diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index b98c6d730..17faaa3d0 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/dockerhub_description.yml b/.github/workflows/dockerhub_description.yml index b430cc79c..7e3974475 100644 --- a/.github/workflows/dockerhub_description.yml +++ b/.github/workflows/dockerhub_description.yml @@ -48,7 +48,7 @@ jobs: - web-service steps: - name: Block egress traffic - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 43245e30c..956966585 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -64,7 +64,7 @@ jobs: sha_short: ${{ steps.branch_info.outputs.sha_short }} steps: - name: Block egress traffic - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: block @@ -175,7 +175,7 @@ jobs: attestations: write steps: - name: Block egress traffic - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: audit @@ -275,7 +275,7 @@ jobs: - name: Install cosign if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 + uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a with: cosign-release: 'v2.4.0' @@ -284,13 +284,13 @@ jobs: run: cosign version - name: Set up QEMU - uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 with: image: tonistiigi/binfmt:qemu-v8.1.5 platforms: all - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: driver-opts: image=moby/buildkit:master @@ -311,7 +311,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} @@ -377,7 +377,7 @@ jobs: - name: Build and publish image id: docker_build - uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 + uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0 with: context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} @@ -436,7 +436,7 @@ jobs: echo "${METADATA}" > "$CACHE_FILE_NAME" - name: Cache image metadata - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: ${{ env.BASE_CACHE_FILE_NAME }} key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} @@ -458,7 +458,7 @@ jobs: attestations: write steps: - name: Block egress traffic - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: block @@ -496,7 +496,7 @@ jobs: - name: Install cosign if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 + uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a with: cosign-release: 'v2.4.0' @@ -505,13 +505,13 @@ jobs: run: cosign version - name: Set up QEMU - uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 with: image: tonistiigi/binfmt:qemu-v8.1.5 platforms: all - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: driver-opts: image=moby/buildkit:master @@ -532,7 +532,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} @@ -550,7 +550,7 @@ jobs: latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: ${{ env.BASE_CACHE_FILE_NAME }} key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} @@ -641,11 +641,12 @@ jobs: - name: Build ${{ matrix.build }}/${{ matrix.os }} and push id: docker_build - uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 + uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0 with: context: ${{ format('{0}/{1}/{2}/', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} build-contexts: | sources=./sources/ + config_templates=./config_templates/ file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} platforms: ${{ steps.platform.outputs.list }} push: true @@ -701,7 +702,7 @@ jobs: echo "${METADATA}" > "$CACHE_FILE_NAME" - name: Cache image metadata - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: ${{ env.BUILD_CACHE_FILE_NAME }} key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} @@ -724,7 +725,7 @@ jobs: attestations: write steps: - name: Block egress traffic - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: block @@ -856,7 +857,7 @@ jobs: - name: Install cosign if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 + uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a with: cosign-release: 'v2.4.0' @@ -865,13 +866,13 @@ jobs: run: cosign version - name: Set up QEMU - uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 with: image: tonistiigi/binfmt:qemu-v8.1.5 platforms: all - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: driver-opts: image=moby/buildkit:master @@ -924,7 +925,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} @@ -942,7 +943,7 @@ jobs: latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 if: ${{ matrix.build != 'snmptraps' }} with: path: ${{ env.BUILD_CACHE_FILE_NAME }} @@ -1013,7 +1014,7 @@ jobs: - name: Build and push image id: docker_build - uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 + uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0 with: context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} diff --git a/.github/workflows/images_build_rhel.yml b/.github/workflows/images_build_rhel.yml index 7de5a5d9c..a40156b58 100644 --- a/.github/workflows/images_build_rhel.yml +++ b/.github/workflows/images_build_rhel.yml @@ -72,7 +72,7 @@ jobs: secret_prefix: ${{ steps.branch_info.outputs.secret_prefix }} steps: - name: Block egress traffic - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: block @@ -219,7 +219,7 @@ jobs: - name: Install cosign if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 + uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a with: cosign-release: 'v2.4.0' @@ -236,7 +236,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }} tags: | @@ -281,7 +281,7 @@ jobs: echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT - name: Cache image metadata - uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache/save@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: | ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag_id @@ -356,7 +356,7 @@ jobs: echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} - uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: | ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag_id @@ -394,7 +394,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }} tags: | @@ -413,6 +413,7 @@ jobs: extra-args: | --iidfile=${{ github.workspace }}/iidfile --build-context sources=./sources/ + --build-context config_templates=./config_templates/ - name: Prepare image metadata id: image_metadata @@ -440,7 +441,7 @@ jobs: echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT - name: Cache image metadata - uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache/save@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: | ${{ matrix.build }}_${{ matrix.arch }}_tag_id @@ -537,7 +538,7 @@ jobs: - name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.arch }} if: ${{ matrix.build != 'snmptraps' }} - uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: | ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.arch }}_tag_id @@ -582,7 +583,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] || matrix.build }} tags: | @@ -719,7 +720,7 @@ jobs: permissions: {} steps: - name: Download metadata of ${{ matrix.build }}:${{ matrix.arch }} - uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: | ${{ matrix.build }}_${{ matrix.arch }}_tag_id @@ -740,7 +741,7 @@ jobs: echo "::endgroup::" - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} - uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: | ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag_id diff --git a/.github/workflows/images_build_windows.yml b/.github/workflows/images_build_windows.yml index 52704ad06..45b70c0ba 100644 --- a/.github/workflows/images_build_windows.yml +++ b/.github/workflows/images_build_windows.yml @@ -61,7 +61,7 @@ jobs: sha_short: ${{ steps.branch_info.outputs.sha_short }} steps: - name: Block egress traffic - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: block @@ -164,7 +164,7 @@ jobs: fetch-depth: 1 - name: Install cosign - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 + uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a with: cosign-release: 'v2.4.0' @@ -193,7 +193,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} @@ -327,7 +327,7 @@ jobs: $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME - name: Cache image digest - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} @@ -354,7 +354,7 @@ jobs: fetch-depth: 1 - name: Install cosign - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 + uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a with: cosign-release: 'v2.4.0' @@ -383,7 +383,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} @@ -399,7 +399,7 @@ jobs: latest=false - name: Download SHA256 tag of ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} @@ -555,7 +555,7 @@ jobs: $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME - name: Cache image digest - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} @@ -582,7 +582,7 @@ jobs: fetch-depth: 1 - name: Install cosign - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 + uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a with: cosign-release: 'v2.4.0' @@ -611,7 +611,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} @@ -627,7 +627,7 @@ jobs: latest=false - name: Download SHA256 tag of ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} diff --git a/.github/workflows/rhel_registry_description.yml b/.github/workflows/rhel_registry_description.yml index e9bc9621d..100e0f97a 100644 --- a/.github/workflows/rhel_registry_description.yml +++ b/.github/workflows/rhel_registry_description.yml @@ -34,7 +34,7 @@ jobs: zabbix_release: ${{ steps.branch_info.outputs.zabbix_release }} steps: - name: Block egress traffic - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: block @@ -98,7 +98,7 @@ jobs: component: ${{ fromJson(needs.init.outputs.components) }} steps: - name: Block egress traffic - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: block @@ -127,7 +127,7 @@ jobs: echo "matrix_build=${MATRIX_BUILD}" >> $GITHUB_OUTPUT - name: Setup Python 3.x - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 with: python-version: '3.x' diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index eea49c1b0..acdb1d501 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -44,7 +44,7 @@ jobs: steps: - name: Block egress traffic - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: audit @@ -55,25 +55,7 @@ jobs: fetch-depth: 0 - name: Analyze with SonarCloud - - # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@e44258b109568baa0df60ed515909fc6c72cba92 - uses: SonarSource/sonarcloud-github-action@e44258b109568baa0df60ed515909fc6c72cba92 # v2.3.0 + uses: SonarSource/sonarqube-scan-action@v5.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) - with: - # Additional arguments for the sonarcloud scanner - args: - # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) - # mandatory - -Dsonar.projectKey=zabbix-docker - -Dsonar.organization=zabbix - # Comma-separated paths to directories containing main source files. - #-Dsonar.sources= # optional, default is project base directory - # When you need the analysis to take place in a directory other than the one from which it was launched - #-Dsonar.projectBaseDir= # optional, default is . - # Comma-separated paths to directories containing test source files. - #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ - # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false