diff --git a/.github/workflows/acceptance-test.yml b/.github/workflows/acceptance-test.yml index fa7af2f9..d2b582d3 100644 --- a/.github/workflows/acceptance-test.yml +++ b/.github/workflows/acceptance-test.yml @@ -22,7 +22,7 @@ jobs: - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v9.0.1 with: egress-policy: audit - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: persist-credentials: false - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml index 32ab9a77..fccf45ab 100644 --- a/.github/workflows/build-push.yml +++ b/.github/workflows/build-push.yml @@ -36,7 +36,7 @@ jobs: - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v9.0.1 with: egress-policy: audit - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: persist-credentials: false - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 @@ -48,7 +48,7 @@ jobs: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0 + - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 if: matrix.flavor == 'cpp' id: buildkit-cache with: @@ -111,7 +111,7 @@ jobs: header: container-size-diff-${{ matrix.flavor }} message: | ${{ steps.container-size-diff.outputs.size-diff-markdown }} - - uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 + - uses: anchore/sbom-action@f5e124a5e5e1d497a692818ae907d3c45829d033 # v0.17.3 if: steps.build-and-push.outputs.digest != '' && github.event_name != 'merge_group' with: image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2d89e52b..f8502c17 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,7 +22,7 @@ jobs: steps: # While the docker/build-push-action works from the Git context, we still need # the checkout step for running our tests. - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: persist-credentials: false - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 @@ -32,7 +32,7 @@ jobs: load: true tags: ${{ github.repository }}-${{ matrix.flavor }}:test cache-from: type=gha,scope=${{ github.repository }}-${{ matrix.flavor }} - - uses: actions/cache/restore@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 if: matrix.flavor == 'cpp' with: path: test/.xwin-cache @@ -43,7 +43,7 @@ jobs: run: | set -Eeuo pipefail docker run --rm --mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock --mount type=bind,src="${{ github.workspace }}/.devcontainer/${{ matrix.flavor }}/test",dst=/ws -w /ws ${{ github.repository }}-${{ matrix.flavor }}:test bats --formatter junit testsuite.bats | tee test-report-${{ matrix.flavor }}.xml - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: always() with: name: test-results-${{ matrix.flavor }} diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml index 57760bd4..913e3ade 100644 --- a/.github/workflows/linting-formatting.yml +++ b/.github/workflows/linting-formatting.yml @@ -22,20 +22,20 @@ jobs: pull-requests: write security-events: write steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 persist-credentials: false - - uses: oxsecurity/megalinter@c217fe8f7bc9207062a084e989bd97efd56e7b9a # v8.0.0 + - uses: oxsecurity/megalinter@b38cdf1f0cbe056fad4112cb7cd99c2b574c9617 # v8.1.0 env: APPLY_FIXES: all VALIDATE_ALL_CODEBASE: true GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 + - uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 if: success() || failure() with: sarif_file: megalinter-reports/megalinter-report.sarif - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: success() || failure() with: name: Linter Report diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index db614b2c..89f925f4 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -18,7 +18,7 @@ jobs: security-events: write id-token: write steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: persist-credentials: false - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 @@ -27,6 +27,6 @@ jobs: results_format: sarif repo_token: ${{ secrets.SCORECARD_TOKEN }} publish_results: true - - uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 + - uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 with: sarif_file: results.sarif diff --git a/.github/workflows/pr-report.yml b/.github/workflows/pr-report.yml index cb458e77..f48f01b5 100644 --- a/.github/workflows/pr-report.yml +++ b/.github/workflows/pr-report.yml @@ -18,7 +18,7 @@ jobs: actions: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: persist-credentials: false - uses: philips-software/pull-request-report-action@39e2f082490099021474c109cb207953221a8e47 # v0.1.5 diff --git a/.github/workflows/prime-cache.yml b/.github/workflows/prime-cache.yml index 3559bdc9..7c99aa15 100644 --- a/.github/workflows/prime-cache.yml +++ b/.github/workflows/prime-cache.yml @@ -20,7 +20,7 @@ jobs: flavor: ["cpp", "rust"] steps: - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0 + - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 if: matrix.flavor == 'cpp' id: buildkit-cache with: @@ -49,7 +49,7 @@ jobs: set -Eeuo pipefail mkdir test docker run --rm --mount type=bind,src="$(pwd)/test",dst=/ws -w /ws ghcr.io/${{ github.repository }}-cpp:latest xwin --accept-license splat --preserve-ms-arch-notation - - uses: actions/cache/save@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0 + - uses: actions/cache/save@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 with: path: test/.xwin-cache key: xwin-cache-${{ github.run_id }} diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index 21fe53cc..00d21918 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -22,7 +22,7 @@ jobs: contents: write pull-requests: write steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: persist-credentials: false - uses: ./.github/actions/update-apt-packages @@ -51,7 +51,7 @@ jobs: contents: write pull-requests: write steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: persist-credentials: false - uses: ./.github/actions/update-vscode-extensions diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index d4204c52..9f2fea90 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -22,7 +22,7 @@ jobs: with: image: ghcr.io/${{ github.repository }}-${{ matrix.flavor }}:latest dockerfile: .devcontainer/Dockerfile - - uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 + - uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 if: steps.scan.outputs.sarif != '' with: sarif_file: ${{ steps.scan.outputs.sarif }}