diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 17faaa3d0..a937c05a9 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: block @@ -27,6 +27,6 @@ jobs: github.com:443 - name: 'Checkout Repository' - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: 'Dependency Review' - uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 + uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 diff --git a/.github/workflows/dockerhub_description.yml b/.github/workflows/dockerhub_description.yml index 7e3974475..4904398b2 100644 --- a/.github/workflows/dockerhub_description.yml +++ b/.github/workflows/dockerhub_description.yml @@ -48,7 +48,7 @@ jobs: - web-service steps: - name: Block egress traffic - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: block @@ -57,12 +57,12 @@ jobs: hub.docker.com:443 - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 1 - name: Update DockerHub repo description (zabbix-${{ matrix.component }}) - uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0 + uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index f6b4ba92e..a5713f19b 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -64,7 +64,7 @@ jobs: sha_short: ${{ steps.branch_info.outputs.sha_short }} steps: - name: Block egress traffic - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: block @@ -72,9 +72,10 @@ jobs: api.github.com:443 github.com:443 objects.githubusercontent.com:443 + release-assets.githubusercontent.com:443 - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 @@ -175,7 +176,7 @@ jobs: attestations: write steps: - name: Block egress traffic - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: block @@ -183,6 +184,7 @@ jobs: abqix.mm.fcix.net:80 api.github.com:443 archive.ubuntu.com:443 + release-assets.githubusercontent.com:443 archive.ubuntu.com:80 atl.mirrors.knownhost.com:443 atl.mirrors.knownhost.com:80 @@ -398,25 +400,24 @@ jobs: ziply.mm.fcix.net:80 pkg-containers.githubusercontent.com:443 raw.githubusercontent.com:443 + timestamp.sigstore.dev:443 - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a - with: - cosign-release: 'v2.4.0' + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad - name: Check cosign version if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} run: cosign version - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: image: tonistiigi/binfmt:qemu-v8.1.5 platforms: all @@ -443,7 +444,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} @@ -494,14 +495,14 @@ jobs: - name: Login to DockerHub if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ${{ env.DOCKER_REGISTRY_TEST }} username: ${{ github.actor }} @@ -547,7 +548,7 @@ jobs: - name: Attest images if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} id: attest - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@v3 with: subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }} subject-digest: ${{ steps.docker_build.outputs.digest }} @@ -568,7 +569,7 @@ jobs: echo "${METADATA}" > "$CACHE_FILE_NAME" - name: Cache image metadata - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: ${{ env.BASE_CACHE_FILE_NAME }} key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} @@ -590,12 +591,13 @@ jobs: attestations: write steps: - name: Block egress traffic - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: block allowed-endpoints: > api.github.com:443 + release-assets.githubusercontent.com:443 auth.docker.io:443 git.zabbix.com:443 github.com:443 @@ -603,7 +605,9 @@ jobs: go.mongodb.org:443 golang.org:443 google.golang.org:443 + sum.golang.org:443 golang.zabbix.com:443 + sum.golang.org:443 gopkg.in:443 ghcr.io:443 index.docker.io:443 @@ -619,25 +623,24 @@ jobs: rekor.sigstore.dev:443 pkg-containers.githubusercontent.com:443 raw.githubusercontent.com:443 + timestamp.sigstore.dev:443 - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a - with: - cosign-release: 'v2.4.0' + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad - name: Check cosign version if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} run: cosign version - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: image: tonistiigi/binfmt:qemu-v8.1.5 platforms: all @@ -664,7 +667,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} @@ -682,7 +685,7 @@ jobs: latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: ${{ env.BASE_CACHE_FILE_NAME }} key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} @@ -758,14 +761,14 @@ jobs: - name: Login to DockerHub if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ${{ env.DOCKER_REGISTRY_TEST }} username: ${{ github.actor }} @@ -812,7 +815,7 @@ jobs: - name: Attest images if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} id: attest - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@v3 with: subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }} subject-digest: ${{ steps.docker_build.outputs.digest }} @@ -833,7 +836,7 @@ jobs: echo "${METADATA}" > "$CACHE_FILE_NAME" - name: Cache image metadata - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: ${{ env.BUILD_CACHE_FILE_NAME }} key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} @@ -856,7 +859,7 @@ jobs: attestations: write steps: - name: Block egress traffic - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: block @@ -865,6 +868,19 @@ jobs: api.github.com:443 archive.ubuntu.com:443 archive.ubuntu.com:80 + release-assets.githubusercontent.com:443 + apt.postgresql.org:80 + auth.docker.io:443 + dl-cdn.alpinelinux.org:443 + github.com:443 + index.docker.io:443 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + api.github.com:443 atl.mirrors.knownhost.com:443 atl.mirrors.knownhost.com:80 auth.docker.io:443 @@ -1083,25 +1099,24 @@ jobs: ziply.mm.fcix.net:80 pkg-containers.githubusercontent.com:443 raw.githubusercontent.com:443 + timestamp.sigstore.dev:443 - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a - with: - cosign-release: 'v2.4.0' + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad - name: Check cosign version if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} run: cosign version - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: image: tonistiigi/binfmt:qemu-v8.1.5 platforms: all @@ -1160,7 +1175,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} @@ -1178,7 +1193,7 @@ jobs: latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 if: ${{ matrix.build != 'snmptraps' }} with: path: ${{ env.BUILD_CACHE_FILE_NAME }} @@ -1242,7 +1257,7 @@ jobs: - name: Login to DockerHub if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} @@ -1286,7 +1301,7 @@ jobs: - name: Attest images if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} id: attest - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@v3 with: subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }} subject-digest: ${{ steps.docker_build.outputs.digest }} diff --git a/.github/workflows/images_build_rhel.yml b/.github/workflows/images_build_rhel.yml index 0a758011d..c0cb40651 100644 --- a/.github/workflows/images_build_rhel.yml +++ b/.github/workflows/images_build_rhel.yml @@ -72,7 +72,7 @@ jobs: secret_prefix: ${{ steps.branch_info.outputs.secret_prefix }} steps: - name: Block egress traffic - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: block @@ -80,9 +80,10 @@ jobs: api.github.com:443 github.com:443 objects.githubusercontent.com:443 + release-assets.githubusercontent.com:443 - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 1 sparse-checkout: ${{ env.MATRIX_FILE }} @@ -213,13 +214,13 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 1 - name: Install cosign if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad with: cosign-release: 'v2.4.0' @@ -236,7 +237,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }} tags: | @@ -281,7 +282,7 @@ jobs: echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT - name: Cache image metadata - uses: actions/cache/save@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: | ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag_id @@ -344,7 +345,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 1 @@ -356,7 +357,7 @@ jobs: echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} - uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: | ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag_id @@ -394,7 +395,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }} tags: | @@ -440,7 +441,7 @@ jobs: echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT - name: Cache image metadata - uses: actions/cache/save@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: | ${{ matrix.build }}_${{ matrix.arch }}_tag_id @@ -503,7 +504,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 1 @@ -537,7 +538,7 @@ jobs: - name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.arch }} if: ${{ matrix.build != 'snmptraps' }} - uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: | ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.arch }}_tag_id @@ -582,7 +583,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] || matrix.build }} tags: | @@ -648,7 +649,7 @@ jobs: --env PFLT_LOGLEVEL=$PFLT_LOGLEVEL \ --env PFLT_ARTIFACTS=/artifacts \ --env PFLT_LOGFILE=/artifacts/preflight.log \ - --env PFLT_CERTIFICATION_COMPONENT_ID=$PFLT_CERTIFICATION_PROJECT_ID \ + --env PFLT_CERTIFICATION_PROJECT_ID=$PFLT_CERTIFICATION_PROJECT_ID \ --env PFLT_PYXIS_API_TOKEN=$PFLT_PYXIS_API_TOKEN \ --env PFLT_DOCKERCONFIG=/temp-authfile.json \ -v $PFLT_ARTIFACTS:/artifacts \ @@ -718,7 +719,7 @@ jobs: permissions: {} steps: - name: Download metadata of ${{ matrix.build }}:${{ matrix.arch }} - uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: | ${{ matrix.build }}_${{ matrix.arch }}_tag_id @@ -739,7 +740,7 @@ jobs: echo "::endgroup::" - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} - uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: | ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag_id diff --git a/.github/workflows/images_build_windows.yml b/.github/workflows/images_build_windows.yml index bcc0d2e09..abd1bf381 100644 --- a/.github/workflows/images_build_windows.yml +++ b/.github/workflows/images_build_windows.yml @@ -60,15 +60,16 @@ jobs: sha_short: ${{ steps.branch_info.outputs.sha_short }} steps: - name: Block egress traffic - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: block allowed-endpoints: > github.com:443 + release-assets.githubusercontent.com:443 - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 @@ -157,13 +158,13 @@ jobs: component: ${{ fromJson(needs.init_build.outputs.components) }} steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad with: cosign-release: 'v2.4.0' @@ -171,7 +172,7 @@ jobs: run: cosign version - name: Login to DockerHub - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} @@ -192,7 +193,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} @@ -326,7 +327,7 @@ jobs: $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME - name: Cache image digest - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} @@ -347,13 +348,13 @@ jobs: component: ${{ fromJson(needs.init_build.outputs.components) }} steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad with: cosign-release: 'v2.4.0' @@ -361,7 +362,7 @@ jobs: run: cosign version - name: Login to DockerHub - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} @@ -382,7 +383,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} @@ -398,7 +399,7 @@ jobs: latest=false - name: Download SHA256 tag of ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} @@ -554,7 +555,7 @@ jobs: $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME - name: Cache image digest - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} @@ -575,13 +576,13 @@ jobs: component: ${{ fromJson(needs.init_build.outputs.components) }} steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad with: cosign-release: 'v2.4.0' @@ -589,7 +590,7 @@ jobs: run: cosign version - name: Login to DockerHub - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} @@ -610,7 +611,7 @@ jobs: - name: Generate tags id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} @@ -626,7 +627,7 @@ jobs: latest=false - name: Download SHA256 tag of ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} diff --git a/.github/workflows/rhel_registry_description.yml b/.github/workflows/rhel_registry_description.yml index 100e0f97a..6ee9b965a 100644 --- a/.github/workflows/rhel_registry_description.yml +++ b/.github/workflows/rhel_registry_description.yml @@ -34,7 +34,7 @@ jobs: zabbix_release: ${{ steps.branch_info.outputs.zabbix_release }} steps: - name: Block egress traffic - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: block @@ -42,7 +42,7 @@ jobs: github.com:443 - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 1 sparse-checkout: ${{ env.MATRIX_FILE }} @@ -98,7 +98,7 @@ jobs: component: ${{ fromJson(needs.init.outputs.components) }} steps: - name: Block egress traffic - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: block @@ -109,7 +109,7 @@ jobs: pypi.org:443 - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 1 @@ -127,7 +127,7 @@ jobs: echo "matrix_build=${MATRIX_BUILD}" >> $GITHUB_OUTPUT - name: Setup Python 3.x - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: '3.x'