diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index a95d7ea..414f12e 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- id: metadata
- uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v2
+ uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2
- name: log metadata
run: echo "${DEPENDABOT_METADATA}"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 42dd5d2..febc4ae 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -73,7 +73,7 @@ jobs:
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
- id: build-ci
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
target: ${{ env.ENVIRONMENT }}
cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
@@ -102,7 +102,7 @@ jobs:
password: ${{ github.token }}
- if: ${{ github.event_name == 'push' || github.ref_name == github.event.repository.default_branch }}
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
target: ${{ env.ENVIRONMENT }}
cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
@@ -113,7 +113,7 @@ jobs:
ENVIRONMENT: dev
- if: ${{ github.event_name == 'push' || github.ref_name == github.event.repository.default_branch }}
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
cache-to: type=registry,ref=${{ env.GHCR_IMAGE_NAME }}:cache,mode=max
diff --git a/.github/workflows/ossf.yml b/.github/workflows/ossf.yml
index a0440cc..ab044b1 100644
--- a/.github/workflows/ossf.yml
+++ b/.github/workflows/ossf.yml
@@ -41,6 +41,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: results.sarif
diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
index 2ea0802..90ec61f 100644
--- a/.github/workflows/scans.yml
+++ b/.github/workflows/scans.yml
@@ -25,12 +25,12 @@ jobs:
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- - uses: bridgecrewio/checkov-action@002cd2e8cc0fe0535e6f364509e091c1a9870efa # master
+ - uses: bridgecrewio/checkov-action@5ef773c6dcc9416c0e1973045ca575493c4ce41a # master
with:
soft_fail: ${{ github.event_name != 'pull_request' }}
- if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: results.sarif
@@ -46,7 +46,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- id: build
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
load: true
@@ -65,7 +65,7 @@ jobs:
db-file: matcher.db
- if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: clair_results.sarif
@@ -80,7 +80,7 @@ jobs:
- uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1
- - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: devskim-results.sarif
@@ -111,7 +111,7 @@ jobs:
GITHUB_TOKEN: ${{ github.token }}
- if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: results.sarif
@@ -133,7 +133,7 @@ jobs:
only-fixed: true
- if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: ${{ steps.grype.outputs.sarif }}
@@ -149,7 +149,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- id: build
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
load: true
@@ -165,7 +165,7 @@ jobs:
IMAGE_ID: ${{ steps.build.outputs.imageid }}
- if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: ${{ steps.grype.outputs.sarif }}
@@ -192,7 +192,7 @@ jobs:
bom: true
- if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: results.sarif
@@ -220,13 +220,13 @@ jobs:
GITHUB_TOKEN: ${{ github.token }}
- if: ${{ success() || failure() }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: megalinter-reports
path: megalinter-reports
- if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: megalinter-reports/megalinter-report.sarif
ref: ${{ github.head_ref && format('refs/heads/{0}', github.head_ref) || github.ref }}
@@ -258,7 +258,7 @@ jobs:
- uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1
id: msdo
- - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
@@ -306,7 +306,7 @@ jobs:
only-fixed: true
- if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: ${{ steps.grype.outputs.sarif }}
@@ -337,7 +337,7 @@ jobs:
scanners: vuln,secret,misconfig
skip-setup-trivy: true
- - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: trivy-results.sarif
@@ -354,7 +354,7 @@ jobs:
# required for sarif upload
- id: build
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
load: true
@@ -376,7 +376,7 @@ jobs:
severity: HIGH,CRITICAL
skip-setup-trivy: true
- - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
sarif_file: trivy-results.sarif
@@ -404,7 +404,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- id: changed-files
- uses: step-security/changed-files@60967b822d3001fa82242f8d6b4ed46bc3600a68 # v47
+ uses: step-security/changed-files@2e07db73e5ccdb319b9a6c7766bd46d39d304bad # v47
with:
files: "**/*.{cs,java,js,py}"
separator: ","