diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 575e605900..8397905630 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -29,15 +29,15 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Initialize CodeQL - uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b + uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@c36620d31ac7c881962c3d9dd939c40ec9434f2b + uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b + uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd diff --git a/.github/workflows/dep-review.yaml b/.github/workflows/dep-review.yaml index caa71f1475..93c961793d 100644 --- a/.github/workflows/dep-review.yaml +++ b/.github/workflows/dep-review.yaml @@ -14,7 +14,7 @@ jobs: egress-policy: audit - name: 'Checkout Repository' - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: 'Dependency Review' uses: actions/dependency-review-action@0659a74c94536054bfa5aeb92241f70d680cc78e diff --git a/.github/workflows/deploy_docs.yaml b/.github/workflows/deploy_docs.yaml index ae8cc76db5..17d0ad332e 100644 --- a/.github/workflows/deploy_docs.yaml +++ b/.github/workflows/deploy_docs.yaml @@ -27,7 +27,7 @@ jobs: run: working-directory: docs steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 
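Review bot: The new `uses:` lines in the codeql.yaml hunk (`actions/checkout@11bd…` and the three `github/codeql-action/*@6624…` lines) pin a full commit SHA but carry no trailing version comment, so the file does not show which release is pinned. Other files in this diff annotate the identical checkout SHA as `# v4.2.2`; I would write `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` here. The codeql-action lines should get a matching `# <tag>` once the tag for that SHA is confirmed upstream. The same applies to the unlabelled checkout pins in dep-review.yaml, patch-docs.yaml and release-pr.yaml, and to the trivy-action pins in test.yaml (the same SHA is labelled `# 0.28.0` in scan-images.yaml).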
@@ -35,7 +35,7 @@ jobs: egress-policy: audit - name: Setup Node - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20.x @@ -44,7 +44,7 @@ jobs: run: echo "dir=$(yarn cache dir)" > $GITHUB_OUTPUT - name: Cache dependencies - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: path: ${{ steps.yarn-cache.outputs.dir }} key: ${{ runner.os }}-website-${{ hashFiles('**/yarn.lock') }} diff --git a/.github/workflows/e2e-build.yaml b/.github/workflows/e2e-build.yaml index 98a6552585..378fa574c2 100644 --- a/.github/workflows/e2e-build.yaml +++ b/.github/workflows/e2e-build.yaml @@ -18,7 +18,7 @@ jobs: with: egress-policy: audit - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: "1.21" check-latest: true @@ -26,7 +26,7 @@ jobs: uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 with: use: true - - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 + - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: key: ${{ runner.OS }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | @@ -36,7 +36,7 @@ jobs: ~/.cache/go-build - uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3.0.0 - name: Check out code into the Go module directory - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: 'echo ${{ inputs.bucket-id }}' - name: Set env run: | 
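Review bot: In e2e-build.yaml the `actions/cache` step (hunk at -26) runs before the checkout step (hunk at -36) of the same job, so `hashFiles('**/go.sum')` is evaluated against a workspace that has no go.sum yet. The expression then likely yields an empty string, leaving a constant `<os>-go-` key that is never invalidated when dependencies change. Moving the checkout step above the cache step fixes this, as release.yaml already does. The same ordering appears in the other e2e-build jobs (hunks at -69/-79, -111/-121, -153/-163) and in test.yaml (hunks at -91/-104). The lines between the two hunks are not visible here, so confirm nothing else populates the workspace first.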
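Review bot: The context line `- run: 'echo ${{ inputs.bucket-id }}'` in the e2e-build.yaml hunk at -36 expands the input into the script text before the shell runs, so shell metacharacters in the value would be interpreted as script rather than data. Who can set `bucket-id` is not visible in this hunk. If an untrusted caller can influence it, pass the value through the environment instead: add `env:` with `BUCKET_ID: ${{ inputs.bucket-id }}` to the step and change the command to `run: echo "$BUCKET_ID"`. The commit does not touch this line, but it sits directly under the bumped checkout step.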
@@ -61,7 +61,7 @@ jobs: with: egress-policy: audit - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: "1.21" check-latest: true @@ -69,7 +69,7 @@ jobs: uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 with: use: true - - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 + - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: key: ${{ runner.OS }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | @@ -79,7 +79,7 @@ jobs: ~/.cache/go-build - uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3.0.0 - name: Check out code into the Go module directory - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set env run: | echo TRIVY_SCANNER_REPO=scanner >> $GITHUB_ENV @@ -103,7 +103,7 @@ jobs: with: egress-policy: audit - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: "1.21" check-latest: true @@ -111,7 +111,7 @@ jobs: uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 with: use: true - - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 + - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: key: ${{ runner.OS }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | 
@@ -121,7 +121,7 @@ jobs: ~/.cache/go-build - uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3.0.0 - name: Check out code into the Go module directory - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set env run: | echo MANAGER_REPO=manager >> $GITHUB_ENV @@ -145,7 +145,7 @@ jobs: with: egress-policy: audit - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: "1.21" check-latest: true @@ -153,7 +153,7 @@ jobs: uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 with: use: true - - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 + - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: key: ${{ runner.OS }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | @@ -163,7 +163,7 @@ jobs: ~/.cache/go-build - uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3.0.0 - name: Check out code into the Go module directory - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set env run: | echo COLLECTOR_REPO=collector >> $GITHUB_ENV diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml index 7b187adaa3..6219689897 100644 --- a/.github/workflows/e2e-test.yaml +++ b/.github/workflows/e2e-test.yaml @@ -24,7 +24,7 @@ jobs: egress-policy: audit - name: Check out code into the Go module directory - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: set-test-matrix run: | readarray -d '' test_dirs < <(find ./test/e2e/tests -mindepth 1 -type d -print0) 
@@ -51,7 +51,7 @@ jobs: with: egress-policy: audit - name: Check out code into the Go module directory - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Fetch Build Artifacts uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: @@ -59,7 +59,7 @@ jobs: path: ${{ github.workspace }}/images merge-multiple: true - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: "1.21" check-latest: true diff --git a/.github/workflows/patch-docs.yaml b/.github/workflows/patch-docs.yaml index 1f0620589a..b8b6d410db 100644 --- a/.github/workflows/patch-docs.yaml +++ b/.github/workflows/patch-docs.yaml @@ -29,7 +29,7 @@ jobs: echo "PATCH_VERSION=${PATCH_VERSION}" >> ${GITHUB_ENV} echo "TAG=${TAG}" >> ${GITHUB_ENV} - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 diff --git a/.github/workflows/release-pr.yaml b/.github/workflows/release-pr.yaml index f5db95a115..61f2bc6589 100644 --- a/.github/workflows/release-pr.yaml +++ b/.github/workflows/release-pr.yaml @@ -23,7 +23,7 @@ jobs: egress-policy: audit - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: "1.21" check-latest: true @@ -62,7 +62,7 @@ jobs: echo "TARGET_BRANCH=main" >> ${GITHUB_ENV} fi - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d0777cff34..ef50a06129 100644 --- a/.github/workflows/release.yaml 
+++ b/.github/workflows/release.yaml @@ -25,14 +25,14 @@ jobs: egress-policy: audit - name: Check out code into the Go module directory - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup buildx instance uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 with: use: true - - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 + - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: key: ${{ runner.OS }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | diff --git a/.github/workflows/scan-images.yaml b/.github/workflows/scan-images.yaml index e1e92e2bbe..d106a7513d 100644 --- a/.github/workflows/scan-images.yaml +++ b/.github/workflows/scan-images.yaml @@ -43,7 +43,7 @@ jobs: - name: Check out code if: github.event_name == 'schedule' || github.event.inputs.version == '' - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build image if: github.event_name == 'schedule' || github.event.inputs.version == '' @@ -51,7 +51,7 @@ jobs: make ${{ matrix.data.build_cmd }} VERSION=${{ env.TAG }} ${{ matrix.data.repo_environment_var }}=${{ env.REGISTRY }}/${{ matrix.data.image }} - name: Scan for vulnerabilities - uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 with: image-ref: ${{ env.REGISTRY }}/${{ matrix.data.image }}:${{ env.TAG }} vuln-type: 'os,library' @@ -90,6 +90,6 @@ jobs: merge-multiple: true - name: Upload results to GitHub Security - uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v2.14.4 + uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v2.14.4 with: sarif_file: ${{ matrix.image }}-results.sarif 
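Review bot: The new line `github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v2.14.4` in scan-images.yaml (hunk at -90) changes the SHA but keeps the old version comment, so the comment no longer describes the pinned commit. The old SHA was labelled `# v2.14.4` here and `# v2.2.4` in scorecard.yml, so these labels were already unreliable before this change. scorecard.yml has the same problem twice: `actions/checkout@11bd… # v3.1.0` should read `# v4.2.2` (the label the other files in this diff give that SHA), and its upload-sarif line still says `# v2.2.4`. Replace each stale comment with the tag the new SHA actually corresponds to, e.g. `# <codeql-action tag>`, so that audits and update tooling that read the comment are not misled.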
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 332dcd3de3..e157847742 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -30,7 +30,7 @@ jobs: egress-policy: audit - name: "Checkout code" - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v3.1.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3.1.0 with: persist-credentials: false @@ -66,6 +66,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v2.2.4 + uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v2.2.4 with: sarif_file: results.sarif diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 6a64e43d96..d063394deb 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -48,9 +48,9 @@ jobs: uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: "1.21" check-latest: true @@ -91,11 +91,11 @@ jobs: with: egress-policy: audit - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: "1.21" check-latest: true - - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 + - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: key: ${{ runner.OS }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | 
@@ -104,7 +104,7 @@ jobs: ~/go/pkg/mod ~/.cache/go-build - name: Check out code into the Go module directory - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Unit test run: make test - name: Codecov upload @@ -124,9 +124,9 @@ jobs: with: egress-policy: audit - name: Check out code into the Go module directory - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: "1.21" check-latest: true @@ -150,7 +150,7 @@ jobs: egress-policy: audit - name: Check out code into the Go module directory - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Get repo run: | @@ -170,7 +170,7 @@ jobs: make docker-build-trivy-scanner TRIVY_SCANNER_REPO=${{ env.REGISTRY }}/${REPO}-trivy-scanner TRIVY_SCANNER_TAG=test - name: Run trivy for remover - uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 with: image-ref: ${{ env.REGISTRY }}/remover:test exit-code: "1" @@ -178,7 +178,7 @@ jobs: vuln-type: "os,library" - name: Run trivy for eraser-manager - uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 with: image-ref: ${{ env.REGISTRY }}/${{ env.REPO }}-manager:test exit-code: "1" 
@@ -186,7 +186,7 @@ jobs: vuln-type: "os,library" - name: Run trivy for collector - uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 with: image-ref: ${{ env.REGISTRY }}/collector:test exit-code: "1" @@ -194,7 +194,7 @@ jobs: vuln-type: "os,library" - name: Run trivy for trivy-scanner - uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 with: image-ref: ${{ env.REGISTRY }}/${{ env.REPO }}-trivy-scanner:test exit-code: "1"