diff --git a/.github/actions/secure-builder-checkout/action.yaml b/.github/actions/secure-builder-checkout/action.yaml index 71de1f5350..a27dca1540 100644 --- a/.github/actions/secure-builder-checkout/action.yaml +++ b/.github/actions/secure-builder-checkout/action.yaml @@ -37,7 +37,7 @@ runs: # and has an associated release. This will require exceptions # for e2e tests. - name: Checkout the repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} diff --git a/.github/actions/secure-download-artifact/action.yml b/.github/actions/secure-download-artifact/action.yml index bc225b8560..5ef646b14f 100644 --- a/.github/actions/secure-download-artifact/action.yml +++ b/.github/actions/secure-download-artifact/action.yml @@ -78,7 +78,7 @@ runs: echo "folder_path=${folder_path}" >> "${GITHUB_OUTPUT}" - name: Download the artifact - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: "${{ inputs.name }}" path: "${{ steps.validate-path.outputs.folder_path }}" diff --git a/.github/actions/secure-download-folder/action.yml b/.github/actions/secure-download-folder/action.yml index 001208a734..fae0c83e80 100644 --- a/.github/actions/secure-download-folder/action.yml +++ b/.github/actions/secure-download-folder/action.yml @@ -34,7 +34,7 @@ runs: uses: slsa-framework/slsa-github-generator/.github/actions/rng@main - name: Download the artifact - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: "${{ inputs.name }}" path: "${{ steps.rng.outputs.random }}" diff --git a/.github/actions/secure-project-checkout/action.yaml b/.github/actions/secure-project-checkout/action.yaml index b592687178..9dd6839307 100644 --- a/.github/actions/secure-project-checkout/action.yaml +++ b/.github/actions/secure-project-checkout/action.yaml @@ -40,7 +40,7 @@ runs: using: "composite" steps: - name: Checkout the repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: fetch-depth: ${{ inputs.fetch-depth }} ref: ${{ inputs.checkout-sha1 }} diff --git a/.github/actions/secure-upload-artifact/action.yml b/.github/actions/secure-upload-artifact/action.yml index e6209abca0..a2e7c2ab36 100644 --- a/.github/actions/secure-upload-artifact/action.yml +++ b/.github/actions/secure-upload-artifact/action.yml @@ -37,7 +37,7 @@ runs: path: "${{ inputs.path }}" - name: Upload the artifact - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "${{ inputs.name }}" path: "${{ inputs.path }}" diff --git a/.github/workflows/builder_container-based_slsa3.yml b/.github/workflows/builder_container-based_slsa3.yml index 5ebccd0e52..c53e5273d6 100644 --- a/.github/workflows/builder_container-based_slsa3.yml +++ b/.github/workflows/builder_container-based_slsa3.yml @@ -209,7 +209,7 @@ jobs: allow-private-repository: ${{ inputs.rekor-log-public }} - name: Upload builder - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}" path: "${{ env.BUILDER_BINARY }}" @@ -228,7 +228,7 @@ jobs: runs-on: ubuntu-latest needs: [rng, detect-env, generate-builder] steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Checkout builder repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: @@ -372,7 +372,7 @@ jobs: set-executable: true - name: Checkout the source repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: fetch-depth: 1 persist-credentials: false @@ -462,7 +462,7 @@ jobs: # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a # secure upload or verify this against the SLSA layout file. id: upload-artifacts - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: ${{ steps.build.outputs.build-outputs-name }} path: /tmp/build-outputs-${{ needs.rng.outputs.value }} @@ -535,7 +535,7 @@ jobs: - name: Upload unsigned intoto attestations file for pull request if: ${{ github.event_name == 'pull_request' }} id: upload-unsigned - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" path: "attestations-${{ needs.rng.outputs.value }}" @@ -556,7 +556,7 @@ jobs: - name: Upload the signed attestations id: upload-signed if: ${{ github.event_name != 'pull_request' }} - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" @@ -584,7 +584,7 @@ jobs: # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the SLSA # layout files and their checksums to validate the artifacts. - name: Download artifacts - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: "${{ needs.build.outputs.build-outputs-name }}" path: "${{ needs.build.outputs.build-outputs-name }}" @@ -592,7 +592,7 @@ jobs: # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the # secure-folder-download action. - name: Download provenance - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: "${{ needs.provenance.outputs.provenance-name }}" path: "${{ needs.provenance.outputs.provenance-name }}" diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index 0de010767b..2703fb117c 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -169,7 +169,7 @@ jobs: allow-private-repository: ${{ inputs.private-repository }} - name: Upload builder - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}" path: "${{ env.BUILDER_BINARY }}" @@ -358,7 +358,7 @@ jobs: --workingDir "$UNTRUSTED_WORKING_DIR" - name: Upload the signed provenance - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "${{ steps.sign-prov.outputs.signed-provenance-name }}" path: "${{ steps.sign-prov.outputs.signed-provenance-name }}" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 02ebe42dc5..d8b422c9ce 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -55,7 +55,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/e2e.create-container_based-predicate.schedule.yml b/.github/workflows/e2e.create-container_based-predicate.schedule.yml index f6bb413983..b95d365c05 100644 --- a/.github/workflows/e2e.create-container_based-predicate.schedule.yml +++ b/.github/workflows/e2e.create-container_based-predicate.schedule.yml @@ -39,7 +39,7 @@ jobs: permissions: id-token: write # Needed to detect the current reusable repository and ref. steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Detect the builder ref id: detect uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main @@ -71,7 +71,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: slsa-framework/example-package ref: main @@ -85,7 +85,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.detect-workflow-js.schedule.yml b/.github/workflows/e2e.detect-workflow-js.schedule.yml index c261b75e29..b23e69d1e4 100644 --- a/.github/workflows/e2e.detect-workflow-js.schedule.yml +++ b/.github/workflows/e2e.detect-workflow-js.schedule.yml @@ -33,7 +33,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - id: detect uses: ./.github/actions/detect-workflow-js - id: verify @@ -70,7 +70,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: slsa-framework/example-package ref: main @@ -84,7 +84,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.sign-attestations.schedule.yml b/.github/workflows/e2e.sign-attestations.schedule.yml index 01ba42fe1e..400b354298 100644 --- a/.github/workflows/e2e.sign-attestations.schedule.yml +++ b/.github/workflows/e2e.sign-attestations.schedule.yml @@ -33,7 +33,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - id: setup uses: ./.github/actions/sign-attestations with: @@ -62,7 +62,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: slsa-framework/example-package ref: main @@ -76,7 +76,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.upload-folder.schedule.yml b/.github/workflows/e2e.upload-folder.schedule.yml index 98c182ca2b..66d3768d46 100644 --- a/.github/workflows/e2e.upload-folder.schedule.yml +++ b/.github/workflows/e2e.upload-folder.schedule.yml @@ -37,7 +37,7 @@ jobs: sha256: ${{ steps.upload.outputs.sha256 }} sha256-noroot: ${{ steps.upload-noroot.outputs.sha256 }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Create folder run: | set -euo pipefail @@ -100,7 +100,7 @@ jobs: needs: [secure-upload-folder] runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Download in new folder uses: ./.github/actions/secure-download-folder @@ -180,7 +180,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: slsa-framework/example-package ref: main @@ -194,7 +194,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml index 4d2e325f30..ffc647f880 100644 --- a/.github/workflows/generator_container_slsa3.yml +++ b/.github/workflows/generator_container_slsa3.yml @@ -165,7 +165,7 @@ jobs: service_account: ${{ inputs.gcp-service-account }} - id: cosign-install - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 with: cosign-release: v2.2.3 continue-on-error: true diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml index 4e1902904a..35888e1972 100644 --- a/.github/workflows/generator_generic_slsa3.yml +++ b/.github/workflows/generator_generic_slsa3.yml @@ -238,7 +238,7 @@ jobs: - name: Upload the signed provenance id: upload-prov continue-on-error: true - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "${{ steps.sign-prov.outputs.provenance-name }}" path: "${{ steps.sign-prov.outputs.provenance-name }}" diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index 44560724c4..e62613ee42 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -27,13 +27,13 @@ jobs: name: verify no checkout in Actions runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - run: ./.github/workflows/scripts/pre-submit.actions/checkout.sh check-tscommon-tarball: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Untar the package tarball working-directory: .github/actions/tscommon @@ -75,7 +75,7 @@ jobs: - .github/actions/verify-token - .github/actions/detect-workflow-js steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Set Node.js 18 uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 @@ -98,7 +98,7 @@ jobs: fi # If index.js was different from expected, upload the expected version as an artifact - - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ failure() && steps.diff.conclusion == 'failure' }} with: name: dist @@ -121,7 +121,7 @@ jobs: compute-sha256: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - run: | echo "foo" > artifact - id: compute-sha256 @@ -136,7 +136,7 @@ jobs: rng: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - run: | echo "foo" > artifact - id: rng @@ -150,10 +150,10 @@ jobs: references: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: path: __THIS_REPO__ - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: slsa-framework/example-package ref: main @@ -176,7 +176,7 @@ jobs: secure-project-checkout-go: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: path: __BUILDER_CHECKOUT_DIR__ @@ -189,7 +189,7 @@ jobs: secure-project-checkout-node: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: path: __BUILDER_CHECKOUT_DIR__ @@ -209,7 +209,7 @@ jobs: UPLOAD_FOLDER_NO_ROOT_NAME: "upload-root/upload-folder" DOWNLOAD_FOLDER_NO_ROOT_NAME: "download-root/download-folder" steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Create folder run: | set -euo pipefail @@ -366,7 +366,7 @@ jobs: secure-download-artifact: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: path: __BUILDER_CHECKOUT_DIR__ @@ -393,7 +393,7 @@ jobs: secure-download-artifact-builder-name: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: path: __BUILDER_CHECKOUT_DIR__ @@ -426,7 +426,7 @@ jobs: secure-download-artifact-builder-repo-folder: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: path: __BUILDER_CHECKOUT_DIR__ @@ -460,7 +460,7 @@ jobs: secure-download-artifact-builder-repo-file: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: path: __BUILDER_CHECKOUT_DIR__ @@ -494,7 +494,7 @@ jobs: generate-builder-generic-compile: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - uses: ./.github/actions/generate-builder with: repository: "slsa-framework/slsa-github-generator" @@ -508,7 +508,7 @@ jobs: generate-builder-generic-no-compile: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Detect the builder ref id: detect uses: ./.github/actions/detect-workflow-js @@ -526,7 +526,7 @@ jobs: generate-attestations: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Test generate attestations id: generate uses: ./.github/actions/generate-attestations diff --git a/.github/workflows/pre-submit.apis.yml b/.github/workflows/pre-submit.apis.yml index 81ee7c2d64..1e3e70339a 100644 --- a/.github/workflows/pre-submit.apis.yml +++ b/.github/workflows/pre-submit.apis.yml @@ -31,6 +31,6 @@ jobs: name: verify safe APIs runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Check safe file systems APIs run: ./.github/workflows/scripts/pre-submit.apis/verify-safefs.sh diff --git a/.github/workflows/pre-submit.delegators.yml b/.github/workflows/pre-submit.delegators.yml index 8bb86549eb..8e7077fe67 100644 --- a/.github/workflows/pre-submit.delegators.yml +++ b/.github/workflows/pre-submit.delegators.yml @@ -27,6 +27,6 @@ jobs: name: verify identical delegators runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Compare diff between the delegator workflows run: ./.github/workflows/scripts/pre-submit.delegators/compare-diff.sh diff --git a/.github/workflows/pre-submit.e2e.container-based.default.yml b/.github/workflows/pre-submit.e2e.container-based.default.yml index fde224d1c7..7aabb0a121 100644 --- a/.github/workflows/pre-submit.e2e.container-based.default.yml +++ b/.github/workflows/pre-submit.e2e.container-based.default.yml @@ -45,8 +45,8 @@ jobs: HEAD_SHA: ${{ github.event.pull_request.head.sha }} GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ needs.build-container-based.outputs.build-outputs-name }} path: outputs @@ -57,7 +57,7 @@ jobs: name=$(find outputs/ -type f | head -1) cp "$name" . echo "name=$(basename "$name")" >> "$GITHUB_OUTPUT" - - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ needs.build-container-based.outputs.attestations-download-name }} - env: diff --git a/.github/workflows/pre-submit.e2e.generic.default.yml b/.github/workflows/pre-submit.e2e.generic.default.yml index 30776c0fd9..31082ddab5 100644 --- a/.github/workflows/pre-submit.e2e.generic.default.yml +++ b/.github/workflows/pre-submit.e2e.generic.default.yml @@ -47,8 +47,8 @@ jobs: needs: [build] if: ${{ always() }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ needs.build.outputs.provenance-name }} - env: @@ -77,8 +77,8 @@ jobs: runs-on: ubuntu-latest needs: [build-continue-no-error] steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ needs.build-continue-no-error.outputs.provenance-name }} - env: @@ -108,8 +108,8 @@ jobs: runs-on: ubuntu-latest needs: [build, build-continue-invalid-subjects] steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ needs.build.outputs.provenance-name }} - env: diff --git a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml index 862835d1bd..ae54ba4ea7 100644 --- a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml +++ b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml @@ -64,11 +64,11 @@ jobs: needs: [build] if: ${{ always() }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ needs.build.outputs.go-binary-name }} - - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ needs.build.outputs.go-provenance-name }} - env: diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml index f6c903e504..fb08c7f7dc 100644 --- a/.github/workflows/pre-submit.lint.yml +++ b/.github/workflows/pre-submit.lint.yml @@ -31,7 +31,7 @@ jobs: markdownlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 20 @@ -44,7 +44,7 @@ jobs: - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 20 - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - run: make markdown-toc - name: markdown-toc run: ./.github/workflows/scripts/pre-submit.markdown/markdown-toc.sh @@ -52,7 +52,7 @@ jobs: golangci-lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version-file: "go.mod" @@ -76,7 +76,7 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: shellcheck env: SHELLCHECK_VERSION: "0.10.0" @@ -116,7 +116,7 @@ jobs: yamllint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - run: | set -euo pipefail @@ -129,7 +129,7 @@ jobs: eslint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 20 @@ -138,7 +138,7 @@ jobs: renovate-config-validator: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 20 @@ -147,8 +147,8 @@ jobs: autogen: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: mbrukman/autogen ref: 9026b78e17573b5dda4bff79033c352443551dc5 diff --git a/.github/workflows/pre-submit.units.yml b/.github/workflows/pre-submit.units.yml index 1ee05c4cd0..0cf3e18c8e 100644 --- a/.github/workflows/pre-submit.units.yml +++ b/.github/workflows/pre-submit.units.yml @@ -35,7 +35,7 @@ jobs: if: ${{ always() }} steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: setup-go uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 @@ -58,12 +58,12 @@ jobs: if: ${{ always() }} steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: path: generator - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: path: verifier repository: slsa-framework/slsa-verifier diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4ae7e7658e..c15632945c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -34,10 +34,10 @@ jobs: name: pre release refs verification runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: path: __THIS_REPO__ - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/schedule.issue-reopener.yml b/.github/workflows/schedule.issue-reopener.yml index 3c9dfcc624..f5ab4d1cf6 100644 --- a/.github/workflows/schedule.issue-reopener.yml +++ b/.github/workflows/schedule.issue-reopener.yml @@ -27,6 +27,6 @@ jobs: permissions: issues: write steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Issue Reopener - uses: ianlewis/todo-issue-reopener@8727d6c42adc4085ffb838abcfe92e646c1f40bd # v1.2.0 + uses: ianlewis/todo-issue-reopener@339a05bfcc934adf6aa425b968a2d2f2af4f12ad # v1.2.1 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 146e51440f..42daf352a6 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -39,12 +39,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0 + uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 with: results_file: results.sarif results_format: sarif @@ -63,7 +63,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/update-actions-dist-post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml index 4ef58230f2..622b41a112 100644 --- a/.github/workflows/update-actions-dist-post-commit.yml +++ b/.github/workflows/update-actions-dist-post-commit.yml @@ -47,7 +47,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: repository: ${{ github.repository }} persist-credentials: false @@ -76,7 +76,7 @@ jobs: [ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT" - name: upload - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: changes.patch path: changes.patch @@ -91,14 +91,14 @@ jobs: contents: write steps: - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: checkout-pr env: GH_TOKEN: ${{ github.token }} PR_NUMBER: ${{ inputs.pr_number }} run: gh pr checkout "$PR_NUMBER" - name: download-patch - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: changes.patch - id: apply diff --git a/actions/gradle/publish/action.yml b/actions/gradle/publish/action.yml index e636fcfd11..6ee6bae06a 100644 --- a/actions/gradle/publish/action.yml +++ b/actions/gradle/publish/action.yml @@ -50,7 +50,7 @@ inputs: runs: using: "composite" steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Set up JDK uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 env: diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml index bb4375825a..6a94cf57bb 100644 --- a/internal/builders/gradle/action.yml +++ b/internal/builders/gradle/action.yml @@ -56,7 +56,7 @@ on: runs: using: "composite" steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Set up JDK uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 9115f24868..2d3cd269d5 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -56,7 +56,7 @@ on: runs: using: "composite" steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v 3.5.2 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v 3.5.2 - name: Set up JDK uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: