diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml index b5dfe1c0..14f902e4 100644 --- a/.github/workflows/cd.yaml +++ b/.github/workflows/cd.yaml @@ -46,13 +46,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Log in to Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -60,7 +60,7 @@ jobs: - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/${{ matrix.package }} tags: | @@ -73,7 +73,7 @@ jobs: type=raw,value=latest,enable={{is_default_branch}} - name: Build and push Docker image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: context: . file: packages/${{ matrix.package }}/Dockerfile @@ -91,7 +91,7 @@ jobs: - name: Sign container image if: github.ref == 'refs/heads/main' - uses: sigstore/cosign-installer@v3 + uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 - name: Cosign sign image if: github.ref == 'refs/heads/main' @@ -108,7 +108,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: token: ${{ secrets.GITHUB_TOKEN }} @@ -148,10 +148,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup kubectl - uses: azure/setup-kubectl@v4 + uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4 with: version: 'v1.28.0' 
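Review bot: The pin comments record only the major (`# v4`, `# v3`, `# v5`), so a reader can no longer tell which release a SHA such as `34e114876b0b…` was taken from without looking it up; record the full tag (`# v4.x.y`), which is also the form Dependabot/Renovate rewrite when they bump the SHA, and is what an auditor compares against the upstream release. In the `Sign container image` step, pinning `sigstore/cosign-installer` fixes the installer wrapper but not necessarily the cosign binary it downloads at run time — if the action's release input (`cosign-release`) is not set in that step (the input list is not visible here), pin it the way the `Setup kubectl` step already pins `version: 'v1.28.0'`. The same consideration applies to the other installer-style actions in this diff (trivy-action, sbom-action, quarto setup), whose version inputs are not shown as set.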
@@ -211,10 +211,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup kubectl - uses: azure/setup-kubectl@v4 + uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4 with: version: 'v1.28.0' @@ -280,7 +280,7 @@ jobs: kubectl top pods -n cortex-mcp - name: Upload backup artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: production-backup-${{ github.sha }} path: backup-${{ github.sha }}.yaml @@ -296,7 +296,7 @@ jobs: steps: - name: Setup kubectl - uses: azure/setup-kubectl@v4 + uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4 with: version: 'v1.28.0' @@ -325,7 +325,7 @@ jobs: --timeout 600 - name: Notify rollback - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | github.rest.issues.createComment({ diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f78b8bb5..4275fa7d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -31,10 +31,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} cache: 'npm' @@ -49,7 +49,7 @@ jobs: continue-on-error: true - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4 if: matrix.node-version == '20.x' with: files: ./coverage/coverage-final.json 
@@ -65,10 +65,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: ${{ env.PYTHON_VERSION }} cache: 'pip' diff --git a/.github/workflows/monthly-cost-report.yml b/.github/workflows/monthly-cost-report.yml index cbc19cee..707d9f74 100644 --- a/.github/workflows/monthly-cost-report.yml +++ b/.github/workflows/monthly-cost-report.yml @@ -15,15 +15,15 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.11' - name: Setup Quarto - uses: quarto-dev/quarto-actions/setup@v2 + uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2 - name: Install Python dependencies run: | @@ -39,7 +39,7 @@ jobs: quarto render cost-report.qmd - name: Upload cost report artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: cost-report-${{ github.run_number }} path: | @@ -57,7 +57,7 @@ jobs: echo "total_tokens=$TOTAL_TOKENS" >> $GITHUB_OUTPUT - name: Send email with cost report - uses: dawidd6/action-send-mail@v3 + uses: dawidd6/action-send-mail@4226df7daafa6fc901a43789c49bf7ab309066e7 # v3 with: server_address: ${{ secrets.MAIL_SERVER }} server_port: ${{ secrets.MAIL_PORT }} diff --git a/.github/workflows/monthly-security-audit.yml b/.github/workflows/monthly-security-audit.yml index c3d72918..48666c48 100644 --- a/.github/workflows/monthly-security-audit.yml +++ b/.github/workflows/monthly-security-audit.yml 
@@ -16,15 +16,15 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.11' - name: Setup Quarto - uses: quarto-dev/quarto-actions/setup@v2 + uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2 - name: Install Python dependencies run: | @@ -47,7 +47,7 @@ jobs: quarto render security-audit.qmd - name: Upload security audit artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: security-audit-${{ github.run_number }} path: | @@ -68,7 +68,7 @@ jobs: fi - name: Send email with security report - uses: dawidd6/action-send-mail@v3 + uses: dawidd6/action-send-mail@4226df7daafa6fc901a43789c49bf7ab309066e7 # v3 with: server_address: ${{ secrets.MAIL_SERVER }} server_port: ${{ secrets.MAIL_PORT }} diff --git a/.github/workflows/pr-check.yaml b/.github/workflows/pr-check.yaml index 02949f27..8480c3bb 100644 --- a/.github/workflows/pr-check.yaml +++ b/.github/workflows/pr-check.yaml @@ -24,12 +24,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - name: Check PR title format - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | // Dependabot and security bots follow their own title format — skip validation @@ -53,7 +53,7 @@ jobs: } - name: Check PR description - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | // Dependabot and security bots use auto-generated descriptions — skip validation 
@@ -94,7 +94,7 @@ jobs: fi - name: Check for WIP - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const title = context.payload.pull_request.title; @@ -119,12 +119,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ env.NODE_VERSION }} @@ -148,10 +148,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' @@ -168,7 +168,7 @@ jobs: } - name: Check for secrets - uses: trufflesecurity/trufflehog@main + uses: trufflesecurity/trufflehog@ab5dd03ee012e5f372e2ba82c4813c2ba1331261 # main with: path: ./ base: ${{ github.event.pull_request.base.sha }} @@ -182,7 +182,7 @@ jobs: steps: - name: Check PR size - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const additions = context.payload.pull_request.additions; @@ -234,7 +234,7 @@ jobs: steps: - name: Label based on files - uses: actions/labeler@v5 + uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5 with: repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/labeler.yml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 03f062ce..260ba245 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
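Review bot: The `Check for secrets` step pins `trufflesecurity/trufflehog` to a commit but annotates it `# main`; a branch name is not a version, so the comment neither tells a reviewer which release was vetted nor gives Dependabot/Renovate a tag to resolve future updates against. Record the release tag that contains commit `ab5dd03e…` instead (`# vX.Y.Z`, looked up from the action's releases), or move the pin to a commit that is itself a tagged release so the SHA and the tag agree. The same applies to the `# master` annotations on `aquasecurity/trivy-action`, `bridgecrewio/checkov-action` and `snyk/actions/node` later in this diff.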
@@ -38,13 +38,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ env.NODE_VERSION }} @@ -94,19 +94,19 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: true - name: Setup pnpm - uses: pnpm/action-setup@v2 + uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: ${{ env.PNPM_VERSION }} - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'pnpm' @@ -205,17 +205,17 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ needs.release.outputs.version }} - name: Setup pnpm - uses: pnpm/action-setup@v2 + uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: ${{ env.PNPM_VERSION }} - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'pnpm' @@ -232,7 +232,7 @@ jobs: tar -czf ../../${{ matrix.package }}-${{ needs.release.outputs.version }}-${{ matrix.platform }}.tar.gz dist/ - name: Upload to release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: tag_name: ${{ needs.release.outputs.version }} files: ${{ matrix.package }}-${{ needs.release.outputs.version }}-${{ matrix.platform }}.tar.gz 
@@ -247,7 +247,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 ref: ${{ needs.release.outputs.version }} @@ -305,7 +305,7 @@ jobs: cat release-summary.md - name: Update release description - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: tag_name: ${{ needs.release.outputs.version }} body_path: release-summary.md @@ -320,7 +320,7 @@ jobs: steps: - name: Create announcement issue - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const version = '${{ needs.release.outputs.version }}'; diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index 6670426a..a607a4e3 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml @@ -32,15 +32,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup pnpm - uses: pnpm/action-setup@v2 + uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: ${{ env.PNPM_VERSION }} - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'pnpm' @@ -77,7 +77,7 @@ jobs: fi - name: Upload audit results - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 if: always() with: name: dependency-audit-results 
@@ -104,13 +104,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Build Docker image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: context: . file: packages/${{ matrix.package }}/Dockerfile @@ -120,7 +120,7 @@ jobs: cache-to: type=gha,mode=max - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # master with: image-ref: ${{ matrix.package }}:test format: 'sarif' @@ -129,7 +129,7 @@ jobs: exit-code: '0' - name: Run Trivy (table format) - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # master with: image-ref: ${{ matrix.package }}:test format: 'table' @@ -137,14 +137,14 @@ jobs: exit-code: '1' - name: Upload Trivy results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3 if: always() with: sarif_file: 'trivy-results-${{ matrix.package }}.sarif' category: 'container-${{ matrix.package }}' - name: Upload Trivy results - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 if: always() with: name: trivy-results-${{ matrix.package }} 
@@ -168,19 +168,19 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3 with: languages: ${{ matrix.language }} queries: security-extended,security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3 with: category: '/language:${{ matrix.language }}' @@ -192,18 +192,18 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - name: Run Gitleaks - uses: gitleaks/gitleaks-action@v2 + uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} - name: Run TruffleHog - uses: trufflesecurity/trufflehog@main + uses: trufflesecurity/trufflehog@ab5dd03ee012e5f372e2ba82c4813c2ba1331261 # main with: path: ./ base: ${{ github.event.repository.default_branch }} @@ -218,15 +218,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup pnpm - uses: pnpm/action-setup@v2 + uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: ${{ env.PNPM_VERSION }} - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'pnpm' 
@@ -250,7 +250,7 @@ jobs: fi - name: Upload license report - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: license-report path: licenses.json @@ -264,10 +264,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Run Trivy IaC scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # master with: scan-type: 'config' scan-ref: '.' @@ -277,7 +277,7 @@ jobs: exit-code: '0' - name: Run Trivy IaC (table format) - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # master with: scan-type: 'config' scan-ref: '.' @@ -286,14 +286,14 @@ jobs: exit-code: '1' - name: Upload IaC scan results - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3 if: always() with: sarif_file: 'trivy-iac-results.sarif' category: 'iac-security' - name: Run Checkov - uses: bridgecrewio/checkov-action@master + uses: bridgecrewio/checkov-action@9201a8e6eaa919e3444d7c4ca691896efde4f033 # master with: directory: . framework: kubernetes,dockerfile @@ -302,7 +302,7 @@ jobs: soft_fail: true - name: Upload Checkov results - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3 if: always() with: sarif_file: checkov-results.sarif 
@@ -316,15 +316,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup pnpm - uses: pnpm/action-setup@v2 + uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: ${{ env.PNPM_VERSION }} - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'pnpm' @@ -338,14 +338,14 @@ jobs: npx @cyclonedx/cyclonedx-npm --output-file sbom.json - name: Generate SBOM with Syft - uses: anchore/sbom-action@v0 + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0 with: path: . format: spdx-json output-file: sbom-spdx.json - name: Upload SBOMs - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: sbom-reports path: | @@ -370,10 +370,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Download all artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: path: security-artifacts @@ -408,7 +408,7 @@ jobs: cat $REPORT_FILE - name: Upload security report - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: security-report path: coordination/masters/security/reports/ @@ -416,7 +416,7 @@ jobs: - name: Comment on PR if: github.event_name == 'pull_request' - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const fs = require('fs'); diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 45723f6c..170088da 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml 
@@ -19,10 +19,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: '18' cache: 'npm' @@ -39,7 +39,7 @@ jobs: - name: Upload npm audit results if: always() - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: npm-audit-results path: npm-audit-results.json @@ -55,10 +55,10 @@ jobs: - evaluation/requirements.txt steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.12' @@ -74,7 +74,7 @@ jobs: - name: Upload pip audit results if: always() - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: pip-audit-results-${{ matrix.requirements }} path: pip-audit-${{ matrix.requirements }}.json @@ -86,10 +86,10 @@ jobs: timeout-minutes: 20 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Run Trivy vulnerability scanner (filesystem) - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # master with: scan-type: 'fs' scan-ref: '.' @@ -101,7 +101,7 @@ jobs: timeout: '15m' - name: Run Trivy vulnerability scanner (JSON output) - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # master with: scan-type: 'fs' scan-ref: '.' 
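Review bot: This file pins `actions/checkout`, `actions/setup-node` and `actions/setup-python` at v6 SHAs (`de0fac2e…`, `48b55a01…`, `a309ff8b…`) while every other workflow in the diff pins the same actions at v4/v5 SHAs (`34e11487…`, `49933ea5…`, `a26af69b…`), so the repository now carries two distinct pinned commits per action that must be bumped and reviewed independently. If the split is intentional, a one-line comment on the `uses:` line saying why would save the next reader the same question; otherwise settle on one major per action so a single Dependabot/Renovate update keeps them aligned. Pinned SHAs only stay safe if something bumps them, so confirm the `github-actions` ecosystem is enabled in the repository's Dependabot configuration (not part of this diff).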
@@ -127,14 +127,14 @@ jobs: - name: Upload Trivy results to GitHub Security if: always() && github.event_name != 'pull_request' || github.actor != 'dependabot[bot]' - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4 with: sarif_file: 'trivy-results.sarif' continue-on-error: true - name: Upload Trivy scan results if: always() - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: trivy-scan-results path: | @@ -148,7 +148,7 @@ jobs: timeout-minutes: 20 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Syft run: | @@ -163,7 +163,7 @@ jobs: syft dir:. -o cyclonedx-json=sbom-cyclonedx.json - name: Upload SBOM artifacts - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: sbom-artifacts path: | @@ -180,7 +180,7 @@ jobs: - name: Upload Grype results if: always() - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: grype-scan-results path: grype-results.json @@ -193,7 +193,7 @@ jobs: if: always() steps: - name: Download all artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 - name: Generate security summary run: | diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 058029c3..f86b0049 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -12,11 +12,11 @@ jobs: security: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Node.js if: hashFiles('package.json') != '' - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: '18' @@ -31,7 +31,7 @@ jobs: - name: Setup Python if: hashFiles('requirements.txt') != '' || hashFiles('pyproject.toml') != '' - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.12' @@ -43,7 +43,7 @@ jobs: continue-on-error: true - name: Run Snyk Security Scan - uses: snyk/actions/node@master + uses: snyk/actions/node@9cf6ca713d71123d2d229cc3d7f145b96ea3c518 # master continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/.github/workflows/weekly-report.yml b/.github/workflows/weekly-report.yml index c0f8129f..69e1e0d3 100644 --- a/.github/workflows/weekly-report.yml +++ b/.github/workflows/weekly-report.yml @@ -15,15 +15,15 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.11' - name: Setup Quarto - uses: quarto-dev/quarto-actions/setup@v2 + uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2 - name: Install Python dependencies run: | @@ -51,7 +51,7 @@ jobs: quarto render cost-report.qmd - name: Upload report artifacts - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: weekly-reports-${{ github.run_number }} path: | 
@@ -60,7 +60,7 @@ jobs: retention-days: 90 - name: Send email with reports - uses: dawidd6/action-send-mail@v3 + uses: dawidd6/action-send-mail@4226df7daafa6fc901a43789c49bf7ab309066e7 # v3 with: server_address: ${{ secrets.MAIL_SERVER }} server_port: ${{ secrets.MAIL_PORT }}