diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index 2c3624304b..f8882389bd 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -24,7 +24,7 @@ jobs:
     name: Action lint
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: block
           allowed-endpoints: >
diff --git a/.github/workflows/autodocs-platform.yaml b/.github/workflows/autodocs-platform.yaml
index c3e29c909e..e35a6165d1 100644
--- a/.github/workflows/autodocs-platform.yaml
+++ b/.github/workflows/autodocs-platform.yaml
@@ -22,7 +22,7 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: audit
@@ -30,7 +30,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: 'Setup gitsign'
-        uses: chainguard-dev/actions/setup-gitsign@0cba302c40fce067ec0d39f1d91b10580d4b06b0 # v1.6.16
+        uses: chainguard-dev/actions/setup-gitsign@c69a264ec2a5934c3186c618f368fc1c86f16cff # v1.6.19
       - name: Authenticate to Google Cloud
         id: auth
diff --git a/.github/workflows/build-terminal-images.yaml b/.github/workflows/build-terminal-images.yaml
index bb2a8ac6a3..fb202597d3 100644
--- a/.github/workflows/build-terminal-images.yaml
+++ b/.github/workflows/build-terminal-images.yaml
@@ -34,11 +34,11 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: audit
-      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
       - name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
index a1711b22f2..4e61696252 100644
--- a/.github/workflows/check-links.yaml
+++ b/.github/workflows/check-links.yaml
@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: audit
diff --git a/.github/workflows/cloud-run.yaml b/.github/workflows/cloud-run.yaml
index 73a02c1759..d3802fb8bc 100644
--- a/.github/workflows/cloud-run.yaml
+++ b/.github/workflows/cloud-run.yaml
@@ -23,7 +23,7 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: audit
diff --git a/.github/workflows/compile-ai-docs-from-gcs.yaml b/.github/workflows/compile-ai-docs-from-gcs.yaml
index bc154829fe..eb60f3bb28 100644
--- a/.github/workflows/compile-ai-docs-from-gcs.yaml
+++ b/.github/workflows/compile-ai-docs-from-gcs.yaml
@@ -28,7 +28,7 @@ jobs:
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -210,7 +210,7 @@ jobs:
       - name: Install cosign
         if: github.ref == 'refs/heads/main'
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
       - name: Login to GHCR
         if: github.ref == 'refs/heads/main'
diff --git a/.github/workflows/compile-docs-on-webhook.yml b/.github/workflows/compile-docs-on-webhook.yml
index 99a01d1a13..2c5073bd0c 100644
--- a/.github/workflows/compile-docs-on-webhook.yml
+++ b/.github/workflows/compile-docs-on-webhook.yml
@@ -21,7 +21,7 @@ jobs:
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: audit
diff --git a/.github/workflows/compile-docs.yml b/.github/workflows/compile-docs.yml
index f764190386..5fbf5aea05 100644
--- a/.github/workflows/compile-docs.yml
+++ b/.github/workflows/compile-docs.yml
@@ -33,7 +33,7 @@ jobs:
     steps:
       - name: Harden the runner
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -166,7 +166,7 @@ jobs:
           tar -tzf chainguard-complete-docs.tar.gz > /dev/null
       - name: Install cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
       - name: Sign documentation with cosign
         run: |
diff --git a/.github/workflows/compile-public-docs.yml b/.github/workflows/compile-public-docs.yml
index 66ee1b3153..045933a18e 100644
--- a/.github/workflows/compile-public-docs.yml
+++ b/.github/workflows/compile-public-docs.yml
@@ -37,7 +37,7 @@ jobs:
     steps:
       - name: Harden the runner
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -69,7 +69,7 @@ jobs:
           python-version: '3.10'
       - name: Install cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
       - name: Install dependencies
         run: |
diff --git a/.github/workflows/export-edu-docs-to-gcs.yaml b/.github/workflows/export-edu-docs-to-gcs.yaml
index 5a213fbdbc..8803b54a2a 100644
--- a/.github/workflows/export-edu-docs-to-gcs.yaml
+++ b/.github/workflows/export-edu-docs-to-gcs.yaml
@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: audit
diff --git a/.github/workflows/rumble-vulnerability-data.yaml b/.github/workflows/rumble-vulnerability-data.yaml
index 1170f95ed1..52b8f2022e 100644
--- a/.github/workflows/rumble-vulnerability-data.yaml
+++ b/.github/workflows/rumble-vulnerability-data.yaml
@@ -28,7 +28,7 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: audit
diff --git a/.github/workflows/validate-nginx-config.yaml b/.github/workflows/validate-nginx-config.yaml
index 4f26cb711f..c515db3f18 100644
--- a/.github/workflows/validate-nginx-config.yaml
+++ b/.github/workflows/validate-nginx-config.yaml
@@ -18,7 +18,7 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: audit
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index 49fe93e4d4..876f948e39 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -26,7 +26,7 @@ jobs:
       contents: read # Clone the repository
       security-events: write # Upload SARIF results to Code Scanning
     steps:
-      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: block
           allowed-endpoints: >