From ef36bcc1d77eddde37947e755b0337aaedf741b8 Mon Sep 17 00:00:00 2001 From: samuelho-dev Date: Wed, 1 Jul 2026 17:12:43 -0700 Subject: [PATCH] ci: update reusable action pins --- .github/workflows/docker-build-push.yml | 20 ++++++++++---------- .github/workflows/ecs-deploy.yml | 4 ++-- .github/workflows/ecs-smoke.yml | 4 ++-- .github/workflows/gitleaks-scan.yml | 6 +++--- .github/workflows/helm-lint.yml | 4 ++-- .github/workflows/helm-publish.yml | 10 +++++----- .github/workflows/sbom-generate.yml | 8 ++++---- .github/workflows/sync-main-to-dev.yml | 2 +- .github/workflows/terraform-apply.yml | 8 ++++---- .github/workflows/terraform-plan.yml | 12 ++++++------ .github/workflows/terraform-validate.yml | 6 +++--- .github/workflows/test.yaml | 2 +- .github/workflows/trivy-scan.yml | 8 ++++---- 13 files changed, 47 insertions(+), 47 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 4d30731..ebf7dfa 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -114,10 +114,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 with: driver-opts: | image=moby/buildkit:latest @@ -125,7 +125,7 @@ jobs: - name: Log in to container registry if: inputs.push - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ inputs.registry }} username: ${{ secrets.registry-username || github.actor }} @@ -133,7 +133,7 @@ jobs: - name: Extract Docker metadata id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.image }} tags: | @@ -162,7 +162,7 @@ jobs: - name: Build and push Docker image id: build - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 with: context: ${{ inputs.context }} file: ${{ inputs.dockerfile }} @@ -183,7 +183,7 @@ jobs: - name: Run Trivy vulnerability scanner (table output) if: inputs.scan - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 with: image-ref: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.image }}@${{ steps.build.outputs.digest }} format: 'table' @@ -194,7 +194,7 @@ jobs: - name: Run Trivy vulnerability scanner (SARIF output) if: inputs.scan && inputs.upload-sarif - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 with: image-ref: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.image }}@${{ steps.build.outputs.digest }} format: 'sarif' @@ -205,7 +205,7 @@ jobs: - name: Upload Trivy scan results to GitHub Security if: inputs.scan && inputs.upload-sarif - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + uses: github/codeql-action/upload-sarif@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 with: sarif_file: 'trivy-results.sarif' category: 'container-scan' @@ -223,7 +223,7 @@ jobs: - name: Upload SBOM as artifact if: inputs.sbom - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: sbom-${{ inputs.image }} path: sbom.spdx.json @@ -231,7 +231,7 @@ jobs: - name: Install Cosign if: inputs.sign - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Sign image with Cosign (keyless OIDC) if: inputs.sign && inputs.push diff --git a/.github/workflows/ecs-deploy.yml b/.github/workflows/ecs-deploy.yml index 68766c7..0e7d97c 100644 --- a/.github/workflows/ecs-deploy.yml +++ b/.github/workflows/ecs-deploy.yml @@ -60,13 +60,13 @@ jobs: timeout-minutes: 20 steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 # Renovate pins to SHA + uses: aws-actions/configure-aws-credentials@254c19bd240aabef8777f48595e9d2d7b972184b # v6.2.1 with: role-to-assume: ${{ secrets.aws-role-arn }} aws-region: ${{ inputs.aws-region }} - name: Deploy to ECS Express Mode - uses: aws-actions/amazon-ecs-deploy-express-service@v1 # Renovate pins to SHA + uses: aws-actions/amazon-ecs-deploy-express-service@0031dcb4ccb40afd21a881c59c5e7e276c30c0a5 # v1.2.2 with: service-name: ${{ inputs.service-name }} image: ${{ inputs.image }} diff --git a/.github/workflows/ecs-smoke.yml b/.github/workflows/ecs-smoke.yml index 20b0261..9ef87df 100644 --- a/.github/workflows/ecs-smoke.yml +++ b/.github/workflows/ecs-smoke.yml @@ -9,7 +9,7 @@ on: workflow_call: inputs: url: - description: 'Base URL of the service (e.g. https://api.creativetoolkits.com)' + description: 'Base URL of the service (e.g. https://api.example.com)' required: true type: string path: @@ -100,7 +100,7 @@ jobs: def probe(): sep = "&" if urllib.parse.urlsplit(url).query else "?" probe_url = f"{url}{sep}ci_probe={time.time_ns()}" - req = urllib.request.Request(probe_url, headers={"Cache-Control": "no-cache", "User-Agent": "creativetoolkits-ci-smoke/1.0"}) + req = urllib.request.Request(probe_url, headers={"Cache-Control": "no-cache", "User-Agent": "git-flow-service-smoke/1.0"}) try: with urllib.request.urlopen(req, timeout=10) as resp: code, body = resp.status, resp.read().decode("utf-8") diff --git a/.github/workflows/gitleaks-scan.yml b/.github/workflows/gitleaks-scan.yml index d12cd92..c17560e 100644 --- a/.github/workflows/gitleaks-scan.yml +++ b/.github/workflows/gitleaks-scan.yml @@ -66,7 +66,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 @@ -100,14 +100,14 @@ jobs: - name: Upload Gitleaks results to GitHub Security if: inputs.upload-sarif && inputs.format == 'sarif' && always() - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + uses: github/codeql-action/upload-sarif@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 with: sarif_file: 'gitleaks-results.sarif' category: 'secret-scan' - name: Upload scan results as artifact if: always() - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: gitleaks-results path: gitleaks-results.* diff --git a/.github/workflows/helm-lint.yml b/.github/workflows/helm-lint.yml index 4c8bd3d..b2cefd1 100644 --- a/.github/workflows/helm-lint.yml +++ b/.github/workflows/helm-lint.yml @@ -84,10 +84,10 @@ jobs: result: ${{ steps.done.outputs.result }} steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Helm - uses: azure/setup-helm@v4 # Renovate pins to SHA + uses: azure/setup-helm@9bc31f4ebc9c6b171d7bfbaa5d006ae7abdb4310 # v5.0.1 with: version: ${{ inputs.helm-version }} diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml index 8b75ef9..947f9b2 100644 --- a/.github/workflows/helm-publish.yml +++ b/.github/workflows/helm-publish.yml @@ -88,12 +88,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Set up Helm - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + uses: azure/setup-helm@9bc31f4ebc9c6b171d7bfbaa5d006ae7abdb4310 # v5.0.1 with: version: v3.16.3 @@ -107,7 +107,7 @@ jobs: - name: Install Cosign if: inputs.sign-chart - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Get chart information id: chart-info @@ -136,7 +136,7 @@ jobs: # Login early to enable pulling OCI dependencies - name: Log in to OCI registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ inputs.registry }} username: ${{ secrets.registry-username || github.actor }} @@ -306,7 +306,7 @@ jobs: prerelease: false - name: Upload chart artifacts - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: helm-chart-${{ steps.chart-info.outputs.name }}-${{ steps.chart-info.outputs.version }} path: | diff --git a/.github/workflows/sbom-generate.yml b/.github/workflows/sbom-generate.yml index 294ff43..5db2105 100644 --- a/.github/workflows/sbom-generate.yml +++ b/.github/workflows/sbom-generate.yml @@ -77,11 +77,11 @@ jobs: steps: - name: Checkout repository if: inputs.target-type == 'directory' || inputs.target-type == 'file' - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Log in to container registry if: inputs.target-type == 'image' && env.REGISTRY_USERNAME != '' - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ contains(inputs.target, 'ghcr.io') && 'ghcr.io' || 'docker.io' }} username: ${{ secrets.registry-username }} @@ -104,7 +104,7 @@ jobs: - name: Scan SBOM for vulnerabilities if: inputs.scan-sbom id: scan - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 with: scan-type: 'sbom' scan-ref: ${{ inputs.output-file }} @@ -115,7 +115,7 @@ jobs: - name: Upload SBOM scan results to GitHub Security if: inputs.scan-sbom - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + uses: github/codeql-action/upload-sarif@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 with: sarif_file: 'trivy-sbom-results.sarif' category: 'sbom-scan' diff --git a/.github/workflows/sync-main-to-dev.yml b/.github/workflows/sync-main-to-dev.yml index 38d8723..e05047a 100644 --- a/.github/workflows/sync-main-to-dev.yml +++ b/.github/workflows/sync-main-to-dev.yml @@ -55,7 +55,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 token: ${{ secrets.token || github.token }} diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml index df8a577..d0ba45c 100644 --- a/.github/workflows/terraform-apply.yml +++ b/.github/workflows/terraform-apply.yml @@ -80,24 +80,24 @@ jobs: applied: ${{ steps.apply.outputs.applied }} steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ inputs.checkout-ref || github.sha }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 # Renovate pins to SHA + uses: aws-actions/configure-aws-credentials@254c19bd240aabef8777f48595e9d2d7b972184b # v6.2.1 with: role-to-assume: ${{ secrets.aws-role-arn }} aws-region: ${{ inputs.aws-region }} - name: Set up Terraform - uses: hashicorp/setup-terraform@v3 # Renovate pins to SHA + uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 with: terraform_version: ${{ inputs.terraform-version }} terraform_wrapper: false - name: Download plan artifact - uses: actions/download-artifact@v4 # Renovate pins to SHA + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ inputs.plan-artifact-name }} path: ${{ inputs.terraform-path }} diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml index b7749d8..97529aa 100644 --- a/.github/workflows/terraform-plan.yml +++ b/.github/workflows/terraform-plan.yml @@ -110,19 +110,19 @@ jobs: has-destroys: ${{ steps.analyze.outputs.has-destroys }} steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ inputs.checkout-ref || github.sha }} - name: Configure AWS credentials if: env.AWS_ROLE_ARN != '' - uses: aws-actions/configure-aws-credentials@v4 # Renovate pins to SHA + uses: aws-actions/configure-aws-credentials@254c19bd240aabef8777f48595e9d2d7b972184b # v6.2.1 with: role-to-assume: ${{ env.AWS_ROLE_ARN }} aws-region: ${{ inputs.aws-region }} - name: Set up Terraform - uses: hashicorp/setup-terraform@v3 # Renovate pins to SHA + uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 with: terraform_version: ${{ inputs.terraform-version }} terraform_wrapper: false @@ -179,7 +179,7 @@ jobs: PY - name: Upload plan artifact - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ inputs.plan-artifact-name }} path: | @@ -191,7 +191,7 @@ jobs: - name: Set up Infracost if: inputs.cost-estimation - uses: infracost/actions/setup@v3 # Renovate pins to SHA + uses: infracost/actions/setup@fb736a8f219195d6efdca58682069b16fe1bc280 # v4.2.0 with: api-key: ${{ secrets.infracost-api-key }} @@ -215,7 +215,7 @@ jobs: - name: Post plan to PR if: ${{ inputs.post-pr-comment && github.event_name == 'pull_request' }} - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: TF_PATH: ${{ inputs.terraform-path }} HAS_CHANGES: ${{ steps.plan.outputs.has-changes }} diff --git a/.github/workflows/terraform-validate.yml b/.github/workflows/terraform-validate.yml index a53db60..3f8d2bc 100644 --- a/.github/workflows/terraform-validate.yml +++ b/.github/workflows/terraform-validate.yml @@ -55,10 +55,10 @@ jobs: result: ${{ steps.done.outputs.result }} steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Terraform - uses: hashicorp/setup-terraform@v3 # Renovate pins to SHA + uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 with: terraform_version: ${{ inputs.terraform-version }} terraform_wrapper: false @@ -82,7 +82,7 @@ jobs: - name: Trivy IaC scan if: inputs.security-scan - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 with: scan-type: 'config' scan-ref: ${{ inputs.terraform-path }} diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 8989adb..1578b9e 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -17,7 +17,7 @@ jobs: name: Test Docker Workflow Outputs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Run workflow output tests run: | diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml index 6ccea61..ce59bd3 100644 --- a/.github/workflows/trivy-scan.yml +++ b/.github/workflows/trivy-scan.yml @@ -77,11 +77,11 @@ jobs: steps: - name: Checkout repository if: inputs.scan-type == 'fs' || inputs.scan-type == 'repo' || inputs.scan-type == 'config' - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Run Trivy scanner id: scan - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 with: scan-type: ${{ inputs.scan-type }} scan-ref: ${{ inputs.scan-ref }} @@ -110,14 +110,14 @@ jobs: - name: Upload Trivy scan results to GitHub Security if: inputs.upload-sarif && inputs.format == 'sarif' && always() - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + uses: github/codeql-action/upload-sarif@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 with: sarif_file: 'trivy-results.sarif' category: 'trivy-${{ inputs.scan-type }}' - name: Upload scan results as artifact if: always() - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: trivy-results-${{ inputs.scan-type }} path: trivy-results.*