diff --git a/.github/actions/test-image/action.yaml b/.github/actions/test-image/action.yaml index 8049bd683..91116d394 100644 --- a/.github/actions/test-image/action.yaml +++ b/.github/actions/test-image/action.yaml @@ -19,7 +19,7 @@ runs: using: composite steps: - name: Download artifact - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2 if: ${{ github.event_name == 'pull_request' }} with: name: ${{ inputs.project-name }}-build-artifacts diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 88540471a..da6678801 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -48,7 +48,7 @@ jobs: - name: Container meta id: container_meta - uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5 with: images: | ${{ env.IMAGE_NAME }} @@ -81,7 +81,7 @@ jobs: MODULE_NAME=${{ inputs.module-name }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1 + uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0 with: image-ref: ${{ fromJson(steps.container_meta.outputs.json).tags[0] }} severity: "CRITICAL" @@ -90,7 +90,7 @@ jobs: timeout: 15m - name: Save Trivy vulnerability attestation - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1 + uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0 with: image-ref: ${{ fromJson(steps.container_meta.outputs.json).tags[0] }} exit-code: "0" @@ -99,7 +99,7 @@ jobs: timeout: 15m - name: Upload image vulnerability attestation - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: ${{ inputs.module-name }}-attestations path: | @@ -115,7 +115,7 @@ jobs: - name: Upload container image if: ${{ github.event_name == 'pull_request' }} - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: ${{ inputs.module-name }}-build-artifacts path: | @@ -161,13 +161,13 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Download attestations - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2 with: name: ${{ inputs.module-name }}-attestations path: /tmp - name: Install Cosign - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - name: Sign image run: | diff --git a/.github/workflows/chaos-test.yaml b/.github/workflows/chaos-test.yaml index fc3aca0f9..6b75b6c34 100644 --- a/.github/workflows/chaos-test.yaml +++ b/.github/workflows/chaos-test.yaml @@ -26,7 +26,7 @@ jobs: ghcr.io/miracum/recruit/chaos-tester:v1 - name: Create KinD cluster - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 + uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0 with: cluster_name: kind diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml index 0a541c999..b0b1f7dd4 100644 --- a/.github/workflows/check-links.yaml +++ b/.github/workflows/check-links.yaml @@ -18,7 +18,7 @@ jobs: - name: Link Checker id: lychee - uses: lycheeverse/lychee-action@c3089c702fbb949e3f7a8122be0c33c017904f9b # v1.9.1 + uses: lycheeverse/lychee-action@c053181aa0c3d17606addfe97a9075a32723548a # v1.9.3 with: args: "--config=.lychee.toml ." env: diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 5b50ad811..3d4541c72 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -53,7 +53,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3 + uses: github/codeql-action/init@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -66,7 +66,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3 + uses: github/codeql-action/autobuild@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -79,6 +79,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3 + uses: github/codeql-action/analyze@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml index 8167ad48f..73ebcf05b 100644 --- a/.github/workflows/helm-lint.yaml +++ b/.github/workflows/helm-lint.yaml @@ -10,7 +10,7 @@ permissions: read-all jobs: lint: runs-on: ubuntu-22.04 - container: ghcr.io/chgl/kube-powertools:v2.2.32@sha256:f2d27b59839cec4dd73da763e354d6515a7a297aeebffa8f07fac4c977123f26 + container: ghcr.io/chgl/kube-powertools:v2.2.41@sha256:b2fb5e324c2f09cf12159c6461deb7f861c213578b3f45a4a936dddb9ee68254 steps: - name: Add workspace as safe directory run: | diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 6e2f351b2..bddbe25e1 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -40,7 +40,7 @@ jobs: id: ml # You can override MegaLinter flavor used to have faster performances # More info at https://oxsecurity.github.io/megalinter/flavors/ - uses: oxsecurity/megalinter@7e042c726c68415475b05a65a686c612120a1232 # v7.7.0 + uses: oxsecurity/megalinter@190cd0dad6dc52b2de5b810e3b290c3d6bdcc0f2 # v7.9.0 env: # All available variables are described in documentation # https://oxsecurity.github.io/megalinter/configuration/ @@ -51,7 +51,7 @@ jobs: # Upload MegaLinter artifacts - name: Archive production artifacts if: ${{ always() }} - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: MegaLinter reports path: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a2c69f3ba..fd20f5791 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -35,7 +35,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Install Cosign - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - name: Add helm repos and update deps run: | @@ -54,7 +54,7 @@ jobs: cosign sign --yes "ghcr.io/${{ github.repository }}/charts/recruit:${CHART_VERSION}" - - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: helm-chart path: | @@ -101,7 +101,7 @@ jobs: publish-kyverno-policies: name: publish kyverno policies runs-on: ubuntu-22.04 - container: ghcr.io/chgl/kube-powertools:v2.2.32@sha256:f2d27b59839cec4dd73da763e354d6515a7a297aeebffa8f07fac4c977123f26 + container: ghcr.io/chgl/kube-powertools:v2.2.41@sha256:b2fb5e324c2f09cf12159c6461deb7f861c213578b3f45a4a936dddb9ee68254 continue-on-error: true steps: - name: Checkout @@ -129,7 +129,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Download Helm chart - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4 + uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4 with: name: helm-chart path: /tmp diff --git a/.github/workflows/reset-chart-changelog-annotations.yaml b/.github/workflows/reset-chart-changelog-annotations.yaml index d8f2f38c3..5794d3c85 100644 --- a/.github/workflows/reset-chart-changelog-annotations.yaml +++ b/.github/workflows/reset-chart-changelog-annotations.yaml @@ -16,7 +16,7 @@ jobs: reset-commit-and-push: name: reset changelog annotations, commit, and push runs-on: ubuntu-22.04 - container: ghcr.io/chgl/kube-powertools:v2.2.32@sha256:f2d27b59839cec4dd73da763e354d6515a7a297aeebffa8f07fac4c977123f26 + container: ghcr.io/chgl/kube-powertools:v2.2.41@sha256:b2fb5e324c2f09cf12159c6461deb7f861c213578b3f45a4a936dddb9ee68254 permissions: contents: write steps: @@ -46,7 +46,7 @@ jobs: # use it to replace the entire changelog annotation with a single entry. yq -i '.annotations["artifacthub.io/changes"] |= strenv(FIRST_CHANGELOG_ENTRY)' charts/recruit/Chart.yaml - - uses: EndBug/add-and-commit@1bad3abcf0d6ec49a5857d124b0bfb52dc7bb081 # v9.1.3 + - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4 # run everything above in PRs to make sure it works, but only actually commit it on releases if: ${{ github.event_name != 'pull_request' }} with: diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 3d0ff06b7..9d1ad013f 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: SARIF file path: results.sarif @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 + uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1 with: sarif_file: results.sarif diff --git a/.github/workflows/test-compose-installation.yaml b/.github/workflows/test-compose-installation.yaml index f700a36f3..a28137bb9 100644 --- a/.github/workflows/test-compose-installation.yaml +++ b/.github/workflows/test-compose-installation.yaml @@ -20,7 +20,7 @@ jobs: - name: Download all artifacts if: ${{ github.event_name == 'pull_request' }} - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2 with: path: /tmp diff --git a/.github/workflows/test-k8s-installation.yaml b/.github/workflows/test-k8s-installation.yaml index a7b3579d1..4f5618044 100644 --- a/.github/workflows/test-k8s-installation.yaml +++ b/.github/workflows/test-k8s-installation.yaml @@ -40,7 +40,7 @@ jobs: ghcr.io/miracum/recruit/tester:v1 - name: Create k8s KinD cluster - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 + uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0 with: cluster_name: kind @@ -60,7 +60,7 @@ jobs: --version 0.20.8 - name: Download all artifacts - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2 with: path: /tmp @@ -115,7 +115,7 @@ jobs: - name: Upload cluster dump if: always() - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: kind-cluster-dump.txt path: | diff --git a/.github/workflows/validate-fhir-resources.yaml b/.github/workflows/validate-fhir-resources.yaml index 2a0dd0753..81867012c 100644 --- a/.github/workflows/validate-fhir-resources.yaml +++ b/.github/workflows/validate-fhir-resources.yaml @@ -12,7 +12,7 @@ jobs: validate-fhir-resource: name: Validate FHIR resources runs-on: ubuntu-22.04 - container: ghcr.io/miracum/ig-build-tools:v2.0.27@sha256:b190ad30beaaad0f581bddadfd73ed37b9bee8aac7f2b2047a028a0348b04dcf + container: ghcr.io/miracum/ig-build-tools:v2.0.44@sha256:200f28ef1c01d6b3d3d30059a620476e60775b541bc2dc645df0694e6f9e32f3 steps: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 diff --git a/.github/workflows/validate-gradle-wrapper.yaml b/.github/workflows/validate-gradle-wrapper.yaml index 036f620ea..d780e56d5 100644 --- a/.github/workflows/validate-gradle-wrapper.yaml +++ b/.github/workflows/validate-gradle-wrapper.yaml @@ -15,4 +15,4 @@ jobs: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: gradle/wrapper-validation-action@27152f6fa06a6b8062ef7195c795692e51fc2c81 # v2.0.0 + - uses: gradle/wrapper-validation-action@699bb18358f12c5b78b37bb0111d3a0e2276e0e2 # v2.1.1 diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml index 9bbfb9fae..f7f9fb72d 100644 --- a/.github/workflows/yamllint.yaml +++ b/.github/workflows/yamllint.yaml @@ -18,7 +18,7 @@ jobs: yamllint: runs-on: ubuntu-22.04 # contains yamllint - container: ghcr.io/chgl/kube-powertools:v2.2.32@sha256:f2d27b59839cec4dd73da763e354d6515a7a297aeebffa8f07fac4c977123f26 + container: ghcr.io/chgl/kube-powertools:v2.2.41@sha256:b2fb5e324c2f09cf12159c6461deb7f861c213578b3f45a4a936dddb9ee68254 steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1