From fb614dc1b9f2cfb4c54cd95f446881c73c8ec5e5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Mar 2026 17:48:06 +0000 Subject: [PATCH 1/2] :seedling: Bump the github-actions group across 1 directory with 10 updates Bumps the github-actions group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.14.1` | `2.16.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.32.0` | `4.34.1` | | [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.8.2` | `4.9.0` | | [actions/cache](https://github.com/actions/cache) | `5.0.3` | `5.0.4` | | [nick-invision/retry](https://github.com/nick-invision/retry) | `3.0.2` | `4.0.0` | | [codecov/codecov-action](https://github.com/codecov/codecov-action) | `5.5.2` | `5.5.3` | | [revanite-io/osps-baseline-action](https://github.com/revanite-io/osps-baseline-action) | `1.0.0` | `1.3.1` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `6.0.0` | `7.0.0` | | [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.0.0` | `4.1.0` | | [actions/stale](https://github.com/actions/stale) | `10.1.1` | `10.2.0` | Updates `step-security/harden-runner` from 2.14.1 to 2.16.0 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/e3f713f2d8f53843e71c69a996d56f51aa9adfb9...fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594) Updates `github/codeql-action` from 4.32.0 to 4.34.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/b20883b0cd1f46c72ae0ba6d1090936928f9fa30...38697555549f1db7851b81482ff19f1fa5c4fedc) Updates `actions/dependency-review-action` from 4.8.2 to 4.9.0 - [Release 
notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261...2031cfc080254a8a887f58cffee85186f0e49e48) Updates `actions/cache` from 5.0.3 to 5.0.4 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/cdf6c1fa76f9f475f3d7449005a359c84ca0f306...668228422ae6a00e4ad889ee87cd7109ec5666a7) Updates `nick-invision/retry` from 3.0.2 to 4.0.0 - [Release notes](https://github.com/nick-invision/retry/releases) - [Commits](https://github.com/nick-invision/retry/compare/ce71cc2ab81d554ebbe88c79ab5975992d79ba08...ad984534de44a9489a53aefd81eb77f87c70dc60) Updates `codecov/codecov-action` from 5.5.2 to 5.5.3 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/671740ac38dd9b0130fbe1cec585b89eea48d3de...1af58845a975a7985b0beb0cbe6fbbb71a41dbad) Updates `revanite-io/osps-baseline-action` from 1.0.0 to 1.3.1 - [Release notes](https://github.com/revanite-io/osps-baseline-action/releases) - [Commits](https://github.com/revanite-io/osps-baseline-action/compare/ffcef1f33b6ee5b916c7e357e4ae1481b99b46b6...99e372da63a5587fad5ef9a1a3c6e465f7e9fc03) Updates `actions/upload-artifact` from 6.0.0 to 7.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f) Updates `sigstore/cosign-installer` from 4.0.0 to 4.1.0 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - 
[Commits](https://github.com/sigstore/cosign-installer/compare/faadad0cce49287aee09b3a48701e75088a2c6ad...ba7bc0a3fef59531c69a25acd34668d6d3fe6f22) Updates `actions/stale` from 10.1.1 to 10.2.0 - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/997185467fa4f803885201cee163a9f38240193d...b5d41d4e1d5dceea10e7104786b73624c18a190f) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.16.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.34.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/dependency-review-action dependency-version: 4.9.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/cache dependency-version: 5.0.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: nick-invision/retry dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: codecov/codecov-action dependency-version: 5.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: revanite-io/osps-baseline-action dependency-version: 1.3.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: sigstore/cosign-installer dependency-version: 4.1.0 
dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/stale dependency-version: 10.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 8 ++--- .github/workflows/depsreview.yml | 2 +- .github/workflows/docker.yml | 2 +- .github/workflows/gitlab.yml | 10 +++--- .github/workflows/goreleaser.yaml | 2 +- .github/workflows/integration.yml | 8 ++--- .github/workflows/lint.yml | 2 +- .github/workflows/main.yml | 46 ++++++++++++------------ .github/workflows/osps-baseline.yml | 4 +-- .github/workflows/publishimage.yml | 6 ++-- .github/workflows/scorecard-analysis.yml | 4 +-- .github/workflows/stale.yml | 4 +-- .github/workflows/verify.yml | 2 +- 13 files changed, 50 insertions(+), 50 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 758da27b028..7c08efc8d56 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -55,7 +55,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -73,7 +73,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 + uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: languages: ${{ matrix.language }} queries: +security-extended 
@@ -85,7 +85,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 + uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -99,4 +99,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 + uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml index 0872beef72d..6af9cb8a3c8 100644 --- a/.github/workflows/depsreview.yml +++ b/.github/workflows/depsreview.yml @@ -24,4 +24,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index f2e97699e02..c5f31d9245e 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -72,7 +72,7 @@ jobs: steps: - name: Harden Runner if: (needs.docs_only_check.outputs.docs_only != 'true') - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code diff --git a/.github/workflows/gitlab.yml b/.github/workflows/gitlab.yml index 824d43d3f0e..444ab80883b 100644 --- a/.github/workflows/gitlab.yml 
+++ b/.github/workflows/gitlab.yml @@ -33,7 +33,7 @@ jobs: environment: gitlab steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code @@ -52,7 +52,7 @@ jobs: echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT" - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 #v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4 with: path: | ${{ steps.go-cache-paths.outputs.go-build }} @@ -66,7 +66,7 @@ jobs: go mod download - name: Run GitLab tokenless E2E - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 if: github.event_name == 'pull_request' with: max_attempts: 3 @@ -75,7 +75,7 @@ jobs: command: make e2e-gitlab - name: Run GitLab PAT E2E # skip if auth token is not available - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 if: ${{ github.event_name == 'push' && github.actor != 'dependabot[bot]' }} env: GITLAB_AUTH_TOKEN: ${{ secrets.GITLAB_TOKEN }} @@ -86,7 +86,7 @@ jobs: command: make e2e-gitlab-token - name: codecov - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # 5.5.2 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # 5.5.3 with: files: "*e2e-coverage.out" verbose: true diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml index 24993af4d1c..e6c5be1e084 100644 --- a/.github/workflows/goreleaser.yaml +++ b/.github/workflows/goreleaser.yaml 
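Review bot: The pin comments in gitlab.yml do not follow one format: the `actions/cache` line (hunk `@@ -52,7 +52,7 @@`) carries `#v5.0.4` with no space, and the codecov line (hunk `@@ -86,7 +86,7 @@`) carries `# 5.5.3` with no `v`, while most other pins in this patch use `# vX.Y.Z`. The same two forms appear in the integration.yml hunks, and patch 2/2 normalizes the cache comment only in main.yml. I would write `# v5.0.4` and `# v5.5.3` here too, so the comments can be searched and compared against release tags uniformly when the pins are audited.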
@@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index a204ba06275..f2190ed2b59 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -31,7 +31,7 @@ jobs: environment: integration-test steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code @@ -50,7 +50,7 @@ jobs: echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT" - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 #v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4 with: path: | ${{ steps.go-cache-paths.outputs.go-build }} @@ -64,7 +64,7 @@ jobs: go mod download - name: Run GITHUB_TOKEN E2E #using retry because the GitHub token is being throttled. - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 env: GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -74,7 +74,7 @@ jobs: command: make e2e-gh-token - name: codecov - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # 5.5.2 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # 5.5.3 with: files: "*e2e-coverage.out" verbose: true 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index f1d5f5f3fa7..d903528d0fb 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -19,7 +19,7 @@ jobs: name: check-linter runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bf56826304f..6ec2a728cd3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -37,7 +37,7 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code @@ -54,7 +54,7 @@ jobs: echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT" - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 #v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4 with: path: | ${{ steps.go-cache-paths.outputs.go-build }} 
@@ -68,12 +68,12 @@ jobs: - name: Run unit-tests run: make unit-test - name: Upload codecoverage - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # 5.5.2 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # 5.5.3 with: files: ./unit-coverage.out verbose: true - name: Run PAT Token E2E #using retry because the GitHub token is being throttled. - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }} env: GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }} @@ -83,7 +83,7 @@ jobs: timeout_minutes: 30 command: make e2e-pat - name: codecov - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # 2.1.0 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # 2.1.0 if: ${{ github.event_name != 'pull_request' || github.actor != 'dependabot[bot]' }} with: files: "*e2e-coverage.out" @@ -95,7 +95,7 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -106,7 +106,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/go/pkg/mod @@ -127,7 +127,7 @@ jobs: check-latest: true cache: true - name: generate mocks - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 with: max_attempts: 3 retry_on: error 
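Review bot: The version comment on the second codecov pin in main.yml (hunk `@@ -83,7 +83,7 @@`) still reads `# 2.1.0` although the SHA now matches the commit the description lists for 5.5.3, and the `actions/stale` pin in stale.yml (hunk `@@ -27,11 +27,11 @@`) still reads `# v3.0.18` although the description lists 10.2.0. The follow-up patch 2/2 touches neither line. With SHA pinning, the trailing comment is the only human-readable statement of which release a pin resolves to, so a wrong one misleads anyone auditing the workflow; the comments were presumably already out of date before this bump, which may be why the bot left them unchanged. Suggested lines: `uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3` and `- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0`.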
@@ -143,7 +143,7 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code @@ -155,7 +155,7 @@ jobs: check-latest: true cache: true - name: generate docs - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: max_attempts: 3 retry_on: error @@ -172,7 +172,7 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -192,7 +192,7 @@ jobs: check-latest: true cache: true - name: build-proto - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 with: max_attempts: 3 retry_on: error @@ -221,12 +221,12 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/go/pkg/mod 
@@ -245,7 +245,7 @@ jobs: check-latest: true cache: true - name: Run build - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: max_attempts: 3 retry_on: error @@ -260,13 +260,13 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/go/pkg/mod @@ -287,7 +287,7 @@ jobs: check-latest: true cache: true - name: Run build - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 with: max_attempts: 3 retry_on: error @@ -302,7 +302,7 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code @@ -314,7 +314,7 @@ jobs: check-latest: true cache: true - name: Run build - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 with: max_attempts: 3 retry_on: error 
@@ -330,7 +330,7 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -350,7 +350,7 @@ jobs: check-latest: true cache: true - name: Run build - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 with: max_attempts: 3 retry_on: error @@ -365,7 +365,7 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs diff --git a/.github/workflows/osps-baseline.yml b/.github/workflows/osps-baseline.yml index 5d549400d64..36b20971741 100644 --- a/.github/workflows/osps-baseline.yml +++ b/.github/workflows/osps-baseline.yml @@ -18,7 +18,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Open Source Project Security Baseline Scanner - uses: revanite-io/osps-baseline-action@ffcef1f33b6ee5b916c7e357e4ae1481b99b46b6 # v1.0.0 + uses: revanite-io/osps-baseline-action@99e372da63a5587fad5ef9a1a3c6e465f7e9fc03 # v1.3.1 with: owner: ${{ github.repository_owner }} repo: ${{ github.event.repository.name }} @@ -28,7 +28,7 @@ jobs: - name: Upload assessment results if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: osps-assessment-results-${{ github.run_number }} path: evaluation_results/ diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml index 66c37e2d1d6..8aac53a8ab7 100644 
--- a/.github/workflows/publishimage.yml +++ b/.github/workflows/publishimage.yml @@ -36,7 +36,7 @@ jobs: COSIGN_EXPERIMENTAL: "true" steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -52,7 +52,7 @@ jobs: - name: install ko uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 - name: publishimage - uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 with: max_attempts: 3 retry_on: error @@ -62,7 +62,7 @@ jobs: make install make scorecard-ko - name: Install Cosign - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad + uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 - name: Sign image run: | cosign sign --yes ghcr.io/${{github.repository_owner}}/scorecard:${{ github.sha }} diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml index 7306fea7a80..ae2e9cb8b78 100644 --- a/.github/workflows/scorecard-analysis.yml +++ b/.github/workflows/scorecard-analysis.yml @@ -42,7 +42,7 @@ jobs: # uploads of run results in SARIF format to the repository Actions tab. # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts - name: "Upload artifact" - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: SARIF file path: results.sarif 
@@ -51,6 +51,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 + uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: sarif_file: results.sarif diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 705e4fd1daf..e92e64ee10c 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -27,11 +27,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v3.0.18 + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v3.0.18 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'This issue has been marked stale because it has been open for 60 days with no activity.' diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index ebea3b27be2..29940f40215 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs From d936de76d365d8cecef7d90c87142c159610763d Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Mon, 23 Mar 2026 19:04:05 +0100 Subject: [PATCH 2/2] Fix version comments Co-authored-by: Stephen Augustus 
Signed-off-by: Stephen Augustus --- .github/workflows/main.yml | 14 +++++++------- .github/workflows/publishimage.yml | 4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6ec2a728cd3..20d84ad29ff 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -54,7 +54,7 @@ jobs: echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT" - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ${{ steps.go-cache-paths.outputs.go-build }} @@ -73,7 +73,7 @@ jobs: files: ./unit-coverage.out verbose: true - name: Run PAT Token E2E #using retry because the GitHub token is being throttled. - uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }} env: GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }} @@ -127,7 +127,7 @@ jobs: check-latest: true cache: true - name: generate mocks - uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: max_attempts: 3 retry_on: error @@ -192,7 +192,7 @@ jobs: check-latest: true cache: true - name: build-proto - uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: max_attempts: 3 retry_on: error @@ -287,7 +287,7 @@ jobs: check-latest: true cache: true - name: Run build - uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: max_attempts: 3 retry_on: error 
@@ -314,7 +314,7 @@ jobs: check-latest: true cache: true - name: Run build - uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: max_attempts: 3 retry_on: error @@ -350,7 +350,7 @@ jobs: check-latest: true cache: true - name: Run build - uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: max_attempts: 3 retry_on: error diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml index 8aac53a8ab7..7dceea0120a 100644 --- a/.github/workflows/publishimage.yml +++ b/.github/workflows/publishimage.yml @@ -52,7 +52,7 @@ jobs: - name: install ko uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 - name: publishimage - uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: max_attempts: 3 retry_on: error @@ -62,7 +62,7 @@ jobs: make install make scorecard-ko - name: Install Cosign - uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 + uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 - name: Sign image run: | cosign sign --yes ghcr.io/${{github.repository_owner}}/scorecard:${{ github.sha }}