diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 500e43f..868f2ad 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -44,14 +44,14 @@ jobs: submodules: recursive - name: Login to GitHub container registry - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 with: buildkitd-config-inline: | [registry."docker.io"] @@ -61,7 +61,7 @@ jobs: run: echo "SAFE_REF=${GITHUB_REF_NAME//\//-}" >> $GITHUB_ENV - name: Build container - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 with: context: . platforms: linux/${{ matrix.cpu }} @@ -74,7 +74,7 @@ jobs: cache-to: type=registry,mode=max,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ env.SAFE_REF }} - name: Scan image with Trivy - uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" @@ -102,7 +102,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 + uses: docker/metadata-action@dc802804100637a589fabce1cb79ff13a1411302 # v6.2.0 with: images: | ${{ env.GHCR_REPO }} @@ -110,7 +110,7 @@ jobs: tags: ${{ inputs.tags }} - name: Login to GitHub container registry - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/lint-web.yml b/.github/workflows/lint-web.yml index c638d4e..8c8bd91 100644 --- a/.github/workflows/lint-web.yml +++ b/.github/workflows/lint-web.yml @@ -35,7 +35,7 @@ jobs: node-version: 26 - name: Install pnpm - uses: pnpm/action-setup@008330803749db0355799c700092d9a85fd074e9 # v6.0.9 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9 with: cache: true version: 11 diff --git a/.github/workflows/publish-docker-latest.yml b/.github/workflows/publish-docker-latest.yml index c926721..1528e66 100644 --- a/.github/workflows/publish-docker-latest.yml +++ b/.github/workflows/publish-docker-latest.yml @@ -22,14 +22,14 @@ jobs: uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Login to GitHub container registry - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 - name: Derive semver tag run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0c8c668..d8a0999 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -92,7 +92,7 @@ jobs: node-version: 26 - name: Install pnpm - uses: pnpm/action-setup@008330803749db0355799c700092d9a85fd074e9 # v6.0.9 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9 with: cache: true version: 11 @@ -104,12 +104,12 @@ jobs: pnpm build - name: Install Rust stable - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # stable + uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable with: targets: "aarch64-unknown-linux-gnu" - name: Run sccache-cache - uses: mozilla-actions/sccache-action@1583d6b38d7be47f593cb472781bbb21cab4321e # v0.0.10 + uses: mozilla-actions/sccache-action@9e7fa8a12102821edf02ca5dbea1acd0f89a2696 # v0.0.10 - name: Build Linux x86_64 binary run: | @@ -319,7 +319,7 @@ jobs: deb_arch: amd64 rust_target: x86_64-unknown-linux-gnu container: - image: ubuntu:22.04 + image: ubuntu:22.04@sha256:0e0a0fc6d18feda9db1590da249ac93e8d5abfea8f4c3c0c849ce512b5ef8982 env: DEBIAN_FRONTEND: noninteractive HOME: /root @@ -350,7 +350,7 @@ jobs: node-version: 26 - name: Install pnpm - uses: pnpm/action-setup@008330803749db0355799c700092d9a85fd074e9 # v6.0.9 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9 with: version: 11 @@ -363,7 +363,7 @@ jobs: pnpm build - name: Install Rust stable - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # stable + uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable - name: Install build dependencies run: | diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 0b3c5ce..0f5a60b 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -33,7 +33,7 @@ jobs: submodules: recursive - name: Create SBOM with Trivy - uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" @@ -46,7 +46,7 @@ jobs: scanners: "vuln" - name: Create Docker image SBOM with Trivy - uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" @@ -59,7 +59,7 @@ jobs: scanners: "vuln" - name: Create security advisory file with Trivy - uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" @@ -72,7 +72,7 @@ jobs: scanners: "vuln" - name: Create Docker image security advisory file with Trivy - uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 388ea01..377c54d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -28,7 +28,7 @@ jobs: test: runs-on: - codebuild-defguard-proxy-runner-${{ github.run_id }}-${{ github.run_attempt }} - container: public.ecr.aws/docker/library/rust:1 + container: public.ecr.aws/docker/library/rust:1@sha256:44637ff22d0a6571a221bfaf137849711ad02ff4723dbb4736e297538f6a3e60 steps: - name: Checkout @@ -37,7 +37,7 @@ jobs: submodules: recursive - name: Scan code with Trivy - uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_IGNOREFILE: "./.trivyignore.yaml" TRIVY_SHOW_SUPPRESSED: 1 @@ -50,7 +50,7 @@ jobs: scanners: "vuln" - name: Run sccache-cache - uses: mozilla-actions/sccache-action@1583d6b38d7be47f593cb472781bbb21cab4321e # v0.0.10 + uses: mozilla-actions/sccache-action@9e7fa8a12102821edf02ca5dbea1acd0f89a2696 # v0.0.10 - name: Install protoc run: apt-get update && apt-get -y install protobuf-compiler @@ -66,7 +66,7 @@ jobs: cargo clippy --all-targets --all-features -- -D warnings - name: Install cargo extensions - uses: taiki-e/install-action@9e1e5806d4a4822de933115878265be9aaa786d9 # v2.82.2 + uses: taiki-e/install-action@c93ccc03e00cd0e08e494f5fd058a6c55a6a1907 # v2.82.8 with: tool: cargo-deny