diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index 4fa6921..aa47bca 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml @@ -106,7 +106,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: egress-policy: block diff --git a/.github/workflows/_dependency-review.yml b/.github/workflows/_dependency-review.yml index ef84b1c..933bd3e 100644 --- a/.github/workflows/_dependency-review.yml +++ b/.github/workflows/_dependency-review.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: disable-sudo: true egress-policy: block @@ -24,4 +24,4 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # tag=v4.4.0 + uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # tag=v4.5.0 diff --git a/.github/workflows/_labels.yml b/.github/workflows/_labels.yml index 4f144ec..b4c10f8 100644 --- a/.github/workflows/_labels.yml +++ b/.github/workflows/_labels.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/_scorecards.yml b/.github/workflows/_scorecards.yml index d94a0b3..642b59b 100644 --- a/.github/workflows/_scorecards.yml +++ b/.github/workflows/_scorecards.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: disable-sudo: true egress-policy: block @@ -79,6 +79,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # tag=codeql-bundle-v3.27.0 + uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # tag=codeql-bundle-v3.27.9 with: sarif_file: results.sarif diff --git a/.github/workflows/_stale-issues.yml b/.github/workflows/_stale-issues.yml index fcd48b2..f9acd51 100644 --- a/.github/workflows/_stale-issues.yml +++ b/.github/workflows/_stale-issues.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/common-lint.yml b/.github/workflows/common-lint.yml index cf2b33d..767020d 100644 --- a/.github/workflows/common-lint.yml +++ b/.github/workflows/common-lint.yml @@ -50,7 +50,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: disable-sudo: true egress-policy: block @@ -75,7 +75,7 @@ jobs: # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # tag=v5.1.0 + - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # tag=v5.2.0 with: go-version: ${{ inputs.go_version }} @@ -89,7 +89,7 @@ jobs: run: | echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # tag=v4.1.2 + - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # tag=v4.2.0 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ inputs.python_version }}-\ diff --git a/.github/workflows/csv-to-json.yml b/.github/workflows/csv-to-json.yml index ae13a28..8873a92 100644 --- a/.github/workflows/csv-to-json.yml +++ b/.github/workflows/csv-to-json.yml @@ -23,7 +23,7 @@ jobs: json: ${{ steps.csv-to-json.outputs.json }} steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/diagnostics.yml b/.github/workflows/diagnostics.yml index 6cc5853..f61e2d5 100644 --- a/.github/workflows/diagnostics.yml +++ b/.github/workflows/diagnostics.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/docker-build-image.yml b/.github/workflows/docker-build-image.yml index 172fa8c..516c044 100644 --- a/.github/workflows/docker-build-image.yml +++ b/.github/workflows/docker-build-image.yml @@ -213,7 +213,7 @@ jobs: image_archive_name: ${{ steps.check_image_archive_key.outputs.file_name }} steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: disable-sudo: true egress-policy: audit @@ -372,7 +372,7 @@ jobs: - name: Build image for push if: inputs.push == true - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # tag=v6.9.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # tag=v6.10.0 with: build-args: ${{ steps.prepare-build-args.outputs.build_args }} cache-from: ${{ steps.cache_scopes.outputs.from }} @@ -387,7 +387,7 @@ jobs: - name: Build image for archive if: inputs.push == false - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # tag=v6.9.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # tag=v6.10.0 with: build-args: ${{ steps.prepare-build-args.outputs.build_args }} cache-from: ${{ steps.cache_scopes.outputs.from }} diff --git a/.github/workflows/docker-metadata.yml b/.github/workflows/docker-metadata.yml index 2e6620a..300b299 100644 --- a/.github/workflows/docker-metadata.yml +++ b/.github/workflows/docker-metadata.yml @@ -38,7 +38,7 @@ jobs: tags: ${{ steps.prep.outputs.tags }} steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: egress-policy: block allowed-endpoints: > @@ -68,7 +68,7 @@ jobs: - name: Calculate Docker metadata id: docker_meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # tag=v5.5.1 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # tag=v5.6.1 with: flavor: | latest=false diff --git a/.github/workflows/docker-multi-arch-push.yml b/.github/workflows/docker-multi-arch-push.yml index 3f0e179..2f305b5 100644 --- a/.github/workflows/docker-multi-arch-push.yml +++ b/.github/workflows/docker-multi-arch-push.yml @@ -36,7 +36,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: allowed-endpoints: > auth.docker.io:443 diff --git a/.github/workflows/docker-publish-description.yml b/.github/workflows/docker-publish-description.yml index 65c656e..37315b8 100644 --- a/.github/workflows/docker-publish-description.yml +++ b/.github/workflows/docker-publish-description.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs diff --git a/.github/workflows/docker-pytest-image.yml b/.github/workflows/docker-pytest-image.yml index 3b8e01f..7ddb7b4 100644 --- a/.github/workflows/docker-pytest-image.yml +++ b/.github/workflows/docker-pytest-image.yml @@ -65,7 +65,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: egress-policy: block allowed-endpoints: > @@ -108,7 +108,7 @@ jobs: python-version: ${{ inputs.python_version }} - name: Cache testing environments - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # tag=v4.1.2 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # tag=v4.2.0 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-" diff --git a/.github/workflows/sbom-artifact.yml b/.github/workflows/sbom-artifact.yml index 2f83cd5..89a5093 100644 --- a/.github/workflows/sbom-artifact.yml +++ b/.github/workflows/sbom-artifact.yml @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # tag=v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2 with: disable-sudo: true egress-policy: audit