diff --git a/.github/actions/generate-chart-matrix/action.yml b/.github/actions/generate-chart-matrix/action.yml
index 3f0342920e..a15007328f 100644
--- a/.github/actions/generate-chart-matrix/action.yml
+++ b/.github/actions/generate-chart-matrix/action.yml
@@ -13,7 +13,7 @@ runs:
 steps:
 - name: Get changed dirs
 id: changed-files
- uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45
+ uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf # v45
 with:
 dir_names: "true"
 - name: Generate matrix
diff --git a/.github/actions/gke-login/action.yml b/.github/actions/gke-login/action.yml
index 05e86e60ef..6804fb34fd 100644
--- a/.github/actions/gke-login/action.yml
+++ b/.github/actions/gke-login/action.yml
@@ -22,18 +22,18 @@ runs:
 steps:
 - name: Authenticate to Google Cloud - Workload Identity
 if: ${{ inputs.auth-method == 'workload-identity' }}
- uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2
+ uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2
 with:
 token_format: 'access_token'
 workload_identity_provider: ${{ inputs.workload-identity-provider }}
 service_account: ${{ inputs.service-account }}
 - name: Authenticate to Google Cloud - Service Account Key
 if: ${{ inputs.auth-method == 'credentials-json' }}
- uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2
+ uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2
 with:
 credentials_json: '${{ inputs.credentials-json }}'
 - name: Get GKE credentials
- uses: google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116 # v2
+ uses: google-github-actions/get-gke-credentials@206d64b64b0eba0a6e2f25113d044c31776ca8d6 # v2
 with:
 cluster_name: ${{ inputs.cluster-name }}
 location: ${{ inputs.cluster-location }}
diff --git a/.github/workflows/chart-public-files.yaml b/.github/workflows/chart-public-files.yaml
index ef541ccbbc..2c8e12d6c5 100644
--- a/.github/workflows/chart-public-files.yaml
+++ b/.github/workflows/chart-public-files.yaml
@@ -23,10 +23,10 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: gh-pages
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 path: main
 - name: Copy files
diff --git a/.github/workflows/chart-release-chores.yml b/.github/workflows/chart-release-chores.yml
index 9ab082a0d8..e27af4be12 100644
--- a/.github/workflows/chart-release-chores.yml
+++ b/.github/workflows/chart-release-chores.yml
@@ -33,7 +33,7 @@ jobs:
 app_id: ${{ secrets.GH_APP_ID_DISTRO_CI }}
 private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }}
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 ref: ${{ github.event.pull_request.head.ref }}
@@ -49,7 +49,7 @@ jobs:
 - name: Add Helm repos
 run: |
 make helm.repos-add
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+ - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
 with:
 path: |
 ~/.cache/go-build
diff --git a/.github/workflows/chart-release-template.yaml b/.github/workflows/chart-release-template.yaml
index a6431f3e7c..68fdc0ed06 100644
--- a/.github/workflows/chart-release-template.yaml
+++ b/.github/workflows/chart-release-template.yaml
@@ -71,7 +71,7 @@ jobs:
 CHART_NAME: "camunda-platform"
 steps:
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 0
 ref: ${{ inputs.branch }}
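Review bot: Checking out `github.event.pull_request.head.repo.full_name` at `head.ref` in a job that has just been handed the GitHub App `app_id`/`private_key` puts contributor-controlled code next to privileged credentials. This is the Checkout step of chart-release-chores.yml (hunk at -33), and the following hunk shows `make helm.repos-add` running in that tree. The workflow trigger and the rest of the `with:` block are outside the hunk, so the exposure is inferred: it only matters if the job can run for pull requests from forks. A job-level guard such as `if: github.event.pull_request.head.repo.full_name == github.repository`, with a comment above the step like `# PR head is only checked out for same-repo branches; this job holds the app token`, would make the trust boundary explicit. The same checkout pattern appears in chart-update-readme-and-golden-files.yaml and renovate-post-upgrade.yaml, where the app token is passed to the checkout directly.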
@@ -132,7 +132,7 @@ jobs:
 # Security signature.
 - name: Install Cosign CLI
 if: env.PUBLISH_ARTIFACT == 'true'
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 - name: Sign Helm chart with Cosign
 if: env.PUBLISH_ARTIFACT == 'true'
 run: |
@@ -154,7 +154,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Install ORAS CLI
 if: env.PUBLISH_ARTIFACT == 'true'
- uses: oras-project/setup-oras@ca28077386065e263c03428f4ae0c09024817c93 # v1
+ uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1
 - name: Upload Helm chart Cosign bundle
 if: env.PUBLISH_ARTIFACT == 'true'
 run: |
diff --git a/.github/workflows/chart-release-update-config.yml b/.github/workflows/chart-release-update-config.yml
index be8ad23ad4..317c21646b 100644
--- a/.github/workflows/chart-release-update-config.yml
+++ b/.github/workflows/chart-release-update-config.yml
@@ -27,7 +27,7 @@ jobs:
 app_id: ${{ secrets.GH_APP_ID_DISTRO_CI }}
 private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }}
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 0
 token: ${{ steps.generate-github-token.outputs.token }}
diff --git a/.github/workflows/chart-release.yaml b/.github/workflows/chart-release.yaml
index 894c218942..f0065fb259 100644
--- a/.github/workflows/chart-release.yaml
+++ b/.github/workflows/chart-release.yaml
@@ -29,7 +29,7 @@ jobs:
 id-token: write
 steps:
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 0
 - name: Install env dependencies
@@ -45,7 +45,7 @@ jobs:
 done
 echo "Dev comments removed:"
 git --no-pager diff
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+ - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
 with:
 path: |
 ~/.cache/go-build
@@ -73,7 +73,7 @@ jobs:
 chartPath="$(ct list-changed | tr '\n' ' ')" \
 make helm.dependency-update
 - name: cosign-installer
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 - name: Tidy up
 run: |
 # Clean up badges from readme to avoid showing them in Artifact Hub.
@@ -171,7 +171,7 @@ jobs:
 issues: write
 steps:
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 # The verification step happens in the release branch before merging into the "main" branch.
 fetch-depth: 0
diff --git a/.github/workflows/chart-update-readme-and-golden-files.yaml b/.github/workflows/chart-update-readme-and-golden-files.yaml
index f618f2b10a..9dc7791dea 100644
--- a/.github/workflows/chart-update-readme-and-golden-files.yaml
+++ b/.github/workflows/chart-update-readme-and-golden-files.yaml
@@ -51,7 +51,7 @@ jobs:
 app_id: ${{ secrets.GH_APP_ID_DISTRO_CI }}
 private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }}
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 ref: ${{ github.event.pull_request.head.ref }}
@@ -68,7 +68,7 @@ jobs:
 - name: Add Helm repos
 run: |
 make helm.repos-add
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+ - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
 with:
 path: |
 ~/.cache/go-build
diff --git a/.github/workflows/chart-validate-template.yaml b/.github/workflows/chart-validate-template.yaml
index 0d1800bce2..90a9c169b2 100644
--- a/.github/workflows/chart-validate-template.yaml
+++ b/.github/workflows/chart-validate-template.yaml
@@ -36,7 +36,7 @@ jobs:
 echo "${GITHUB_CONTEXT}"
 # Checkout.
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 0
 ref: "${{ inputs.camunda-helm-git-ref }}"
@@ -51,7 +51,7 @@ jobs:
 run: |
 echo "check-version-increment: false" >> .github/config/chart-testing.yaml
 # Dependencies.
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
 with:
 python-version: 3.7
 - name: Install dependencies
diff --git a/.github/workflows/renovate-config-check.yaml b/.github/workflows/renovate-config-check.yaml
index f4fa6a23f5..d2cecdb37a 100644
--- a/.github/workflows/renovate-config-check.yaml
+++ b/.github/workflows/renovate-config-check.yaml
@@ -17,7 +17,7 @@ jobs:
 name: Check renovate config
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Validate renovate config
 uses: docker://renovate/renovate
 with:
diff --git a/.github/workflows/renovate-post-upgrade.yaml b/.github/workflows/renovate-post-upgrade.yaml
index 6db19a196a..3eb873936b 100644
--- a/.github/workflows/renovate-post-upgrade.yaml
+++ b/.github/workflows/renovate-post-upgrade.yaml
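Review bot: `uses: docker://renovate/renovate` in renovate-config-check.yaml carries no tag or digest, so it is the one step in this hunk that still resolves to whatever the registry serves at run time, while the line above it is re-pinned to a full commit SHA. Pin the image the same way, e.g. `uses: docker://renovate/renovate:<version>@sha256:<digest>` (placeholders; take both values from the release you validate against), so it is updated through the same reviewed digest bumps. The step's `with:` block continues outside the hunk.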
@@ -31,7 +31,7 @@ jobs: with: app_id: ${{ secrets.GH_APP_ID_DISTRO_CI }} private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }} - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: token: '${{ steps.generate-github-token.outputs.token }}' repository: ${{ github.event.pull_request.head.repo.full_name }} @@ -44,7 +44,7 @@ jobs: run: npm install -g @bitnami/readme-generator-for-helm - name: Install dependencies uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3 - - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 + - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4 with: path: | ~/.cache/go-build diff --git a/.github/workflows/sec-codeql.yml b/.github/workflows/sec-codeql.yml index c5b11dc9e3..43ef1e43fa 100644 --- a/.github/workflows/sec-codeql.yml +++ b/.github/workflows/sec-codeql.yml @@ -44,11 +44,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@3c13be0632d1e2a15d39da6ede780272c022b84f + uses: github/codeql-action/init@a1695c562bbfa68dc5ab58c9b5e9f616b52bf5be with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
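Review bot: The new `github/codeql-action/init` pin in sec-codeql.yml has no trailing version comment, unlike the other pins in this commit (`# v4`, `# v3.7.0`, `# v3.27.4`), so the diff alone does not say which release the SHA is meant to be. Record the tag the digest was resolved from, e.g. `uses: github/codeql-action/init@a1695c562bbfa68dc5ab58c9b5e9f616b52bf5be # <release tag>` (placeholder), and do the same for the `autobuild` and `analyze` pins in the next two hunks. sec-scorecard.yml pins `upload-sarif` from the same action at a different commit; that may be intentional, but aligning them would let the CodeQL steps be audited at one version.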
@@ -62,7 +62,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@3c13be0632d1e2a15d39da6ede780272c022b84f + uses: github/codeql-action/autobuild@a1695c562bbfa68dc5ab58c9b5e9f616b52bf5be # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -75,6 +75,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@3c13be0632d1e2a15d39da6ede780272c022b84f + uses: github/codeql-action/analyze@a1695c562bbfa68dc5ab58c9b5e9f616b52bf5be with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/sec-scorecard.yml b/.github/workflows/sec-scorecard.yml index b96001be58..0e8083d8c2 100644 --- a/.github/workflows/sec-scorecard.yml +++ b/.github/workflows/sec-scorecard.yml @@ -63,6 +63,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: sarif_file: results.sarif diff --git a/.github/workflows/test-integration-cleanup-template.yaml b/.github/workflows/test-integration-cleanup-template.yaml index 19133c1cf5..2c865deff6 100644 --- a/.github/workflows/test-integration-cleanup-template.yaml +++ b/.github/workflows/test-integration-cleanup-template.yaml 
@@ -54,7 +54,7 @@ jobs: - distro: if: false steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: # This is needed to load repo GH composite actions if the workflow triggered by workflow_call. repository: camunda/camunda-platform-helm diff --git a/.github/workflows/test-integration-rosa-cleanup.yml b/.github/workflows/test-integration-rosa-cleanup.yml index eabddd5cbd..3958d34c74 100644 --- a/.github/workflows/test-integration-rosa-cleanup.yml +++ b/.github/workflows/test-integration-rosa-cleanup.yml @@ -27,13 +27,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: ref: ${{ github.head_ref }} fetch-depth: 0 - name: Checkout Repository rosa modules - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: repository: "camunda/camunda-tf-rosa" ref: "main" diff --git a/.github/workflows/test-integration-rosa-template.yaml b/.github/workflows/test-integration-rosa-template.yaml index 8b21272afe..9e7751cabc 100644 --- a/.github/workflows/test-integration-rosa-template.yaml +++ b/.github/workflows/test-integration-rosa-template.yaml @@ -65,7 +65,7 @@ jobs: outputs: platform-matrix: ${{ steps.matrix.outputs.platform-matrix }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 @@ -101,7 +101,7 @@ jobs: distro: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).distro }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 
@@ -112,7 +112,7 @@ jobs: aws configure set aws_access_key_id ${{ secrets.DISTRO_CI_AWS_ACCESS_KEY }} --profile=${{ secrets.DISTRO_CI_AWS_PROFILE }} - name: Create ROSA cluster and login - uses: camunda/camunda-tf-rosa/.github/actions/rosa-create-cluster@d0471d28cb3eb13cd2212b63cc8e50d457d829c4 # main + uses: camunda/camunda-tf-rosa/.github/actions/rosa-create-cluster@e0020480a5c07f33569ec744723de897f6e4a215 # main timeout-minutes: 125 env: AWS_PROFILE: ${{ secrets.DISTRO_CI_AWS_PROFILE }} @@ -135,7 +135,7 @@ jobs: private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }} - name: Clone the distribution GitOps repo - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: repository: "camunda/distribution" ref: "main" @@ -281,7 +281,7 @@ jobs: aws configure set aws_access_key_id ${{ secrets.DISTRO_CI_AWS_ACCESS_KEY }} --profile=${{ secrets.DISTRO_CI_AWS_PROFILE }} - name: Delete on-demand ROSA HCP Cluster - uses: camunda/camunda-tf-rosa/.github/actions/rosa-delete-cluster@d0471d28cb3eb13cd2212b63cc8e50d457d829c4 # main + uses: camunda/camunda-tf-rosa/.github/actions/rosa-delete-cluster@e0020480a5c07f33569ec744723de897f6e4a215 # main if: always() timeout-minutes: 125 env: diff --git a/.github/workflows/test-integration-template.yaml b/.github/workflows/test-integration-template.yaml index 9d87358d64..92943506ce 100644 --- a/.github/workflows/test-integration-template.yaml +++ b/.github/workflows/test-integration-template.yaml @@ -110,7 +110,7 @@ jobs: outputs: matrix: ${{ steps.generate-workflow-matrix.outputs.matrix }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: # This is needed if the workflow is triggered by workflow_call. repository: camunda/camunda-platform-helm 
@@ -160,7 +160,7 @@ jobs:
 echo "${GITHUB_CONTEXT}" | jq '."extra-values" = ""'
 echo "Workflow Inputs - Extra Values:"
 echo "${GITHUB_CONTEXT}" | jq -r '."extra-values"'
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 # This is needed to load repo GH composite actions if the workflow triggered by workflow_call.
 repository: camunda/camunda-platform-helm
diff --git a/.github/workflows/test-unit-template.yml b/.github/workflows/test-unit-template.yml
index 094df0ef66..01641c1d78 100644
--- a/.github/workflows/test-unit-template.yml
+++ b/.github/workflows/test-unit-template.yml
@@ -30,7 +30,7 @@ jobs:
 outputs:
 unitTestMatrix: ${{ steps.test-type-vars.outputs.unitTestMatrix }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: "${{ inputs.camunda-helm-git-ref }}"
 - name: Get CI unit test matrix
@@ -57,10 +57,10 @@ jobs:
 run: |
 echo "Workflow Inputs:"
 echo "${GITHUB_CONTEXT}"
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Install env dependencies
 uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+ - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
 with:
 path: |
 ~/.cache/go-build
diff --git a/.github/workflows/test-version-maintenance.yaml b/.github/workflows/test-version-maintenance.yaml
index ffc707c006..a2ffd08f0d 100644
--- a/.github/workflows/test-version-maintenance.yaml
+++ b/.github/workflows/test-version-maintenance.yaml
@@ -30,7 +30,7 @@ jobs:
 outputs:
 matrix: ${{ steps.generate-chart-versions.outputs.matrix }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Generate chart versions
 id: generate-chart-versions
 uses: ./.github/actions/generate-chart-matrix