diff --git a/.github/actions/e2e/action.yaml b/.github/actions/e2e/action.yaml
index 67d4c0948..28a1c8ef6 100644
--- a/.github/actions/e2e/action.yaml
+++ b/.github/actions/e2e/action.yaml
@@ -34,7 +34,7 @@ runs:
 ${{ runner.os }}-tools-bin-e2e-
 ${{ runner.os }}-tools-bin-
 - name: Download artifact
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
 with:
 name: test-release
 path: out
@@ -80,7 +80,7 @@ runs:
 CAPH_LATEST_VERSION: "v1.0.0-beta.26"
 run: make ${{ inputs.e2e_make_target }}
 - name: Upload artifact
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
 if: ${{ always() }}
 with:
 name: e2e-${{ inputs.e2e_name }}
diff --git a/.github/actions/manager-image/action.yaml b/.github/actions/manager-image/action.yaml
index 86ce3816b..838ffc9c3 100644
--- a/.github/actions/manager-image/action.yaml
+++ b/.github/actions/manager-image/action.yaml
@@ -8,10 +8,10 @@ runs:
 using: "composite"
 steps:
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 - name: Login to ghcr.io for CI
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -44,7 +44,7 @@ runs:
 # Import GitHub's cache build to docker cache
 - name: Copy Caph Golang cache to docker cache
- uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+ uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1
 with:
 provenance: false
 context: /tmp/.cache/caph
@@ -54,7 +54,7 @@ runs:
 target: import-cache
 - name: Build and push manager image
- uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6
+ uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6
 with:
 provenance: false
 context: .
diff --git a/.github/actions/test-release/action.yaml b/.github/actions/test-release/action.yaml
index bfc987e0e..d1cab2093 100644
--- a/.github/actions/test-release/action.yaml
+++ b/.github/actions/test-release/action.yaml
@@ -25,7 +25,7 @@ runs:
 TAG: ${{ steps.meta.outputs.version }}
 run: make test-release
 - name: Upload artifact
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
 with:
 name: test-release
 path: out
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8649c38d2..c7607ab8d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -33,9 +33,9 @@ jobs:
 fetch-depth: 0
 - uses: ./.github/actions/setup-go
 - name: Set up QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3
 - name: Generate metadata
 id: meta
@@ -45,14 +45,14 @@ jobs:
 metadata_tags: ${{ env.metadata_tags }}
 - name: Login to ghcr.io for CI
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Install Cosign
- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+ uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
 - name: Install Bom
 shell: bash
@@ -88,7 +88,7 @@ jobs:
 # Import GitHub's cache build to docker cache
 - name: Copy Caph Golang cache to docker cache
- uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+ uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1
 with:
 provenance: false
 context: /tmp/.cache/caph
@@ -98,7 +98,7 @@ jobs:
 target: import-cache
 - name: Build and push manager image
- uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6
+ uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6
 id: docker_build_release
 with:
 provenance: false
@@ -150,7 +150,7 @@ jobs:
 # Store docker's golang's cache build locally only on the main branch
 - name: Store Caph Golang cache build locally
 if: ${{ steps.cache.outputs.cache-hit != 'true' }}
- uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+ uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1
 with:
 provenance: false
 context: .
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
index bebe86754..f5be14217 100644
--- a/.github/workflows/pr-verify.yml
+++ b/.github/workflows/pr-verify.yml
@@ -29,7 +29,7 @@ jobs:
 - name: Verify Starlark
 run: make verify-starlark
- - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
+ - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4
 with:
 node-version: "18"
 - name: Install renovate
@@ -42,7 +42,7 @@ jobs:
 done
 - name: Generate Token
- uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1
+ uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1
 id: generate-token
 with:
 app-id: ${{ secrets.SYSELF_APP_ID }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 760c309cd..564e49eb6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,9 +24,9 @@ jobs:
 fetch-depth: 0
 - uses: ./.github/actions/setup-go
 - name: Set up QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3
 - name: Generate metadata
 id: meta
@@ -36,14 +36,14 @@ jobs:
 metadata_tags: ${{ env.metadata_tags }}
 - name: Login to ghcr.io for CI
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Install Cosign
- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+ uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
 - name: Install Bom
 shell: bash
@@ -60,7 +60,7 @@ jobs:
 echo 'EOF' >> $GITHUB_ENV
 - name: Build and push manager image
- uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6
+ uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6
 id: docker_build_release
 with:
 provenance: false
@@ -147,7 +147,7 @@ jobs:
 run: |
 make release-notes
 - name: Release
- uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2
+ uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2
 with:
 draft: true
 files: out/*
diff --git a/.github/workflows/schedule-update-bot.yaml b/.github/workflows/schedule-update-bot.yaml
index 35a0f9c02..52f7fccb6 100644
--- a/.github/workflows/schedule-update-bot.yaml
+++ b/.github/workflows/schedule-update-bot.yaml
@@ -33,7 +33,7 @@ jobs:
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Generate Token
- uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1
+ uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1
 id: generate-token
 with:
 app-id: ${{ secrets.SYSELF_APP_ID }}
@@ -44,7 +44,7 @@ jobs:
 echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" >> "$GITHUB_ENV"
 - name: Renovate
- uses: renovatebot/github-action@21d88b0bf0183abcee15f990011cca090dfc47dd # v40.1.12
+ uses: renovatebot/github-action@0c94129d48b4e92addf23686b8a735b3057a0448 # v40.2.5
 env:
 RENOVATE_HOST_RULES: '[{"hostType": "docker", "matchHost": "ghcr.io", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
 RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '[".*"]'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 318389166..5a9eaf881 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -59,7 +59,7 @@ jobs:
 run: make report-cover-html report-cover-treemap
 - name: Test Summary
- uses: test-summary/action@032c8a9cec6aaa3c20228112cae6ca10a3b29336 # v2.3
+ uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
 with:
 paths: ".coverage/junit.xml"