Switch logging-parent refs in CI from hashes to tags

dependabot is not able to update `logging-parent` GHA workflow references that use hashes[1][2]. Switching to tags is safe, since `rel/`-prefixed tags are protected by INFRA. [1] dependabot/dependabot-core#8654 [2] dependabot/dependabot-core#6269
apache · Dec 22, 2023 · d71dcb1 · d71dcb1
1 parent ee5ac6b
commit d71dcb1
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 40 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -38,7 +38,7 @@ jobs:
 
   build:
     if: github.actor != 'dependabot[bot]'
-    uses: apache/logging-parent/.github/workflows/build-reusable.yaml@e45457c683302242be5e8e7c3c33edf8f0e0ec0e # 10.4.0
+    uses: apache/logging-parent/.github/workflows/build-reusable.yaml@rel/10.5.0
     with:
       java-version: |
         8
@@ -48,7 +48,7 @@ jobs:
   deploy-snapshot:
     needs: build
     if: github.repository == 'apache/logging-log4j2' && github.ref_name == '2.x'
-    uses: apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@e45457c683302242be5e8e7c3c33edf8f0e0ec0e # 10.4.0
+    uses: apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@rel/10.5.0
     # Secrets for deployments
     secrets:
       NEXUS_USER: ${{ secrets.NEXUS_USER }}
@@ -61,7 +61,7 @@ jobs:
   deploy-release:
     needs: build
     if: github.repository == 'apache/logging-log4j2' && startsWith(github.ref_name, 'release/')
-    uses: apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@e45457c683302242be5e8e7c3c33edf8f0e0ec0e # 10.4.0
+    uses: apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@rel/10.5.0
     # Secrets for deployments
     secrets:
       GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}

diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
@@ -30,7 +30,7 @@ permissions: read-all
 jobs:
 
   analyze:
-    uses: apache/logging-parent/.github/workflows/codeql-analysis-reusable.yaml@e45457c683302242be5e8e7c3c33edf8f0e0ec0e # 10.4.0
+    uses: apache/logging-parent/.github/workflows/codeql-analysis-reusable.yaml@rel/10.5.0
     with:
       java-version: |
         8

diff --git a/.github/workflows/merge-dependabot.yaml b/.github/workflows/merge-dependabot.yaml
@@ -30,15 +30,15 @@ jobs:
 
   build:
     if: github.repository == 'apache/logging-log4j2' && github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'
-    uses: apache/logging-parent/.github/workflows/build-reusable.yaml@e45457c683302242be5e8e7c3c33edf8f0e0ec0e # 10.4.0
+    uses: apache/logging-parent/.github/workflows/build-reusable.yaml@ref/10.5.0
     with:
       java-version: |
         8
         17
 
   merge-dependabot:
     needs: build
-    uses: apache/logging-parent/.github/workflows/merge-dependabot-reusable.yaml@e45457c683302242be5e8e7c3c33edf8f0e0ec0e # 10.4.0
+    uses: apache/logging-parent/.github/workflows/merge-dependabot-reusable.yaml@rel/10.5.0
     with:
       java-version: 17
     permissions:

diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml
@@ -29,43 +29,10 @@ permissions: read-all
 jobs:
 
   analysis:
-
-    name: "Scorecards analysis"
-    runs-on: ubuntu-latest
+    uses: apache/logging-parent/.github/workflows/scorecards-analysis-reusable.yaml@rel/10.5.0
     permissions:
       # Needed to upload the results to the code-scanning dashboard.
       security-events: write
       actions: read
       id-token: write # This is required for requesting the JWT
       contents: read  # This is required for actions/checkout
-
-    steps:
-
-      - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11   # 4.1.1
-        with:
-          persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736    # 2.3.1
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          # A read-only PAT token, which is sufficient for the action to function.
-          # The relevant discussion: https://github.com/ossf/scorecard-action/issues/188
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          # Publish the results for public repositories to enable scorecard badges.
-          # For more details: https://github.com/ossf/scorecard-action#publishing-results
-          publish_results: true
-
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392    # 3.1.0
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c    # 2.1.22
-        with:
-          sarif_file: results.sarif