Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 27 additions & 27 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,15 +29,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v6.0.3

- name: Setup .NET
uses: actions/setup-dotnet@v5.2.0
uses: actions/setup-dotnet@v5.3.0
with:
dotnet-version: ${{ env.DOTNET_VERSION }}

- name: Cache NuGet packages
uses: actions/cache@v5.0.3
uses: actions/cache@v5.0.5
with:
path: ~/.nuget/packages
key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', '**/*.props', '**/*.targets') }}
Expand All @@ -52,14 +52,14 @@ jobs:
run: dotnet test --configuration Release --no-build --verbosity normal --collect:"XPlat Code Coverage" --results-directory ./coverage

- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5.5.2
uses: codecov/codecov-action@v7.0.0
with:
directory: ./coverage
fail_ci_if_error: false

- name: Upload test artifacts
if: always()
uses: actions/upload-artifact@v7.0.0
uses: actions/upload-artifact@v7.0.1
with:
name: test-results
path: ./coverage
Expand All @@ -80,13 +80,13 @@ jobs:
language: ['csharp']
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v6.0.3
- name: Setup .NET
uses: actions/setup-dotnet@v5.2.0
uses: actions/setup-dotnet@v5.3.0
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Initialize CodeQL
uses: github/codeql-action/init@v4.32.6
uses: github/codeql-action/init@v4.36.2
with:
languages: ${{ matrix.language }}
build-mode: none
Expand All @@ -95,7 +95,7 @@ jobs:
dotnet restore OpenReferralApi.sln
dotnet build OpenReferralApi.sln --configuration Release --no-restore --verbosity normal
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4.32.6
uses: github/codeql-action/analyze@v4.36.2

# --- JOB 3: TRIVY FS ---
security-scan-fs:
Expand All @@ -104,23 +104,23 @@ jobs:
needs: build-and-test
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v6.0.3
- name: Cache Trivy database
uses: actions/cache@v5.0.3
uses: actions/cache@v5.0.5
with:
path: ~/.cache/trivy
key: trivy-db-${{ github.run_id }}
restore-keys: trivy-db-
- name: Run Trivy (fs)
uses: aquasecurity/trivy-action@0.35.0
uses: aquasecurity/trivy-action@v0.36.0
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-fs-results.sarif'
severity: 'CRITICAL,HIGH,MEDIUM,UNKNOWN'
- name: Upload Trivy FS SARIF
uses: github/codeql-action/upload-sarif@v4.32.6
uses: github/codeql-action/upload-sarif@v4.36.2
if: always()
with:
sarif_file: trivy-fs-results.sarif
Expand All @@ -134,11 +134,11 @@ jobs:
image_ref: ${{ steps.image_ref.outputs.image_ref }}
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v6.0.3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4.0.0
uses: docker/setup-buildx-action@v4.1.0
- name: Login to GHCR
uses: docker/login-action@v4.0.0
uses: docker/login-action@v4.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand All @@ -150,7 +150,7 @@ jobs:
echo "repo_name=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
- name: Extract Docker metadata & tags
id: meta
uses: docker/metadata-action@v6.0.0
uses: docker/metadata-action@v6.1.0
with:
images: ghcr.io/${{ steps.lowercase.outputs.repo_owner }}/${{ steps.lowercase.outputs.repo_name }}
tags: |
Expand All @@ -165,7 +165,7 @@ jobs:
echo "short_sha=$SHORT_SHA" >> $GITHUB_OUTPUT
- name: Build and push
id: build
uses: docker/build-push-action@v7.0.0
uses: docker/build-push-action@v7.2.0
with:
context: .
file: ./Dockerfile
Expand Down Expand Up @@ -194,22 +194,22 @@ jobs:
needs: docker-build
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v6.0.3
- name: Cache Trivy database
uses: actions/cache@v5.0.3
uses: actions/cache@v5.0.5
with:
path: ~/.cache/trivy
key: trivy-db-${{ github.run_id }}
restore-keys: trivy-db-
- name: Login to GHCR
uses: docker/login-action@v4.0.0
uses: docker/login-action@v4.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy (image)
id: trivy_scan
uses: aquasecurity/trivy-action@0.35.0
uses: aquasecurity/trivy-action@v0.36.0
continue-on-error: true
with:
image-ref: ${{ needs.docker-build.outputs.image_ref }}
Expand All @@ -218,7 +218,7 @@ jobs:
severity: 'CRITICAL,HIGH,MEDIUM,UNKNOWN'

- name: Upload Trivy Image SARIF
uses: github/codeql-action/upload-sarif@v4.32.6
uses: github/codeql-action/upload-sarif@v4.36.2
if: always() && hashFiles('trivy-image-results.sarif') != ''
with:
sarif_file: trivy-image-results.sarif
Expand All @@ -230,9 +230,9 @@ jobs:
needs: docker-build
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v6.0.3
- name: Login to GHCR
uses: docker/login-action@v4.0.0
uses: docker/login-action@v4.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand Down Expand Up @@ -279,7 +279,7 @@ jobs:
docker run --rm --network zap-network -v ${{ github.workspace }}/zap-reports:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t http://app:80 -J report_json.json -I || true
- name: Upload ZAP results
if: always() && hashFiles('zap-reports/*') != ''
uses: actions/upload-artifact@v7.0.0
uses: actions/upload-artifact@v7.0.1
with:
name: zap-scan-results
path: zap-reports/
Expand Down Expand Up @@ -332,7 +332,7 @@ jobs:
sleep 12
curl --fail "${{ vars.HEALTH_ENDPOINT }}" || echo "⚠️ Production health check failed"
- name: Create Release
uses: softprops/action-gh-release@v2.5.0
uses: softprops/action-gh-release@v3.0.0
with:
tag_name: v${{ github.run_number }}
name: Release v${{ github.run_number }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/dependabot-auto-merge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v6.0.3

- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v2.5.0
uses: dependabot/fetch-metadata@v3.1.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/sbom.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v6.0.3

- name: Export SBOM
# We use the GitHub CLI (gh) which is pre-installed on runners
Expand All @@ -24,7 +24,7 @@ jobs:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Upload SBOM Artifact
uses: actions/upload-artifact@v7.0.0
uses: actions/upload-artifact@v7.0.1
with:
name: software-bill-of-materials
path: sbom.spdx.json
4 changes: 2 additions & 2 deletions .github/workflows/staging-to-main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:

- name: Success status (from staging)
if: success()
uses: actions/github-script@v8.0.0
uses: actions/github-script@v9.0.0
with:
script: |
await github.rest.repos.createCommitStatus({
Expand All @@ -39,7 +39,7 @@ jobs:

- name: Fail status + comment (not from staging)
if: failure()
uses: actions/github-script@v8.0.0
uses: actions/github-script@v9.0.0
with:
script: |
await github.rest.repos.createCommitStatus({
Expand Down