diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 38d59fe..d319b81 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -104,14 +104,14 @@ jobs:
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Download build image
- uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
if: ${{ github.event_name == 'pull_request' }}
with:
name: ${{ needs.build.outputs.image-slug }}
path: /tmp
- name: Download test image
- uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
if: ${{ github.event_name == 'pull_request' }}
with:
name: ${{ needs.build.outputs.image-slug }}-test
diff --git a/.github/workflows/standard-build.yaml b/.github/workflows/standard-build.yaml
index 9eb45dd..02fa694 100644
--- a/.github/workflows/standard-build.yaml
+++ b/.github/workflows/standard-build.yaml
@@ -118,7 +118,7 @@ jobs:
image-slug: ${{ steps.slugify-image.outputs.slug }}
steps:
- name: Harden Runner
- uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit # change to 'egress-policy: block' after couple of runs
@@ -155,7 +155,7 @@ jobs:
with:
registry: ghcr.io
username: ${{ github.actor }}
- password: ${{ secrets.github-token }}
+ password: ${{ secrets.github-token }} # zizmor: ignore[secrets-outside-env]
- name: Container image meta
id: image_meta
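Review bot: The `# zizmor: ignore[secrets-outside-env]` added on `password:` records no reason, and the same bare suppression is repeated on the other registry-login steps in this file and on `GITHUB_TOKEN:` in standard-lint.yaml, so a later reader cannot tell whether the finding was judged a false positive or simply silenced. If the rationale is that the secret is only ever handed to the login action as an input and never interpolated into a `run:` script, say so once, e.g. a comment line above the step: `# secrets.github-token is only passed as a login-action input, never into a shell; secrets-outside-env is a false positive here`. That the step is a registry login is inferred from `registry: ghcr.io` and the `username`/`password` inputs; the step's `uses:` line is above the hunk.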
@@ -349,7 +349,7 @@ jobs:
packages: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit # change to 'egress-policy: block' after couple of runs
@@ -358,10 +358,10 @@ jobs:
with:
registry: ghcr.io
username: ${{ github.actor }}
- password: ${{ secrets.github-token }}
+ password: ${{ secrets.github-token }} # zizmor: ignore[secrets-outside-env]
- name: Install Cosign
- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+ uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Sign image
env:
@@ -382,7 +382,7 @@ jobs:
packages: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit # change to 'egress-policy: block' after couple of runs
@@ -391,16 +391,16 @@ jobs:
with:
registry: ghcr.io
username: ${{ github.actor }}
- password: ${{ secrets.github-token }}
+ password: ${{ secrets.github-token }} # zizmor: ignore[secrets-outside-env]
- name: Download attestations
- uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ needs.build.outputs.image-slug }}-trivy-attestation
path: /tmp
- name: Install Cosign
- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+ uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Attest image vulnerability report
env:
@@ -421,12 +421,12 @@ jobs:
contents: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit # change to 'egress-policy: block' after couple of runs
- name: Install Cosign
- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+ uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: download attestation from image
env:
@@ -436,7 +436,7 @@ jobs:
cosign download attestation --output-file="$IMAGE_SLUG.intoto.jsonl" "$IMAGE"
- name: upload assets to release
- uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+ uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
with:
files: |
*.intoto.jsonl
@@ -451,12 +451,12 @@ jobs:
contents: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit # change to 'egress-policy: block' after couple of runs
- name: Download sboms
- uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ needs.build.outputs.image-slug }}-sboms
path: ./sboms
@@ -465,7 +465,7 @@ jobs:
run: ls -R .
- name: upload assets to release
- uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+ uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
if: ${{ startsWith(github.ref, 'refs/tags/') }}
with:
fail_on_unmatched_files: true
diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml
index 354d392..dcb8caf 100644
--- a/.github/workflows/standard-lint.yaml
+++ b/.github/workflows/standard-lint.yaml
@@ -9,7 +9,7 @@ defaults:
env: # renovate: datasource=pypi depName=zizmor
- ZIZMOR_VERSION: 1.22.0
+ ZIZMOR_VERSION: 1.23.1
on:
workflow_call:
@@ -69,7 +69,7 @@ jobs:
pull-requests: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit # change to 'egress-policy: block' after couple of runs
@@ -88,7 +88,7 @@ jobs:
VALIDATE_ALL_CODEBASE: "true" # only try to post PR comments if it's not a fork
GITHUB_COMMENT_REPORTER: ${{ !github.event.pull_request.head.repo.fork }}
- GITHUB_TOKEN: ${{ secrets.github-token }}
+ GITHUB_TOKEN: ${{ secrets.github-token }} # zizmor: ignore[secrets-outside-env]
SARIF_REPORTER: "true" # Upload MegaLinter artifacts
@@ -103,7 +103,7 @@ jobs:
- name: Upload MegaLinter scan results to GitHub Security tab
if: ${{ always() }}
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
sarif_file: "megalinter-reports/megalinter-report.sarif"
@@ -150,7 +150,7 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Install Cosign
- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+ uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- run: |
cosign dockerfile verify \
--output text \
@@ -196,7 +196,7 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file.
@@ -209,7 +209,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
- uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
# â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -222,7 +222,7 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
category: "/language:${{matrix.language}}"
@@ -241,7 +241,7 @@ jobs:
persist-credentials: false
- name: Install the latest version of uv
- uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
enable-cache: false
@@ -253,6 +253,8 @@ jobs:
disable: true
concurrency-limits:
disable: true
+ superfluous-actions:
+ disable: true
run: |
echo "${ZIZMOR_CONFIG_YAML}" > /tmp/zizmor-standard-lint-defaults.yaml
@@ -264,7 +266,7 @@ jobs:
ZIZMOR_CONFIG: /tmp/zizmor-standard-lint-defaults.yaml
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
sarif_file: results.sarif
category: zizmor
diff --git a/.github/workflows/standard-release.yaml b/.github/workflows/standard-release.yaml
index 2857795..c4122d5 100644
--- a/.github/workflows/standard-release.yaml
+++ b/.github/workflows/standard-release.yaml
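Review bot: `superfluous-actions` is switched off in the shared zizmor defaults with no note on why, next to the other `disable: true` entries; since `ZIZMOR_VERSION` is bumped to 1.23.1 in the same commit, this reads as a newly available audit being blanket-disabled for every workflow that consumes this reusable lint job rather than triaged. A defaults-level disable hides the audit from all callers, so record the trigger inline, e.g. `superfluous-actions: # disabled: <what it fired on and why that is acceptable>; revisit`, or keep the audit on and add a targeted inline ignore at the step it reported. The config block this entry lives in (the text echoed from `ZIZMOR_CONFIG_YAML`) starts before the hunk.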
@@ -39,7 +39,7 @@ jobs:
issues: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit # change to 'egress-policy: block' after couple of runs
@@ -47,8 +47,8 @@ jobs:
id: app-token
if: ${{ inputs.use-app-token }}
with:
- app-id: ${{ secrets.app-token-app-id }}
- private-key: ${{ secrets.app-token-private-key }}
+ app-id: ${{ secrets.app-token-app-id }} # zizmor: ignore[secrets-outside-env]
+ private-key: ${{ secrets.app-token-private-key }} # zizmor: ignore[secrets-outside-env]
owner: ${{ github.repository_owner }}
- name: Checkout
@@ -70,4 +70,4 @@ jobs:
semantic-release-replace-plugin@1.2.0
@semantic-release/git@10.0.1
env:
- GITHUB_TOKEN: ${{ secrets.semantic-release-token || steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.semantic-release-token || steps.app-token.outputs.token || secrets.GITHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
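Review bot: The suppression appended to `GITHUB_TOKEN:` sits on an entry of the step's `env:` block (the context line directly above it), which is the placement `secrets-outside-env` steers towards, so if zizmor 1.23.1 still reports this line the cause is presumably the `||` fallback expression rather than where the secret lands, and a bare ignore makes it look like a secret leaving `env:`. Suggest a comment line above it stating that, e.g. `# zizmor flags the '||' fallback expression; the token still reaches the step only through env`. Worth confirming the ignore is actually needed against 1.23.1 rather than carried over, so it does not linger as a stale annotation. The `run:` step this `env:` belongs to starts above the hunk.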