diff --git a/.github/actions/generate-chart-matrix/action.yml b/.github/actions/generate-chart-matrix/action.yml
index 3f0342920e..85b0026671 100644
--- a/.github/actions/generate-chart-matrix/action.yml
+++ b/.github/actions/generate-chart-matrix/action.yml
@@ -13,7 +13,7 @@ runs:
 steps:
 - name: Get changed dirs
 id: changed-files
- uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45
+ uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45
 with:
 dir_names: "true"
 - name: Generate matrix
diff --git a/.github/actions/gke-login/action.yml b/.github/actions/gke-login/action.yml
index 05e86e60ef..f969ed9354 100644
--- a/.github/actions/gke-login/action.yml
+++ b/.github/actions/gke-login/action.yml
@@ -22,18 +22,18 @@ runs:
 steps:
 - name: Authenticate to Google Cloud - Workload Identity
 if: ${{ inputs.auth-method == 'workload-identity' }}
- uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2
+ uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2
 with:
 token_format: 'access_token'
 workload_identity_provider: ${{ inputs.workload-identity-provider }}
 service_account: ${{ inputs.service-account }}
 - name: Authenticate to Google Cloud - Service Account Key
 if: ${{ inputs.auth-method == 'credentials-json' }}
- uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2
+ uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2
 with:
 credentials_json: '${{ inputs.credentials-json }}'
 - name: Get GKE credentials
- uses: google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116 # v2
+ uses: google-github-actions/get-gke-credentials@9025e8f90f2d8e0c3dafc3128cc705a26d992a6a # v2
 with:
 cluster_name: ${{ inputs.cluster-name }}
 location: ${{ inputs.cluster-location }}
diff --git a/.github/workflows/chart-chores.yaml b/.github/workflows/chart-chores.yaml
index 7e707b33be..be0e4a1760 100644
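Review bot: The trailing comment on the `tj-actions/changed-files` pin in `.github/actions/generate-chart-matrix/action.yml` stays `# v45` while the SHA changes, so the diff gives a reviewer nothing to check the new commit against. A commit SHA is only as trustworthy as the check that it belongs to an upstream release, and GitHub will also resolve a SHA that exists only in a fork of the action's repository. I would record the full release in the comment, e.g. `uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45.<MINOR>.<PATCH>` (placeholder, fill in the real tag), and confirm the commit is reachable from that tag upstream. The same applies to the `# v2`, `# v4`, `# v5` and `# v1` pins in the other hunks of this commit.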
--- a/.github/workflows/chart-chores.yaml
+++ b/.github/workflows/chart-chores.yaml
@@ -50,7 +50,7 @@ jobs:
 app_id: ${{ secrets.GH_APP_ID_DISTRO_CI }}
 private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }}
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 ref: ${{ github.event.pull_request.head.ref }}
@@ -67,7 +67,7 @@ jobs:
 - name: Add Helm repos
 run: |
 make helm.repos-add
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+ - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
 with:
 path: |
 ~/.cache/go-build
diff --git a/.github/workflows/chart-public-files.yaml b/.github/workflows/chart-public-files.yaml
index ef541ccbbc..2c8e12d6c5 100644
--- a/.github/workflows/chart-public-files.yaml
+++ b/.github/workflows/chart-public-files.yaml
@@ -23,10 +23,10 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: gh-pages
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 path: main
 - name: Copy files
diff --git a/.github/workflows/chart-release-chores.yml b/.github/workflows/chart-release-chores.yml
index 9ab082a0d8..023067d80d 100644
--- a/.github/workflows/chart-release-chores.yml
+++ b/.github/workflows/chart-release-chores.yml
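Review bot: The Checkout step in `chart-chores.yaml` fetches `github.event.pull_request.head.repo.full_name` at `github.event.pull_request.head.ref` in a job whose preceding context lines pass `GH_APP_PRIVATE_KEY_DISTRO_CI` to a token step, and the next hunk runs `make helm.repos-add` on that checkout. The trigger and any job-level `if:` are outside the hunk; if the workflow can run for pull requests from forks with secrets available (for example under `pull_request_target`), code from the PR branch executes next to the app credentials. A guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` on the job would keep it to same-repository branches. The same checkout pattern appears in `chart-release-chores.yml` and `renovate-post-upgrade.yaml`.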
@@ -33,7 +33,7 @@ jobs:
 app_id: ${{ secrets.GH_APP_ID_DISTRO_CI }}
 private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }}
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 ref: ${{ github.event.pull_request.head.ref }}
@@ -49,7 +49,7 @@ jobs:
 - name: Add Helm repos
 run: |
 make helm.repos-add
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+ - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
 with:
 path: |
 ~/.cache/go-build
diff --git a/.github/workflows/chart-release-template.yaml b/.github/workflows/chart-release-template.yaml
index a6431f3e7c..68fdc0ed06 100644
--- a/.github/workflows/chart-release-template.yaml
+++ b/.github/workflows/chart-release-template.yaml
@@ -71,7 +71,7 @@ jobs:
 CHART_NAME: "camunda-platform"
 steps:
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 0
 ref: ${{ inputs.branch }}
@@ -132,7 +132,7 @@ jobs:
 # Security signature.
 - name: Install Cosign CLI
 if: env.PUBLISH_ARTIFACT == 'true'
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 - name: Sign Helm chart with Cosign
 if: env.PUBLISH_ARTIFACT == 'true'
 run: |
@@ -154,7 +154,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Install ORAS CLI
 if: env.PUBLISH_ARTIFACT == 'true'
- uses: oras-project/setup-oras@ca28077386065e263c03428f4ae0c09024817c93 # v1
+ uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1
 - name: Upload Helm chart Cosign bundle
 if: env.PUBLISH_ARTIFACT == 'true'
 run: |
diff --git a/.github/workflows/chart-release-update-config.yml b/.github/workflows/chart-release-update-config.yml
index be8ad23ad4..317c21646b 100644
--- a/.github/workflows/chart-release-update-config.yml
+++ b/.github/workflows/chart-release-update-config.yml
@@ -27,7 +27,7 @@ jobs:
 app_id: ${{ secrets.GH_APP_ID_DISTRO_CI }}
 private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }}
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 0
 token: ${{ steps.generate-github-token.outputs.token }}
diff --git a/.github/workflows/chart-release.yaml b/.github/workflows/chart-release.yaml
index 9008171749..0378f44f7b 100644
--- a/.github/workflows/chart-release.yaml
+++ b/.github/workflows/chart-release.yaml
@@ -48,7 +48,7 @@ jobs:
 id-token: write
 steps:
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 0
 - name: Install env dependencies
@@ -64,7 +64,7 @@ jobs:
 done
 echo "Dev comments removed:"
 git --no-pager diff
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+ - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
 with:
 path: |
 ~/.cache/go-build
@@ -92,7 +92,7 @@ jobs:
 chartPath="$(ct list-changed | tr '\n' ' ')" \
 make helm.dependency-update
 - name: cosign-installer
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 - name: Tidy up
 run: |
 # Clean up badges from readme to avoid showing them in Artifact Hub.
@@ -190,7 +190,7 @@ jobs:
 issues: write
 steps:
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 # The verification step happens in the release branch before merging into the "main" branch.
 fetch-depth: 0
diff --git a/.github/workflows/chart-validate-template.yaml b/.github/workflows/chart-validate-template.yaml
index f5c6162ebc..1e66d0e69c 100644
--- a/.github/workflows/chart-validate-template.yaml
+++ b/.github/workflows/chart-validate-template.yaml
@@ -36,7 +36,7 @@ jobs:
 echo "${GITHUB_CONTEXT}"
 # Checkout.
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 0
 ref: "${{ inputs.camunda-helm-git-ref }}"
@@ -51,7 +51,7 @@ jobs:
 run: |
 echo "check-version-increment: false" >> .github/config/chart-testing.yaml
 # Dependencies.
- - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
 with:
 python-version: 3.8
 - name: Install dependencies
diff --git a/.github/workflows/prepare-chart-release-candidate.yaml b/.github/workflows/prepare-chart-release-candidate.yaml
index 72d0397138..a43e2b597e 100644
--- a/.github/workflows/prepare-chart-release-candidate.yaml
+++ b/.github/workflows/prepare-chart-release-candidate.yaml
@@ -57,7 +57,7 @@ jobs:
 app_id: ${{ secrets.GH_APP_ID_DISTRO_CI }}
 private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }}
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: ${{ github.event.inputs.releaseCandidateBranchName }}
 fetch-depth: 0
diff --git a/.github/workflows/renovate-config-check.yaml b/.github/workflows/renovate-config-check.yaml
index f4fa6a23f5..d2cecdb37a 100644
--- a/.github/workflows/renovate-config-check.yaml
+++ b/.github/workflows/renovate-config-check.yaml
@@ -17,7 +17,7 @@ jobs:
 name: Check renovate config
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Validate renovate config
 uses: docker://renovate/renovate
 with:
diff --git a/.github/workflows/renovate-post-upgrade.yaml b/.github/workflows/renovate-post-upgrade.yaml
index 6db19a196a..e8b7798b5b 100644
--- a/.github/workflows/renovate-post-upgrade.yaml
+++ b/.github/workflows/renovate-post-upgrade.yaml
@@ -31,7 +31,7 @@ jobs:
 with:
 app_id: ${{ secrets.GH_APP_ID_DISTRO_CI }}
 private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }}
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 token: '${{ steps.generate-github-token.outputs.token }}'
 repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -44,7 +44,7 @@ jobs:
 run: npm install -g @bitnami/readme-generator-for-helm
 - name: Install dependencies
 uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+ - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
 with:
 path: |
 ~/.cache/go-build
diff --git a/.github/workflows/sec-codeql.yml b/.github/workflows/sec-codeql.yml
index c5b11dc9e3..eef175cd88 100644
--- a/.github/workflows/sec-codeql.yml
+++ b/.github/workflows/sec-codeql.yml
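Review bot: In `renovate-config-check.yaml` the step right after the re-pinned checkout still uses `docker://renovate/renovate` with no tag or digest, so each run pulls whatever the registry serves as the default tag while every other action in this commit is pinned to a commit. Pinning it by digest, `uses: docker://renovate/renovate:<TAG>@sha256:<DIGEST>` (placeholders for the release you validate against), would give it the same immutability, and Renovate can keep that digest updated. The step's `with:` block continues outside the hunk.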
@@ -44,11 +44,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@3c13be0632d1e2a15d39da6ede780272c022b84f + uses: github/codeql-action/init@87fc816d2538b0c915adeec59d61168692e8ab06 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -62,7 +62,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@3c13be0632d1e2a15d39da6ede780272c022b84f + uses: github/codeql-action/autobuild@87fc816d2538b0c915adeec59d61168692e8ab06 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -75,6 +75,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@3c13be0632d1e2a15d39da6ede780272c022b84f + uses: github/codeql-action/analyze@87fc816d2538b0c915adeec59d61168692e8ab06 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/sec-scorecard.yml b/.github/workflows/sec-scorecard.yml index b96001be58..72892453b2 100644 --- a/.github/workflows/sec-scorecard.yml +++ b/.github/workflows/sec-scorecard.yml 
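Review bot: The three `github/codeql-action` pins in `sec-codeql.yml` (`init`, `autobuild`, `analyze`) have no version comment at all, unlike every other pin in this commit, so nothing in the file says which release `87fc816d2538b0c915adeec59d61168692e8ab06` is. `sec-scorecard.yml` pins `github/codeql-action/upload-sarif` to a different commit, `b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1`, so the repository appears to run two different revisions of the same action. I would add the release as a comment, e.g. `uses: github/codeql-action/init@87fc816d2538b0c915adeec59d61168692e8ab06 # v<X.Y.Z>` (placeholder), and align the two files on one release if the difference is not intentional.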
@@ -55,7 +55,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: SARIF file path: results.sarif @@ -63,6 +63,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1 with: sarif_file: results.sarif diff --git a/.github/workflows/test-integration-cleanup-template.yaml b/.github/workflows/test-integration-cleanup-template.yaml index 19133c1cf5..2c865deff6 100644 --- a/.github/workflows/test-integration-cleanup-template.yaml +++ b/.github/workflows/test-integration-cleanup-template.yaml @@ -54,7 +54,7 @@ jobs: - distro: if: false steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: # This is needed to load repo GH composite actions if the workflow triggered by workflow_call. repository: camunda/camunda-platform-helm diff --git a/.github/workflows/test-integration-rosa-cleanup.yml b/.github/workflows/test-integration-rosa-cleanup.yml index d7d6ccb17b..562d3f841e 100644 --- a/.github/workflows/test-integration-rosa-cleanup.yml +++ b/.github/workflows/test-integration-rosa-cleanup.yml 
@@ -27,13 +27,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: ref: ${{ github.head_ref }} fetch-depth: 0 - name: Checkout Repository rosa modules - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: repository: "camunda/camunda-tf-rosa" ref: "main" diff --git a/.github/workflows/test-integration-rosa-template.yaml b/.github/workflows/test-integration-rosa-template.yaml index 496a09bf73..e1c1414872 100644 --- a/.github/workflows/test-integration-rosa-template.yaml +++ b/.github/workflows/test-integration-rosa-template.yaml @@ -65,7 +65,7 @@ jobs: outputs: platform-matrix: ${{ steps.matrix.outputs.platform-matrix }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 @@ -101,7 +101,7 @@ jobs: distro: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).distro }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 @@ -112,7 +112,7 @@ jobs: aws configure set aws_access_key_id ${{ secrets.DISTRO_CI_AWS_ACCESS_KEY }} --profile=${{ secrets.DISTRO_CI_AWS_PROFILE }} - name: Create ROSA cluster and login - uses: camunda/camunda-tf-rosa/.github/actions/rosa-create-cluster@d0471d28cb3eb13cd2212b63cc8e50d457d829c4 # main + uses: camunda/camunda-tf-rosa/.github/actions/rosa-create-cluster@3b99b47d224431b012cea62a30232116490db567 # main timeout-minutes: 125 env: AWS_PROFILE: ${{ secrets.DISTRO_CI_AWS_PROFILE }} 
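Review bot: In `test-integration-rosa-template.yaml` the context line above the re-pinned `rosa-create-cluster` step expands `${{ secrets.DISTRO_CI_AWS_ACCESS_KEY }}` and `${{ secrets.DISTRO_CI_AWS_PROFILE }}` directly into the `aws configure set` command. The expression is substituted into the script text before the shell runs, so a value containing shell metacharacters would be interpreted by the shell rather than passed as data. Mapping the secrets in the step's `env:` and referencing them as quoted shell variables keeps the values out of the script source; the step begins outside the hunk, so its existing `env:` is not visible here. The same line precedes `rosa-delete-cluster` in the `@@ -281,7` hunk.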
@@ -135,7 +135,7 @@ jobs: private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }} - name: Clone the distribution GitOps repo - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: repository: "camunda/distribution" ref: "main" @@ -281,7 +281,7 @@ jobs: aws configure set aws_access_key_id ${{ secrets.DISTRO_CI_AWS_ACCESS_KEY }} --profile=${{ secrets.DISTRO_CI_AWS_PROFILE }} - name: Delete on-demand ROSA HCP Cluster - uses: camunda/camunda-tf-rosa/.github/actions/rosa-delete-cluster@d0471d28cb3eb13cd2212b63cc8e50d457d829c4 # main + uses: camunda/camunda-tf-rosa/.github/actions/rosa-delete-cluster@3b99b47d224431b012cea62a30232116490db567 # main if: always() timeout-minutes: 125 env: diff --git a/.github/workflows/test-integration-template.yaml b/.github/workflows/test-integration-template.yaml index 4c976615a5..9283e05733 100644 --- a/.github/workflows/test-integration-template.yaml +++ b/.github/workflows/test-integration-template.yaml @@ -115,7 +115,7 @@ jobs: outputs: matrix: ${{ steps.generate-workflow-matrix.outputs.matrix }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: # This is needed if the workflow is triggered by workflow_call. repository: camunda/camunda-platform-helm @@ -165,7 +165,7 @@ jobs: echo "${GITHUB_CONTEXT}" | jq '."extra-values" = ""' echo "Workflow Inputs - Extra Values:" echo "${GITHUB_CONTEXT}" | jq -r '."extra-values"' - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: # This is needed to load repo GH composite actions if the workflow triggered by workflow_call. repository: camunda/camunda-platform-helm 
@@ -174,7 +174,7 @@ jobs:
 # and populate environment variables from Vault
 - name: Import Vault secrets
 id: secrets
- uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
+ uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0
 if: inputs.vault-secret-mapping != ''
 with:
 url: ${{ secrets.VAULT_ADDR }}
diff --git a/.github/workflows/test-unit-template.yml b/.github/workflows/test-unit-template.yml
index 094df0ef66..fedacd28d8 100644
--- a/.github/workflows/test-unit-template.yml
+++ b/.github/workflows/test-unit-template.yml
@@ -30,7 +30,7 @@ jobs:
 outputs:
 unitTestMatrix: ${{ steps.test-type-vars.outputs.unitTestMatrix }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: "${{ inputs.camunda-helm-git-ref }}"
 - name: Get CI unit test matrix
@@ -57,10 +57,10 @@ jobs:
 run: |
 echo "Workflow Inputs:"
 echo "${GITHUB_CONTEXT}"
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Install env dependencies
 uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+ - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
 with:
 path: |
 ~/.cache/go-build
diff --git a/.github/workflows/test-version-maintenance.yaml b/.github/workflows/test-version-maintenance.yaml
index 57c3edd26a..87985bb9f8 100644
--- a/.github/workflows/test-version-maintenance.yaml
+++ b/.github/workflows/test-version-maintenance.yaml
@@ -31,7 +31,7 @@ jobs:
 outputs:
 matrix: ${{ steps.generate-chart-versions.outputs.matrix }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Generate chart versions
 id: generate-chart-versions
 uses: ./.github/actions/generate-chart-matrix