diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a1eaf962..30cbfab9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -73,7 +73,7 @@ jobs: - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - id: build-ci - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: target: ${{ env.ENVIRONMENT }} cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache @@ -102,7 +102,7 @@ jobs: password: ${{ github.token }} - if: ${{ github.event_name == 'push' || github.ref_name == github.event.repository.default_branch }} - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: target: ${{ env.ENVIRONMENT }} cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache @@ -113,7 +113,7 @@ jobs: ENVIRONMENT: dev - if: ${{ github.event_name == 'push' || github.ref_name == github.event.repository.default_branch }} - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache cache-to: type=registry,ref=${{ env.GHCR_IMAGE_NAME }}:cache,mode=max diff --git a/.github/workflows/ossf.yml b/.github/workflows/ossf.yml index a8dba22c..100e5c03 100644 --- a/.github/workflows/ossf.yml +++ b/.github/workflows/ossf.yml @@ -41,6 +41,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + - uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: results.sarif diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml index 07f5c6e2..2926f350 100644 --- a/.github/workflows/scans.yml +++ b/.github/workflows/scans.yml @@ -25,12 +25,12 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: bridgecrewio/checkov-action@f34885219720066007f948b843e747bb136aa223 # master + - uses: bridgecrewio/checkov-action@b3c44b4437c93549fc8cfaef9208497ba4955d39 # master with: soft_fail: ${{ github.event_name != 'pull_request' }} - if: ${{ success() || failure() }} - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: results.sarif @@ -46,7 +46,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - id: build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache load: true @@ -65,7 +65,7 @@ jobs: db-file: matcher.db - if: ${{ success() || failure() }} - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: clair_results.sarif @@ -80,7 +80,7 @@ jobs: - uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1 - - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + - uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: devskim-results.sarif @@ -111,7 +111,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} - if: ${{ success() || failure() }} - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: results.sarif @@ -133,7 +133,7 @@ jobs: only-fixed: true - if: ${{ success() || failure() }} - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: ${{ steps.grype.outputs.sarif }} @@ -149,7 +149,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - id: build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache load: true @@ -165,7 +165,7 @@ jobs: IMAGE_ID: ${{ steps.build.outputs.imageid }} - if: ${{ success() || failure() }} - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: ${{ steps.grype.outputs.sarif }} @@ -192,7 +192,7 @@ jobs: bom: true - if: ${{ success() || failure() }} - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: results.sarif @@ -226,7 +226,7 @@ jobs: path: megalinter-reports - if: ${{ success() || failure() }} - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: megalinter-reports/megalinter-report.sarif ref: ${{ github.head_ref && format('refs/heads/{0}', github.head_ref) || github.ref }} @@ -258,7 +258,7 @@ jobs: - uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1 id: msdo - - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + - uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} @@ -306,7 +306,7 @@ jobs: only-fixed: true - if: ${{ success() || failure() }} - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: ${{ steps.grype.outputs.sarif }} @@ -337,7 +337,7 @@ jobs: scanners: vuln,secret,misconfig skip-setup-trivy: true - - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + - uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: trivy-results.sarif @@ -354,7 +354,7 @@ jobs: # required for sarif upload - id: build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache load: true @@ -376,7 +376,7 @@ jobs: severity: HIGH,CRITICAL skip-setup-trivy: true - - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 + - uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 with: sarif_file: trivy-results.sarif