Pin Python dependencies to hashes and clean up/unify Python setup steps in
various workflows.
We now have one dependency file containing all requirements for github
actions that is managed centrally with hashes. No direct pip installs
are needed in workflow files and everything shall go via the
requirements file.
Pinning to specific versions and hashes helps with preventing supply
chain attacks.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Default to `permissions: read-all` in all workflows and then add
additional permissions as needed at the job level
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
This commit follows up on e808ccfxy and completes the pinning of *all*
GitHub Actions to SHAs, including GitHub-owned `actions/*` actions.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
This commit updates all GitHub Actions workflows to use specific
SHAs for the actions when they're not GitHub owned (`actions/*`)
instead of using tag-based versioning since tags are mutable.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
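
The following is an added example, not part of the commits listed here and not code from the Zephyr project: a small Python check for the two policies the commits above describe, namely every `uses:` reference pinned to a full 40-character commit SHA, and a top-level `permissions: read-all`. The function name `audit_workflow`, the sample workflow, and the SHA in it are constructed for illustration.

```python
import re

# A step- or job-level "uses:" reference, e.g. "- uses: owner/repo@ref"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A workflow-level permissions key (column 0 only, so job-level keys are ignored)
TOP_PERMS_RE = re.compile(r"^permissions:\s*(\S*)")

def audit_workflow(text):
    """Return (line_number, message) findings for one workflow file's text."""
    findings = []
    top_level_perms = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TOP_PERMS_RE.match(line)
        if m:
            top_level_perms = m.group(1) or "(mapping)"
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        action, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, f"{action} pinned to mutable ref '{version}'"))
    if top_level_perms is None:
        findings.append((0, "no top-level permissions block"))
    elif top_level_perms != "read-all":
        findings.append((0, f"top-level permissions is '{top_level_perms}', not read-all"))
    return findings

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
name: constructed-example
on: push
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
      - name: local
        uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for lineno, message in audit_workflow(SAMPLE):
        print(f"line {lineno}: {message}")
```

The check is line-based rather than a full YAML parse, so it assumes conventionally formatted workflow files; a finding with line number 0 refers to the file as a whole.
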
Clean up all pip commands in the various workflows:
- drop the install/upgrade for setuptools, pip and wheel; it seems like this
  was introduced a few years back to work around some old bug and it's not
  needed anymore
- use pip instead of pip3; that's probably been equivalent for quite a
  long time in the CI image
Signed-off-by: Fabio Baltieri <fabiobaltieri@google.com>
Update GitHub Actions to their latest versions to fix the following
warnings on runs:
```
Node.js 16 actions are deprecated. Please update the following actions
to use Node.js 20: actions/checkout@v3, actions/cache@v3,
actions/upload-artifact@v3. For more information see:
https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.
```
`actions/checkout` and `actions/cache` are straight Node version
upgrades, `actions/upload-artifact` and `actions/download-artifact` have
breaking changes, but don't appear to affect our usage.
https://github.com/actions/upload-artifact
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
This commit updates the CI workflows to use the `zephyrproject-rtos`
organisation-level AWS secrets instead of the repository-level secrets.
Using organisation-level secrets allows more centralised management of
the access keys used throughout the GitHub Actions CI infrastructure.
Note that the `AWS_*_ACCESS_KEY_ID` is now stored in plaintext as a
variable instead of a secret because it is equivalent to a username and
needs to be identifiable for management and audit purposes.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
This commit updates the CI workflows to use the AWS
configure-aws-credentials action v2, which is based on Node.js 16 and
@actions/core 1.10.0, in preparation for the upcoming removal of the
deprecated GitHub features.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
This commit updates the CI workflows to use the GitHub Ubuntu 22.04
virtual environment for running jobs.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
This commit updates the CI workflows to use the latest "checkout"
action v3, which is based on Node.js 16.
Note that Node.js 12-based actions are now deprecated by GitHub and may
stop working in the near future.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
This commit updates the daily test version workflow to use a specific
runner image version, ubuntu-20.04, instead of the latest version in
order to prevent any potential breakages due to the 'latest' version
change by GitHub.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
Currently, nightly releases are performed in forks as well.
Since these fail due to missing AWS credentials, this causes
a lot of messages about failing builds. This commit disables
them for forks.
Signed-off-by: Max Bachmann <kontakt@maxbachmann.de>