From 39765534f11a69ce0fd54525136b76c6992bd876 Mon Sep 17 00:00:00 2001
From: Gustavo Valverde <gustavo@iterativo.do>
Date: Mon, 21 Mar 2022 19:07:01 -0400
Subject: [PATCH] fix(actions): use a specific shortening length for SHAs
 (#3929)

* fix(actions): use a specific shortening length for SHAs

The rlespinasse/github-slug-action now works without checking out the code, reduce time and improving security with following actions.

This requires to specify the GITHUB_SHA_SHORT variable length, as git uses 8 by default, but docker uses 7 by default.

* fix(actions): target correct rlespinasse/github-slug-action version

* fix(actions): just use major version

* fix(actions): github-slug-action is not being correctly referenced
---
 .github/workflows/cd.yml                   | 14 ++++-----
 .github/workflows/clean.yml                |  6 ++--
 .github/workflows/test-full-sync.yml       |  8 ++---
 .github/workflows/test.yml                 | 34 +++++++++-------------
 .github/workflows/zcash-lightwalletd.yml   |  2 ++
 .github/workflows/zcash-params.yml         |  2 ++
 .github/workflows/zcashd-manual-deploy.yml |  2 ++
 7 files changed, 32 insertions(+), 36 deletions(-)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 9eec7720..9ec81d56 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -38,6 +38,8 @@ jobs:
 
     - name: Inject slug/short variables
       uses: rlespinasse/github-slug-action@v4
+      with:
+        short-length: 7
 
       # Automatic tag management and OCI Image Format Specification for labels
     - name: Docker meta
@@ -129,12 +131,10 @@ jobs:
     if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
 
     steps:
-      - uses: actions/checkout@v3.0.0
-        with:
-          persist-credentials: false
-
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       # Setup gcloud CLI
       - name: Authenticate to Google Cloud
@@ -195,12 +195,10 @@ jobs:
     if: github.event_name == 'workflow_dispatch'
 
     steps:
-      - uses: actions/checkout@v3.0.0
-        with:
-          persist-credentials: false
-
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       # Setup gcloud CLI
       - name: Authenticate to Google Cloud
diff --git a/.github/workflows/clean.yml b/.github/workflows/clean.yml
index 54d17adf..e5c961b9 100644
--- a/.github/workflows/clean.yml
+++ b/.github/workflows/clean.yml
@@ -21,12 +21,10 @@ jobs:
       contents: 'read'
       id-token: 'write'
     steps:
-      - uses: actions/checkout@v2.4.0
-        with:
-          persist-credentials: false
-
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       # Setup gcloud CLI
       - name: Authenticate to Google Cloud
diff --git a/.github/workflows/test-full-sync.yml b/.github/workflows/test-full-sync.yml
index acdd4149..a0885f42 100644
--- a/.github/workflows/test-full-sync.yml
+++ b/.github/workflows/test-full-sync.yml
@@ -55,6 +55,8 @@ jobs:
 
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       # Automatic tag management and OCI Image Format Specification for labels
       - name: Docker meta
@@ -135,12 +137,10 @@ jobs:
       contents: 'read'
       id-token: 'write'
     steps:
-      - uses: actions/checkout@v3.0.0
-        with:
-          persist-credentials: false
-
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       # Setup gcloud CLI
       - name: Authenticate to Google Cloud
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7edbd1d5..e13af4c8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -56,6 +56,8 @@ jobs:
 
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
         # Automatic tag management and OCI Image Format Specification for labels
       - name: Docker meta
@@ -134,12 +136,10 @@ jobs:
     needs: build
     if: ${{ github.event.inputs.regenerate-disks != 'true' }}
     steps:
-      - uses: actions/checkout@v3.0.0
-        with:
-          persist-credentials: false
-
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       - name: Run all zebrad tests
         run: |
@@ -157,12 +157,10 @@ jobs:
     needs: build
     if: ${{ github.event.inputs.regenerate-disks != 'true' }}
     steps:
-      - uses: actions/checkout@v3.0.0
-        with:
-          persist-credentials: false
-
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       - name: Run tests with fake activation heights
         run: |
@@ -178,12 +176,10 @@ jobs:
     needs: build
     if: ${{ github.event.inputs.regenerate-disks != 'true' }}
     steps:
-      - uses: actions/checkout@v3.0.0
-        with:
-          persist-credentials: false
-
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       - name: Run zebrad large sync tests
         run: |
@@ -196,12 +192,10 @@ jobs:
     needs: build
     if: ${{ github.event.inputs.regenerate-disks != 'true' }}
     steps:
-      - uses: actions/checkout@v3.0.0
-        with:
-          persist-credentials: false
-
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       - name: Run tests with included lightwalletd binary
         run: |
@@ -248,6 +242,8 @@ jobs:
 
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       - name: Downcase network name for disks
         run: |
@@ -364,12 +360,10 @@ jobs:
       contents: 'read'
       id-token: 'write'
     steps:
-      - uses: actions/checkout@v3.0.0
-        with:
-          persist-credentials: false
-
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       - name: Downcase network name for disks
         run: |
diff --git a/.github/workflows/zcash-lightwalletd.yml b/.github/workflows/zcash-lightwalletd.yml
index cf980688..1c01ce00 100644
--- a/.github/workflows/zcash-lightwalletd.yml
+++ b/.github/workflows/zcash-lightwalletd.yml
@@ -48,6 +48,8 @@ jobs:
 
     - name: Inject slug/short variables
       uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       # Automatic tag management and OCI Image Format Specification for labels
     - name: Docker meta
diff --git a/.github/workflows/zcash-params.yml b/.github/workflows/zcash-params.yml
index b014d1b2..61e1484b 100644
--- a/.github/workflows/zcash-params.yml
+++ b/.github/workflows/zcash-params.yml
@@ -38,6 +38,8 @@ jobs:
 
     - name: Inject slug/short variables
       uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       # Automatic tag management and OCI Image Format Specification for labels
     - name: Docker meta
diff --git a/.github/workflows/zcashd-manual-deploy.yml b/.github/workflows/zcashd-manual-deploy.yml
index 8eed584b..399c305f 100644
--- a/.github/workflows/zcashd-manual-deploy.yml
+++ b/.github/workflows/zcashd-manual-deploy.yml
@@ -30,6 +30,8 @@ jobs:
 
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v4
+        with:
+          short-length: 7
 
       # Setup gcloud CLI
       - name: Authenticate to Google Cloud