Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

deps: update GitHub action dependencies (#1848)

Browse Source 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
This commit is contained in:
renovate[bot] 2023-07-03 08:19:10 +02:00 committed by GitHub
parent 66f1333c31
commit 576b48c8b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
45 changed files with 112 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/actions/build_cli/action.yml vendored
View File

@ -70,7 +70,7 @@ runs:
# once it has the functionality # once it has the functionality
- name: Install Cosign - name: Install Cosign
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1 uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
- name: Install Rekor - name: Install Rekor
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''

2
.github/actions/build_micro_service/action.yml vendored
View File

@ -42,7 +42,7 @@ runs:
- name: Docker metadata - name: Docker metadata
id: meta id: meta
uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0 uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
with: with:
images: | images: |
ghcr.io/${{ github.repository }}/${{ inputs.name }} ghcr.io/${{ github.repository }}/${{ inputs.name }}

2
.github/actions/constellation_iam_destroy/action.yml vendored
View File

@ -23,7 +23,7 @@ runs:
- name: Login to AWS (IAM role) - name: Login to AWS (IAM role)
if: inputs.cloudProvider == 'aws' if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
aws-region: eu-central-1 aws-region: eu-central-1

2
.github/actions/container_registry_login/action.yml vendored
View File

@ -17,7 +17,7 @@ runs:
steps: steps:
- name: Use docker for logging in - name: Use docker for logging in
if: runner.os != 'macOS' if: runner.os != 'macOS'
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0 uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with: with:
registry: ${{ inputs.registry }} registry: ${{ inputs.registry }}
username: ${{ inputs.username }} username: ${{ inputs.username }}

2
.github/actions/container_sbom/action.yml vendored
View File

@ -19,7 +19,7 @@ runs:
steps: steps:
- name: Install Cosign - name: Install Cosign
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1 uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
- name: Download Syft & Grype - name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype uses: ./.github/actions/install_syft_grype

6
.github/actions/e2e_benchmark/action.yml vendored
View File

@ -23,7 +23,7 @@ runs:
steps: steps:
- name: Setup python - name: Setup python
uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
with: with:
python-version: "3.10" python-version: "3.10"
@ -39,7 +39,7 @@ runs:
install kubestr /usr/local/bin install kubestr /usr/local/bin
- name: Checkout k8s-bench-suite - name: Checkout k8s-bench-suite
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
fetch-depth: 0 fetch-depth: 0
repository: "InfraBuilder/k8s-bench-suite" repository: "InfraBuilder/k8s-bench-suite"
@ -120,7 +120,7 @@ runs:
name: "knb-constellation-${{ inputs.cloudProvider }}.json" name: "knb-constellation-${{ inputs.cloudProvider }}.json"
- name: Assume AWS role to retrieve and update benchmarks in S3 - name: Assume AWS role to retrieve and update benchmarks in S3
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks
aws-region: us-east-2 aws-region: us-east-2

2
.github/actions/e2e_sonobuoy/action.yml vendored
View File

@ -57,7 +57,7 @@ runs:
- name: Publish test results - name: Publish test results
if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e') if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
uses: mikepenz/action-junit-report@959aefb7f095e717eb407fe917238d61ca323ff3 # v3.7.6 uses: mikepenz/action-junit-report@baaeba622e27b396105f35ec9ec4ee89ffcbd306 # v3.7.8
with: with:
report_paths: "**/junit_01.xml" report_paths: "**/junit_01.xml"
fail_on_failure: true fail_on_failure: true

4
.github/actions/e2e_test/action.yml vendored
View File

@ -175,7 +175,7 @@ runs:
- name: Login to AWS (IAM role) - name: Login to AWS (IAM role)
if: inputs.cloudProvider == 'aws' if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
aws-region: eu-central-1 aws-region: eu-central-1
@ -216,7 +216,7 @@ runs:
- name: Login to AWS (Cluster role) - name: Login to AWS (Cluster role)
if: inputs.cloudProvider == 'aws' if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
aws-region: eu-central-1 aws-region: eu-central-1

2
.github/actions/install_docgen/action.yml vendored
View File

@ -5,7 +5,7 @@ runs:
using: "composite" using: "composite"
steps: steps:
- name: Checkout talos - name: Checkout talos
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
fetch-depth: 0 fetch-depth: 0
repository: "siderolabs/talos" repository: "siderolabs/talos"

4
.github/actions/login_gcp/action.yml vendored
View File

@ -22,11 +22,11 @@ runs:
# As described at: # As described at:
# https://github.com/google-github-actions/setup-gcloud#service-account-key-json # https://github.com/google-github-actions/setup-gcloud#service-account-key-json
- name: Authorize GCP access - name: Authorize GCP access
uses: google-github-actions/auth@e8df18b60c5dd38ba618c121b779307266153fbf # v1.1.0 uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with: with:
workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
service_account: ${{ inputs.service_account }} service_account: ${{ inputs.service_account }}
# Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil. # Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
- name: Set up Cloud SDK - name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0 uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1

2
.github/actions/select_image/action.yml vendored
View File

@ -18,7 +18,7 @@ runs:
using: "composite" using: "composite"
steps: steps:
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1 aws-region: eu-central-1

4
.github/actions/setup_linux/action.yml vendored
View File

@ -50,8 +50,8 @@ runs:
sudo apt-get install azure-cli -y sudo apt-get install azure-cli -y
- name: Set up gcloud CLI - name: Set up gcloud CLI
uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0 uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
- name: Set up Docker Buildx - name: Set up Docker Buildx
id: docker-setup id: docker-setup
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0

2
.github/actions/setup_mkosi/action.yaml vendored
View File

@ -32,7 +32,7 @@ runs:
echo "::endgroup::" echo "::endgroup::"
- name: Checkout systemd - name: Checkout systemd
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
repository: systemd/systemd repository: systemd/systemd
path: ${{ github.action_path }}/systemd path: ${{ github.action_path }}/systemd

2
.github/workflows/aws-snp-launchmeasurement.yml vendored
View File

@ -45,7 +45,7 @@ jobs:
echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT" echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # tag=v3.5.2 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
repository: IBM/sev-snp-measure.git repository: IBM/sev-snp-measure.git
ref: main ref: main

10
.github/workflows/azure-snp-reporter.yml vendored
View File

@ -12,7 +12,7 @@ jobs:
packages: write packages: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -32,7 +32,7 @@ jobs:
SHELL: /bin/bash SHELL: /bin/bash
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -58,12 +58,12 @@ jobs:
SHELL: /bin/bash SHELL: /bin/bash
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Set up Go - name: Set up Go
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with: with:
go-version: 1.20.5 go-version: 1.20.5
cache: false cache: false
@ -79,7 +79,7 @@ jobs:
run: go run ./hack/azure-snp-report-verify/verify.go --report "$(cat ./maa-report.jwt)" --export-path azure-snp-version.json run: go run ./hack/azure-snp-report-verify/verify.go --report "$(cat ./maa-report.jwt)" --export-path azure-snp-version.json
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1 aws-region: eu-central-1

2
.github/workflows/build-binaries.yml vendored
View File

@ -22,7 +22,7 @@ jobs:
runs-on: [self-hosted, bazel-cached] runs-on: [self-hosted, bazel-cached]
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

4
.github/workflows/build-ccm-gcp.yml vendored
View File

@ -21,14 +21,14 @@ jobs:
latest: true latest: true
steps: steps:
- name: Checkout kubernetes/cloud-provider-gcp - name: Checkout kubernetes/cloud-provider-gcp
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
repository: "kubernetes/cloud-provider-gcp" repository: "kubernetes/cloud-provider-gcp"
ref: refs/tags/ccm/${{ matrix.version }} ref: refs/tags/ccm/${{ matrix.version }}
- name: Docker meta - name: Docker meta
id: meta id: meta
uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0 uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
with: with:
images: | images: |
${{ env.REGISTRY }}/edgelesssys/cloud-provider-gcp ${{ env.REGISTRY }}/edgelesssys/cloud-provider-gcp

6
.github/workflows/build-gcp-guest-agent.yml vendored
View File

@ -69,7 +69,7 @@ jobs:
- name: Checkout GoogleCloudPlatform/guest-agent - name: Checkout GoogleCloudPlatform/guest-agent
if: steps.needs-build.outputs.out == 'true' if: steps.needs-build.outputs.out == 'true'
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
repository: "GoogleCloudPlatform/guest-agent" repository: "GoogleCloudPlatform/guest-agent"
ref: refs/tags/${{ steps.latest-release.outputs.latest }} ref: refs/tags/${{ steps.latest-release.outputs.latest }}
@ -77,7 +77,7 @@ jobs:
- name: Checkout Constellation - name: Checkout Constellation
if: steps.needs-build.outputs.out == 'true' if: steps.needs-build.outputs.out == 'true'
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
path: "constellation" path: "constellation"
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -85,7 +85,7 @@ jobs:
- name: Docker meta - name: Docker meta
id: meta id: meta
if: steps.needs-build.outputs.out == 'true' if: steps.needs-build.outputs.out == 'true'
uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0 uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
with: with:
images: | images: |
${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent ${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent

2
.github/workflows/build-logcollector-images.yml vendored
View File

@ -20,7 +20,7 @@ jobs:
steps: steps:
- name: Check out repository - name: Check out repository
id: checkout id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

4
.github/workflows/build-os-image-scheduled.yml vendored
View File

@ -62,12 +62,12 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ github.head_ref }} ref: ${{ github.head_ref }}
- name: Setup Go environment - name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with: with:
go-version: "1.20.5" go-version: "1.20.5"
cache: false cache: false

36
.github/workflows/build-os-image.yml vendored
View File

@ -58,12 +58,12 @@ jobs:
measurement-reader-sha256: ${{ steps.collect-hashes.outputs.measurement-reader-sha256 }} measurement-reader-sha256: ${{ steps.collect-hashes.outputs.measurement-reader-sha256 }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
- name: Setup Go environment - name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with: with:
go-version: "1.20.5" go-version: "1.20.5"
cache: true cache: true
@ -138,7 +138,7 @@ jobs:
cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }} cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
@ -277,7 +277,7 @@ jobs:
attestation_variant: qemu-vtpm attestation_variant: qemu-vtpm
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
@ -407,7 +407,7 @@ jobs:
ATTESTATION_VARIANT: ${{ matrix.attestation_variant }} ATTESTATION_VARIANT: ${{ matrix.attestation_variant }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
@ -429,7 +429,7 @@ jobs:
echo "::endgroup::" echo "::endgroup::"
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1 aws-region: eu-central-1
@ -563,7 +563,7 @@ jobs:
attestation_variant: qemu-vtpm attestation_variant: qemu-vtpm
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
@ -723,7 +723,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
@ -733,13 +733,13 @@ jobs:
name: measurements name: measurements
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1 aws-region: eu-central-1
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1 uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
- name: Install Rekor - name: Install Rekor
shell: bash shell: bash
@ -803,7 +803,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1 aws-region: eu-central-1
@ -836,7 +836,7 @@ jobs:
echo "::endgroup::" echo "::endgroup::"
- name: Create SBOM in SPDX fromat - name: Create SBOM in SPDX fromat
uses: anchore/sbom-action@422cb34a0f8b599678c41b21163ea6088edb2624 # v0.14.1 uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
with: with:
path: image.root.tree path: image.root.tree
artifact-name: sbom.spdx.json artifact-name: sbom.spdx.json
@ -844,7 +844,7 @@ jobs:
format: spdx-json format: spdx-json
- name: Create SBOM in CycloneDX fromat - name: Create SBOM in CycloneDX fromat
uses: anchore/sbom-action@422cb34a0f8b599678c41b21163ea6088edb2624 # v0.14.1 uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
with: with:
path: image.root.tree path: image.root.tree
artifact-name: sbom.cyclonedx.json artifact-name: sbom.cyclonedx.json
@ -852,7 +852,7 @@ jobs:
format: cyclonedx-json format: cyclonedx-json
- name: Create SBOM in Syft fromat - name: Create SBOM in Syft fromat
uses: anchore/sbom-action@422cb34a0f8b599678c41b21163ea6088edb2624 # v0.14.1 uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
with: with:
path: image.root.tree path: image.root.tree
artifact-name: sbom.syft.json artifact-name: sbom.syft.json
@ -924,7 +924,7 @@ jobs:
contents: read contents: read
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
@ -934,7 +934,7 @@ jobs:
name: lookup-table name: lookup-table
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1 aws-region: eu-central-1
@ -944,12 +944,12 @@ jobs:
run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
- name: Setup Go environment - name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with: with:
go-version: "1.20.5" go-version: "1.20.5"
cache: true cache: true

2
.github/workflows/build-versionsapi-ci-image.yml vendored
View File

@ -19,7 +19,7 @@ jobs:
steps: steps:
- name: Check out repository - name: Check out repository
id: checkout id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

4
.github/workflows/check-links.yml vendored
View File

@ -20,12 +20,12 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Link Checker - name: Link Checker
uses: lycheeverse/lychee-action@97189f2c0a3c8b0cb0e704fd4e878af6e5e2b2c5 # v1.7.0 uses: lycheeverse/lychee-action@ec3ed119d4f44ad2673a7232460dc7dff59d2421 # v1.8.0
with: with:
args: "--verbose --no-progress --max-concurrency 5 --exclude-path './cli/internal/helm/charts/cilium' './**/*.md' './**/*.html'" args: "--verbose --no-progress --max-concurrency 5 --exclude-path './cli/internal/helm/charts/cilium' './**/*.md' './**/*.html'"
fail: true fail: true

10
.github/workflows/codeql.yml vendored
View File

@ -34,17 +34,17 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup Go environment - name: Setup Go environment
if: matrix.language == 'go' if: matrix.language == 'go'
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with: with:
go-version: "1.20.5" go-version: "1.20.5"
cache: false cache: false
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3 uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
with: with:
languages: ${{ matrix.language }} languages: ${{ matrix.language }}
@ -64,9 +64,9 @@ jobs:
- name: Build - name: Build
if: matrix.language == 'python' if: matrix.language == 'python'
uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3 uses: github/codeql-action/autobuild@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3 uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
with: with:
category: "/language:${{ matrix.language }}" category: "/language:${{ matrix.language }}"

2
.github/workflows/docs-vale.yml vendored
View File

@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

2
.github/workflows/e2e-mini.yml vendored
View File

@ -29,7 +29,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }} ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}

4
.github/workflows/e2e-test-daily.yml vendored
View File

@ -21,7 +21,7 @@ jobs:
image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }} image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -58,7 +58,7 @@ jobs:
needs: [find-latest-image] needs: [find-latest-image]
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
fetch-depth: 0 fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

12
.github/workflows/e2e-test-manual.yml vendored
View File

@ -158,19 +158,19 @@ jobs:
- name: Checkout head - name: Checkout head
if: needs.split-cliImageVersion.outputs.image == '' && inputs.git-ref == 'head' if: needs.split-cliImageVersion.outputs.image == '' && inputs.git-ref == 'head'
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref - name: Checkout ref
if: needs.split-cliImageVersion.outputs.image == '' && inputs.git-ref != 'head' if: needs.split-cliImageVersion.outputs.image == '' && inputs.git-ref != 'head'
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.git-ref }} ref: ${{ inputs.git-ref }}
- name: Login to AWS - name: Login to AWS
if: needs.split-cliImageVersion.outputs.image == '' if: needs.split-cliImageVersion.outputs.image == ''
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1 aws-region: eu-central-1
@ -217,19 +217,19 @@ jobs:
- name: Checkout head - name: Checkout head
if: inputs.git-ref == 'head' if: inputs.git-ref == 'head'
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref - name: Checkout ref
if: inputs.git-ref != 'head' if: inputs.git-ref != 'head'
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.git-ref }} ref: ${{ inputs.git-ref }}
- name: Set up gcloud CLI (macOS) - name: Set up gcloud CLI (macOS)
if: inputs.cloudProvider == 'gcp' && runner.os == 'macOS' if: inputs.cloudProvider == 'gcp' && runner.os == 'macOS'
uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0 uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
- name: Run manual E2E test - name: Run manual E2E test
id: e2e_test id: e2e_test

4
.github/workflows/e2e-test-release.yml vendored
View File

@ -171,14 +171,14 @@ jobs:
run: brew install coreutils kubectl bash run: brew install coreutils kubectl bash
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
fetch-depth: 0 fetch-depth: 0
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
- name: Set up gcloud CLI (macOS) - name: Set up gcloud CLI (macOS)
if: matrix.provider == 'gcp' && runner.os == 'macOS' if: matrix.provider == 'gcp' && runner.os == 'macOS'
uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0 uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
- name: Run E2E test - name: Run E2E test
id: e2e_test id: e2e_test

6
.github/workflows/e2e-test-weekly.yml vendored
View File

@ -21,7 +21,7 @@ jobs:
image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }} image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -178,7 +178,7 @@ jobs:
needs: [find-latest-image] needs: [find-latest-image]
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
fetch-depth: 0 fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -275,7 +275,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

4
.github/workflows/e2e-upgrade.yml vendored
View File

@ -103,14 +103,14 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
if: inputs.gitRef == 'head' if: inputs.gitRef == 'head'
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
fetch-depth: 0 fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Checkout ref - name: Checkout ref
if: inputs.gitRef != 'head' if: inputs.gitRef != 'head'
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
fetch-depth: 0 fetch-depth: 0
ref: ${{ inputs.gitRef }} ref: ${{ inputs.gitRef }}

4
.github/workflows/e2e-windows.yml vendored
View File

@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -35,7 +35,7 @@ jobs:
needs: build-cli needs: build-cli
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

6
.github/workflows/on-release.yml vendored
View File

@ -26,7 +26,7 @@ jobs:
WORKING_BRANCH: ${{ env.WORKING_BRANCH }} WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Determine branch names - name: Determine branch names
run: | run: |
@ -72,7 +72,7 @@ jobs:
latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }} latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Override latest - name: Override latest
if: github.event.inputs.latest == 'true' if: github.event.inputs.latest == 'true'
@ -146,7 +146,7 @@ jobs:
contents: read contents: read
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Remove temporary branch - name: Remove temporary branch
run: git push origin --delete "${WORKING_BRANCH}" run: git push origin --delete "${WORKING_BRANCH}"

2
.github/workflows/pseudo-version-freshness.yml vendored
View File

@ -14,7 +14,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
persist-credentials: false persist-credentials: false

4
.github/workflows/purge-main.yml vendored
View File

@ -18,12 +18,12 @@ jobs:
contents: read contents: read
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ github.head_ref }} ref: ${{ github.head_ref }}
- name: Login to AWS - name: Login to AWS
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1 aws-region: eu-central-1

10
.github/workflows/release-cli.yml vendored
View File

@ -51,7 +51,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
@ -89,7 +89,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
@ -161,12 +161,12 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1 uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
- name: Download Syft & Grype - name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype uses: ./.github/actions/install_syft_grype
@ -221,7 +221,7 @@ jobs:
- provenance-subjects - provenance-subjects
# This must not be pinned to digest. See: # This must not be pinned to digest. See:
# https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators # https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
with: with:
base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}" base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"

14
.github/workflows/release.yml vendored
View File

@ -30,7 +30,7 @@ jobs:
RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }} RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }} WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
steps: steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Working branch - name: Working branch
run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV" run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
@ -82,7 +82,7 @@ jobs:
MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }} MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }} BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
steps: steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: main ref: main
@ -120,7 +120,7 @@ jobs:
WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
@ -158,7 +158,7 @@ jobs:
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }} WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
@ -205,12 +205,12 @@ jobs:
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }} WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
- name: Setup Go environment - name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with: with:
go-version: "1.20.5" go-version: "1.20.5"
cache: true cache: true
@ -242,7 +242,7 @@ jobs:
VERSION: ${{ inputs.version }} VERSION: ${{ inputs.version }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

2
.github/workflows/reproducible-builds.yml vendored
View File

@ -24,7 +24,7 @@ jobs:
runs-on: ${{ matrix.runner }} runs-on: ${{ matrix.runner }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

6
.github/workflows/scorecard.yml vendored
View File

@ -18,12 +18,12 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
persist-credentials: false persist-credentials: false
- name: Run analysis - name: Run analysis
uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3 uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
with: with:
results_file: results.sarif results_file: results.sarif
results_format: sarif results_format: sarif
@ -37,6 +37,6 @@ jobs:
retention-days: 5 retention-days: 5
- name: Upload to code-scanning - name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3 uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
with: with:
sarif_file: results.sarif sarif_file: results.sarif

4
.github/workflows/test-integration.yml vendored
View File

@ -25,12 +25,12 @@ jobs:
CTEST_OUTPUT_ON_FAILURE: True CTEST_OUTPUT_ON_FAILURE: True
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup Go environment - name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with: with:
go-version: "1.20.5" go-version: "1.20.5"
cache: true cache: true

4
.github/workflows/test-operator-codegen.yml vendored
View File

@ -21,12 +21,12 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup Go environment - name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with: with:
go-version: "1.20.5" go-version: "1.20.5"
cache: true cache: true

2
.github/workflows/test-tfsec.yml vendored
View File

@ -23,7 +23,7 @@ jobs:
pull-requests: write pull-requests: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

4
.github/workflows/test-tidy.yml vendored
View File

@ -17,7 +17,7 @@ jobs:
contents: read contents: read
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
# No token available for forks, so we can't push changes # No token available for forks, so we can't push changes
@ -37,7 +37,7 @@ jobs:
- name: Assume AWS role to upload Bazel dependencies to S3 - name: Assume AWS role to upload Bazel dependencies to S3
if: startsWith(github.head_ref, 'renovate/') if: startsWith(github.head_ref, 'renovate/')
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
aws-region: eu-central-1 aws-region: eu-central-1

2
.github/workflows/test-unittest.yml vendored
View File

@ -26,7 +26,7 @@ jobs:
runs-on: [self-hosted, bazel-cached] runs-on: [self-hosted, bazel-cached]
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

8
.github/workflows/versionsapi.yml vendored
View File

@ -115,7 +115,7 @@ jobs:
steps: steps:
- name: Check out repository - name: Check out repository
id: checkout id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -149,21 +149,21 @@ jobs:
- name: Login to AWS without write access - name: Login to AWS without write access
if: steps.check-rights.outputs.write == 'false' if: steps.check-rights.outputs.write == 'false'
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1 aws-region: eu-central-1
- name: Login to AWS with write access - name: Login to AWS with write access
if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'false' if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'false'
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIWrite role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIWrite
aws-region: eu-central-1 aws-region: eu-central-1
- name: Login to AWS with write and image remove access - name: Login to AWS with write and image remove access
if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'true' if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'true'
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRemove role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRemove
aws-region: eu-central-1 aws-region: eu-central-1