From bdbf8eb5d9552027f41a0db61941388b6043e780 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 1 May 2026 07:29:42 +0000
Subject: [PATCH] [#patch](deps): Bump the actions-deps group with 14 updates

Bumps the actions-deps group with 14 updates:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.16.0` | `2.19.0` |
| [docker/login-action](https://github.com/docker/login-action) | `4.0.0` | `4.1.0` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `7.0.0` | `7.1.0` |
| [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) | `0.35.0` | `0.36.0` |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.1.0` | `4.1.1` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.32.6` | `4.35.2` |
| [reviewdog/action-actionlint](https://github.com/reviewdog/action-actionlint) | `1.71.0` | `1.72.0` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `7.6.0` | `8.1.0` |
| [tj-actions/changed-files](https://github.com/tj-actions/changed-files) | `47.0.5` | `47.0.6` |
| [actions/cache](https://github.com/actions/cache) | `5.0.4` | `5.0.5` |
| [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) | `6.0.0` | `6.1.0` |
| [aws-actions/aws-secretsmanager-get-secrets](https://github.com/aws-actions/aws-secretsmanager-get-secrets) | `3.0.0` | `3.0.1` |
| [actions-rust-lang/setup-rust-toolchain](https://github.com/actions-rust-lang/setup-rust-toolchain) | `1.15.4` | `1.16.0` |
| [actions/github-script](https://github.com/actions/github-script) | `8.0.0` | `9.0.0` |

Updates `step-security/harden-runner` from 2.16.0 to 2.19.0
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594...8d3c67de8e2fe68ef647c8db1e6a09f647780f40)

Updates `docker/login-action` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/b45d80f862d83dbcd57f89517bcf500b2ab88fb2...4907a6ddec9925e35a0a9e82d7399ccc52663121)

Updates `docker/build-push-action` from 7.0.0 to 7.1.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/d08e5c354a6adb9ed34480a06d141179aa583294...bcafcacb16a39f128d818304e6c9c0c18556b85f)

Updates `aquasecurity/trivy-action` from 0.35.0 to 0.36.0
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](https://github.com/aquasecurity/trivy-action/compare/57a97c7e7821a5776cebc9bb87c984fa69cba8f1...ed142fd0673e97e23eac54620cfb913e5ce36c25)

Updates `sigstore/cosign-installer` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/ba7bc0a3fef59531c69a25acd34668d6d3fe6f22...cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003)

Updates `github/codeql-action` from 4.32.6 to 4.35.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0d579ffd059c29b07949a3cce3983f0780820c98...95e58e9a2cdfd71adc6e0353d5c52f41a045d225)

Updates `reviewdog/action-actionlint` from 1.71.0 to 1.72.0
- [Release notes](https://github.com/reviewdog/action-actionlint/releases)
- [Commits](https://github.com/reviewdog/action-actionlint/compare/0d952c597ef8459f634d7145b0b044a9699e5e43...6fb7acc99f4a1008869fa8a0f09cfca740837d9d)

Updates `astral-sh/setup-uv` from 7.6.0 to 8.1.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](https://github.com/astral-sh/setup-uv/compare/37802adc94f370d6bfd71619e3f0bf239e1f3b78...08807647e7069bb48b6ef5acd8ec9567f424441b)

Updates `tj-actions/changed-files` from 47.0.5 to 47.0.6
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/22103cc46bda19c2b464ffe86db46df6922fd323...9426d40962ed5378910ee2e21d5f8c6fcbf2dd96)

Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/668228422ae6a00e4ad889ee87cd7109ec5666a7...27d5ce7f107fe9357f9df03efb73ab90386fccae)

Updates `aws-actions/configure-aws-credentials` from 6.0.0 to 6.1.0
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/8df5847569e6427dd6c4fb1cf565c83acfa8afa7...ec61189d14ec14c8efccab744f656cffd0e33f37)

Updates `aws-actions/aws-secretsmanager-get-secrets` from 3.0.0 to 3.0.1
- [Release notes](https://github.com/aws-actions/aws-secretsmanager-get-secrets/releases)
- [Commits](https://github.com/aws-actions/aws-secretsmanager-get-secrets/compare/3a411b6ec5cace3d626412dd917e7bfeac242cfa...2cb1a461cbd4865ac4299648312e4704c646cd53)

Updates `actions-rust-lang/setup-rust-toolchain` from 1.15.4 to 1.16.0
- [Release notes](https://github.com/actions-rust-lang/setup-rust-toolchain/releases)
- [Changelog](https://github.com/actions-rust-lang/setup-rust-toolchain/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions-rust-lang/setup-rust-toolchain/compare/150fca883cd4034361b621bd4e6a9d34e5143606...2b1f5e9b395427c92ee4e3331786ca3c37afe2d7)

Updates `actions/github-script` from 8.0.0 to 9.0.0
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/ed597411d8f924073f98dfc5c65a23a2325f34cd...3a2844b7e9c422d3c10d287c895573f7108da1b3)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-deps
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-deps
- dependency-name: docker/build-push-action
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-deps
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-deps
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-deps
- dependency-name: github/codeql-action
  dependency-version: 4.35.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-deps
- dependency-name: reviewdog/action-actionlint
  dependency-version: 1.72.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-deps
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-deps
- dependency-name: tj-actions/changed-files
  dependency-version: 47.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-deps
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-deps
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-deps
- dependency-name: aws-actions/aws-secretsmanager-get-secrets
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-deps
- dependency-name: actions-rust-lang/setup-rust-toolchain
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-deps
- dependency-name: actions/github-script
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-deps
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/clean-branch-cache.yml | 2 +-
 .github/workflows/docker-build-and-push.yml | 16 ++++++++--------
 .github/workflows/gitleaks.yml | 2 +-
 .github/workflows/go-ci.yml | 6 +++---
 .github/workflows/go-security-scan.yml | 4 ++--
 .github/workflows/infra-security-scan.yml | 12 ++++++------
 .github/workflows/local-auto-tagger.yml | 4 ++--
 .github/workflows/pulumi-preview.yml | 14 +++++++-------
 .github/workflows/pulumi-up.yml | 14 +++++++-------
 .github/workflows/python-ci.yml | 8 ++++----
 .github/workflows/rust-ci.yml | 20 ++++++++++----------
 .github/workflows/sast.yml | 2 +-
 .github/workflows/terraform-ci.yml | 18 +++++++++---------
 13 files changed, 61 insertions(+), 61 deletions(-)

diff --git a/.github/workflows/clean-branch-cache.yml b/.github/workflows/clean-branch-cache.yml
index 8516b80..72ad7ef 100644
--- a/.github/workflows/clean-branch-cache.yml
+++ b/.github/workflows/clean-branch-cache.yml
@@ -17,7 +17,7 @@ jobs:
     permissions:
       actions: write
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index 157473b..39b321f 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -102,7 +102,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -129,7 +129,7 @@ jobs:
         with:
           cache-binary: false
       - name: Log in to the Container registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         if: inputs.push
         with:
           registry: ${{ inputs.registry }}
@@ -146,7 +146,7 @@ jobs:
       - name: Build and push
         id: build
         if: inputs.push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           annotations: ${{ steps.metadata.outputs.annotations }}
           cache-from: type=gha
@@ -161,7 +161,7 @@ jobs:
       - name: Build push locally
         id: build-local
         if: ${{ !inputs.push }}
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           cache-from: type=gha
           cache-to: type=gha,mode=max
@@ -186,7 +186,7 @@ jobs:
             echo "local_image_ref=${LOCAL_IMAGE_REF}"
           } >> "${GITHUB_OUTPUT}"
       - name: Run Trivy Scan
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
         if: inputs.scan-image
         with:
           format: sarif
@@ -197,7 +197,7 @@ jobs:
           output: ${{ inputs.working-directory }}/trivy_results.sarif
           github-pat: ${{ secrets.GITHUB_TOKEN }}
       - name: Generate SBOM
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
         if: inputs.push
         with:
           format: spdx-json
@@ -214,7 +214,7 @@ jobs:
           create-storage-record: ${{ startsWith(inputs.registry, 'ghcr.io') }}
           sbom-path: ${{ inputs.working-directory }}/sbom.spdx.json
       - name: Install cosign
-        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
         if: inputs.push && inputs.sign-image
       - name: Sign image
         if: inputs.push && inputs.sign-image
@@ -238,7 +238,7 @@ jobs:
           echo -n "$(cat ./trivy_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD"
       - name: Upload results
         if: ${{ inputs.scan-image && inputs.upload-sarif }}
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif
           category: container-security
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 32c1dff..bac398d 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ inputs.runs-on }}
     if: (github.actor != 'dependabot[bot]')
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
index 81be3eb..f069fc8 100644
--- a/.github/workflows/go-ci.yml
+++ b/.github/workflows/go-ci.yml
@@ -34,7 +34,7 @@ jobs:
       pull-requests: write
       checks: write
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -70,7 +70,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -107,7 +107,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
diff --git a/.github/workflows/go-security-scan.yml b/.github/workflows/go-security-scan.yml
index 4a3357b..defd0e0 100644
--- a/.github/workflows/go-security-scan.yml
+++ b/.github/workflows/go-security-scan.yml
@@ -33,7 +33,7 @@ jobs:
     env:
       GO111MODULE: on
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -61,7 +61,7 @@ jobs:
         run: |
           echo -n "$(cat ./gosec-results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD"
       - name: Upload results
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: '${{ inputs.working-directory }}/gosec-results.sarif'
           category: sast
diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml
index f6332f5..6aff560 100644
--- a/.github/workflows/infra-security-scan.yml
+++ b/.github/workflows/infra-security-scan.yml
@@ -34,7 +34,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -64,7 +64,7 @@ jobs:
           enable_jobs_summary: true
           comments_with_queries: true
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: ${{ inputs.working-directory }}/kics_results.sarif
           category: devops
@@ -78,7 +78,7 @@ jobs:
       pull-requests: write
       security-events: write
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -94,14 +94,14 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: reviewdog/action-actionlint@0d952c597ef8459f634d7145b0b044a9699e5e43 # v1.71.0
+      - uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0
         continue-on-error: true
         with:
           fail_level: any
           filter_mode: nofilter
           tool_name: actionlint
       - name: Install uv
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           enable-cache: true
       - name: Run zizmor
@@ -118,7 +118,7 @@ jobs:
         run: |
           echo -n "$(cat ./zizmor_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD"
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: zizmor_results.sarif
           category: github-actions
diff --git a/.github/workflows/local-auto-tagger.yml b/.github/workflows/local-auto-tagger.yml
index 2d922f1..baa3311 100644
--- a/.github/workflows/local-auto-tagger.yml
+++ b/.github/workflows/local-auto-tagger.yml
@@ -17,7 +17,7 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -31,7 +31,7 @@ jobs:
           persist-credentials: false
       - name: Get changed files for each workflow and action
         id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
         with:
           files_yaml: |
             cleanup-cache:
diff --git a/.github/workflows/pulumi-preview.yml b/.github/workflows/pulumi-preview.yml
index 62536f3..e430f22 100644
--- a/.github/workflows/pulumi-preview.yml
+++ b/.github/workflows/pulumi-preview.yml
@@ -55,7 +55,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -80,7 +80,7 @@ jobs:
           python-version: ${{ inputs.python-version }}
 
       # ----- Poetry -----
-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }}
         with:
           path: ~/.local/bin/
@@ -94,12 +94,12 @@ jobs:
           installer-parallel: true
 
       # ----- UV -----
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
         with:
           enable-cache: true
       - id: cache-deps
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: |
             ${{ inputs.working-directory }}/.venv
@@ -116,17 +116,17 @@ jobs:
           # kics-scan ignore-line
           requested-token-type: urn:pulumi:token-type:access_token:personal
           scope: user:notdodo
-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ env.PULUMI_HOME }}/plugins
           key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }}
-      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         if: ${{ inputs.aws-role != '' }}
         with:
           role-to-assume: ${{ inputs.aws-role }}
           aws-region: ${{ inputs.aws-region }}
           retry-max-attempts: 2
-      - uses: aws-actions/aws-secretsmanager-get-secrets@3a411b6ec5cace3d626412dd917e7bfeac242cfa # v3.0.0
+      - uses: aws-actions/aws-secretsmanager-get-secrets@2cb1a461cbd4865ac4299648312e4704c646cd53 # v3.0.1
         if: ${{ inputs.aws-role != '' }}
         with:
           secret-ids: >
diff --git a/.github/workflows/pulumi-up.yml b/.github/workflows/pulumi-up.yml
index 199045e..3ca16c0 100644
--- a/.github/workflows/pulumi-up.yml
+++ b/.github/workflows/pulumi-up.yml
@@ -54,7 +54,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -79,7 +79,7 @@ jobs:
           python-version: ${{ inputs.python-version }}
 
       # ----- Poetry -----
-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }}
         with:
           path: ~/.local/bin/
@@ -93,12 +93,12 @@ jobs:
           installer-parallel: true
 
       # ----- UV -----
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
         with:
           enable-cache: true
       - id: cache-deps
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: |
             ${{ inputs.working-directory }}/.venv
@@ -115,17 +115,17 @@ jobs:
           # kics-scan ignore-line
           requested-token-type: urn:pulumi:token-type:access_token:personal
           scope: user:notdodo
-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ env.PULUMI_HOME }}/plugins
           key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }}
-      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         if: ${{ inputs.aws-role != '' }}
         with:
           role-to-assume: ${{ inputs.aws-role }}
           aws-region: ${{ inputs.aws-region }}
           retry-max-attempts: 2
-      - uses: aws-actions/aws-secretsmanager-get-secrets@3a411b6ec5cace3d626412dd917e7bfeac242cfa # v3.0.0
+      - uses: aws-actions/aws-secretsmanager-get-secrets@2cb1a461cbd4865ac4299648312e4704c646cd53 # v3.0.1
         if: ${{ inputs.aws-role != '' }}
         with:
           secret-ids: >
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
index 2686916..5442c66 100644
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -31,7 +31,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -54,7 +54,7 @@ jobs:
           python-version: ${{ inputs.python-version }}
 
       # ----- Poetry -----
-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }}
         with:
           path: ~/.local/bin/
@@ -68,12 +68,12 @@ jobs:
           installer-parallel: true
 
       # ----- UV -----
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
         with:
           enable-cache: true
       - id: cache-deps
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: |
             ${{ inputs.working-directory }}/.venv
diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml
index 42adab8..d63e341 100644
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -52,7 +52,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -66,7 +66,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4
+      - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
         with:
           components: rustfmt
           toolchain: ${{ inputs.rust-version }}
@@ -85,7 +85,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -99,7 +99,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4
+      - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
         with:
           toolchain: ${{ inputs.rust-version }}
           cache-workspaces: |-
@@ -116,7 +116,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -132,7 +132,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4
+      - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
         with:
           components: clippy
           toolchain: ${{ inputs.rust-version }}
@@ -153,7 +153,7 @@ jobs:
         run: |
           echo -n "$(cat ./clippy-results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD"
       - name: Upload results
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: ${{ inputs.working-directory }}/clippy-results.sarif
           category: sast
@@ -170,7 +170,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
@@ -204,7 +204,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         if: ${{ inputs.aws-role != '' }}
         with:
           role-to-assume: ${{ inputs.aws-role }}
@@ -214,7 +214,7 @@ jobs:
         uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1
         with:
           version: latest
-      - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4
+      - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
         with:
           toolchain: ${{ inputs.rust-version }}
           cache-workspaces: |-
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
index 4b6d180..7c53b0e 100644
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -58,7 +58,7 @@ jobs:
         run: |
           echo -n "$(cat ./sast-output.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD"
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: ./sast-output.sarif
           category: sast
diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml
index aa44622..d0593f2 100644
--- a/.github/workflows/terraform-ci.yml
+++ b/.github/workflows/terraform-ci.yml
@@ -51,7 +51,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo: ${{ inputs.disable-sudo }}
           egress-policy: audit
@@ -63,7 +63,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         if: ${{ inputs.aws-role != '' }}
         with:
           role-to-assume: ${{ inputs.aws-role }}
@@ -72,7 +72,7 @@ jobs:
       - run: |
           echo "plugin_cache_dir = '$HOME/.terraform.d/plugin-cache'" > ~/.terraformrc
           mkdir -p ~/.terraform.d/plugin-cache
-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.terraform.d/plugin-cache
           key: terraform-providers-${{ hashFiles('**/.terraform.lock.hcl') }}
@@ -107,7 +107,7 @@ jobs:
           filter_mode: nofilter
 
       - name: Run Trivy Scan
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
         with:
           hide-progress: true
           format: sarif
@@ -123,7 +123,7 @@ jobs:
         run: |
           echo -n "$(cat ./trivy_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD"
       - name: Upload results
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif
           category: devops
@@ -142,7 +142,7 @@ jobs:
       run:
         working-directory: ${{ inputs.working-directory }}
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: audit
@@ -151,7 +151,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         if: ${{ inputs.aws-role != '' }}
         with:
           role-to-assume: ${{ inputs.aws-role }}
@@ -160,7 +160,7 @@ jobs:
       - run: |
           echo "plugin_cache_dir = '$HOME/.terraform.d/plugin-cache'" > ~/.terraformrc
           mkdir -p ~/.terraform.d/plugin-cache
-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.terraform.d/plugin-cache
           key: terraform-providers-${{ hashFiles('**/.terraform.lock.hcl') }}
@@ -188,7 +188,7 @@ jobs:
             echo "EOF"
           } >> "$GITHUB_OUTPUT"
         continue-on-error: true
-      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         if: github.event_name == 'pull_request'
         env:
           PLAN: '${{ steps.plan.outputs.plan }}'