From 5b25704b7a51ab940e212d8f6de8ed460dc07449 Mon Sep 17 00:00:00 2001
From: avivkeller
Date: Mon, 28 Jul 2025 09:30:43 -0400
Subject: [PATCH 1/2] chore(ci): harden
---
 .github/dependabot.yml | 6 ++++++
 .github/workflows/docker.yml | 28 +++++++++++++++++-----------
 2 files changed, 23 insertions(+), 11 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..3a626c3a
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: monthly
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index c728d134..b92e8eac 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
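Review bot: `interval: monthly` is a long refresh window once every action in docker.yml is pinned to a commit SHA, since from this commit on those pins only move when Dependabot opens a pull request; `interval: weekly` would shorten the time a security release of a pinned action waits before being picked up. The file also lists only the `github-actions` ecosystem, while the workflow it accompanies builds `${{ matrix.package }}/Dockerfile` images and runs `yarn install`, so base images and npm dependencies are not on any update schedule here — whether they belong in this file depends on how the repository manages them, which the patch does not show. A leading `---` document marker would match the usual yamllint `document-start` convention for a new YAML file.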
@@ -20,40 +20,46 @@ jobs:
 - apps/telegram
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
- - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v3
+ - name: Use Node.js LTS
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
- node-version: ${{ matrix.node-version }}
+ node-version: lts/*
 - run: yarn install
 - name: Write commit hash in the assets directory
- run: echo -n "${{ github.sha }}" > assets/git-commit-hash.txt
+ run: echo -n "$SHA" > assets/git-commit-hash.txt
+ env:
+ SHA: ${{ github.sha }}
 - run: yarn build
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Extract package name
- run: echo "PACKAGE_NAME=$(basename ${{ matrix.package }})" >> $GITHUB_ENV
+ run: echo "PACKAGE_NAME=$(basename $PACKAGE)" >> $GITHUB_ENV
+ env:
+ PACKAGE: ${{ matrix.package }}
 - name: 'Image metadata for ${{ env.PACKAGE_NAME }}'
 id: image_meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
 with:
 images: ghcr.io/${{ github.repository }}/${{ env.PACKAGE_NAME }}
 - name: 'BFF: Build and push ${{ env.PACKAGE_NAME }}'
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 context: .
 file: ${{ matrix.package }}/Dockerfile
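Review bot: The login step hands `secrets.GITHUB_TOKEN` to `docker/login-action`, and nothing in this hunk limits what that token may do; the workflow header before line 20 is outside the hunk, so if it does not already declare a top-level `permissions:` block, this hardening pass should add one granting only `contents: read` and `packages: write` instead of the repository's default token scope. The rewritten Extract package name step also leaves both expansions unquoted in `run: echo "PACKAGE_NAME=$(basename $PACKAGE)" >> $GITHUB_ENV`; `basename "$PACKAGE"` and `>> "$GITHUB_ENV"` keep the step word-splitting-safe now that the value arrives through an environment variable rather than template expansion. Moving `${{ github.sha }}` and `${{ matrix.package }}` into `env:` is the right shape for the two `run:` lines; the remaining `${{ }}` uses in this hunk sit in `name:` and `with:` fields, which GitHub does not pass through a shell.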
@@ -63,7 +69,7 @@ jobs:
 builder: ${{ steps.setup-buildx.outputs.name }}
 platforms: linux/amd64
- - uses: cowprotocol/autodeploy-action@v2
+ - uses: cowprotocol/autodeploy-action@0c950eb2856af4f520a652b59e786bd349516480 # v2
 if: ${{ github.ref == 'refs/heads/main' }}
 with:
 images: ghcr.io/cowprotocol/bff/${{ env.PACKAGE_NAME }}:main
From dcb2534771ce65856d3074e810aa202572ad3a00 Mon Sep 17 00:00:00 2001
From: Aviv Keller
Date: Mon, 28 Jul 2025 09:40:55 -0400
Subject: [PATCH 2/2] add id
---
 .github/workflows/docker.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index b92e8eac..7f6562f3 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -38,6 +38,7 @@ jobs:
 - run: yarn build
 - name: Set up Docker Buildx
+ id: setup-buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 - name: Login to GitHub Container Registry