diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml index f832c35..2bebdbd 100644 --- a/.github/workflows/docker-build-and-push.yml +++ b/.github/workflows/docker-build-and-push.yml @@ -121,10 +121,10 @@ jobs: mirror.gcr.io:443 release-assets.githubusercontent.com:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 + - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 with: cache-binary: false @@ -238,7 +238,7 @@ jobs: echo -n "$(cat ./trivy_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD" - name: Upload results if: ${{ inputs.scan-image && inputs.upload-sarif }} - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif category: container-security diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 61a6662..05b48ca 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -35,12 +35,12 @@ jobs: objects.githubusercontent.com:443 release-assets.githubusercontent.com:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false - name: gitleaks - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 + uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3.0.0 # Comments works only when the workflow is called on `pull_request:` env: GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 693630e..eb9ccd3 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -48,7 +48,7 @@ jobs: storage.googleapis.com:443 sum.golang.org:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: golangci-lint @@ -84,11 +84,11 @@ jobs: storage.googleapis.com:443 sum.golang.org:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version-file: ${{ inputs.working-directory }}/go.mod cache-dependency-path: | @@ -121,11 +121,11 @@ jobs: storage.googleapis.com:443 sum.golang.org:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version-file: ${{ inputs.working-directory }}/go.mod cache-dependency-path: | diff --git a/.github/workflows/go-security-scan.yml b/.github/workflows/go-security-scan.yml index a0fa0a9..50da2cc 100644 --- a/.github/workflows/go-security-scan.yml +++ b/.github/workflows/go-security-scan.yml @@ -45,7 +45,7 @@ jobs: release-assets.githubusercontent.com:443 ${{ inputs.egress-policy-allowlist }} - name: Checkout Source - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Run Gosec Security Scanner @@ -61,7 +61,7 @@ jobs: run: | echo -n "$(cat ./gosec-results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD" - name: Upload results - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: '${{ inputs.working-directory }}/gosec-results.sarif' category: sast diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml index 61d8e00..3dfd503 100644 --- a/.github/workflows/infra-security-scan.yml +++ b/.github/workflows/infra-security-scan.yml @@ -48,7 +48,7 @@ jobs: registry.npmjs.org:443 ${{ inputs.egress-policy-allowlist }} - name: Checkout Source - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Kics Scan @@ -64,7 +64,7 @@ jobs: enable_jobs_summary: true comments_with_queries: true - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: ${{ inputs.working-directory }}/kics_results.sarif category: devops @@ -91,7 +91,7 @@ jobs: raw.githubusercontent.com:443 release-assets.githubusercontent.com:443 releases.astral.sh:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0 @@ -101,7 +101,7 @@ jobs: filter_mode: nofilter tool_name: actionlint - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: enable-cache: true - name: Run zizmor @@ -118,7 +118,7 @@ jobs: run: | echo -n "$(cat ./zizmor_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD" - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: zizmor_results.sarif category: github-actions diff --git a/.github/workflows/local-auto-tagger.yml b/.github/workflows/local-auto-tagger.yml index 69d5664..baaf7a7 100644 --- a/.github/workflows/local-auto-tagger.yml +++ b/.github/workflows/local-auto-tagger.yml @@ -25,7 +25,7 @@ jobs: api.github.com:443 github.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/pulumi-preview.yml b/.github/workflows/pulumi-preview.yml index d92a135..ff76481 100644 --- a/.github/workflows/pulumi-preview.yml +++ b/.github/workflows/pulumi-preview.yml @@ -72,20 +72,20 @@ jobs: release-assets.githubusercontent.com:443 releases.astral.sh:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: ${{ inputs.python-version }} # ----- Poetry ----- - - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }} with: path: ~/.local/bin/ key: poetry-${{ inputs.poetry-version }} - - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 + - uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1.4.2 if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }} with: version: ${{ inputs.poetry-version }} @@ -94,12 +94,12 @@ jobs: installer-parallel: true # ----- UV ----- - - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }} with: enable-cache: true - id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: | ${{ inputs.working-directory }}/.venv @@ -110,17 +110,17 @@ jobs: if: ${{ steps.cache-deps.outputs.cache-hit != 'true' && hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }} - run: uv sync --locked --all-extras --dev if: ${{ steps.cache-deps.outputs.cache-hit != 'true' && hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }} - - uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1 + - uses: pulumi/auth-actions@141415910c3beb54e03b48e9057c204c97b956f2 # v2.1.0 with: organization: notdodo # kics-scan ignore-line requested-token-type: urn:pulumi:token-type:access_token:personal scope: user:notdodo - - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: ${{ env.PULUMI_HOME }}/plugins key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }} - - uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2 + - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} diff --git a/.github/workflows/pulumi-up.yml b/.github/workflows/pulumi-up.yml index 40201ab..34683f2 100644 --- a/.github/workflows/pulumi-up.yml +++ b/.github/workflows/pulumi-up.yml @@ -71,20 +71,20 @@ jobs: release-assets.githubusercontent.com:443 releases.astral.sh:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: ${{ inputs.python-version }} # ----- Poetry ----- - - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }} with: path: ~/.local/bin/ key: poetry-${{ inputs.poetry-version }} - - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 + - uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1.4.2 if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }} with: version: ${{ inputs.poetry-version }} @@ -93,12 +93,12 @@ jobs: installer-parallel: true # ----- UV ----- - - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }} with: enable-cache: true - id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: | ${{ inputs.working-directory }}/.venv @@ -109,17 +109,17 @@ jobs: if: ${{ steps.cache-deps.outputs.cache-hit != 'true' && hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }} - run: uv sync --locked --all-extras --dev if: ${{ steps.cache-deps.outputs.cache-hit != 'true' && hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }} - - uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1 + - uses: pulumi/auth-actions@141415910c3beb54e03b48e9057c204c97b956f2 # v2.1.0 with: organization: notdodo # kics-scan ignore-line requested-token-type: urn:pulumi:token-type:access_token:personal scope: user:notdodo - - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: ${{ env.PULUMI_HOME }}/plugins key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }} - - uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2 + - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml index 941a7a1..922ccf9 100644 --- a/.github/workflows/python-ci.yml +++ b/.github/workflows/python-ci.yml @@ -46,20 +46,20 @@ jobs: release-assets.githubusercontent.com:443 releases.astral.sh:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: ${{ inputs.python-version }} # ----- Poetry ----- - - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }} with: path: ~/.local/bin/ key: poetry-${{ inputs.poetry-version }} - - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 + - uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1.4.2 if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }} with: version: ${{ inputs.poetry-version }} @@ -68,12 +68,12 @@ jobs: installer-parallel: true # ----- UV ----- - - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }} with: enable-cache: true - id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: | ${{ inputs.working-directory }}/.venv diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index 6eb0f71..019344c 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml @@ -63,7 +63,7 @@ jobs: static.crates.io:443 static.rust-lang.org:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 @@ -96,7 +96,7 @@ jobs: static.crates.io:443 static.rust-lang.org:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 @@ -129,7 +129,7 @@ jobs: static.crates.io:443 static.rust-lang.org:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 @@ -153,7 +153,7 @@ jobs: run: | echo -n "$(cat ./clippy-results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD" - name: Upload results - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: ${{ inputs.working-directory }}/clippy-results.sarif category: sast @@ -201,10 +201,10 @@ jobs: zigmirror.hryx.net:443 zigmirror.nesovic.dev:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2 + - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index 2c2d6f3..27ca51f 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -29,7 +29,7 @@ jobs: container: image: semgrep/semgrep:1.159.0 steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false @@ -58,7 +58,7 @@ jobs: run: | echo -n "$(cat ./sast-output.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD" - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: ./sast-output.sarif category: sast diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index d932c01..6591f25 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml @@ -60,10 +60,10 @@ jobs: raw.githubusercontent.com:443 release-assets.githubusercontent.com:443 ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2 + - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} @@ -72,14 +72,14 @@ jobs: - run: | echo "plugin_cache_dir = '$HOME/.terraform.d/plugin-cache'" > ~/.terraformrc mkdir -p ~/.terraform.d/plugin-cache - - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: ~/.terraform.d/plugin-cache key: terraform-providers-${{ hashFiles('**/.terraform.lock.hcl') }} restore-keys: terraform-providers- - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 - name: Sops Binary Installer - uses: mdgreenwald/mozilla-sops-action@fe9db4c6a9f56efabf8855966e98c7ec9d09eb3e + uses: mdgreenwald/mozilla-sops-action@bb2d96a13ef438ad122e5827a57ebd75d6ff118d - name: Decrypt Secrets env: SOPS_AGE_KEY: ${{ secrets.sops-age-key }} @@ -123,7 +123,7 @@ jobs: run: | echo -n "$(cat ./trivy_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD" - name: Upload results - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif category: devops @@ -148,10 +148,10 @@ jobs: egress-policy: audit allowed-endpoints: > ${{ inputs.egress-policy-allowlist }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2 + - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} @@ -160,14 +160,14 @@ jobs: - run: | echo "plugin_cache_dir = '$HOME/.terraform.d/plugin-cache'" > ~/.terraformrc mkdir -p ~/.terraform.d/plugin-cache - - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: ~/.terraform.d/plugin-cache key: terraform-providers-${{ hashFiles('**/.terraform.lock.hcl') }} restore-keys: terraform-providers- - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 - name: Sops Binary Installer - uses: mdgreenwald/mozilla-sops-action@fe9db4c6a9f56efabf8855966e98c7ec9d09eb3e + uses: mdgreenwald/mozilla-sops-action@bb2d96a13ef438ad122e5827a57ebd75d6ff118d - name: Decrypt Secrets env: SOPS_AGE_KEY: ${{ secrets.sops-age-key }}