diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 22ae9bb..bbd8bbc 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -34,13 +34,13 @@ jobs:
 # JavaScript and TypeScript. build-mode: none means CodeQL analyses
 # the source directly without needing a compilation step.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+ uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
 with:
 languages: javascript
 build-mode: none
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+ uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
 with:
 category: codeql
 output: codeql-results.sarif
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index f594b4c..6f97f84 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -236,7 +236,7 @@ jobs:
 exit-code: '0'
 - name: Upload Trivy SARIF to Security tab
- uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+ uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
 if: always()
 with:
 sarif_file: trivy-release.sarif
@@ -362,7 +362,7 @@ jobs:
 # Generate a Software Bill of Materials (SBOM) for the released image.
 # The SBOM is written to sbom.spdx.json and uploaded to the GitHub Release.
 - name: Generate SBOM
- uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
+ uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
 with:
 image: ${{ steps.tags.outputs.semver }}
 format: spdx-json
@@ -649,7 +649,7 @@ jobs:
 exit-code: '0'
 - name: Upload Trivy SARIF to Security tab
- uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+ uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
 if: always()
 with:
 sarif_file: trivy-pr.sarif
@@ -675,7 +675,7 @@ jobs:
 # Verifies anchore/sbom-action can scan and produce a valid SPDX file
 # before this change reaches the release pipeline.
 - name: Smoke test SBOM generation
- uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
+ uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
 with:
 image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}-amd64
 format: spdx-json
diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml
index 3a64dea..a911071 100644
--- a/.github/workflows/functional-tests.yml
+++ b/.github/workflows/functional-tests.yml
@@ -35,7 +35,7 @@ jobs:
 run: npm audit --audit-level=high
 - name: Scan dependencies (OSV)
- uses: google/osv-scanner-action/osv-scanner-action@c5996e0193a3df57d695c1b8a1dec2a4c62e8730 # v2.3.3
+ uses: google/osv-scanner-action/osv-scanner-action@c51854704019a247608d928f370c98740469d4b5 # v2.3.5
 with:
 scan-args: |-
 --recursive
@@ -55,7 +55,7 @@ jobs:
 TEST_BOOKSTACK_TOKEN_SECRET: ${{ secrets.TEST_BOOKSTACK_TOKEN_SECRET }}
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
 with:
 files: packages/core/coverage/lcov.info
 env:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 1f1023c..b69db68 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -37,7 +37,7 @@ jobs:
 name: SARIF file
 path: scorecard.sarif
- - uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+ - uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
 with:
 sarif_file: scorecard.sarif
 category: scorecard