diff --git a/.github/workflows/standard-build.yaml b/.github/workflows/standard-build.yaml index 975acd1..2ffcd4f 100644 --- a/.github/workflows/standard-build.yaml +++ b/.github/workflows/standard-build.yaml @@ -9,7 +9,7 @@ defaults: env: # renovate: datasource=github-releases depName=aquasecurity/trivy - TRIVY_VERSION: 0.69.3 + TRIVY_VERSION: 0.70.0 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 @@ -118,7 +118,7 @@ jobs: image-slug: ${{ steps.slugify-image.outputs.slug }} steps: - name: Harden Runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit # change to 'egress-policy: block' after couple of runs @@ -349,7 +349,7 @@ jobs: packages: write steps: - name: Harden Runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit # change to 'egress-policy: block' after couple of runs @@ -382,7 +382,7 @@ jobs: packages: write steps: - name: Harden Runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit # change to 'egress-policy: block' after couple of runs @@ -421,7 +421,7 @@ jobs: contents: write steps: - name: Harden Runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit # change to 'egress-policy: block' after couple of runs @@ -451,7 +451,7 @@ jobs: contents: write steps: - name: Harden Runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit # change to 'egress-policy: block' after couple of runs diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml index 068c4ab..c1497f7 100644 --- a/.github/workflows/standard-lint.yaml +++ b/.github/workflows/standard-lint.yaml @@ -9,7 +9,7 @@ defaults: env: # renovate: datasource=pypi depName=zizmor - ZIZMOR_VERSION: 1.24.0 + ZIZMOR_VERSION: 1.24.1 on: workflow_call: @@ -69,7 +69,7 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit # change to 'egress-policy: block' after couple of runs @@ -103,7 +103,7 @@ jobs: - name: Upload MegaLinter scan results to GitHub Security tab if: ${{ always() }} - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: "megalinter-reports/megalinter-report.sarif" @@ -196,7 +196,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -209,7 +209,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -222,7 +222,7 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: category: "/language:${{matrix.language}}" @@ -241,7 +241,7 @@ jobs: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: enable-cache: false @@ -266,7 +266,7 @@ jobs: ZIZMOR_CONFIG: /tmp/zizmor-standard-lint-defaults.yaml - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: results.sarif category: zizmor diff --git a/.github/workflows/standard-release.yaml b/.github/workflows/standard-release.yaml index d2f6123..252b053 100644 --- a/.github/workflows/standard-release.yaml +++ b/.github/workflows/standard-release.yaml @@ -39,7 +39,7 @@ jobs: issues: write steps: - name: Harden Runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit # change to 'egress-policy: block' after couple of runs @@ -58,7 +58,7 @@ jobs: persist-credentials: false # Only required temporary: https://github.com/cycjimmy/semantic-release-action/issues/159 - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24