Skip to content

Commit

Permalink
Updated versions of GitHub actions
Browse files Browse the repository at this point in the history
  • Loading branch information
@dotneft
dotneft committed Jul 8, 2024
1 parent 0e59c8e commit 4d3807d
Show file tree
Hide file tree
Showing 8 changed files with 113 additions and 71 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/dependency-review.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
Expand All @@ -27,6 +27,6 @@ jobs:
github.com:443
- name: 'Checkout Repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: 'Dependency Review'
uses: actions/dependency-review-action@be8bc500ee15e96754d2a6f2d34be14e945a46f3 # v4.1.2
uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
4 changes: 2 additions & 2 deletions .github/workflows/dockerhub_description.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ jobs:
- web-service
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
Expand All @@ -57,7 +57,7 @@ jobs:
hub.docker.com:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 1

Expand Down
96 changes: 67 additions & 29 deletions .github/workflows/images_build.yml
View file

Large diffs are not rendered by default.

18 changes: 9 additions & 9 deletions .github/workflows/images_build_rhel.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ on:
- 'Dockerfiles/*/rhel/*'
- 'build.json'
- '!**/README.md'
- '!**/README.html'
- '.github/workflows/images_build_rhel.yml'
workflow_dispatch:
inputs:
Expand All @@ -34,7 +35,6 @@ permissions:
env:
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
AUTO_PUSH_IMAGES: ${{ (! contains(fromJSON('["push"]'), github.event_name) && vars.AUTO_PUSH_IMAGES) || (contains(fromJSON('["workflow_dispatch"]'), github.event_name) && inputs.publish_images == 'true' ) }}

LATEST_BRANCH: ${{ github.event.repository.default_branch }}
TRUNK_GIT_BRANCH: "refs/heads/trunk"
IMAGES_PREFIX: "zabbix-"
Expand Down Expand Up @@ -72,7 +72,7 @@ jobs:
secret_prefix: ${{ steps.branch_info.outputs.secret_prefix }}
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
Expand All @@ -82,7 +82,7 @@ jobs:
objects.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 1
sparse-checkout: ${{ env.MATRIX_FILE }}
Expand Down Expand Up @@ -213,7 +213,7 @@ jobs:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 1

Expand Down Expand Up @@ -244,7 +244,7 @@ jobs:
- name: Build image
id: build_image
uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2.12
uses: redhat-actions/buildah-build@v2.13
with:
context: ${{ format('{0}/{1}/rhel', env.DOCKERFILES_DIRECTORY, matrix.build) }}
layers: false
Expand Down Expand Up @@ -344,7 +344,7 @@ jobs:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 1

Expand Down Expand Up @@ -402,7 +402,7 @@ jobs:
- name: Build image
id: build_image
uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2.12
uses: redhat-actions/buildah-build@v2.13
with:
context: ${{ format('{0}/{1}/rhel', env.DOCKERFILES_DIRECTORY, matrix.build) }}
layers: false
Expand Down Expand Up @@ -502,7 +502,7 @@ jobs:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 1

Expand Down Expand Up @@ -593,7 +593,7 @@ jobs:
- name: Build image
id: build_image
uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2.12
uses: redhat-actions/buildah-build@v2.13
with:
context: ${{ format('{0}/{1}/rhel', env.DOCKERFILES_DIRECTORY, matrix.build) }}
layers: false
Expand Down
30 changes: 17 additions & 13 deletions .github/workflows/images_build_windows.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ env:
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }}

DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
TRUNK_GIT_BRANCH: "refs/heads/trunk"
Expand Down Expand Up @@ -59,15 +60,15 @@ jobs:
sha_short: ${{ steps.branch_info.outputs.sha_short }}
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
Expand Down Expand Up @@ -148,14 +149,15 @@ jobs:
permissions:
contents: read
id-token: write
attestations: write
strategy:
fail-fast: false
matrix:
os: ${{ fromJson(needs.init_build.outputs.os) }}
component: ${{ fromJson(needs.init_build.outputs.components) }}
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
Expand All @@ -169,7 +171,7 @@ jobs:
run: cosign version

- name: Login to DockerHub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
Expand All @@ -192,7 +194,7 @@ jobs:
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }}
images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
Expand Down Expand Up @@ -337,14 +339,15 @@ jobs:
permissions:
contents: read
id-token: write
attestations: write
strategy:
fail-fast: false
matrix:
os: ${{ fromJson(needs.init_build.outputs.os) }}
component: ${{ fromJson(needs.init_build.outputs.components) }}
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
Expand All @@ -358,7 +361,7 @@ jobs:
run: cosign version

- name: Login to DockerHub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
Expand All @@ -381,7 +384,7 @@ jobs:
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }}
images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
Expand Down Expand Up @@ -430,7 +433,7 @@ jobs:
cosign verify `
--certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" `
--certificate-identity-regexp "$Env:IDENITY_REGEX" `
"$Env:BASE_IMAGE"
"$Env:BASE_IMAGE" | jq
- name: Build and push image
id: docker_build
Expand Down Expand Up @@ -564,14 +567,15 @@ jobs:
permissions:
contents: read
id-token: write
attestations: write
strategy:
fail-fast: false
matrix:
os: ${{ fromJson(needs.init_build.outputs.os) }}
component: ${{ fromJson(needs.init_build.outputs.components) }}
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
Expand All @@ -585,7 +589,7 @@ jobs:
run: cosign version

- name: Login to DockerHub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
Expand All @@ -608,7 +612,7 @@ jobs:
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }}
images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}-
Expand Down Expand Up @@ -657,7 +661,7 @@ jobs:
cosign verify `
--certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" `
--certificate-identity-regexp "$Env:IDENITY_REGEX" `
"$Env:BASE_IMAGE"
"$Env:BASE_IMAGE" | jq
- name: Build and push image
id: docker_build
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/rhel_registry_description.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,15 +34,15 @@ jobs:
zabbix_release: ${{ steps.branch_info.outputs.zabbix_release }}
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 1
sparse-checkout: ${{ env.MATRIX_FILE }}
Expand Down Expand Up @@ -98,7 +98,7 @@ jobs:
component: ${{ fromJson(needs.init.outputs.components) }}
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
Expand All @@ -109,7 +109,7 @@ jobs:
pypi.org:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 1

Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/scorecard.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ on:
- cron: '39 3 * * 2'
push:
branches:
- '6.4'
- '7.0'

# Declare default permissions as read only.
permissions: read-all
Expand All @@ -33,12 +33,12 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit

- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

Expand All @@ -65,14 +65,14 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
sarif_file: results.sarif
12 changes: 6 additions & 6 deletions .github/workflows/sonarcloud.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,9 @@ name: SonarCloud analysis

on:
push:
branches: [ "6.4" ]
branches: [ "7.0" ]
pull_request:
branches: [ "6.4" ]
branches: [ "7.0" ]
workflow_dispatch:

permissions:
Expand All @@ -44,21 +44,21 @@ jobs:

steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
# Disabling shallow clone is recommended for improving relevancy of reporting
fetch-depth: 0

- name: Analyze with SonarCloud

# You can pin the exact commit or the version.
# uses: SonarSource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9
uses: SonarSource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
# uses: SonarSource/sonarcloud-github-action@e44258b109568baa0df60ed515909fc6c72cba92
uses: SonarSource/sonarcloud-github-action@e44258b109568baa0df60ed515909fc6c72cba92 # v2.3.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
Expand Down

0 comments on commit 4d3807d

Please sign in to comment.