diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 4d2a6705..f052deed 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -2,7 +2,11 @@
 $schema: "https://docs.renovatebot.com/renovate-schema.json",
 extends: [
 "config:recommended",
- "helpers:pinGitHubActionDigests",
+ // Pin Action digests AND write the full semver (e.g. `# v6.0.2`) as the
+ // comment, not the major (`# v6`). zizmor's `ref-version-mismatch` audit
+ // (run via MegaLinter) fails when the comment doesn't match the exact tag
+ // the pinned SHA resolves to.
+ "helpers:pinGitHubActionDigestsToSemver",
 ":semanticCommits",
 ":timezone(Europe/London)",
 ],
diff --git a/.github/workflows/_build-container.yml b/.github/workflows/_build-container.yml
index 7cd4607b..64edf32d 100644
--- a/.github/workflows/_build-container.yml
+++ b/.github/workflows/_build-container.yml
@@ -24,7 +24,7 @@ jobs:
 build:
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
@@ -35,7 +35,7 @@ jobs:
 env:
 IMAGE_NAME: ${{ inputs.image_registry }}/${{ inputs.image_name }}
- - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+ - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
 with:
 install: true
@@ -50,7 +50,7 @@ jobs:
 chmod +x install.sh
 - name: Log in to GHCR
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ${{ inputs.image_registry }}
 username: ${{ github.actor }}
@@ -127,7 +127,7 @@ jobs:
 rm -rf "$work"
 - name: Attest container provenance
- uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
+ uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
 with:
 subject-name: ${{ steps.image.outputs.name }}
 subject-digest: ${{ steps.push.outputs.digest }}
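Review bot: The new comment in the `extends` array explains what the preset emits but not what the `# vX.Y.Z` annotation is worth, which is the point a contributor needs: the runner resolves the 40-character SHA and never reads the comment, so a stale or wrong comment only misleads reviewers about which release a digest really is, and the audit exists to keep that annotation honest. It also leaves out the one case where the comment and SHA now diverge, a hand-edited pin, which this preset does not touch. I'd extend the comment with `// The SHA is the effective pin; the comment is advisory. If you bump a digest by hand, set the comment to the exact tag the new SHA resolves to, or the audit fails.` Whether the audit can resolve SHA-to-tag inside the MegaLinter container without GitHub API access is not visible here and is worth confirming, since the check only protects the repo when it actually runs.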
diff --git a/.github/workflows/_upload-scripts.yml b/.github/workflows/_upload-scripts.yml
index 39724568..01857b37 100644
--- a/.github/workflows/_upload-scripts.yml
+++ b/.github/workflows/_upload-scripts.yml
@@ -23,11 +23,11 @@ jobs:
 upload:
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+ - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
 with:
 install: true
@@ -54,7 +54,7 @@ jobs:
 --clobber
 - name: Attest install script provenance
- uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
+ uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
 with:
 subject-path: |
 install.sh
diff --git a/.github/workflows/badgesort.yml b/.github/workflows/badgesort.yml
index 829027bd..2af18a5d 100644
--- a/.github/workflows/badgesort.yml
+++ b/.github/workflows/badgesort.yml
@@ -23,7 +23,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
diff --git a/.github/workflows/e2e-install.yml b/.github/workflows/e2e-install.yml
index f30c0e51..fc60704c 100644
--- a/.github/workflows/e2e-install.yml
+++ b/.github/workflows/e2e-install.yml
@@ -50,11 +50,11 @@ jobs:
 # kics-scan ignore-line — ephemeral CI-only Vaultwarden test password (not a repo secret).
 BW_PASSWORD: "CiTestPassword123!"
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+ - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
 with:
 install: true
@@ -118,11 +118,11 @@ jobs:
 if: github.event.action != 'closed'
 runs-on: windows-2025
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+ - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
 with:
 install: true
@@ -172,11 +172,11 @@ jobs:
 if: github.event.action != 'closed'
 runs-on: macos-26
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+ - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
 with:
 install: true
diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml
index 8f268c2d..55b39a24 100644
--- a/.github/workflows/megalinter.yml
+++ b/.github/workflows/megalinter.yml
@@ -21,7 +21,7 @@ jobs:
 runs-on: ubuntu-24.04
 if: github.event.action != 'closed' && (github.event_name == 'pull_request' || !contains(github.actor, '[bot]'))
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -36,6 +36,6 @@ jobs:
 - name: Upload SARIF report
 if: always()
- uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
+ uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 with:
 sarif_file: megalinter-reports/megalinter-report.sarif
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2f6de36d..8c8ce96d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Release Please
 id: rp
- uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5
+ uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
 # --- Build and attest container image (reusable workflow for SLSA L3) ---
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 55dc3d82..2bde84ae 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -19,11 +19,11 @@ jobs:
 os: [ubuntu-24.04, windows-2025]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+ - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
 with:
 install: true
diff --git a/.github/workflows/wiki-sync.yml b/.github/workflows/wiki-sync.yml
index 100fbc70..caeeb139 100644
--- a/.github/workflows/wiki-sync.yml
+++ b/.github/workflows/wiki-sync.yml
@@ -20,7 +20,7 @@ jobs:
 sync-wiki:
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false