
Merge pull request #12302 from id/0111-ci-restrict-token-permissions-and-pin-deps

ci: restrict token permissions and pin deps
Ivan Dyachkov 2 лет назад
Родитель
Сommit
fb44bfcbe6

+ 1 - 1
.github/actions/package-macos/action.yaml

@@ -51,7 +51,7 @@ runs:
             echo "SELF_HOSTED=false" >> $GITHUB_OUTPUT
             ;;
         esac
-    - uses: actions/cache@v3
+    - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       id: cache
       if: steps.prepare.outputs.SELF_HOSTED != 'true'
       with:

+ 4 - 4
.github/actions/prepare-jmeter/action.yaml

@@ -8,7 +8,7 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
       with:
         name: emqx-docker
         path: /tmp
@@ -19,19 +19,19 @@ runs:
       run: |
         EMQX_DOCKER_IMAGE_TAG=$(docker load < /tmp/emqx-docker-${PKG_VSN}.tar.gz | sed 's/Loaded image: //g')
         echo "_EMQX_DOCKER_IMAGE_TAG=$EMQX_DOCKER_IMAGE_TAG" >> $GITHUB_ENV
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: emqx/emqx-fvt
         ref: broker-autotest-v5
         path: scripts
-    - uses: actions/setup-java@v3
+    - uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
       with:
         java-version: '8.0.282' # The JDK version to make available on the path.
         java-package: jdk # (jre, jdk, or jdk+fx) - defaults to jdk
         architecture: x64 # (x64 or x86) - defaults to x64
         # https://github.com/actions/setup-java/blob/main/docs/switching-to-v2.md
         distribution: 'zulu'
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
       with:
         name: apache-jmeter.tgz
     - name: install jmeter
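Review bot: The checkout step now pinned to v4.1.1 still pulls `emqx/emqx-fvt` at `ref: broker-autotest-v5`, a branch name rather than a commit, so the test code this composite action runs can change underneath the SHA-pinned action; the same applies to `emqx/paho.mqtt.testing` at `ref: develop-5.0` in run_helm_tests.yaml. Both repositories live in the emqx organisation, which lowers the risk, but if reproducibility is the goal of this PR, pinning these refs to a commit (with the branch kept in a trailing comment, as done for the actions) closes the gap; Dependabot does not track `with: ref:` values, so they would need manual bumps. If tracking the branch is intentional, a comment such as `# intentionally tracks the branch; the suite is maintained alongside emqx` makes that visible. The `install jmeter` step and the rest of the action continue outside the hunk.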

+ 32 - 0
.github/dependabot.yml

@@ -0,0 +1,32 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: "/"
+    reviewers:
+      - "emqx/emqx-review-board"
+    schedule:
+      interval: weekly
+    groups:
+      actions:
+        patterns:
+          - "*"
+  - package-ecosystem: github-actions
+    directory: "/.github/actions/package-macos/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+    reviewers:
+      - "emqx/emqx-review-board"
+    schedule:
+      interval: weekly
+    groups:
+      actions-package-macos:
+        patterns:
+          - "*"
+  - package-ecosystem: github-actions
+    directory: "/.github/actions/prepare-jmeter/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+    reviewers:
+      - "emqx/emqx-review-board"
+    schedule:
+      interval: weekly
+    groups:
+      actions-prepare-jmeter:
+        patterns:
+          - "*"

+ 6 - 3
.github/workflows/_pr_entrypoint.yaml

@@ -14,6 +14,9 @@ on:
 env:
   IS_CI: "yes"
 
+permissions:
+  contents: read
+
 jobs:
   sanity-checks:
     runs-on: ubuntu-22.04
@@ -30,7 +33,7 @@ jobs:
       elixir_vsn: "1.15.7"
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.event.inputs.ref }}
           fetch-depth: 0
@@ -125,7 +128,7 @@ jobs:
           - emqx-enterprise
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
       - name: Work around https://github.com/actions/checkout/issues/766
@@ -141,7 +144,7 @@ jobs:
           echo "PROFILE=${PROFILE}" | tee -a .env
           echo "PKG_VSN=$(./pkg-vsn.sh ${PROFILE})" | tee -a .env
           zip -ryq -x@.github/workflows/.zipignore $PROFILE.zip .
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: ${{ matrix.profile }}
           path: ${{ matrix.profile }}.zip
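Review bot: The top-level `permissions: contents: read` is added here and in _push-entrypoint, build_packages, build_packages_cron, build_slim_packages and run_jmeter_tests, but the other workflows touched by this commit (build_and_push_docker_images, build_docker_for_test, check_deps_integrity, performance_test, release, run_conf_tests, run_docker_tests, run_emqx_app_tests, run_helm_tests) show no such block in their visible hunks. If those are reusable workflows invoked only from the two entrypoints they inherit the caller's reduced token, but any that also runs on its own trigger (performance_test reads `github.event.inputs.ref` and release reads `github.event.inputs.tag`, which suggests workflow_dispatch) still receives the repository default token. Adding the same two lines at the top of each, and keeping job-level grants such as `actions: write` explicit only where a job needs them, would make the restriction uniform. The `on:` block that defines this workflow's triggers is above the first hunk.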

+ 6 - 3
.github/workflows/_push-entrypoint.yaml

@@ -14,6 +14,9 @@ on:
       - 'release-5[0-9]'
       - 'ci/**'
 
+permissions:
+  contents: read
+
 env:
   IS_CI: 'yes'
 
@@ -35,7 +38,7 @@ jobs:
       elixir_vsn: '1.15.7'
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.event.inputs.ref }}
           fetch-depth: 0
@@ -133,7 +136,7 @@ jobs:
           - emqx-enterprise
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.event.inputs.ref }}
           fetch-depth: 0
@@ -149,7 +152,7 @@ jobs:
           echo "PROFILE=${PROFILE}" | tee -a .env
           echo "PKG_VSN=$(./pkg-vsn.sh ${PROFILE})" | tee -a .env
           zip -ryq -x@.github/workflows/.zipignore $PROFILE.zip .
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: ${{ matrix.profile }}
           path: ${{ matrix.profile }}.zip

+ 5 - 5
.github/workflows/build_and_push_docker_images.yaml

@@ -91,23 +91,23 @@ jobs:
             registry: 'public.ecr.aws'
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         ref: ${{ github.event.inputs.ref }}
         fetch-depth: 0
 
-    - uses: docker/setup-qemu-action@v2
-    - uses: docker/setup-buildx-action@v2
+    - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+    - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
     - name: Login to hub.docker.com
-      uses: docker/login-action@v2
+      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
       if: matrix.registry == 'docker.io'
       with:
         username: ${{ secrets.DOCKER_HUB_USER }}
         password: ${{ secrets.DOCKER_HUB_TOKEN }}
 
     - name: Login to AWS ECR
-      uses: docker/login-action@v2
+      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
       if: matrix.registry == 'public.ecr.aws'
       with:
         registry: public.ecr.aws

+ 2 - 2
.github/workflows/build_docker_for_test.yaml

@@ -42,7 +42,7 @@ jobs:
           - emqx-enterprise-elixir
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: build and export to Docker
         id: build
         run: |
@@ -57,7 +57,7 @@ jobs:
       - name: export docker image
         run: |
           docker save $EMQX_IMAGE_TAG | gzip > $EMQX_NAME-docker-$PKG_VSN.tar.gz
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: "${{ env.EMQX_NAME }}-docker"
           path: "${{ env.EMQX_NAME }}-docker-${{ env.PKG_VSN }}.tar.gz"

+ 13 - 9
.github/workflows/build_packages.yaml

@@ -64,6 +64,9 @@ on:
         type: string
         default: '5.3-2'
 
+permissions:
+  contents: read
+
 jobs:
   mac:
     strategy:
@@ -80,7 +83,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - uses: emqx/self-hosted-cleanup-action@v1.0.3
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         ref: ${{ github.event.inputs.ref }}
         fetch-depth: 0
@@ -93,12 +96,13 @@ jobs:
         apple_developer_identity: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
         apple_developer_id_bundle: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
         apple_developer_id_bundle_password: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: success()
       with:
-        name: ${{ matrix.profile }}
+        name: ${{ matrix.profile }}-${{ matrix.otp }}-${{ matrix.os }}
         path: _packages/${{ matrix.profile }}/
         retention-days: 7
+        compression-level: 0
 
   linux:
     runs-on: [self-hosted, ephemeral, linux, "${{ matrix.arch }}"]
@@ -149,7 +153,7 @@ jobs:
         shell: bash
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       with:
         ref: ${{ github.event.inputs.ref }}
         fetch-depth: 0
@@ -190,9 +194,9 @@ jobs:
           ./scripts/pkg-tests.sh "${PROFILE}-tgz"
           ./scripts/pkg-tests.sh "${PROFILE}-pkg"
         fi
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
-        name: ${{ matrix.profile }}
+        name: ${{ matrix.profile }}-${{ matrix.otp }}-${{ matrix.arch }}-${{ matrix.os }}-${{ matrix.with_elixir == 'yes' && 'elixir' || 'erlang' }}
         path: _packages/${{ matrix.profile }}/
         retention-days: 7
 
@@ -208,9 +212,9 @@ jobs:
         profile:
           - ${{ inputs.profile }}
     steps:
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
       with:
-        name: ${{ matrix.profile }}
+        pattern: ${{ matrix.profile }}-*
         path: packages/${{ matrix.profile }}
     - name: install dos2unix
       run: sudo apt-get update -y && sudo apt install -y dos2unix
@@ -224,7 +228,7 @@ jobs:
           echo "$(cat $var.sha256) $var" | sha256sum -c || exit 1
         done
         cd -
-    - uses: aws-actions/configure-aws-credentials@v2
+    - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
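Review bot: The linux job still uploads with `actions/upload-artifact@… # v3.1.3` (the step whose name contains `-${{ matrix.arch }}-`) while the downstream job that consumes it switched to `actions/download-artifact@… # v4.1.1` with `pattern: ${{ matrix.profile }}-*`; per the actions' own compatibility notes a v4 download does not see artifacts produced by a v3 upload, so the linux packages would be missing from `packages/${{ matrix.profile }}` while the mac job's v4 upload still matches. If the v3 pin (and the matching `checkout … # v3.6.0`) is deliberate because the self-hosted linux runners cannot run a node20 action, that constraint belongs in a comment, e.g. `# v3 kept: self-hosted linux runners cannot run node20 actions — TODO confirm`, and the downloader needs a v3 step for those artifacts; otherwise bump it to the same v4.0.0 SHA used in the mac job. `emqx/self-hosted-cleanup-action@v1.0.3` is the one remaining tag reference in this file; being org-owned it is lower risk, but pinning it by SHA like the rest keeps the policy uniform. The job definitions continue outside the hunks.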

+ 9 - 6
.github/workflows/build_packages_cron.yaml

@@ -9,6 +9,9 @@ on:
     - cron:  '0 */6 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   linux:
     if: github.repository_owner == 'emqx'
@@ -32,7 +35,7 @@ jobs:
         shell: bash
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ matrix.profile[1] }}
           fetch-depth: 0
@@ -63,14 +66,14 @@ jobs:
           set -eu
           ./scripts/pkg-tests.sh "${PROFILE}-tgz"
           ./scripts/pkg-tests.sh "${PROFILE}-pkg"
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         if: success()
         with:
           name: ${{ matrix.profile[0] }}
           path: _packages/${{ matrix.profile[0] }}/
           retention-days: 7
       - name: Send notification to Slack
-        uses: slackapi/slack-github-action@v1.23.0
+        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
         if: failure()
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
@@ -95,7 +98,7 @@ jobs:
           - macos-12-arm64
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ matrix.branch }}
           fetch-depth: 0
@@ -108,14 +111,14 @@ jobs:
           apple_developer_identity: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
           apple_developer_id_bundle: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
           apple_developer_id_bundle_password: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         if: success()
         with:
           name: ${{ matrix.profile }}
           path: _packages/${{ matrix.profile }}/
           retention-days: 7
       - name: Send notification to Slack
-        uses: slackapi/slack-github-action@v1.23.0
+        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
         if: failure()
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
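Review bot: Both upload steps keep v3-era artifact names, `name: ${{ matrix.profile[0] }}` in the linux job and `name: ${{ matrix.profile }}` in the mac job, after moving to upload-artifact v4.0.0, which rejects a second upload to an existing artifact name instead of merging into it as v3 did. `profile[0]` drops the branch carried in `profile[1]` (used as `ref:` in the checkout hunk), and the mac matrix lists several `os` values (`macos-12-arm64` among them), so any two matrix entries sharing a profile will make the second upload fail. Every other workflow in this commit folded the remaining dimensions into the name (e.g. build_packages' `-${{ matrix.otp }}-${{ matrix.os }}`); doing the same here, e.g. `name: ${{ matrix.profile[0] }}-${{ matrix.profile[1] }}` and `name: ${{ matrix.profile }}-${{ matrix.os }}`, avoids the collision. build_slim_packages' mac job (`name: ${{ matrix.os }}` with `EMQX_NAME: ${{ matrix.profile }}`) has the same exposure if its matrix has a profile axis. The full matrix definitions are outside the hunks, so this is inferred from the visible entries.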

+ 11 - 7
.github/workflows/build_slim_packages.yaml

@@ -41,6 +41,9 @@ on:
         type: string
         default: '1.15.7'
 
+permissions:
+  contents: read
+
 jobs:
   linux:
     runs-on: ${{ github.repository_owner == 'emqx' && fromJSON(format('["self-hosted","ephemeral","linux","{0}"]', matrix.profile[4])) || 'ubuntu-22.04' }}
@@ -58,7 +61,7 @@ jobs:
     container: "ghcr.io/emqx/emqx-builder/${{ inputs.builder_vsn }}:${{ inputs.elixir_vsn }}-${{ matrix.profile[1] }}-${{ matrix.profile[2] }}"
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         fetch-depth: 0
     - name: Work around https://github.com/actions/checkout/issues/766
@@ -85,14 +88,15 @@ jobs:
       run: |
         make ${EMQX_NAME}-elixir-pkg
         ./scripts/pkg-tests.sh ${EMQX_NAME}-elixir-pkg
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       with:
-        name: "${{ matrix.profile[0] }}-${{ matrix.profile[1] }}-${{ matrix.profile[2] }}"
+        name: "${{ matrix.profile[0] }}-${{ matrix.profile[1] }}-${{ matrix.profile[2] }}-${{ matrix.profile[3] }}-${{ matrix.profile[4] }}"
         path: _packages/${{ matrix.profile[0] }}/*
         retention-days: 7
-    - uses: actions/upload-artifact@v3
+        compression-level: 0
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       with:
-        name: "${{ matrix.profile[0] }}_schema_dump"
+        name: "${{ matrix.profile[0] }}-schema-dump-${{ matrix.profile[1] }}-${{ matrix.profile[2] }}-${{ matrix.profile[3] }}-${{ matrix.profile[4] }}"
         path: |
           scripts/spellcheck
           _build/docgen/${{ matrix.profile[0] }}/schema-en.json
@@ -114,7 +118,7 @@ jobs:
       EMQX_NAME: ${{ matrix.profile }}
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - uses: ./.github/actions/package-macos
       with:
         profile: ${{ matrix.profile }}
@@ -124,7 +128,7 @@ jobs:
         apple_developer_identity: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
         apple_developer_id_bundle: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
         apple_developer_id_bundle_password: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       with:
         name: ${{ matrix.os }}
         path: _packages/**/*

+ 2 - 2
.github/workflows/check_deps_integrity.yaml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }}
     container: ${{ inputs.builder }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
       - run: make ensure-rebar3
       - run: ./scripts/check-deps-integrity.escript
@@ -36,7 +36,7 @@ jobs:
           MIX_ENV: emqx-enterprise
           PROFILE: emqx-enterprise
       - name: Upload produced lock files
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         if: failure()
         with:
           name: produced_lock_files

+ 8 - 6
.github/workflows/codeql.yaml

@@ -4,9 +4,6 @@ on:
   schedule:
     - cron: '33 14 * * 4'
   workflow_dispatch:
-    inputs:
-      ref:
-        required: false
 
 permissions:
   contents: read
@@ -25,13 +22,18 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'cpp', 'python' ]
+        branch:
+          - master
+          - release-54
+        language:
+          - cpp
+          - python
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
-        ref: ${{ github.event.inputs.ref }}
+        ref: ${{ matrix.branch }}
 
     - name: Ensure git safe dir
       run: |
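Review bot: The new `branch:` matrix hard-codes `release-54` next to `master` in place of the removed `ref` input, so the scheduled scan silently stops covering the current release line once the next release branch is cut; a comment above the list, `# release branches scanned on schedule — add the new branch when one is cut, drop EOL ones`, makes that maintenance step visible. Dropping the workflow_dispatch `ref` input also removes the ability to trigger an ad-hoc scan of another branch from the UI; if that was not intended, keeping the input and using `ref: ${{ inputs.ref || matrix.branch }}` restores it. The job's `permissions` and remaining steps are outside the hunk, so whether `security-events: write` is granted at job level cannot be confirmed here.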

+ 1 - 1
.github/workflows/green_master.yaml

@@ -22,7 +22,7 @@ jobs:
       checks: read
       actions: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.event.inputs.ref || 'master' }}
 

+ 30 - 30
.github/workflows/performance_test.yaml

@@ -32,7 +32,7 @@ jobs:
       PACKAGE_FILE: ${{ steps.package_file.outputs.PACKAGE_FILE }}
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         fetch-depth: 0
         ref: ${{ github.event.inputs.ref }}
@@ -52,7 +52,7 @@ jobs:
       id: package_file
       run: |
         echo "PACKAGE_FILE=$(find _packages/emqx -name 'emqx-*.deb' | head -n 1 | xargs basename)" >> $GITHUB_OUTPUT
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       with:
         name: emqx-ubuntu20.04
         path: _packages/emqx/${{ steps.package_file.outputs.PACKAGE_FILE }}
@@ -66,23 +66,23 @@ jobs:
 
     steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }}
         aws-region: eu-west-1
     - name: Checkout tf-emqx-performance-test
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: emqx/tf-emqx-performance-test
         path: tf-emqx-performance-test
         ref: v0.2.3
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
       with:
         name: emqx-ubuntu20.04
         path: tf-emqx-performance-test/
     - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v2
+      uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
       with:
         terraform_wrapper: false
     - name: run scenario
@@ -105,7 +105,7 @@ jobs:
         terraform destroy -auto-approve
         aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id .
     - name: Send notification to Slack
-      uses: slackapi/slack-github-action@v1.24.0
+      uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
       with:
         payload-file-path: "./tf-emqx-performance-test/slack-payload.json"
     - name: terraform destroy
@@ -113,13 +113,13 @@ jobs:
       working-directory: ./tf-emqx-performance-test
       run: |
         terraform destroy -auto-approve
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: success()
       with:
         name: metrics
         path: |
           "./tf-emqx-performance-test/*.tar.gz"
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: failure()
       with:
         name: terraform
@@ -137,23 +137,23 @@ jobs:
 
     steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }}
         aws-region: eu-west-1
     - name: Checkout tf-emqx-performance-test
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: emqx/tf-emqx-performance-test
         path: tf-emqx-performance-test
         ref: v0.2.3
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
       with:
         name: emqx-ubuntu20.04
         path: tf-emqx-performance-test/
     - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v2
+      uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
       with:
         terraform_wrapper: false
     - name: run scenario
@@ -176,7 +176,7 @@ jobs:
         terraform destroy -auto-approve
         aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id .
     - name: Send notification to Slack
-      uses: slackapi/slack-github-action@v1.24.0
+      uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
       with:
         payload-file-path: "./tf-emqx-performance-test/slack-payload.json"
     - name: terraform destroy
@@ -184,13 +184,13 @@ jobs:
       working-directory: ./tf-emqx-performance-test
       run: |
         terraform destroy -auto-approve
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: success()
       with:
         name: metrics
         path: |
           "./tf-emqx-performance-test/*.tar.gz"
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: failure()
       with:
         name: terraform
@@ -209,23 +209,23 @@ jobs:
 
     steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }}
         aws-region: eu-west-1
     - name: Checkout tf-emqx-performance-test
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: emqx/tf-emqx-performance-test
         path: tf-emqx-performance-test
         ref: v0.2.3
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
       with:
         name: emqx-ubuntu20.04
         path: tf-emqx-performance-test/
     - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v2
+      uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
       with:
         terraform_wrapper: false
     - name: run scenario
@@ -249,7 +249,7 @@ jobs:
         terraform destroy -auto-approve
         aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id .
     - name: Send notification to Slack
-      uses: slackapi/slack-github-action@v1.24.0
+      uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
       with:
         payload-file-path: "./tf-emqx-performance-test/slack-payload.json"
     - name: terraform destroy
@@ -257,13 +257,13 @@ jobs:
       working-directory: ./tf-emqx-performance-test
       run: |
         terraform destroy -auto-approve
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: success()
       with:
         name: metrics
         path: |
           "./tf-emqx-performance-test/*.tar.gz"
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: failure()
       with:
         name: terraform
@@ -283,23 +283,23 @@ jobs:
 
     steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }}
         aws-region: eu-west-1
     - name: Checkout tf-emqx-performance-test
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: emqx/tf-emqx-performance-test
         path: tf-emqx-performance-test
         ref: v0.2.3
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
       with:
         name: emqx-ubuntu20.04
         path: tf-emqx-performance-test/
     - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v2
+      uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
       with:
         terraform_wrapper: false
     - name: run scenario
@@ -322,7 +322,7 @@ jobs:
         terraform destroy -auto-approve
         aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id .
     - name: Send notification to Slack
-      uses: slackapi/slack-github-action@v1.24.0
+      uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
       with:
         payload-file-path: "./tf-emqx-performance-test/slack-payload.json"
     - name: terraform destroy
@@ -330,13 +330,13 @@ jobs:
       working-directory: ./tf-emqx-performance-test
       run: |
         terraform destroy -auto-approve
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: success()
       with:
         name: metrics
         path: |
           "./tf-emqx-performance-test/*.tar.gz"
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: failure()
       with:
         name: terraform
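Review bot: The same step sequence (configure-aws-credentials, checkout, download-artifact, setup-terraform, Slack notification, two uploads) is repeated in four jobs at the hunks starting `@@ -66`, `@@ -137`, `@@ -209` and `@@ -283`, so this pin update had to be applied four times and every future Dependabot bump will touch the file in four places; a single reusable workflow or a job `matrix` over the scenario would leave one copy of each pin. Unrelated to the pin itself, each `metrics` upload's `path: |` block scalar contains `"./tf-emqx-performance-test/*.tar.gz"` with the quotes inside the scalar, so the quote characters are part of the glob the action receives; unless the action strips them (not verified here) the upload matches nothing, and writing the path without quotes is the safe form. The credential steps keep long-lived `AWS_ACCESS_KEY_PERF_TEST` / `AWS_SECRET_ACCESS_KEY_PERF_TEST` secrets; the pinned v4.0.1 of configure-aws-credentials supports `role-to-assume` with OIDC, which would remove the static keys at the cost of an `id-token: write` job permission. The job headers before `steps:` are outside the hunks.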

+ 3 - 3
.github/workflows/release.yaml

@@ -31,12 +31,12 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: aws-actions/configure-aws-credentials@v2
+      - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.event.inputs.tag }}
       - name: Detect profile
@@ -132,7 +132,7 @@ jobs:
       checks: write
       actions: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: trigger re-run of app versions check on open PRs
         shell: bash
         env:

+ 3 - 3
.github/workflows/run_conf_tests.yaml

@@ -25,7 +25,7 @@ jobs:
           - emqx
           - emqx-enterprise
     steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: ${{ matrix.profile }}
       - name: extract artifact
@@ -40,9 +40,9 @@ jobs:
         if: failure()
         run: |
           cat _build/${{ matrix.profile }}/rel/emqx/logs/erlang.log.*
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         if: failure()
         with:
-          name: logs-${{ matrix.profile }}
+          name: conftest-logs-${{ matrix.profile }}
           path: _build/${{ matrix.profile }}/rel/emqx/logs
           retention-days: 7

+ 4 - 4
.github/workflows/run_docker_tests.yaml

@@ -36,8 +36,8 @@ jobs:
       EMQX_IMAGE_OLD_VERSION_TAG: ${{ matrix.profile[1] }}
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/download-artifact@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: ${{ env.EMQX_NAME }}-docker
           path: /tmp
@@ -83,8 +83,8 @@ jobs:
           - mnesia
           - rlog
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/download-artifact@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: ${{ env.EMQX_NAME }}-docker
           path: /tmp

+ 2 - 2
.github/workflows/run_emqx_app_tests.yaml

@@ -36,7 +36,7 @@ jobs:
         shell: bash
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         fetch-depth: 0
     - name: run
@@ -58,7 +58,7 @@ jobs:
         ./rebar3 eunit -v --name 'eunit@127.0.0.1'
         ./rebar3 as standalone_test ct --name 'test@127.0.0.1' -v --readable=true
         ./rebar3 proper -d test/props
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: failure()
       with:
         name: logs-emqx-app-tests

+ 3 - 3
.github/workflows/run_helm_tests.yaml

@@ -42,10 +42,10 @@ jobs:
         - ssl1.3
         - ssl1.2
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         path: source
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
       with:
         name: "${{ env.EMQX_NAME }}-docker"
         path: /tmp
@@ -165,7 +165,7 @@ jobs:
           fi
           sleep 1;
         done
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: emqx/paho.mqtt.testing
         ref: develop-5.0

+ 20 - 17
.github/workflows/run_jmeter_tests.yaml

@@ -7,13 +7,16 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   jmeter_artifact:
     runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }}
     steps:
     - name: Cache Jmeter
       id: cache-jmeter
-      uses: actions/cache@v3
+      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
         path: /tmp/apache-jmeter.tgz
         key: apache-jmeter-5.4.3.tgz
@@ -32,7 +35,7 @@ jobs:
         else
           wget --no-verbose --no-check-certificate -O /tmp/apache-jmeter.tgz $ARCHIVE_URL
         fi
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       with:
         name: apache-jmeter.tgz
         path: /tmp/apache-jmeter.tgz
@@ -52,7 +55,7 @@ jobs:
 
     needs: jmeter_artifact
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - uses: ./.github/actions/prepare-jmeter
       with:
         version-emqx: ${{ inputs.version-emqx }}
@@ -83,10 +86,10 @@ jobs:
           echo "check logs failed"
           exit 1
         fi
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: always()
       with:
-        name: jmeter_logs
+        name: jmeter_logs-advanced_feat-${{ matrix.scripts_type }}
         path: ./jmeter_logs
         retention-days: 3
 
@@ -108,7 +111,7 @@ jobs:
 
     needs: jmeter_artifact
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - uses: ./.github/actions/prepare-jmeter
       with:
         version-emqx: ${{ inputs.version-emqx }}
@@ -150,10 +153,10 @@ jobs:
       if: failure()
       run: |
         docker compose -f .ci/docker-compose-file/docker-compose-emqx-cluster.yaml logs --no-color > ./jmeter_logs/emqx.log
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: always()
       with:
-        name: jmeter_logs
+        name: jmeter_logs-pgsql_authn_authz-${{ matrix.scripts_type }}_${{ matrix.pgsql_tag }}
         path: ./jmeter_logs
         retention-days: 3
 
@@ -172,7 +175,7 @@ jobs:
 
     needs: jmeter_artifact
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - uses: ./.github/actions/prepare-jmeter
       with:
         version-emqx: ${{ inputs.version-emqx }}
@@ -210,10 +213,10 @@ jobs:
           echo "check logs failed"
           exit 1
         fi
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: always()
       with:
-        name: jmeter_logs
+        name: jmeter_logs-mysql_authn_authz-${{ matrix.scripts_type }}_${{ matrix.mysql_tag }}
         path: ./jmeter_logs
         retention-days: 3
 
@@ -228,7 +231,7 @@ jobs:
 
     needs: jmeter_artifact
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - uses: ./.github/actions/prepare-jmeter
       with:
         version-emqx: ${{ inputs.version-emqx }}
@@ -262,10 +265,10 @@ jobs:
           echo "check logs failed"
           exit 1
         fi
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: always()
       with:
-        name: jmeter_logs
+        name: jmeter_logs-JWT_authn-${{ matrix.scripts_type }}
         path: ./jmeter_logs
         retention-days: 3
 
@@ -281,7 +284,7 @@ jobs:
 
     needs: jmeter_artifact
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - uses: ./.github/actions/prepare-jmeter
       with:
         version-emqx: ${{ inputs.version-emqx }}
@@ -306,9 +309,9 @@ jobs:
           echo "check logs failed"
           exit 1
         fi
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       if: always()
       with:
-        name: jmeter_logs
+        name: jmeter_logs-built_in_database_authn_authz-${{ matrix.scripts_type }}
         path: ./jmeter_logs
         retention-days: 3
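Review bot: Inside the `jmeter_artifact` job (the `if`/`else` step whose start lies before the second hunk), the fallback fetch `wget --no-verbose --no-check-certificate -O /tmp/apache-jmeter.tgz $ARCHIVE_URL` disables TLS verification and nothing checks the download before it is stored under the `apache-jmeter-5.4.3.tgz` cache key and uploaded as the artifact every downstream job runs. SHA-pinning the actions does not cover this input; drop `--no-check-certificate`, quote the URL, and verify the archive against a recorded digest, e.g. `echo "<expected-sha256>  /tmp/apache-jmeter.tgz" | sha256sum -c -`, so a bad download fails the job instead of poisoning the cache for later runs. Where `ARCHIVE_URL` is set is outside the hunk; if it points at an Apache release mirror, the checksum file published alongside the release is the natural source for that digest.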

+ 9 - 9
.github/workflows/run_relup_tests.yaml

@@ -25,7 +25,7 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
       with:
         name: emqx-enterprise
     - name: extract artifact
@@ -45,10 +45,10 @@ jobs:
       run: |
         export PROFILE='emqx-enterprise'
         make emqx-enterprise-tgz
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       name: Upload built emqx and test scenario
       with:
-        name: emqx_built
+        name: relup_tests_emqx_built
         path: |
           _upgrade_base
           _packages
@@ -72,10 +72,10 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: erlef/setup-beam@v1.16.0
+    - uses: erlef/setup-beam@a34c98fd51e370b4d4981854aba1eb817ce4e483 # v1.17.0
       with:
         otp-version: 26.2.1
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: hawk/lux
         ref: lux-2.8.1
@@ -88,10 +88,10 @@ jobs:
         ./configure
         make
         echo "$(pwd)/bin" >> $GITHUB_PATH
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
       name: Download built emqx and test scenario
       with:
-        name: emqx_built
+        name: relup_tests_emqx_built
         path: .
     - name: run relup test
       run: |
@@ -111,11 +111,11 @@ jobs:
           docker logs node2.emqx.io | tee lux_logs/emqx2.log
           exit 1
         fi
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
       name: Save debug data
       if: failure()
       with:
-        name: debug_data
+        name: relup_test_run_debug_data
         path: |
           lux_logs
         retention-days: 3
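Review bot: The `hawk/lux` checkout in the third hunk fetches by the tag `lux-2.8.1`, and the following step (`./configure`, `make`, `echo "$(pwd)/bin" >> $GITHUB_PATH`) builds that code and puts it on `PATH` for the rest of the job; tags are movable references, so this third-party build input is not pinned the way the actions now are. Resolving the tag to its commit and writing `ref: <sha> # lux-2.8.1`, together with `persist-credentials: false` on that checkout, closes the gap and matches the `# vX.Y.Z` convention used on the action lines. The hunk starts inside the `steps:` list of a job whose header is outside view.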

+ 20 - 14
.github/workflows/run_test_cases.yaml

@@ -20,6 +20,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 env:
   IS_CI: "yes"
 
@@ -38,7 +41,7 @@ jobs:
     container: "ghcr.io/emqx/emqx-builder/${{ matrix.builder }}:${{ matrix.elixir }}-${{ matrix.otp }}-ubuntu22.04"
 
     steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: ${{ matrix.profile }}
       - name: extract artifact
@@ -61,9 +64,9 @@ jobs:
           CT_COVER_EXPORT_PREFIX: ${{ matrix.profile }}-${{ matrix.otp }}
         run: make proper
 
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
-          name: coverdata
+          name: coverdata-${{ matrix.profile }}-${{ matrix.otp }}
           path: _build/test/cover
           retention-days: 7
 
@@ -80,7 +83,7 @@ jobs:
         shell: bash
 
     steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: ${{ matrix.profile }}
       - name: extract artifact
@@ -105,19 +108,20 @@ jobs:
           ENABLE_COVER_COMPILE: 1
           CT_COVER_EXPORT_PREFIX: ${{ matrix.profile }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }}
         run: ./scripts/ct/run.sh --ci --app ${{ matrix.app }}
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
-          name: coverdata
+          name: coverdata-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }}
           path: _build/test/cover
           retention-days: 7
       - name: compress logs
         if: failure()
         run: tar -czf logs.tar.gz _build/test/logs
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         if: failure()
         with:
           name: logs-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }}
           path: logs.tar.gz
+          compression-level: 0
           retention-days: 7
 
   ct:
@@ -134,7 +138,7 @@ jobs:
         shell: bash
 
     steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: ${{ matrix.profile }}
       - name: extract artifact
@@ -151,20 +155,21 @@ jobs:
           CT_COVER_EXPORT_PREFIX: ${{ matrix.profile }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }}
         run: |
           make "${{ matrix.app }}-ct"
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
-          name: coverdata
+          name: coverdata-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }}
           path: _build/test/cover
           if-no-files-found: warn # do not fail if no coverdata found
           retention-days: 7
       - name: compress logs
         if: failure()
         run: tar -czf logs.tar.gz _build/test/logs
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         if: failure()
         with:
           name: logs-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }}
           path: logs.tar.gz
+          compression-level: 0
           retention-days: 7
 
   tests_passed:
@@ -191,7 +196,7 @@ jobs:
         profile:
           - emqx-enterprise
     steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: ${{ matrix.profile }}
       - name: extract artifact
@@ -199,11 +204,12 @@ jobs:
           unzip -o -q ${{ matrix.profile }}.zip
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         name: download coverdata
         with:
-          name: coverdata
+          pattern: coverdata-${{ matrix.profile }}-*
           path: _build/test/cover
+          merge-multiple: true
 
       - name: make cover
         env:
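Review bot: The coverage download in the last hunk matches artifacts by prefix, `pattern: coverdata-${{ matrix.profile }}-*`, and `merge-multiple: true` unpacks every match into the same `_build/test/cover` directory, where files with equal names are silently overwritten by whichever artifact is extracted last. With the matrix earlier in this job limited to `emqx-enterprise` that is harmless, but a shorter profile such as `emqx` would also match `coverdata-emqx-enterprise-*`, and the files only stay distinct because `CT_COVER_EXPORT_PREFIX` carries profile/otp/suitegroup; whether the `ct_docker` and `ct` jobs, which use the same prefix for different `matrix.app` values, export distinct file names is not visible here. A comment next to `pattern:` stating both assumptions, e.g. `# prefix glob: a profile that is a prefix of another would pull in both; file uniqueness relies on CT_COVER_EXPORT_PREFIX`, would prevent a quiet loss of coverage data when the matrix grows.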

+ 3 - 3
.github/workflows/scorecard.yaml

@@ -23,12 +23,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -38,7 +38,7 @@ jobs:
           publish_results: true
 
       - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: SARIF file
           path: results.sarif

+ 4 - 4
.github/workflows/spellcheck.yaml

@@ -19,10 +19,10 @@ jobs:
         - emqx-enterprise
     runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }}
     steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
-          name: "${{ matrix.profile }}_schema_dump"
-          path: /tmp/
+          pattern: "${{ matrix.profile }}-schema-dump-*-x64"
+          merge-multiple: true
       - name: Run spellcheck
         run: |
-          bash /tmp/scripts/spellcheck/spellcheck.sh /tmp/_build/docgen/${{ matrix.profile }}/schema-en.json
+          bash scripts/spellcheck/spellcheck.sh _build/docgen/${{ matrix.profile }}/schema-en.json
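Review bot: The download in this hunk now globs `pattern: "${{ matrix.profile }}-schema-dump-*-x64"` with `merge-multiple: true` and no `path:`, so every matching artifact is overlaid onto the workspace root and the job then executes `scripts/spellcheck/spellcheck.sh` from that overlay rather than from a checkout. If more than one artifact matches (the `*` suggests a builder or OTP variant in the name), the last one extracted silently wins for both the script and `schema-en.json`; if exactly one is expected, a comment saying so plus a guard such as `test -x scripts/spellcheck/spellcheck.sh` before the run would make a mismatch fail visibly. Which job uploads these artifacts is outside this section.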

+ 1 - 1
.github/workflows/stale.yaml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Close Stale Issues
-        uses: actions/stale@v6
+        uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
         with:
           days-before-stale: 7
           days-before-close: 7

+ 2 - 2
.github/workflows/static_checks.yaml

@@ -30,14 +30,14 @@ jobs:
         include: ${{ fromJson(inputs.ct-matrix) }}
     container: "ghcr.io/emqx/emqx-builder/${{ matrix.builder }}:${{ matrix.elixir }}-${{ matrix.otp }}-ubuntu22.04"
     steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: ${{ matrix.profile }}
       - name: extract artifact
         run: |
           unzip -o -q ${{ matrix.profile }}.zip
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      - uses: actions/cache@v3
+      - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: "emqx_dialyzer_${{ matrix.otp }}_plt"
           key: rebar3-dialyzer-plt-${{ matrix.profile }}-${{ matrix.otp }}-${{ hashFiles('rebar.*', 'apps/*/rebar.*') }}

+ 5 - 2
.github/workflows/upload-helm-charts.yaml

@@ -9,18 +9,21 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   upload:
     runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
     steps:
-      - uses: aws-actions/configure-aws-credentials@v2
+      - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.event.inputs.tag }}
       - name: Detect profile
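Review bot: With the new `permissions: contents: read` block in place, the `aws-actions/configure-aws-credentials` step still authenticates with long-lived static keys from `secrets.AWS_ACCESS_KEY_ID` / `secrets.AWS_SECRET_ACCESS_KEY`; the v4 action pinned here supports OIDC federation, which replaces stored keys with a short-lived role session and is the usual companion to restricting the token. That means adding `id-token: write` under `permissions:` and passing `role-to-assume: <role ARN>` with `aws-region` instead of the key pair, with the trust policy on the AWS side scoped to this repository and workflow. Separately, `ref: ${{ github.event.inputs.tag }}` only resolves for `workflow_dispatch`; the `on:` block is outside the hunk, so if this workflow is also reachable via `workflow_call`, `inputs.tag` is the form that works for both triggers.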

+ 23 - 0
scripts/bump-actions-versions.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+actions=( 'actions/checkout' 'actions/cache' 'actions/stale' 'actions/upload-artifact' 'actions/download-artifact' 'aws-actions/configure-aws-credentials' 'ossf/scorecard-action' 'erlef/setup-beam' 'slackapi/slack-github-action' 'hashicorp/setup-terraform' 'docker/login-action' 'docker/setup-buildx-action' 'docker/setup-qemu-action' 'actions/setup-java' )
+for a in "${actions[@]}"; do
+    # shellcheck disable=SC2086
+    TAG=$(curl -sSfL -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/$a/releases/latest | jq -r '.tag_name')
+    # shellcheck disable=SC2086
+    TAG_OBJECT=$(curl -sSfL -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/$a/git/ref/tags/$TAG)
+    if [ "$(echo "${TAG_OBJECT}" | jq -r '.object.type')" = "commit" ]; then
+        COMMIT_SHA=$(echo "${TAG_OBJECT}" | jq -r '.object.sha')
+    else
+        TAG_SHA=$(echo "${TAG_OBJECT}" | jq -r '.object.sha')
+        # shellcheck disable=SC2086
+        COMMIT_SHA=$(curl -sSfL -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/$a/git/tags/$TAG_SHA | jq -r '.object.sha')
+    fi
+    echo "Bumping $a to $TAG ($COMMIT_SHA)"
+    sed -i.bak -e "s|uses: $a.*$|uses: $a@$COMMIT_SHA # $TAG|g" .github/workflows/*.yaml
+    sed -i.bak -e "s|uses: $a.*$|uses: $a@$COMMIT_SHA # $TAG|g" .github/actions/*/*.yaml
+    rm .github/workflows/*.bak
+    rm .github/actions/*/*.bak
+done
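Review bot: The `sed` pattern `s|uses: $a.*$|...|g` matches on a bare prefix, so for an entry like `actions/cache` it would also rewrite a sub-path use such as `uses: actions/cache/restore@...` to `uses: actions/cache@<sha>`, silently changing which action runs; anchoring on the `@` — `s|uses: $a@.*$|uses: $a@$COMMIT_SHA # $TAG|g` — limits the rewrite to exact repository matches, and a sub-path form would then need its own entry in `actions`. Two further points: `releases/latest` freely crosses major versions, and this very PR shows such bumps (artifact actions v3 to v4, stale v6 to v9) need hand migration, so printing the pin being replaced next to `Bumping $a to $TAG` would surface that in the run output; and the globs only touch `*.yaml`, so an `action.yml` or `*.yml` file would be left unpinned without any warning. The script is self-contained within this hunk.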