diff --git a/.github/workflows/.reusable-build.yml b/.github/workflows/.reusable-build.yml
index 7519dcbc5..2f2253ca3 100644
--- a/.github/workflows/.reusable-build.yml
+++ b/.github/workflows/.reusable-build.yml
@@ -66,7 +66,7 @@ jobs:
 build_labels: ${{ steps.get_context.outputs.build_labels }}
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Get context
 id: get_context
 uses: ./.github/actions/context
@@ -83,7 +83,7 @@ jobs:
 cosign_public_key: ${{ steps.build.outputs.cosign_public_key }}
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Build Connaisseur
 id: build
 uses: ./.github/actions/build
diff --git a/.github/workflows/.reusable-compliance.yml b/.github/workflows/.reusable-compliance.yml
index 1a338b6e2..4501b2d75 100644
--- a/.github/workflows/.reusable-compliance.yml
+++ b/.github/workflows/.reusable-compliance.yml
@@ -22,7 +22,7 @@ jobs:
 id-token: write
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 with:
 persist-credentials: false
 - name: Analyze
@@ -33,7 +33,7 @@ jobs:
 repo_token: ${{ secrets.SCORECARD_TOKEN }}
 publish_results: ${{ github.ref_name == 'master' }}
 - name: Upload
- uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
+ uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
 with:
 sarif_file: results.sarif
@@ -48,7 +48,7 @@ jobs:
 contents: write
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Review
 uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
@@ -60,7 +60,7 @@ jobs:
 permissions: {}
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 with:
 ref: ${{ github.event.pull_request.head.sha }} # Otherwise will checkout merge commit, which isn't conform
 fetch-depth: ${{ github.event.pull_request.commits }} # Fetch all commits of the MR, but only those
diff --git a/.github/workflows/.reusable-docs.yaml b/.github/workflows/.reusable-docs.yaml
index 6c2bcae4c..c66db0dc1 100644
--- a/.github/workflows/.reusable-docs.yaml
+++ b/.github/workflows/.reusable-docs.yaml
@@ -24,7 +24,7 @@ jobs:
 contents: write
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 with:
 fetch-depth: 0
 - name: Set release env
diff --git a/.github/workflows/.reusable-integration-test.yml b/.github/workflows/.reusable-integration-test.yml
index 21efe5a40..bf001616d 100644
--- a/.github/workflows/.reusable-integration-test.yml
+++ b/.github/workflows/.reusable-integration-test.yml
@@ -62,7 +62,7 @@ jobs:
 - 56243:56243
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Login with registry
 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
@@ -128,7 +128,7 @@ jobs:
 - 56243:56243
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Login with registry
 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
@@ -187,7 +187,7 @@ jobs:
 ]
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Login with registry
 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
@@ -244,7 +244,7 @@ jobs:
 ]
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Login with registry
 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
@@ -298,7 +298,7 @@ jobs:
 ]
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Login with registry
 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
diff --git a/.github/workflows/.reusable-publish.yml b/.github/workflows/.reusable-publish.yml
index cdef08a2e..0e7a3d166 100644
--- a/.github/workflows/.reusable-publish.yml
+++ b/.github/workflows/.reusable-publish.yml
@@ -31,7 +31,7 @@ jobs:
 sudo apt-get update
 sudo apt-get install helm git
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 with:
 fetch-depth: 0
 - name: Lint Helm chart
diff --git a/.github/workflows/.reusable-sast.yml b/.github/workflows/.reusable-sast.yml
index 27e733636..61ad43726 100644
--- a/.github/workflows/.reusable-sast.yml
+++ b/.github/workflows/.reusable-sast.yml
@@ -26,7 +26,7 @@ jobs:
 security-events: write
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Render Helm charts
 run: |
 mkdir deployment
@@ -34,7 +34,7 @@ jobs:
 shell: bash
 - name: Scan
 if: inputs.output == 'table'
- uses: bridgecrewio/checkov-action@b57df8031953b36872c225e6627691100b03bcde # v12.2857.0
+ uses: bridgecrewio/checkov-action@d0e41abbcc8c1103c6ae7e451681d071f05e1c20 # v12.2873.0
 with:
 output_format: cli
 output_file_path: console
@@ -42,7 +42,7 @@ jobs:
 file: deployment/deployment.yaml
 - name: Scan
 if: inputs.output == 'sarif'
- uses: bridgecrewio/checkov-action@b57df8031953b36872c225e6627691100b03bcde # v12.2857.0
+ uses: bridgecrewio/checkov-action@d0e41abbcc8c1103c6ae7e451681d071f05e1c20 # v12.2873.0
 with:
 output_file_path: console,checkov-results.sarif
 output_format: cli,sarif
@@ -50,7 +50,7 @@ jobs:
 file: deployment/deployment.yaml
 - name: Upload
 if: inputs.output == 'sarif'
- uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
+ uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
 with:
 sarif_file: checkov-results.sarif
@@ -66,13 +66,13 @@ jobs:
 security-events: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Initialize CodeQL
- uses: github/codeql-action/init@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
+ uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
 with:
 languages: 'go'
 - name: Analyze
- uses: github/codeql-action/analyze@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
+ uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
 golangci-lint:
 runs-on: ubuntu-latest
@@ -83,7 +83,7 @@ jobs:
 security-events: write
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 cache: false
@@ -103,19 +103,19 @@ jobs:
 security-events: write
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Analyze
- uses: securego/gosec@6fbd381238e97e1d1f3358f0d6d65de78dcf9245 # v2.20.0
+ uses: securego/gosec@be8bd6e40be105333f2bc783ba8d688154441559 # v2.21.3
 if: inputs.output == 'table'
 with:
 args: '-fmt text -exclude-dir=test -exclude-dir=tools ./...'
 - name: Analyze
- uses: securego/gosec@6fbd381238e97e1d1f3358f0d6d65de78dcf9245 # v2.20.0
+ uses: securego/gosec@be8bd6e40be105333f2bc783ba8d688154441559 # v2.21.3
 if: inputs.output == 'sarif'
 with:
 args: '-exclude-dir=test -exclude-dir=tools -no-fail -fmt sarif -out gosec-results.sarif ./...'
 - name: Upload
- uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
+ uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
 if: inputs.output == 'sarif'
 with:
 sarif_file: 'gosec-results.sarif'
@@ -130,7 +130,7 @@ jobs:
 security-events: write
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Scan
 uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
 if: inputs.output == 'table'
@@ -147,7 +147,7 @@ jobs:
 no-fail: true
 output-file: hadolint-results.sarif
 - name: Upload
- uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
+ uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
 if: inputs.output == 'sarif'
 with:
 sarif_file: 'hadolint-results.sarif'
@@ -162,7 +162,7 @@ jobs:
 security-events: write
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Scan
 uses: stackrox/kube-linter-action@5792edc6a03735d592b13c08201711327a935735 # v1.0.5
 if: inputs.output == 'table'
@@ -179,7 +179,7 @@ jobs:
 format: sarif
 output-file: kubelinter-results.sarif
 - name: Upload
- uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
+ uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
 if: inputs.output == 'sarif'
 with:
 sarif_file: 'kubelinter-results.sarif'
@@ -196,7 +196,7 @@ jobs:
 image: returntocorp/semgrep
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Scan
 if: inputs.output == 'table'
 run: semgrep ci --config=auto --suppress-errors --text
@@ -204,7 +204,7 @@ jobs:
 if: inputs.output == 'sarif'
 run: semgrep ci --config=auto --suppress-errors --sarif --output=semgrep-results.sarif || exit 0
 - name: Upload
- uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
+ uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
 if: inputs.output == 'sarif'
 with:
 sarif_file: semgrep-results.sarif
@@ -220,7 +220,7 @@ jobs:
 security-events: write
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Run Trivy
 uses: ./.github/actions/trivy-config
 with:
diff --git a/.github/workflows/.reusable-sca.yml b/.github/workflows/.reusable-sca.yml
index 62f974f69..9d953073f 100644
--- a/.github/workflows/.reusable-sca.yml
+++ b/.github/workflows/.reusable-sca.yml
@@ -41,7 +41,7 @@ jobs:
 image: docker:stable
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Run
 uses: ./.github/actions/trivy-image
 with:
@@ -64,7 +64,7 @@ jobs:
 image: docker:stable
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Run
 uses: ./.github/actions/grype
 with:
diff --git a/.github/workflows/.reusable-unit-test.yml b/.github/workflows/.reusable-unit-test.yml
index 49b0912b8..7dd23583d 100644
--- a/.github/workflows/.reusable-unit-test.yml
+++ b/.github/workflows/.reusable-unit-test.yml
@@ -17,7 +17,7 @@ jobs:
 if: inputs.skip != 'all'
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Setup
 uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
diff --git a/.github/workflows/dockerhub-check.yml b/.github/workflows/dockerhub-check.yml
index 0b7a84644..9ab2a0a74 100644
--- a/.github/workflows/dockerhub-check.yml
+++ b/.github/workflows/dockerhub-check.yml
@@ -10,7 +10,7 @@ jobs:
 dockerhub-check:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Install yq
 run: sudo snap install yq
 - name: Check main image
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 30eac2ef3..11870c64f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -36,7 +36,7 @@ jobs:
 needs: [build]
 steps:
 - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Ensure version equality
 run: |
 IMAGE_TAG=${{ needs.build.outputs.original_tag }}