Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .github/workflows/docker-build-and-push.yml
Original file line number Diff line number Diff line change
Expand Up @@ -121,10 +121,10 @@ jobs:
mirror.gcr.io:443
release-assets.githubusercontent.com:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
- uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
with:
cache-binary: false
Expand Down Expand Up @@ -238,7 +238,7 @@ jobs:
echo -n "$(cat ./trivy_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD"
- name: Upload results
if: ${{ inputs.scan-image && inputs.upload-sarif }}
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif
category: container-security
4 changes: 2 additions & 2 deletions .github/workflows/gitleaks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,12 +35,12 @@ jobs:
objects.githubusercontent.com:443
release-assets.githubusercontent.com:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: gitleaks
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3.0.0
# Comments works only when the workflow is called on `pull_request:`
env:
GITHUB_TOKEN: ${{ github.token }}
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/go-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ jobs:
storage.googleapis.com:443
sum.golang.org:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: golangci-lint
Expand Down Expand Up @@ -84,11 +84,11 @@ jobs:
storage.googleapis.com:443
sum.golang.org:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version-file: ${{ inputs.working-directory }}/go.mod
cache-dependency-path: |
Expand Down Expand Up @@ -121,11 +121,11 @@ jobs:
storage.googleapis.com:443
sum.golang.org:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version-file: ${{ inputs.working-directory }}/go.mod
cache-dependency-path: |
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/go-security-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ jobs:
release-assets.githubusercontent.com:443
${{ inputs.egress-policy-allowlist }}
- name: Checkout Source
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Run Gosec Security Scanner
Expand All @@ -61,7 +61,7 @@ jobs:
run: |
echo -n "$(cat ./gosec-results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD"
- name: Upload results
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: '${{ inputs.working-directory }}/gosec-results.sarif'
category: sast
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/infra-security-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ jobs:
registry.npmjs.org:443
${{ inputs.egress-policy-allowlist }}
- name: Checkout Source
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Kics Scan
Expand All @@ -64,7 +64,7 @@ jobs:
enable_jobs_summary: true
comments_with_queries: true
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: ${{ inputs.working-directory }}/kics_results.sarif
category: devops
Expand All @@ -91,7 +91,7 @@ jobs:
raw.githubusercontent.com:443
release-assets.githubusercontent.com:443
releases.astral.sh:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0
Expand All @@ -101,7 +101,7 @@ jobs:
filter_mode: nofilter
tool_name: actionlint
- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
- name: Run zizmor
Expand All @@ -118,7 +118,7 @@ jobs:
run: |
echo -n "$(cat ./zizmor_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: zizmor_results.sarif
category: github-actions
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/local-auto-tagger.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:
api.github.com:443
github.com:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: false
Expand Down
18 changes: 9 additions & 9 deletions .github/workflows/pulumi-preview.yml
Original file line number Diff line number Diff line change
Expand Up @@ -72,20 +72,20 @@ jobs:
release-assets.githubusercontent.com:443
releases.astral.sh:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: ${{ inputs.python-version }}

# ----- Poetry -----
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }}
with:
path: ~/.local/bin/
key: poetry-${{ inputs.poetry-version }}
- uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
- uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1.4.2
if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }}
with:
version: ${{ inputs.poetry-version }}
Expand All @@ -94,12 +94,12 @@ jobs:
installer-parallel: true

# ----- UV -----
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
with:
enable-cache: true
- id: cache-deps
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
${{ inputs.working-directory }}/.venv
Expand All @@ -110,17 +110,17 @@ jobs:
if: ${{ steps.cache-deps.outputs.cache-hit != 'true' && hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }}
- run: uv sync --locked --all-extras --dev
if: ${{ steps.cache-deps.outputs.cache-hit != 'true' && hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
- uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
- uses: pulumi/auth-actions@141415910c3beb54e03b48e9057c204c97b956f2 # v2.1.0
with:
organization: notdodo
# kics-scan ignore-line
requested-token-type: urn:pulumi:token-type:access_token:personal
scope: user:notdodo
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ${{ env.PULUMI_HOME }}/plugins
key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }}
- uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2
- uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
if: ${{ inputs.aws-role != '' }}
with:
role-to-assume: ${{ inputs.aws-role }}
Expand Down
18 changes: 9 additions & 9 deletions .github/workflows/pulumi-up.yml
Original file line number Diff line number Diff line change
Expand Up @@ -71,20 +71,20 @@ jobs:
release-assets.githubusercontent.com:443
releases.astral.sh:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: ${{ inputs.python-version }}

# ----- Poetry -----
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }}
with:
path: ~/.local/bin/
key: poetry-${{ inputs.poetry-version }}
- uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
- uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1.4.2
if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }}
with:
version: ${{ inputs.poetry-version }}
Expand All @@ -93,12 +93,12 @@ jobs:
installer-parallel: true

# ----- UV -----
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
with:
enable-cache: true
- id: cache-deps
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
${{ inputs.working-directory }}/.venv
Expand All @@ -109,17 +109,17 @@ jobs:
if: ${{ steps.cache-deps.outputs.cache-hit != 'true' && hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }}
- run: uv sync --locked --all-extras --dev
if: ${{ steps.cache-deps.outputs.cache-hit != 'true' && hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
- uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
- uses: pulumi/auth-actions@141415910c3beb54e03b48e9057c204c97b956f2 # v2.1.0
with:
organization: notdodo
# kics-scan ignore-line
requested-token-type: urn:pulumi:token-type:access_token:personal
scope: user:notdodo
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ${{ env.PULUMI_HOME }}/plugins
key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }}
- uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2
- uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
if: ${{ inputs.aws-role != '' }}
with:
role-to-assume: ${{ inputs.aws-role }}
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/python-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -46,20 +46,20 @@ jobs:
release-assets.githubusercontent.com:443
releases.astral.sh:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: ${{ inputs.python-version }}

# ----- Poetry -----
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }}
with:
path: ~/.local/bin/
key: poetry-${{ inputs.poetry-version }}
- uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
- uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1.4.2
if: ${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory)) != '' }}
with:
version: ${{ inputs.poetry-version }}
Expand All @@ -68,12 +68,12 @@ jobs:
installer-parallel: true

# ----- UV -----
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
with:
enable-cache: true
- id: cache-deps
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
${{ inputs.working-directory }}/.venv
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/rust-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ jobs:
static.crates.io:443
static.rust-lang.org:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
Expand Down Expand Up @@ -96,7 +96,7 @@ jobs:
static.crates.io:443
static.rust-lang.org:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
Expand Down Expand Up @@ -129,7 +129,7 @@ jobs:
static.crates.io:443
static.rust-lang.org:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
Expand All @@ -153,7 +153,7 @@ jobs:
run: |
echo -n "$(cat ./clippy-results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD"
- name: Upload results
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: ${{ inputs.working-directory }}/clippy-results.sarif
category: sast
Expand Down Expand Up @@ -201,10 +201,10 @@ jobs:
zigmirror.hryx.net:443
zigmirror.nesovic.dev:443
${{ inputs.egress-policy-allowlist }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2
- uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
if: ${{ inputs.aws-role != '' }}
with:
role-to-assume: ${{ inputs.aws-role }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/sast.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ jobs:
container:
image: semgrep/semgrep:1.159.0
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: false
Expand Down Expand Up @@ -58,7 +58,7 @@ jobs:
run: |
echo -n "$(cat ./sast-output.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: ./sast-output.sarif
category: sast
Expand Down
Loading