diff --git a/.github/workflows/build-push-common.yaml b/.github/workflows/build-push-common.yaml
index 4f2a565..8485b5f 100644
--- a/.github/workflows/build-push-common.yaml
+++ b/.github/workflows/build-push-common.yaml
@@ -20,10 +20,10 @@ jobs:
 name: Publish Operator image
 runs-on: ${{ inputs.runner }}
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 with:
 clean: true
- - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
 with:
 go-version-file: go.mod
 check-latest: true
@@ -37,7 +37,7 @@ jobs:
 run: IMG=${REGISTRY}/${PROJECT}/intel-gpu-base-operator:${{ steps.gentag.outputs.TAG }} make operator-build
 - name: Log in to GitHub Container Registry
 if: inputs.runner != 'self-hosted'
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -52,7 +52,7 @@ jobs:
 echo "image_sha=$(docker inspect --format='{{index .RepoDigests 0}}' ${REGISTRY}/${PROJECT}/intel-gpu-base-operator:${{ steps.gentag.outputs.TAG }})" >> $GITHUB_OUTPUT
 - name: Install cosign
 if: ${{ steps.gentag.outputs.TAG != 'devel' }}
- uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 #v4.1.1
+ uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 #v4.1.2
 - name: Keyless image sign
 if: ${{ steps.gentag.outputs.TAG != 'devel' }}
 run: |
diff --git a/.github/workflows/helm-publish.yaml b/.github/workflows/helm-publish.yaml
index db13cd3..2cb816e 100644
--- a/.github/workflows/helm-publish.yaml
+++ b/.github/workflows/helm-publish.yaml
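Review bot: The version annotation next to the new checkout pin is inconsistent across this commit: the same SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd is labelled `# v4` in the @@ -20 hunk here (and on every checkout bump in validate-common.yaml and validate-e2e.yaml) but `# v6.0.2` in scorecard.yml. The comment is the only human-readable clue to what a SHA pin resolves to, so a stale or wrong label defeats the purpose of annotating pinned actions; it should name the tag the SHA was actually taken from, the same way everywhere, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` if that is what this pin resolves to. The setup-go lines likewise keep `# v5` on a new SHA, and the cosign-installer line in the @@ -52 hunk writes `#v4.1.2` without the space the other comments use; both are worth reconciling in the same pass.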
@@ -26,13 +26,13 @@ jobs:
 steps:
 - name: Git checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 with:
 fetch-tags: true
- - uses: azure/setup-helm@v4.3.0
+ - uses: azure/setup-helm@v5.0.0
 - name: Log in to the Container registry
- uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
 if: inputs.runner != 'self-hosted'
 with:
 registry: ${{ env.REGISTRY }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index aed7bba..5f03776 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -25,25 +25,25 @@ jobs:
 steps:
 - name: "Checkout code"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
 with:
 results_file: results.sarif
 results_format: sarif
 publish_results: true
 - name: "Upload artifact"
- uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: SARIF file
 path: results.sarif
 retention-days: 5
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/validate-common.yaml b/.github/workflows/validate-common.yaml
index 6a1ffd0..f3c5020 100644
--- a/.github/workflows/validate-common.yaml
+++ b/.github/workflows/validate-common.yaml
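Review bot: helm-publish.yaml is left out of step with the rest of this commit: its docker/login-action is moved to 4907a6ddec9925e35a0a9e82d7399ccc52663121, the very SHA that the build-push-common.yaml hunk in the same commit replaces with 650006c6eb7dba73a995cc03b0b2d7f5ca915bee (# v4.2.0), and unlike every other pinned line here it carries no version comment. The checkout and setup-helm steps in this hunk are also pinned to mutable tags (`uses: actions/checkout@v6`, `- uses: azure/setup-helm@v5.0.0`) rather than commit SHAs as the other workflows do, which matters most in a job that logs in to the container registry and publishes. I would use `uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0` here and give the other two steps a SHA pin with a version comment, so that all workflows resolve the same action to the same commit.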
@@ -18,10 +18,10 @@ jobs:
 name: Check generated files are in sync
 runs-on: ${{ inputs.runner }}
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 with:
 clean: true
- - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
 with:
 go-version-file: go.mod
 check-latest: true
@@ -32,10 +32,10 @@ jobs:
 name: Run lint
 runs-on: ${{ inputs.runner }}
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 with:
 clean: true
- - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
 with:
 go-version-file: go.mod
 check-latest: true
@@ -46,10 +46,10 @@ jobs:
 name: Build all
 runs-on: ${{ inputs.runner }}
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 with:
 clean: true
- - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
 with:
 go-version-file: go.mod
 check-latest: true
@@ -57,7 +57,7 @@ jobs:
 - run: make build
 - run: make docker-build
 - name: Run Trivy for operator image (json)
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
 with:
 scan-type: image
 scan-ref: ghcr.io/intel/intel-gpu-base-operator:devel
@@ -66,7 +66,7 @@ jobs:
 exit-code: 1
 output: operator-image-vulnerabilities.json
 - name: Run Trivy for go.mod (json)
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
 with:
 scan-type: fs
 scan-ref: go.mod
@@ -78,7 +78,7 @@ jobs:
 - run: |
 cp .trivyignore.yaml trivyignore.yaml
 - name: Store image reports as artifacts
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: trivy-vulnerabilities
 path: |
@@ -91,10 +91,10 @@ jobs:
 name: Run tests
 runs-on: ${{ inputs.runner }}
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 with:
 clean: true
- - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
 with:
 go-version-file: go.mod
 check-latest: true
@@ -107,10 +107,10 @@ jobs:
 name: Run golang verify
 runs-on: ${{ inputs.runner }}
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 with:
 clean: true
- - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
 with:
 go-version-file: go.mod
 check-latest: true
@@ -123,11 +123,11 @@ jobs:
 name: Run trivy dockerfile
 runs-on: ${{ inputs.runner }}
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 with:
 clean: true
 - name: Run Trivy for dockerfiles
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
 with:
 scan-type: config
 scan-ref: build/
@@ -137,7 +137,7 @@ jobs:
 severity: CRITICAL,HIGH,MEDIUM
 - name: Run Trivy for dockerfiles (json)
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
 if: always()
 with:
 scan-type: config
@@ -150,7 +150,7 @@ jobs:
 - run: |
 cp .trivyignore.yaml trivyignore.yaml
 - name: Store dockerfile analysis report as artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always()
 with:
 name: trivy-dockerfiles-json
@@ -163,11 +163,11 @@ jobs:
 name: Run trivy deployments
 runs-on: ${{ inputs.runner }}
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 with:
 clean: true
 - name: Run Trivy for deployments
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
 with:
 scan-type: config
 scan-ref: config/deployments
@@ -176,7 +176,7 @@ jobs:
 exit-code: 1
 severity: CRITICAL,HIGH,MEDIUM
 - name: Run Trivy for deployments (json)
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
 if: always()
 with:
 scan-type: config
@@ -189,7 +189,7 @@ jobs:
 - run: |
 cp .trivyignore.yaml trivyignore.yaml
 - name: Store vulnerability report as artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always()
 with:
 name: trivy-deployments-json
diff --git a/.github/workflows/validate-e2e.yaml b/.github/workflows/validate-e2e.yaml
index 222717f..9823257 100644
--- a/.github/workflows/validate-e2e.yaml
+++ b/.github/workflows/validate-e2e.yaml
@@ -20,10 +20,10 @@ jobs:
 name: Run e2e with GPU HW
 runs-on: ${{ inputs.runner }}
 steps:
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 with:
 clean: true
- - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
 with:
 go-version-file: go.mod
 check-latest: true