chore: pin yamllint, golangci-lint (#783)

Pins the yamllint and golangci-lint dependencies used in pre-submits.

This is to fix code-scanning alerts about unpinned dependencies:
- https://github.com/slsa-framework/slsa-verifier/security/code-scanning/8
- https://github.com/slsa-framework/slsa-verifier/security/code-scanning/21

### Testing Process

The pre-submit test that uses yamllint and golangci-lint passes.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Ramon Petgrave
2024-08-02 15:51:07 -04:00
committed by GitHub
parent 7f3db9211e
commit 88bcb6bff7
3 changed files with 72 additions and 6 deletions

@@ -16,25 +16,23 @@ jobs:
go-version-file: "go.mod"
# not needed but gets rid of warnings
cache: false
- uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc # v4
- uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
name: golangci-lint
with:
# Require: The version of golangci-lint to use.
# When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
# When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit.
version: v1.55.2
version: v1.59.1
yamllint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- env:
YAMLLINT_VERSION: "1.26.3"
run: |
- run: |
set -euo pipefail
# Install yamllint
pip install "yamllint==${YAMLLINT_VERSION}"
pip install -r ./requirements-lint.txt --require-hashes
# Run yamllint
make yamllint
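
Review bot: In the golangci-lint step, both `uses:` lines already reference a full commit SHA (`# v4` and `# v6.0.1`), so this part of the change is an upgrade of the action (v4 to v6.0.1) and of the linter (`version: v1.55.2` to `version: v1.59.1`) rather than a pin. The commit message should say so, or the upgrade should be split into its own commit, so that a change in lint results can be traced to the version bump. Note also that `version:` is still a tag: per the comment in this hunk, only `install-mode: goinstall` accepts a commit hash, so the linter itself is not pinned to a hash here. In the yamllint step, dropping `YAMLLINT_VERSION` moves the version out of the workflow and into `./requirements-lint.txt`; a short comment above `pip install -r ./requirements-lint.txt --require-hashes` stating that the pin and its hashes live in that file, and how the hashes are regenerated on a bump, would keep the next update from silently failing the `--require-hashes` check.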