo "Actor ${{ github.actor }} is not a ${TEAM} team member"
         fi
-        echo "role=${ROLE}" >> $GITHUB_OUTPUT
+        echo "role=${ROLE}" >> "$GITHUB_OUTPUT"
       env:
         GITHUB_TOKEN: ${{ secrets.JIRA_SYNC_GITHUB_TOKEN }}
 
     - name: Login
-      uses: atlassian/gajira-login@v2.0.0
+      uses: atlassian/gajira-login@ca13f8850ea309cf44a6e4e0c49d9aa48ac3ca4c  # TSCCR: could not find tsccr entry for atlassian/gajira-login
       env:
         JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
         JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
@@ -44,14 +44,14 @@ jobs:
       id: set-ticket-type
       run: |
         if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
-          echo "type=PR" >> $GITHUB_OUTPUT
+          echo "type=PR" >> "$GITHUB_OUTPUT"
         else
-          echo "type=ISS" >> $GITHUB_OUTPUT
+          echo "type=ISS" >> "$GITHUB_OUTPUT"
         fi
 
     - name: Create ticket
       if: github.event.action == 'opened' && !steps.boundary-team-role.outputs.role
-      uses: tomhjp/gh-action-jira-create@v0.1.3
+      uses: tomhjp/gh-action-jira-create@3ed1789cad3521292e591a7cfa703215ec1348bf  # TSCCR: could not find tsccr entry for tomhjp/gh-action-jira-create
       with:
         project: ICU
         issuetype: "GH Issue"
@@ -63,28 +63,28 @@ jobs:
     - name: Search
       if: github.event.action != 'opened'
       id: search
-      uses: tomhjp/gh-action-jira-search@v0.2.1
+      uses: tomhjp/gh-action-jira-search@04700b457f317c3e341ce90da5a3ff4ce058f2fa  # TSCCR: could not find tsccr entry for tomhjp/gh-action-jira-search
       with:
         # cf[10089] is Issue Link custom field
         jql: 'issuetype = "GH Issue" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"'
 
     - name: Sync comment
       if: github.event.action == 'created' && steps.search.outputs.issue
-      uses: tomhjp/gh-action-jira-comment@v0.1.0
+      uses: tomhjp/gh-action-jira-comment@6eb6b9ead70221916b6badd118c24535ed220bd9  # TSCCR: could not find tsccr entry for tomhjp/gh-action-jira-comment
       with:
         issue: ${{ steps.search.outputs.issue }}
         comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}"
 
     - name: Close ticket
       if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue
-      uses: atlassian/gajira-transition@v2.0.1
+      uses: atlassian/gajira-transition@4749176faf14633954d72af7a44d7f2af01cc92b  # TSCCR: could not find tsccr entry for atlassian/gajira-transition
       with:
         issue: ${{ steps.search.outputs.issue }}
         transition: Done
 
     - name: Reopen ticket
       if: github.event.action == 'reopened' && steps.search.outputs.issue
-      uses: atlassian/gajira-transition@v2.0.1
+      uses: atlassian/gajira-transition@4749176faf14633954d72af7a44d7f2af01cc92b  # TSCCR: could not find tsccr entry for atlassian/gajira-transition
       with:
         issue: ${{ steps.search.outputs.issue }}
         transition: "To Do"

.github/workflows/labeler.yml

@@ -10,6 +10,6 @@ jobs:
   triage:
     runs-on: ${{ fromJSON(vars.RUNNER) }}
     steps:
-    - uses: actions/labeler@main
+    - uses: actions/labeler@5c7539237e04b714afd8ad9b4aed733815b9fab4  # TSCCR: could not find tsccr entry for actions/labeler
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/linting.yml

@@ -9,7 +9,7 @@ jobs:
     name: "Run Linter"
     runs-on: ${{ fromJSON(vars.RUNNER) }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: '0'
       - name: Determine Go version
@@ -18,9 +18,9 @@ jobs:
         # version, because "goenv" can react to it automatically.
         run: |
           echo "Building with Go $(cat .go-version)"
-          echo "go-version=$(cat .go-version)" >> $GITHUB_OUTPUT
+          echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
         with:
           go-version: "${{ steps.get-go-version.outputs.go-version }}"
       - name: Install Dependencies

.github/workflows/make-gen-delta.yml

@@ -12,7 +12,7 @@ jobs:
     name: "Check for uncommited changes from make gen"
     runs-on: ${{ fromJSON(vars.RUNNER) }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: '0'
       - name: Determine Go version
@@ -21,9 +21,9 @@ jobs:
         # version, because "goenv" can react to it automatically.
         run: |
           echo "Building with Go $(cat .go-version)"
-          echo "go-version=$(cat .go-version)" >> $GITHUB_OUTPUT
+          echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
         with:
           go-version: "${{ steps.get-go-version.outputs.go-version }}"
       - name: Install Dependencies

.github/workflows/milestone-checker.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ${{ fromJSON(vars.RUNNER) }}
     steps:
       - name: Checkout Actions
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions

.github/workflows/security-scan.yml

@@ -9,31 +9,31 @@ on:
 
 jobs:
   scan:
-    runs-on: ubuntu-latest
+    runs-on: ${{ fromJSON(vars.RUNNER) }}
     if: ${{ github.actor != 'dependabot[bot]' || github.actor != 'hc-github-team-secure-boundary' }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
     - name: Determine Go version
       id: get-go-version
       # We use .go-version as our source of truth for current Go
       # version, because "goenv" can react to it automatically.
       run: |
         echo "Building with Go $(cat .go-version)"
-        echo "go-version=$(cat .go-version)" >> $GITHUB_OUTPUT
+        echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
 
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
       with:
         go-version: "${{ steps.get-go-version.outputs.go-version }}"
 
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 # v3.1.2
       with:
         python-version: 3.x
 
     - name: Clone Security Scanner repo
-      uses: actions/checkout@v3
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       with:
         repository: hashicorp/security-scanner
         token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
@@ -45,26 +45,26 @@ jobs:
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-        mkdir $HOME/.bin
-        cd $GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep
+        mkdir "$HOME/.bin"
+        cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep"
         go build -o scan-plugin-semgrep .
-        mv scan-plugin-semgrep $HOME/.bin
-        
-        cd $GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql
+        mv scan-plugin-semgrep "$HOME/.bin"
+
+        cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql"
         go build -o scan-plugin-codeql .
-        mv scan-plugin-codeql $HOME/.bin
-        
+        mv scan-plugin-codeql "$HOME/.bin"
+
         # Semgrep
         python3 -m pip install semgrep
-        
+
         # CodeQL
         LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | sort --version-sort | tail -n1)
         gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST"
-        tar xf codeql-bundle-linux64.tar.gz -C $HOME/.bin
-        
+        tar xf codeql-bundle-linux64.tar.gz -C "$HOME/.bin"
+
         # Add to PATH
-        echo "$HOME/.bin" >> $GITHUB_PATH
-        echo "$HOME/.bin/codeql" >> $GITHUB_PATH
+        echo "$HOME/.bin" >> "$GITHUB_PATH"
+        echo "$HOME/.bin/codeql" >> "$GITHUB_PATH"
 
     - name: Scan
       id: scan
@@ -73,7 +73,7 @@ jobs:
         repository: "$PWD"
 
     - name: Upload SARIF file
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@e00cd12e3ee0ce24d476645336a315351be51d88  # TSCCR: actions in subdirectories not yet supported: upload-sarif
       with:
         sarif_file: results.sarif
 

.github/workflows/test-ci-bootstrap-oss.yml

@@ -27,11 +27,11 @@ jobs:
       TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
     runs-on: ${{ fromJSON(vars.RUNNER) }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1  # TSCCR: could not find tsccr entry for hashicorp/setup-terraform
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838  # TSCCR: could not find tsccr entry for aws-actions/configure-aws-credentials
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}