diff --git a/.github/workflows/_.helm.lint.yaml b/.github/workflows/_.helm.lint.yaml index 1d98f62ef..8e65aac49 100644 --- a/.github/workflows/_.helm.lint.yaml +++ b/.github/workflows/_.helm.lint.yaml @@ -19,12 +19,12 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.9' check-latest: true @@ -39,7 +39,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: restore-asdf @@ -105,8 +105,8 @@ jobs: security-events: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: format: sarif hide-progress: false @@ -119,7 +119,7 @@ jobs: sarif_file: trivy-results.sarif # NOTE: fail the build only if vulnerabilities with severity HIGH or CRITICAL are found - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: exit-code: '1' format: table diff --git a/.github/workflows/_.helm.list-changed.yaml b/.github/workflows/_.helm.list-changed.yaml index e0d20294d..8f1fe6dbd 100644 --- a/.github/workflows/_.helm.list-changed.yaml +++ b/.github/workflows/_.helm.list-changed.yaml @@ -16,11 +16,11 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 10 - - uses: tj-actions/changed-files@0874344d6ebbaa00a27da73276ae7162fadcaf69 # v44.3.0 + - uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44.5.7 id: changed-images with: dir_names: true diff --git a/.github/workflows/_.helm.test.yaml b/.github/workflows/_.helm.test.yaml index d8e6bd703..7e7e7c242 100644 --- a/.github/workflows/_.helm.test.yaml +++ b/.github/workflows/_.helm.test.yaml @@ -20,7 +20,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 @@ -33,12 +33,12 @@ jobs: with: skip_install: ${{ steps.restore-asdf.outputs.cache-hit == 'true' }} - - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.9' check-latest: true - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - - uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0 + - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: cluster_name: kind wait: 30s diff --git a/.github/workflows/_.images.build.yaml b/.github/workflows/_.images.build.yaml index d150cc70a..6b7a865f3 100644 --- a/.github/workflows/_.images.build.yaml +++ b/.github/workflows/_.images.build.yaml @@ -47,7 +47,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 1 @@ -122,13 +122,13 @@ jobs: matrix: platform: ${{ fromJson(needs.metadata.outputs.build-platforms) }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 1 - - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -146,7 +146,7 @@ jobs: com.github.beluga-cloud.ci.workflow.url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/${{ inputs.containerfile }} - - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 + - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 id: build with: context: ${{ needs.metadata.outputs.build-context }} @@ -163,7 +163,7 @@ jobs: DIGEST: ${{ steps.build.outputs.digest }} # NOTE: on production mode, all images are signed - - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 if: ${{ !inputs.dry-run }} - name: Sign 'ghcr.io/${{ github.repository_owner }}/${{ needs.metadata.outputs.image-name }}@${{ steps.build.outputs.digest }}' with GitHub OIDC Token if: ${{ !inputs.dry-run }} @@ -173,7 +173,7 @@ jobs: - name: Rename OCI image artifact before upload if: ${{ inputs.dry-run }} run: mv ${{ needs.metadata.outputs.image-slug }}.tar oci.${{ needs.metadata.outputs.image-slug }}-${{ matrix.platform.arch }}-${{ matrix.platform.os }}.tar - - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: ${{ inputs.dry-run }} with: name: oci.${{ needs.metadata.outputs.image-slug }}-${{ matrix.platform.arch }}-${{ matrix.platform.os }}.tar @@ -208,8 +208,8 @@ jobs: security-events: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: format: sarif hide-progress: false @@ -222,7 +222,7 @@ jobs: sarif_file: trivy-results.sarif # NOTE: fail the build only if vulnerabilities with severity HIGH or CRITICAL are found - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: exit-code: '1' format: table diff --git a/.github/workflows/_.images.lint.yaml b/.github/workflows/_.images.lint.yaml index ac10ff2f4..519040efb 100644 --- a/.github/workflows/_.images.lint.yaml +++ b/.github/workflows/_.images.lint.yaml @@ -15,7 +15,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 with: dockerfile: ${{ inputs.containerfile }} diff --git a/.github/workflows/_.images.list-changed.yaml b/.github/workflows/_.images.list-changed.yaml index 14a1ad741..504cb0bb8 100644 --- a/.github/workflows/_.images.list-changed.yaml +++ b/.github/workflows/_.images.list-changed.yaml @@ -23,11 +23,11 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 10 - - uses: tj-actions/changed-files@0874344d6ebbaa00a27da73276ae7162fadcaf69 # v44.3.0 + - uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44.5.7 id: changed-images with: files: ${{ inputs.pattern }} diff --git a/.github/workflows/_.images.supply-chain.for-artifacts.yaml b/.github/workflows/_.images.supply-chain.for-artifacts.yaml index 306d66494..f83739567 100644 --- a/.github/workflows/_.images.supply-chain.for-artifacts.yaml +++ b/.github/workflows/_.images.supply-chain.for-artifacts.yaml @@ -21,11 +21,11 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 1 - - uses: actions/download-artifact@8caf195ad4b1dee92908e23f56eeb0696f1dd42d # v4.1.5 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 id: download-oci with: name: ${{ inputs.artifact-ref }} @@ -33,13 +33,13 @@ jobs: - name: Extract OCI-Archive for Trivy run: "skopeo copy oci-archive:${{ inputs.artifact-ref }} oci:${{ github.workspace }}/trivy-${{ github.run_id }}" - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: input: trivy-${{ github.run_id }} format: cyclonedx output: sbom.cyclonedx.json - - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: sbom-cyclonedx.${{ inputs.name }}.json path: sbom.cyclonedx.json @@ -53,11 +53,11 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 1 - - uses: actions/download-artifact@8caf195ad4b1dee92908e23f56eeb0696f1dd42d # v4.1.5 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 id: download-oci with: name: ${{ inputs.artifact-ref }} @@ -65,18 +65,18 @@ jobs: - name: Extract OCI-Archive for Trivy run: skopeo copy oci-archive:${{ inputs.artifact-ref }} oci:${{ github.workspace }}/trivy-${{ github.run_id }} - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: input: trivy-${{ github.run_id }} format: cosign-vuln output: vulnerabilities.cosign-vuln.json - - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: cosign-vuln.${{ inputs.name }}.json path: vulnerabilities.cosign-vuln.json # Upload SARIF report for GitHub CodeQL at the same time - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: input: trivy-${{ github.run_id }} format: sarif diff --git a/.github/workflows/_.images.supply-chain.for-registry.yaml b/.github/workflows/_.images.supply-chain.for-registry.yaml index f846062c6..9c35997e0 100644 --- a/.github/workflows/_.images.supply-chain.for-registry.yaml +++ b/.github/workflows/_.images.supply-chain.for-registry.yaml @@ -18,19 +18,19 @@ jobs: id-token: write packages: write steps: - - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: image-ref: ${{ inputs.image-ref }} format: cyclonedx output: sbom.cyclonedx.json - - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Attest SBOM to ${{ inputs.image-ref }} run: cosign attest --yes --replace --predicate sbom.cyclonedx.json --type cyclonedx "${{ inputs.image-ref }}" @@ -45,26 +45,26 @@ jobs: packages: write security-events: write steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: image-ref: ${{ inputs.image-ref }} format: cosign-vuln output: vulnerabilities.cosign-vuln.json - - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Attest vulnerability report to ${{ inputs.image-ref }} run: cosign attest --yes --replace --predicate vulnerabilities.cosign-vuln.json --type vuln "${{ inputs.image-ref }}" # Upload SARIF report for GitHub CodeQL at the same time - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: image-ref: ${{ inputs.image-ref }} format: sarif diff --git a/.github/workflows/push,schedule,workflow_dispatch.asdf.refresh-cache.yaml b/.github/workflows/push,schedule,workflow_dispatch.asdf.refresh-cache.yaml index c03955fb1..31a7c1b6d 100644 --- a/.github/workflows/push,schedule,workflow_dispatch.asdf.refresh-cache.yaml +++ b/.github/workflows/push,schedule,workflow_dispatch.asdf.refresh-cache.yaml @@ -22,7 +22,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 diff --git a/.github/workflows/push.helm.fix-renovate.yml b/.github/workflows/push.helm.fix-renovate.yml index 19bb22666..3a0cbed73 100644 --- a/.github/workflows/push.helm.fix-renovate.yml +++ b/.github/workflows/push.helm.fix-renovate.yml @@ -44,7 +44,7 @@ jobs: with: app_id: ${{ secrets.BOT_ID }} private_key: ${{ secrets.BOT_PKEY }} - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 token: ${{ steps.app_auth.outputs.token }} diff --git a/.github/workflows/push.helm.release.yml b/.github/workflows/push.helm.release.yml index b7449ce3d..b6c63035e 100644 --- a/.github/workflows/push.helm.release.yml +++ b/.github/workflows/push.helm.release.yml @@ -22,7 +22,7 @@ jobs: pages: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 @@ -84,8 +84,8 @@ jobs: matrix: chart: ${{ fromJson(needs.list-changed-charts.outputs.charts) }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: format: sarif hide-progress: false @@ -98,7 +98,7 @@ jobs: sarif_file: trivy-results.sarif # NOTE: fail the build only if vulnerabilities with severity HIGH or CRITICAL are found - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: exit-code: '1' format: table diff --git a/.github/workflows/push.images.release.yaml b/.github/workflows/push.images.release.yaml index b04858d47..2a76634ae 100644 --- a/.github/workflows/push.images.release.yaml +++ b/.github/workflows/push.images.release.yaml @@ -109,7 +109,7 @@ jobs: | jq --raw-output '.artifacts | map("\(.artifact)@sha256:\(.digest) ") | add' ) | tee --append "${GITHUB_OUTPUT}" - - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -121,6 +121,6 @@ jobs: ${{ steps.manifest-options.outputs.images }} docker manifest push ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }} - - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Sign manifest 'ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }}' run: cosign sign --yes ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }} diff --git a/.github/workflows/repository_dispatch,schedule,workflow_dispatch.labels.synchronize.yaml b/.github/workflows/repository_dispatch,schedule,workflow_dispatch.labels.synchronize.yaml index 78c5e4fc1..16db7b321 100644 --- a/.github/workflows/repository_dispatch,schedule,workflow_dispatch.labels.synchronize.yaml +++ b/.github/workflows/repository_dispatch,schedule,workflow_dispatch.labels.synchronize.yaml @@ -14,7 +14,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: beluga-cloud/.github - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 diff --git a/.github/workflows/schedule,workflow_dispatch.images.vulnerabilities.yaml b/.github/workflows/schedule,workflow_dispatch.images.vulnerabilities.yaml index f66308146..08d2f645e 100644 --- a/.github/workflows/schedule,workflow_dispatch.images.vulnerabilities.yaml +++ b/.github/workflows/schedule,workflow_dispatch.images.vulnerabilities.yaml @@ -17,7 +17,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Find all images id: find-images diff --git a/.github/workflows/schedule.helm.test-all.yml b/.github/workflows/schedule.helm.test-all.yml index 10e286074..a7c2afb39 100644 --- a/.github/workflows/schedule.helm.test-all.yml +++ b/.github/workflows/schedule.helm.test-all.yml @@ -17,7 +17,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 1 diff --git a/.github/workflows/workflow_dispatch.helm.release.yml b/.github/workflows/workflow_dispatch.helm.release.yml index a47c2b359..02f04fe6f 100644 --- a/.github/workflows/workflow_dispatch.helm.release.yml +++ b/.github/workflows/workflow_dispatch.helm.release.yml @@ -15,7 +15,7 @@ jobs: pages: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 @@ -69,7 +69,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Find all Containerfiles id: find-charts @@ -94,8 +94,8 @@ jobs: matrix: chart: ${{ fromJson(needs.list-all-charts.outputs.charts) }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: format: sarif hide-progress: false @@ -108,7 +108,7 @@ jobs: sarif_file: trivy-results.sarif # NOTE: fail the build only if vulnerabilities with severity HIGH or CRITICAL are found - - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 + - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: exit-code: '1' format: table diff --git a/.github/workflows/workflow_dispatch.images.release.yaml b/.github/workflows/workflow_dispatch.images.release.yaml index aa247c229..b8f36adea 100644 --- a/.github/workflows/workflow_dispatch.images.release.yaml +++ b/.github/workflows/workflow_dispatch.images.release.yaml @@ -15,7 +15,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Find all Containerfiles id: find-images @@ -119,7 +119,7 @@ jobs: | jq --raw-output '.artifacts | map("\(.artifact)@sha256:\(.digest) ") | add' ) | tee --append "${GITHUB_OUTPUT}" - - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -131,6 +131,6 @@ jobs: ${{ steps.manifest-options.outputs.images }} docker manifest push ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }} - - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Sign manifest 'ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }}' run: cosign sign --yes ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }}