diff --git a/.github/workflows/centralidp-chart-test.yaml b/.github/workflows/centralidp-chart-test.yaml
index df174c5..ffa6aef 100644
--- a/.github/workflows/centralidp-chart-test.yaml
+++ b/.github/workflows/centralidp-chart-test.yaml
@@ -60,7 +60,7 @@ jobs:
 node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
 - name: Build init container image
- uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+ uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
 with:
 context: .
 file: docker/Dockerfile.import
@@ -68,7 +68,7 @@ jobs:
 tags: kind-registry:5000/iam:testing
 - name: Set up Helm
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
+ uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
 with:
 version: v3.10.3
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 193bd81..268c070 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -73,7 +73,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v2.227
+ uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v2.227
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -87,7 +87,7 @@ jobs:
 # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup.
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v2.227
+ uses: github/codeql-action/autobuild@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v2.227
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
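Review bot: The version label on the new pin in the `Initialize CodeQL` step (`# v2.227`, repeated on the `Autobuild` step and on the `analyze` step in the next hunk) does not match the label this diff gives the very same commit `b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d` in kics.yml and trivy.yml, where it is tagged `# v3.28.10`. A SHA pin is only auditable if the trailing comment names the release the SHA really corresponds to; reviewers and pin-update bots compare against that comment, and a wrong label here hides which major line of codeql-action this workflow is actually on. Suggest relabelling all three codeql.yml pins consistently, e.g. `uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10`, after confirming the tag that SHA resolves to upstream. The enclosing CodeQL job starts before this hunk.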
@@ -100,6 +100,6 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v2.227
+ uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v2.227
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/cx-iam.yml b/.github/workflows/cx-iam.yml
index 342d105..c61ebb4 100644
--- a/.github/workflows/cx-iam.yml
+++ b/.github/workflows/cx-iam.yml
@@ -56,14 +56,14 @@ jobs:
 password: ${{ secrets.DOCKER_HUB_TOKEN }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 - name: Set up QEMU
- uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+ uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
 with:
 images: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
 tags: |
@@ -71,7 +71,7 @@ jobs:
 type=raw,value=${{ github.sha }}
 - name: Build and push Keycloak init container
- uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+ uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
 with:
 context: .
 file: ./docker/Dockerfile.import
diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
index 7bc198e..1a34708 100644
--- a/.github/workflows/kics.yml
+++ b/.github/workflows/kics.yml
@@ -45,7 +45,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: KICS scan
- uses: checkmarx/kics-github-action@5a6152ef88416063435cebadfec9de28bcfd041d # v2.1.4
+ uses: checkmarx/kics-github-action@3246fb456a46d1ea8848ae18793c036718b19fe0 # v2.1.5
 with:
 # Scanning directory .
 path: "."
@@ -69,7 +69,7 @@ jobs:
 # Upload findings to GitHub Advanced Security Dashboard
 - name: Upload SARIF file for GitHub Advanced Security Dashboard
 if: always()
- uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+ uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
 with:
 sarif_file: kicsResults/results.sarif
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9347ebd..6c86c93 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -49,7 +49,7 @@ jobs:
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 - name: Install Helm
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
+ uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
 - name: Update Helm dependencies for centralidp
 run: |
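Review bot: The new `azure/setup-helm` pin on the `Install Helm` step carries only a major-version label (`# v4`), unlike every other pin in this diff, which names the exact release; with just `v4` a reviewer cannot check that `b9e51907a09c216f16ebe8536097933489208112` is the commit of a tagged release rather than an arbitrary commit on the branch, so the comment should name the tag the SHA resolves to, e.g. `# v4.x.y` with the actual upstream tag. Separately, this step has no `with: version:`, so the release job installs whatever Helm the action defaults to, whereas the chart-test workflows in this diff pin `version: v3.10.3`; if that difference is unintentional, pinning the release job the same way keeps chart packaging reproducible. The enclosing release job continues outside the hunk.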
@@ -115,15 +115,15 @@ jobs:
 password: ${{ secrets.DOCKER_HUB_TOKEN }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 - name: Set up QEMU
- uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 # Create SemVer or ref tags dependent of trigger event
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+ uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
 with:
 images: ${{ matrix.image }}
 # Automatically prepare image tags; See action docs for more examples.
@@ -138,7 +138,7 @@ jobs:
 type=semver,pattern={{major}}.{{minor}},value=${{ needs.release-helm-chart.outputs.chart-version }}
 - name: Build and push Docker images
- uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+ uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
 with:
 context: .
 file: ${{ matrix.dockerfile }}
diff --git a/.github/workflows/sharedidp-chart-test.yaml b/.github/workflows/sharedidp-chart-test.yaml
index 3ff4a73..7bc639e 100644
--- a/.github/workflows/sharedidp-chart-test.yaml
+++ b/.github/workflows/sharedidp-chart-test.yaml
@@ -60,7 +60,7 @@ jobs:
 node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
 - name: Build init container image
- uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+ uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
 with:
 context: .
 file: docker/Dockerfile.import
@@ -68,7 +68,7 @@ jobs:
 tags: kind-registry:5000/iam:testing
 - name: Set up Helm
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
+ uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
 with:
 version: v3.10.3
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 2d481c5..50d673d 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -64,7 +64,7 @@ jobs:
 limit-severities-for-sarif: true
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+ uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
 if: always()
 with:
 sarif_file: "trivy-results1.sarif"
@@ -101,6 +101,6 @@ jobs:
 - name: Upload Trivy scan results to GitHub Security tab
 if: always()
- uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+ uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
 with:
 sarif_file: "trivy-results2.sarif"
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index 7cfa509..3a3dfa6 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -48,7 +48,7 @@ jobs:
 - name: TruffleHog OSS
 id: trufflehog
- uses: trufflesecurity/trufflehog@853e1e8d249fd1e29d0fcc7280d29b03df3d643d #v3.88.4
+ uses: trufflesecurity/trufflehog@7dc056a193116ba8d82154bf0549381c8fb8545c #v3.88.14
 continue-on-error: true
 with:
 path: ./ # Scan the entire repository