Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 10 additions & 10 deletions .github/workflows/docker-build-push.yml
Original file line number Diff line number Diff line change
Expand Up @@ -114,26 +114,26 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
with:
driver-opts: |
image=moby/buildkit:latest
network=host

- name: Log in to container registry
if: inputs.push
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ${{ inputs.registry }}
username: ${{ secrets.registry-username || github.actor }}
password: ${{ secrets.registry-password || secrets.GITHUB_TOKEN }}

- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
with:
images: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.image }}
tags: |
Expand Down Expand Up @@ -162,7 +162,7 @@ jobs:

- name: Build and push Docker image
id: build
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
with:
context: ${{ inputs.context }}
file: ${{ inputs.dockerfile }}
Expand All @@ -183,7 +183,7 @@ jobs:

- name: Run Trivy vulnerability scanner (table output)
if: inputs.scan
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0
with:
image-ref: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.image }}@${{ steps.build.outputs.digest }}
format: 'table'
Expand All @@ -194,7 +194,7 @@ jobs:

- name: Run Trivy vulnerability scanner (SARIF output)
if: inputs.scan && inputs.upload-sarif
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0
with:
image-ref: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.image }}@${{ steps.build.outputs.digest }}
format: 'sarif'
Expand All @@ -205,7 +205,7 @@ jobs:

- name: Upload Trivy scan results to GitHub Security
if: inputs.scan && inputs.upload-sarif
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
uses: github/codeql-action/upload-sarif@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
with:
sarif_file: 'trivy-results.sarif'
category: 'container-scan'
Expand All @@ -223,15 +223,15 @@ jobs:

- name: Upload SBOM as artifact
if: inputs.sbom
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: sbom-${{ inputs.image }}
path: sbom.spdx.json
retention-days: 30

- name: Install Cosign
if: inputs.sign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

- name: Sign image with Cosign (keyless OIDC)
if: inputs.sign && inputs.push
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/ecs-deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -60,13 +60,13 @@ jobs:
timeout-minutes: 20
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4 # Renovate pins to SHA
uses: aws-actions/configure-aws-credentials@254c19bd240aabef8777f48595e9d2d7b972184b # v6.2.1
with:
role-to-assume: ${{ secrets.aws-role-arn }}
aws-region: ${{ inputs.aws-region }}

- name: Deploy to ECS Express Mode
uses: aws-actions/amazon-ecs-deploy-express-service@v1 # Renovate pins to SHA
uses: aws-actions/amazon-ecs-deploy-express-service@0031dcb4ccb40afd21a881c59c5e7e276c30c0a5 # v1.2.2
with:
service-name: ${{ inputs.service-name }}
image: ${{ inputs.image }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/ecs-smoke.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ on:
workflow_call:
inputs:
url:
description: 'Base URL of the service (e.g. https://api.creativetoolkits.com)'
description: 'Base URL of the service (e.g. https://api.example.com)'
required: true
type: string
path:
Expand Down Expand Up @@ -100,7 +100,7 @@ jobs:
def probe():
sep = "&" if urllib.parse.urlsplit(url).query else "?"
probe_url = f"{url}{sep}ci_probe={time.time_ns()}"
req = urllib.request.Request(probe_url, headers={"Cache-Control": "no-cache", "User-Agent": "creativetoolkits-ci-smoke/1.0"})
req = urllib.request.Request(probe_url, headers={"Cache-Control": "no-cache", "User-Agent": "git-flow-service-smoke/1.0"})
try:
with urllib.request.urlopen(req, timeout=10) as resp:
code, body = resp.status, resp.read().decode("utf-8")
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/gitleaks-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

Expand Down Expand Up @@ -100,14 +100,14 @@ jobs:

- name: Upload Gitleaks results to GitHub Security
if: inputs.upload-sarif && inputs.format == 'sarif' && always()
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
uses: github/codeql-action/upload-sarif@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
with:
sarif_file: 'gitleaks-results.sarif'
category: 'secret-scan'

- name: Upload scan results as artifact
if: always()
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: gitleaks-results
path: gitleaks-results.*
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/helm-lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -84,10 +84,10 @@ jobs:
result: ${{ steps.done.outputs.result }}
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Set up Helm
uses: azure/setup-helm@v4 # Renovate pins to SHA
uses: azure/setup-helm@9bc31f4ebc9c6b171d7bfbaa5d006ae7abdb4310 # v5.0.1
with:
version: ${{ inputs.helm-version }}

Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/helm-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -88,12 +88,12 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

- name: Set up Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
uses: azure/setup-helm@9bc31f4ebc9c6b171d7bfbaa5d006ae7abdb4310 # v5.0.1
with:
version: v3.16.3

Expand All @@ -107,7 +107,7 @@ jobs:

- name: Install Cosign
if: inputs.sign-chart
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

- name: Get chart information
id: chart-info
Expand Down Expand Up @@ -136,7 +136,7 @@ jobs:

# Login early to enable pulling OCI dependencies
- name: Log in to OCI registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ${{ inputs.registry }}
username: ${{ secrets.registry-username || github.actor }}
Expand Down Expand Up @@ -306,7 +306,7 @@ jobs:
prerelease: false

- name: Upload chart artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: helm-chart-${{ steps.chart-info.outputs.name }}-${{ steps.chart-info.outputs.version }}
path: |
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/sbom-generate.yml
Original file line number Diff line number Diff line change
Expand Up @@ -77,11 +77,11 @@ jobs:
steps:
- name: Checkout repository
if: inputs.target-type == 'directory' || inputs.target-type == 'file'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Log in to container registry
if: inputs.target-type == 'image' && env.REGISTRY_USERNAME != ''
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ${{ contains(inputs.target, 'ghcr.io') && 'ghcr.io' || 'docker.io' }}
username: ${{ secrets.registry-username }}
Expand All @@ -104,7 +104,7 @@ jobs:
- name: Scan SBOM for vulnerabilities
if: inputs.scan-sbom
id: scan
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0
with:
scan-type: 'sbom'
scan-ref: ${{ inputs.output-file }}
Expand All @@ -115,7 +115,7 @@ jobs:

- name: Upload SBOM scan results to GitHub Security
if: inputs.scan-sbom
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
uses: github/codeql-action/upload-sarif@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
with:
sarif_file: 'trivy-sbom-results.sarif'
category: 'sbom-scan'
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/sync-main-to-dev.yml
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
token: ${{ secrets.token || github.token }}
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/terraform-apply.yml
Original file line number Diff line number Diff line change
Expand Up @@ -80,24 +80,24 @@ jobs:
applied: ${{ steps.apply.outputs.applied }}
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.checkout-ref || github.sha }}

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4 # Renovate pins to SHA
uses: aws-actions/configure-aws-credentials@254c19bd240aabef8777f48595e9d2d7b972184b # v6.2.1
with:
role-to-assume: ${{ secrets.aws-role-arn }}
aws-region: ${{ inputs.aws-region }}

- name: Set up Terraform
uses: hashicorp/setup-terraform@v3 # Renovate pins to SHA
uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
with:
terraform_version: ${{ inputs.terraform-version }}
terraform_wrapper: false

- name: Download plan artifact
uses: actions/download-artifact@v4 # Renovate pins to SHA
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ inputs.plan-artifact-name }}
path: ${{ inputs.terraform-path }}
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/terraform-plan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -110,19 +110,19 @@ jobs:
has-destroys: ${{ steps.analyze.outputs.has-destroys }}
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.checkout-ref || github.sha }}

- name: Configure AWS credentials
if: env.AWS_ROLE_ARN != ''
uses: aws-actions/configure-aws-credentials@v4 # Renovate pins to SHA
uses: aws-actions/configure-aws-credentials@254c19bd240aabef8777f48595e9d2d7b972184b # v6.2.1
with:
role-to-assume: ${{ env.AWS_ROLE_ARN }}
aws-region: ${{ inputs.aws-region }}

- name: Set up Terraform
uses: hashicorp/setup-terraform@v3 # Renovate pins to SHA
uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
with:
terraform_version: ${{ inputs.terraform-version }}
terraform_wrapper: false
Expand Down Expand Up @@ -179,7 +179,7 @@ jobs:
PY

- name: Upload plan artifact
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: ${{ inputs.plan-artifact-name }}
path: |
Expand All @@ -191,7 +191,7 @@ jobs:

- name: Set up Infracost
if: inputs.cost-estimation
uses: infracost/actions/setup@v3 # Renovate pins to SHA
uses: infracost/actions/setup@fb736a8f219195d6efdca58682069b16fe1bc280 # v4.2.0
with:
api-key: ${{ secrets.infracost-api-key }}

Expand All @@ -215,7 +215,7 @@ jobs:

- name: Post plan to PR
if: ${{ inputs.post-pr-comment && github.event_name == 'pull_request' }}
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
env:
TF_PATH: ${{ inputs.terraform-path }}
HAS_CHANGES: ${{ steps.plan.outputs.has-changes }}
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/terraform-validate.yml
Original file line number Diff line number Diff line change
Expand Up @@ -55,10 +55,10 @@ jobs:
result: ${{ steps.done.outputs.result }}
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Set up Terraform
uses: hashicorp/setup-terraform@v3 # Renovate pins to SHA
uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
with:
terraform_version: ${{ inputs.terraform-version }}
terraform_wrapper: false
Expand All @@ -82,7 +82,7 @@ jobs:

- name: Trivy IaC scan
if: inputs.security-scan
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0
with:
scan-type: 'config'
scan-ref: ${{ inputs.terraform-path }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
name: Test Docker Workflow Outputs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Disable credential persistence on checkout.

zizmor flags this checkout as artipackedpersist-credentials isn't set to false. This job only runs a local test script and doesn't need authenticated git access, so persisting the token is unnecessary exposure.

🔒 Proposed fix
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 20-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yaml at line 20, The checkout step in the test
workflow is persisting git credentials unnecessarily, which triggers the
artipacked warning. Update the actions/checkout usage in the test job to
explicitly disable credential persistence by setting persist-credentials to
false, since the job only runs local tests and does not need authenticated git
access.

Source: Linters/SAST tools


- name: Run workflow output tests
run: |
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/trivy-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -77,11 +77,11 @@ jobs:
steps:
- name: Checkout repository
if: inputs.scan-type == 'fs' || inputs.scan-type == 'repo' || inputs.scan-type == 'config'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Run Trivy scanner
id: scan
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0
with:
scan-type: ${{ inputs.scan-type }}
scan-ref: ${{ inputs.scan-ref }}
Expand Down Expand Up @@ -110,14 +110,14 @@ jobs:

- name: Upload Trivy scan results to GitHub Security
if: inputs.upload-sarif && inputs.format == 'sarif' && always()
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
uses: github/codeql-action/upload-sarif@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
with:
sarif_file: 'trivy-results.sarif'
category: 'trivy-${{ inputs.scan-type }}'

- name: Upload scan results as artifact
if: always()
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: trivy-results-${{ inputs.scan-type }}
path: trivy-results.*
Expand Down