diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 29f6e5d7..a1b29e05 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -47,7 +47,7 @@ jobs:
 needs: build-push-test
 if: ${{ !cancelled() }}
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: true
 egress-policy: audit
diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml
index 44ebdbcd..d974e615 100644
--- a/.github/workflows/image-cleanup.yml
+++ b/.github/workflows/image-cleanup.yml
@@ -15,7 +15,7 @@ jobs:
 permissions:
 packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete untagged and orphaned images
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: true
 allowed-endpoints: >
diff --git a/.github/workflows/issue-cleanup.yml b/.github/workflows/issue-cleanup.yml
index 346b5cdf..d5199b42 100644
--- a/.github/workflows/issue-cleanup.yml
+++ b/.github/workflows/issue-cleanup.yml
@@ -15,7 +15,7 @@ jobs:
 issues: write # is needed by actions/stale to close/comment on issues
 pull-requests: write # is needed by actions/stale to close/comment on PRs
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/issue-creation-tool-versions.yml b/.github/workflows/issue-creation-tool-versions.yml
index 9d3e1607..49ac152e 100644
--- a/.github/workflows/issue-creation-tool-versions.yml
+++ b/.github/workflows/issue-creation-tool-versions.yml
@@ -16,7 +16,7 @@ jobs:
 contents: read # is needed to checkout the repository
 issues: write # is needed by gh cli to create/close/pin/unpin issues
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml
index 884faf5d..a52634e8 100644
--- a/.github/workflows/linting-formatting.yml
+++ b/.github/workflows/linting-formatting.yml
@@ -26,7 +26,7 @@ jobs:
 pull-requests: write # is needed by oxsecurity/megalinter and reviewdog/action-suggester to post PR comments
 security-events: write # is needed by oxsecurity/megalinter for uploading sarif files
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: true
 egress-policy: audit
@@ -44,7 +44,7 @@ jobs:
 APPLY_FIXES: all
 VALIDATE_ALL_CODEBASE: true
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+ - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 if: success() || failure()
 with:
 sarif_file: megalinter-reports/megalinter-report.sarif
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
index 1c2612fa..ec367938 100644
--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@@ -20,7 +20,7 @@ jobs:
 security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
 id-token: write # is needed by ossf/scorecard-action to authenticate with OIDC
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: true
 egress-policy: audit
@@ -33,6 +33,6 @@ jobs:
 results_format: sarif
 repo_token: ${{ secrets.SCORECARD_TOKEN }}
 publish_results: true
- - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+ - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml
index cf42d8b2..57734735 100644
--- a/.github/workflows/pr-conventional-title.yml
+++ b/.github/workflows/pr-conventional-title.yml
@@ -17,7 +17,7 @@ jobs:
 permissions:
 pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments on PRs
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo-and-containers: true
 allowed-endpoints: >
diff --git a/.github/workflows/pr-image-cleanup.yml b/.github/workflows/pr-image-cleanup.yml
index a27c201d..e1247677 100644
--- a/.github/workflows/pr-image-cleanup.yml
+++ b/.github/workflows/pr-image-cleanup.yml
@@ -14,7 +14,7 @@ jobs:
 permissions:
 packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete images
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: true
 egress-policy: audit
@@ -29,7 +29,7 @@ jobs:
 permissions:
 actions: write # is needed to delete workflow run caches
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/pr-report.yml b/.github/workflows/pr-report.yml
index 654366e7..ac9b19f8 100644
--- a/.github/workflows/pr-report.yml
+++ b/.github/workflows/pr-report.yml
@@ -18,7 +18,7 @@ jobs:
 actions: read # is needed by philips-software/pull-request-report-action to fetch workflow run information
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index b3c9c0d2..1673428f 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -38,7 +38,7 @@ jobs:
 # currently provide a more fine-grained permission for release modification.
 contents: write # is needed to modify a release
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
@@ -73,7 +73,7 @@ jobs:
 REF_NAME: ${{ github.ref_name }}
 REGISTRY: ghcr.io
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: true
 egress-policy: audit
@@ -132,7 +132,7 @@ jobs:
 contents: write # is needed to modify a release
 needs: [generate-documents]
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: true
 egress-policy: audit
@@ -154,7 +154,7 @@ jobs:
 permissions:
 pull-requests: write # is needed by rdlf0/comment-released-prs-action to post comments on PRs
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index d3032498..af24b365 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -18,7 +18,7 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index 6e4db1e9..b4c0fcfc 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -24,7 +24,7 @@ jobs:
 contents: write # is needed by peter-evans/create-pull-request to create branches and push commits
 pull-requests: write # is needed by peter-evans/create-pull-request to create a PR
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -62,7 +62,7 @@ jobs:
 contents: write # is needed by peter-evans/create-pull-request to create branches and push commits
 pull-requests: write # is needed by peter-evans/create-pull-request to create a PR
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 1c49f827..e033fb21 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -18,7 +18,7 @@ jobs:
 permissions:
 security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - uses: crazy-max/ghaction-container-scan@a0a3900b79d158c85ccf034e5368fae620a9233a # v4.0.0
@@ -26,7 +26,7 @@ jobs:
 with:
 image: ghcr.io/${{ github.repository }}-${{ matrix.flavor }}:latest
 dockerfile: .devcontainer/Dockerfile
- - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+ - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 if: steps.scan.outputs.sarif != ''
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml
index 74fd3e95..826f5e9f 100644
--- a/.github/workflows/wc-acceptance-test.yml
+++ b/.github/workflows/wc-acceptance-test.yml
@@ -36,7 +36,7 @@ jobs:
 runs-on: ubuntu-latest
 environment: acceptance-testing
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: false # Playwright requires root privileges to install browsers
 egress-policy: audit
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
index 7376dd24..f5b68c24 100644
--- a/.github/workflows/wc-build-push.yml
+++ b/.github/workflows/wc-build-push.yml
@@ -75,7 +75,7 @@ jobs:
 contents: read
 packages: write # is needed by docker/build-push-action to push images when using GitHub Container Registry
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: true
 egress-policy: audit
@@ -162,7 +162,7 @@ jobs:
 digest: ${{ steps.inspect-manifest.outputs.digest }}
 version: ${{ steps.metadata.outputs.version }}
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: true
 egress-policy: audit
diff --git a/.github/workflows/wc-dependency-review.yml b/.github/workflows/wc-dependency-review.yml
index d4e2d823..9ce0c22e 100644
--- a/.github/workflows/wc-dependency-review.yml
+++ b/.github/workflows/wc-dependency-review.yml
@@ -26,7 +26,7 @@ jobs:
 contents: read
 pull-requests: write # is needed by actions/dependency-review-action to write PR summaries
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/wc-document-generation.yml b/.github/workflows/wc-document-generation.yml
index b016412f..51702ab5 100644
--- a/.github/workflows/wc-document-generation.yml
+++ b/.github/workflows/wc-document-generation.yml
@@ -18,7 +18,7 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/wc-integration-test-docker.yml b/.github/workflows/wc-integration-test-docker.yml
index d13e2b81..de1ddadb 100644
--- a/.github/workflows/wc-integration-test-docker.yml
+++ b/.github/workflows/wc-integration-test-docker.yml
@@ -45,7 +45,7 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: true
 egress-policy: audit
diff --git a/.github/workflows/wc-integration-test-podman.yml b/.github/workflows/wc-integration-test-podman.yml
index d9ceaefc..46871176 100644
--- a/.github/workflows/wc-integration-test-podman.yml
+++ b/.github/workflows/wc-integration-test-podman.yml
@@ -40,7 +40,7 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: false
 egress-policy: audit
diff --git a/.github/workflows/wc-publish-templates.yml b/.github/workflows/wc-publish-templates.yml
index 66d7e301..fc522d1f 100644
--- a/.github/workflows/wc-publish-templates.yml
+++ b/.github/workflows/wc-publish-templates.yml
@@ -13,7 +13,7 @@ jobs:
 permissions:
 packages: write # is needed by devcontainers/action to write templates as OCI artifacts
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo: true
 egress-policy: audit
diff --git a/.github/workflows/wc-sanitize-image-name.yml b/.github/workflows/wc-sanitize-image-name.yml
index 9861f763..b334c2d8 100644
--- a/.github/workflows/wc-sanitize-image-name.yml
+++ b/.github/workflows/wc-sanitize-image-name.yml
@@ -35,7 +35,7 @@ jobs:
 image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
 fully-qualified-image-name: ${{ inputs.registry }}/${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
 steps:
- - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 disable-sudo-and-containers: true
 allowed-endpoints: >