diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 69b3827c..2009fbea 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -18,11 +18,14 @@ FROM mcr.microsoft.com/devcontainers/go:1.23-bookworm@@sha256:2e00578e7c526e76eb COPY --from=cosign /ko-app/cosign /usr/bin -RUN go install github.com/google/addlicense@latest +#v1.1.1 +RUN go install github.com/google/addlicense@@dc31ac9ffcca99c9457226366135701794b128c0 -RUN go install github.com/google/go-licenses@latest +# v1.6.0 +RUN go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e -RUN go install mvdan.cc/gofumpt@latest +# v0.7.0 +RUN go install mvdan.cc/gofumpt@86bffd62437a3c437c0b84d5d5ab244824e762fc RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.60.2 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 541b4c1b..f8146ff1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -52,7 +52,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 949793af..8ae53057 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4 with: fetch-depth: 1 @@ -134,7 +134,7 @@ jobs: sbom-artifact-match: ".*\\.spdx$" - name: Attest build provenance - uses: actions/attest-build-provenance@v1 + uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 #v1.4.4 id: attest with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -142,7 +142,7 @@ jobs: push-to-registry: true - name: Attest SBOM - uses: actions/attest-sbom@v1 + uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 #v1.4.1 with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} subject-digest: ${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/gen-docs.yml b/.github/workflows/gen-docs.yml index 55cd9990..c87e3744 100644 --- a/.github/workflows/gen-docs.yml +++ b/.github/workflows/gen-docs.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4 - name: Push GH Pages run: | git config pull.rebase false diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 20b50f8f..422bcc7d 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -26,11 +26,11 @@ jobs: name: lint runs-on: ubuntu-latest steps: - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5 with: go-version: '1.23' cache: false - - uses: actions/checkout@v4 + - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4 - name: golangci-lint uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 #v6.1.1 with: diff --git a/.github/workflows/gorelease-action.yml b/.github/workflows/gorelease-action.yml index 21426e8e..9763ade1 100644 --- a/.github/workflows/gorelease-action.yml +++ b/.github/workflows/gorelease-action.yml @@ -27,15 +27,15 @@ jobs: goreleaser: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5 with: #go-version: '>=1.18.0' go-version-file: './go.mod' check-latest: true - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 #v6.1.1 with: version: latest args: --timeout=4m @@ -43,10 +43,10 @@ jobs: - name: Write private key to disk run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > /tmp/cosign.key - - uses: sigstore/cosign-installer@main + - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0 - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v6 + uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 #v6 with: distribution: goreleaser version: latest @@ -56,7 +56,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.TOKEN }} - name: Upload assets - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 with: name: apigeecli path: dist/* diff --git a/Dockerfile b/Dockerfile index a8a045ca..a5be89e4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -30,7 +30,7 @@ RUN go mod download RUN date +%FT%H:%I:%M+%Z > /tmp/date RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -buildvcs=true -a -gcflags='all="-l"' -ldflags='-s -w -extldflags "-static" -X main.version='${TAG}' -X main.commit='${COMMIT}' -X main.date='$(cat /tmp/date) -o /go/bin/apigeecli /go/src/apigeecli/cmd/apigeecli/apigeecli.go -FROM ghcr.io/jqlang/jq:latest AS jq +FROM ghcr.io/jqlang/jq:1.7.1@sha256:096b83865ad59b5b02841f103f83f45c51318394331bf1995e187ea3be937432 AS jq # use debug because it includes busybox FROM gcr.io/distroless/static-debian11:debug-nonroot@sha256:55716e80a7d4320ce9bc2dc8636fc193b418638041b817cf3306696bd0f975d1