diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d22b9e3..504749e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,7 @@ jobs: env: CGO_ENABLED: "1" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - uses: actions/setup-go@v6 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 102dcb4..2ed7051 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,13 +47,13 @@ jobs: steps: - name: Harden runner egress # step-security/harden-runner v2.19.0 - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 with: egress-policy: audit - name: Checkout tag # actions/checkout v4.2.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 with: # On workflow_dispatch, build the supplied existing tag; on a tag # push, the pushed ref. Full history so goreleaser version detection @@ -92,7 +92,7 @@ jobs: - name: Install cosign # sigstore/cosign-installer v3.9.2 — provides `cosign` for the keyless # signing step in .goreleaser.yaml (signs: cmd: cosign). - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 - name: Install syft # anchore/sbom-action v0.24.0 (download-syft sub-action) — puts `syft` @@ -103,7 +103,7 @@ jobs: - name: Run GoReleaser # goreleaser/goreleaser-action v6.2.1 - uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 + uses: goreleaser/goreleaser-action@f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 with: version: '~> v2' args: release --clean diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 1ae22d3..272ac52 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -41,7 +41,7 @@ jobs: - name: Checkout code # actions/checkout v6.0.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 with: persist-credentials: false @@ -64,6 +64,6 @@ jobs: - name: Upload SARIF to GitHub code-scanning # github/codeql-action/upload-sarif v3.35.2 - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e + uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a with: sarif_file: results.sarif diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 0faec9e..a453888 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -33,7 +33,7 @@ jobs: OSV_SCANNER_VERSION: 2.3.5 GH_TOKEN: ${{ github.token }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 # Install osv-scanner from the official GitHub release (binary, not the # action — google/osv-scanner-action's `action.yml` is composite-only and # fails when invoked as a job step). Using the preinstalled `gh` CLI @@ -70,7 +70,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 - uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: scan-type: fs @@ -85,8 +85,8 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 - - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.12' - name: Install semgrep @@ -110,7 +110,7 @@ jobs: GITLEAKS_VERSION: 8.30.1 GH_TOKEN: ${{ github.token }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 with: fetch-depth: 0 # The official `gitleaks/gitleaks-action` requires a paid license for @@ -133,7 +133,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '20' @@ -165,7 +165,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 - name: Generate SPDX SBOM uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 with: