diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 5b40e75..e32852b 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -69,24 +69,24 @@ jobs:
BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
IS_PUBLIC_BUILD: ${{ needs.generate-version.outputs.is-public-build }}
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Setup QEMU
- uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+ uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
with:
platforms: arm64
- - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+ - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
id: buildx
with:
install: true
version: latest
- - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker Meta
id: meta
- uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
with:
images: ${{ env.IMAGE_NAME }}
tags: |
@@ -94,7 +94,7 @@ jobs:
type=raw,value=pr-artifact,enable=${{ github.event_name == 'pull_request' }}
type=raw,value=dispatch-artifact,enable=${{ github.event_name == 'workflow_dispatch' }}
type=raw,value=release-artifact,enable=${{ needs.generate-version.outputs.version != '0.0.1' }}
- - uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+ - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
id: build
with:
file: Dockerfile
@@ -114,8 +114,8 @@ jobs:
env:
BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0
- name: Generate Manifests (Prod)
run: |
set -xe
@@ -147,7 +147,7 @@ jobs:
cp manifests/install/all/crds/crds.yaml ./crds.yaml
shell: bash
- name: Publish (Artifacts)
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: manifests
path: |
@@ -161,9 +161,9 @@ jobs:
env:
BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0
- - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0
+ - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
with:
version: v3.19.2
- name: Generate Chart
@@ -184,21 +184,21 @@ jobs:
| tee ./manifests/helm/dist/output.yaml
shell: bash
- name: Publish (Chart)
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: helm-chart
path: |
manifests/helm/dist/*.tgz
retention-days: 7
- name: Publish (Schema)
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: helm-schema
path: |
manifests/helm/values.schema.json
retention-days: 7
- name: Publish (Manifests)
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: helm-manifests
path: |
@@ -225,19 +225,19 @@ jobs:
IMAGE: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
if: ${{ github.event_name != 'pull_request' }} # should match push logic in build-image
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- - uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
+ - uses: nolar/setup-k3d-k3s@62c9d1bd2bc843275c85d2e7dcd696edc1160eee # v1.1.0
name: Deploy K3d
with:
version: v${{ matrix.k3s-version }}
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Import Images
- uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+ uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
with:
timeout_minutes: 10
max_attempts: 5
@@ -263,7 +263,7 @@ jobs:
kubectl apply -k manifests/examples/testing
shell: bash
- name: Setup .NET SDK
- uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
+ uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
with:
dotnet-version: 10.0.x
- name: Execute Functional Tests
@@ -272,7 +272,7 @@ jobs:
dotnet test ./tests/Contrast.K8s.AgentOperator.FunctionalTests/Contrast.K8s.AgentOperator.FunctionalTests.csproj
shell: bash
- name: Dump Operator Logs
- uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+ uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
if: ${{ always() }}
with:
timeout_minutes: 10
@@ -303,9 +303,9 @@ jobs:
fail-fast: false
steps:
- name: Setup Pluto
- uses: fairwindsops/pluto/github-action@d45f6d122de3d99fc4b7576592939ff62655db66 # v5.21.1
+ uses: fairwindsops/pluto/github-action@dd5ec8cccce5e42dfe8054b8250baa35546056a0 # v5.24.0
- name: Setup Polaris
- uses: fairwindsops/polaris/.github/actions/setup-polaris@80e6f7214ee611feb8a0ad2f8be6e58f822b868b # v9.6.1
+ uses: fairwindsops/polaris/.github/actions/setup-polaris@1fdfec73a1a6611078cad745340ad2f0ae0f7db7 # v10.2.0
with:
version: 7.2.0
- name: Setup Kubeconform
@@ -315,7 +315,7 @@ jobs:
tar xf kubeconform-linux-amd64.tar.gz
sudo install kubeconform /usr/local/bin/kubeconform
- name: Download Manifests
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
id: download-artifacts
with:
name: ${{ matrix.artifact }}
@@ -372,16 +372,16 @@ jobs:
IMAGE_NAME: ghcr.io/contrast-security-oss/agent-operator/operator
if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }}
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Login (GitHub)
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker Meta
id: meta
- uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
with:
images: ${{ env.IMAGE_NAME }}
tags: |
@@ -390,7 +390,7 @@ jobs:
type=semver,pattern={{major}},value=${{ env.BUILD_VERSION }},enable=${{ needs.generate-version.outputs.is-release == 'true' }}
type=raw,latest,enable=${{ needs.generate-version.outputs.is-release == 'true' }}
- name: Tag for Release
- uses: akhilerm/tag-push-action@f35ff2cb99d407368b5c727adbcc14a2ed81d509 # v2.2.0
+ uses: akhilerm/tag-push-action@eadeefebd39db8a47e146115649adae1fce576a6 # v2.3.0
with:
src: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
dst: |
@@ -415,27 +415,27 @@ jobs:
BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
if: ${{ needs.generate-version.outputs.version != '0.0.1' }}
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Login (GitHub)
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login (Dockerhub)
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PAT }}
- name: Login (Quay)
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Docker Meta
id: dockerhub-meta
- uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
with:
images: |
docker.io/contrast/agent-operator
@@ -447,17 +447,17 @@ jobs:
type=semver,pattern={{major}},value=${{ env.BUILD_VERSION }},enable=${{ needs.generate-version.outputs.is-release == 'true' }}
type=raw,latest,enable=${{ needs.generate-version.outputs.is-release == 'true' }}
- name: Tag for Release
- uses: akhilerm/tag-push-action@f35ff2cb99d407368b5c727adbcc14a2ed81d509 # v2.2.0
+ uses: akhilerm/tag-push-action@eadeefebd39db8a47e146115649adae1fce576a6 # v2.3.0
with:
src: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
dst: |
${{ steps.dockerhub-meta.outputs.tags }}
- - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
id: download-manifests
with:
name: manifests
path: ./artifacts/manifests
- - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
id: download-schema
with:
name: helm-schema
@@ -482,7 +482,7 @@ jobs:
immutableCreate: true
prerelease: ${{ needs.generate-version.outputs.is-release == 'false' }} # pre-releases will have is-release false
- name: Publish Helm Chart
- uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
+ uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
if: ${{ needs.generate-version.outputs.is-release == 'true' }}
with:
token: ${{ secrets.GH_PR_WRITE_PAT }}
@@ -506,7 +506,7 @@ jobs:
# SENTRY_ORG: sentry
# SENTRY_PROJECT: agent-operator
# SENTRY_URL: https://sentry.prod.dotnet.contsec.com
- - uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
+ - uses: act10ns/slack@d96404edccc6d6467fc7f8134a420c851b1e9054 # v2.2.0
if: ${{ needs.generate-version.outputs.is-release == 'true' }}
with:
status: ${{ job.status }}
diff --git a/.github/workflows/wiz-scan.yml b/.github/workflows/wiz-scan.yml
index b26038b..b550188 100644
--- a/.github/workflows/wiz-scan.yml
+++ b/.github/workflows/wiz-scan.yml
@@ -22,7 +22,7 @@ jobs:
contents: read
steps:
- name: Checkout repo
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Build the Docker image
run: docker build . --tag agent-operator:dev
@@ -38,7 +38,7 @@ jobs:

- name: Capture Wiz Output
if: always()
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: agent-operator-wiz-report
path: |