diff --git a/.github/workflows/clean-branch-cache.yml b/.github/workflows/clean-branch-cache.yml index 8516b80..72ad7ef 100644 --- a/.github/workflows/clean-branch-cache.yml +++ b/.github/workflows/clean-branch-cache.yml @@ -17,7 +17,7 @@ jobs: permissions: actions: write steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml index 157473b..39b321f 100644 --- a/.github/workflows/docker-build-and-push.yml +++ b/.github/workflows/docker-build-and-push.yml @@ -102,7 +102,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo: ${{ inputs.disable-sudo }} egress-policy: block @@ -129,7 +129,7 @@ jobs: with: cache-binary: false - name: Log in to the Container registry - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 if: inputs.push with: registry: ${{ inputs.registry }} @@ -146,7 +146,7 @@ jobs: - name: Build and push id: build if: inputs.push - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: annotations: ${{ steps.metadata.outputs.annotations }} cache-from: type=gha @@ -161,7 +161,7 @@ jobs: - name: Build push locally id: build-local if: ${{ !inputs.push }} - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: cache-from: type=gha cache-to: type=gha,mode=max @@ -186,7 +186,7 @@ jobs: echo "local_image_ref=${LOCAL_IMAGE_REF}" } >> "${GITHUB_OUTPUT}" - name: Run Trivy Scan - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 if: inputs.scan-image with: format: sarif @@ -197,7 +197,7 @@ jobs: output: ${{ inputs.working-directory }}/trivy_results.sarif github-pat: ${{ secrets.GITHUB_TOKEN }} - name: Generate SBOM - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 if: inputs.push with: format: spdx-json @@ -214,7 +214,7 @@ jobs: create-storage-record: ${{ startsWith(inputs.registry, 'ghcr.io') }} sbom-path: ${{ inputs.working-directory }}/sbom.spdx.json - name: Install cosign - uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 + uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 if: inputs.push && inputs.sign-image - name: Sign image if: inputs.push && inputs.sign-image @@ -238,7 +238,7 @@ jobs: echo -n "$(cat ./trivy_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD" - name: Upload results if: ${{ inputs.scan-image && inputs.upload-sarif }} - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif category: container-security diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 32c1dff..bac398d 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -25,7 +25,7 @@ jobs: runs-on: ${{ inputs.runs-on }} if: (github.actor != 'dependabot[bot]') steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 81be3eb..f069fc8 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -34,7 +34,7 @@ jobs: pull-requests: write checks: write steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -70,7 +70,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -107,7 +107,7 @@ jobs: permissions: contents: write steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block diff --git a/.github/workflows/go-security-scan.yml b/.github/workflows/go-security-scan.yml index 4a3357b..defd0e0 100644 --- a/.github/workflows/go-security-scan.yml +++ b/.github/workflows/go-security-scan.yml @@ -33,7 +33,7 @@ jobs: env: GO111MODULE: on steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo: ${{ inputs.disable-sudo }} egress-policy: block @@ -61,7 +61,7 @@ jobs: run: | echo -n "$(cat ./gosec-results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD" - name: Upload results - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: '${{ inputs.working-directory }}/gosec-results.sarif' category: sast diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml index f6332f5..6aff560 100644 --- a/.github/workflows/infra-security-scan.yml +++ b/.github/workflows/infra-security-scan.yml @@ -34,7 +34,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo: ${{ inputs.disable-sudo }} egress-policy: block @@ -64,7 +64,7 @@ jobs: enable_jobs_summary: true comments_with_queries: true - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: ${{ inputs.working-directory }}/kics_results.sarif category: devops @@ -78,7 +78,7 @@ jobs: pull-requests: write security-events: write steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo: ${{ inputs.disable-sudo }} egress-policy: block @@ -94,14 +94,14 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: reviewdog/action-actionlint@0d952c597ef8459f634d7145b0b044a9699e5e43 # v1.71.0 + - uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0 continue-on-error: true with: fail_level: any filter_mode: nofilter tool_name: actionlint - name: Install uv - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: enable-cache: true - name: Run zizmor @@ -118,7 +118,7 @@ jobs: run: | echo -n "$(cat ./zizmor_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD" - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: zizmor_results.sarif category: github-actions diff --git a/.github/workflows/local-auto-tagger.yml b/.github/workflows/local-auto-tagger.yml index 2d922f1..baa3311 100644 --- a/.github/workflows/local-auto-tagger.yml +++ b/.github/workflows/local-auto-tagger.yml @@ -17,7 +17,7 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo: true egress-policy: block @@ -31,7 +31,7 @@ jobs: persist-credentials: false - name: Get changed files for each workflow and action id: changed-files - uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5 + uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6 with: files_yaml: | cleanup-cache: diff --git a/.github/workflows/pulumi-preview.yml b/.github/workflows/pulumi-preview.yml index 62536f3..e430f22 100644 --- a/.github/workflows/pulumi-preview.yml +++ b/.github/workflows/pulumi-preview.yml @@ -55,7 +55,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -80,7 +80,7 @@ jobs: python-version: ${{ inputs.python-version }} # ----- Poetry ----- - - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }} with: path: ~/.local/bin/ @@ -94,12 +94,12 @@ jobs: installer-parallel: true # ----- UV ----- - - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 + - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }} with: enable-cache: true - id: cache-deps - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ${{ inputs.working-directory }}/.venv @@ -116,17 +116,17 @@ jobs: # kics-scan ignore-line requested-token-type: urn:pulumi:token-type:access_token:personal scope: user:notdodo - - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ${{ env.PULUMI_HOME }}/plugins key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }} - - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 + - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} aws-region: ${{ inputs.aws-region }} retry-max-attempts: 2 - - uses: aws-actions/aws-secretsmanager-get-secrets@3a411b6ec5cace3d626412dd917e7bfeac242cfa # v3.0.0 + - uses: aws-actions/aws-secretsmanager-get-secrets@2cb1a461cbd4865ac4299648312e4704c646cd53 # v3.0.1 if: ${{ inputs.aws-role != '' }} with: secret-ids: > diff --git a/.github/workflows/pulumi-up.yml b/.github/workflows/pulumi-up.yml index 199045e..3ca16c0 100644 --- a/.github/workflows/pulumi-up.yml +++ b/.github/workflows/pulumi-up.yml @@ -54,7 +54,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -79,7 +79,7 @@ jobs: python-version: ${{ inputs.python-version }} # ----- Poetry ----- - - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }} with: path: ~/.local/bin/ @@ -93,12 +93,12 @@ jobs: installer-parallel: true # ----- UV ----- - - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 + - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }} with: enable-cache: true - id: cache-deps - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ${{ inputs.working-directory }}/.venv @@ -115,17 +115,17 @@ jobs: # kics-scan ignore-line requested-token-type: urn:pulumi:token-type:access_token:personal scope: user:notdodo - - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ${{ env.PULUMI_HOME }}/plugins key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }} - - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 + - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} aws-region: ${{ inputs.aws-region }} retry-max-attempts: 2 - - uses: aws-actions/aws-secretsmanager-get-secrets@3a411b6ec5cace3d626412dd917e7bfeac242cfa # v3.0.0 + - uses: aws-actions/aws-secretsmanager-get-secrets@2cb1a461cbd4865ac4299648312e4704c646cd53 # v3.0.1 if: ${{ inputs.aws-role != '' }} with: secret-ids: > diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml index 2686916..5442c66 100644 --- a/.github/workflows/python-ci.yml +++ b/.github/workflows/python-ci.yml @@ -31,7 +31,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -54,7 +54,7 @@ jobs: python-version: ${{ inputs.python-version }} # ----- Poetry ----- - - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }} with: path: ~/.local/bin/ @@ -68,12 +68,12 @@ jobs: installer-parallel: true # ----- UV ----- - - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 + - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }} with: enable-cache: true - id: cache-deps - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ${{ inputs.working-directory }}/.venv diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index 42adab8..d63e341 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml @@ -52,7 +52,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -66,7 +66,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4 + - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0 with: components: rustfmt toolchain: ${{ inputs.rust-version }} @@ -85,7 +85,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -99,7 +99,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4 + - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0 with: toolchain: ${{ inputs.rust-version }} cache-workspaces: |- @@ -116,7 +116,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -132,7 +132,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4 + - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0 with: components: clippy toolchain: ${{ inputs.rust-version }} @@ -153,7 +153,7 @@ jobs: run: | echo -n "$(cat ./clippy-results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD" - name: Upload results - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: ${{ inputs.working-directory }}/clippy-results.sarif category: sast @@ -170,7 +170,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -204,7 +204,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 + - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} @@ -214,7 +214,7 @@ jobs: uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1 with: version: latest - - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4 + - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0 with: toolchain: ${{ inputs.rust-version }} cache-workspaces: |- diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index 4b6d180..7c53b0e 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -58,7 +58,7 @@ jobs: run: | echo -n "$(cat ./sast-output.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD" - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: ./sast-output.sarif category: sast diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index aa44622..d0593f2 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml @@ -51,7 +51,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo: ${{ inputs.disable-sudo }} egress-policy: audit @@ -63,7 +63,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 + - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} @@ -72,7 +72,7 @@ jobs: - run: | echo "plugin_cache_dir = '$HOME/.terraform.d/plugin-cache'" > ~/.terraformrc mkdir -p ~/.terraform.d/plugin-cache - - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.terraform.d/plugin-cache key: terraform-providers-${{ hashFiles('**/.terraform.lock.hcl') }} @@ -107,7 +107,7 @@ jobs: filter_mode: nofilter - name: Run Trivy Scan - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: hide-progress: true format: sarif @@ -123,7 +123,7 @@ jobs: run: | echo -n "$(cat ./trivy_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD" - name: Upload results - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif category: devops @@ -142,7 +142,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: audit @@ -151,7 +151,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 + - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} @@ -160,7 +160,7 @@ jobs: - run: | echo "plugin_cache_dir = '$HOME/.terraform.d/plugin-cache'" > ~/.terraformrc mkdir -p ~/.terraform.d/plugin-cache - - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.terraform.d/plugin-cache key: terraform-providers-${{ hashFiles('**/.terraform.lock.hcl') }} @@ -188,7 +188,7 @@ jobs: echo "EOF" } >> "$GITHUB_OUTPUT" continue-on-error: true - - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 if: github.event_name == 'pull_request' env: PLAN: '${{ steps.plan.outputs.plan }}'