Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-04-20 23:36:29 -04:00
Code Issues Packages Projects Releases Wiki Activity

deps: update GitHub action dependencies (#3711)

Browse Source 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This commit is contained in:
renovate[bot] 2025-03-25 11:59:07 +01:00 committed by GitHub
parent ec46c97d4c
commit c7369fa2a7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
43 changed files with 96 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/actions/artifact_download/action.yml vendored
View File

@ -28,7 +28,7 @@ runs:
run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
- name: Download the artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: ${{ inputs.name }}
path: ${{ steps.tempdir.outputs.directory }}

2
.github/actions/artifact_upload/action.yml vendored
View File

@ -69,7 +69,7 @@ runs:
done
- name: Upload archive as artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: ${{ inputs.name }}
path: ${{ steps.tempdir.outputs.directory }}/archive.7z

2
.github/actions/build_cli/action.yml vendored
View File

@ -79,7 +79,7 @@ runs:
# once it has the functionality
- name: Install Cosign
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
- name: Install Rekor
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''

4
.github/actions/build_micro_service/action.yml vendored
View File

@ -42,7 +42,7 @@ runs:
- name: Docker metadata
id: meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
with:
images: |
ghcr.io/${{ github.repository }}/${{ inputs.name }}
@ -62,7 +62,7 @@ runs:
- name: Build and push container image
id: build-micro-service
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
with:
context: .
file: ${{ inputs.dockerfile }}

4
.github/actions/cdbg_deploy/action.yml vendored
View File

@ -61,7 +61,7 @@ runs:
- name: Login to AWS (IAM service principal)
if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
aws-region: eu-central-1
@ -80,7 +80,7 @@ runs:
- name: Login to AWS (Cluster service principal)
if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
aws-region: eu-central-1

2
.github/actions/constellation_destroy/action.yml vendored
View File

@ -67,7 +67,7 @@ runs:
- name: Login to AWS (Cluster role)
if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
aws-region: eu-central-1

2
.github/actions/constellation_iam_destroy/action.yml vendored
View File

@ -23,7 +23,7 @@ runs:
- name: Login to AWS (IAM role)
if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
aws-region: eu-central-1

2
.github/actions/container_registry_login/action.yml vendored
View File

@ -17,7 +17,7 @@ runs:
steps:
- name: Use docker for logging in
if: runner.os != 'macOS'
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}

2
.github/actions/container_sbom/action.yml vendored
View File

@ -19,7 +19,7 @@ runs:
steps:
- name: Install Cosign
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
- name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype

2
.github/actions/deploy_logcollection/action.yml vendored
View File

@ -67,7 +67,7 @@ runs:
# Make sure that helm is installed
# This is not always the case, e.g. on MacOS runners
- name: Install Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
with:
version: v3.9.0

20
.github/actions/download_release_binaries/action.yml vendored
View File

@ -5,51 +5,51 @@ runs:
using: "composite"
steps:
- name: Download CLI binaries darwin-amd64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: constellation-darwin-amd64
- name: Download CLI binaries darwin-arm64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: constellation-darwin-arm64
- name: Download CLI binaries linux-amd64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: constellation-linux-amd64
- name: Download CLI binaries linux-arm64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: constellation-linux-arm64
- name: Download CLI binaries windows-amd64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: constellation-windows-amd64
- name: Download Terraform module
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: terraform-module
- name: Download Terraform provider binary darwin-amd64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: terraform-provider-constellation-darwin-amd64
- name: Download Terraform provider binary darwin-arm64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: terraform-provider-constellation-darwin-arm64
- name: Download Terraform provider binary linux-amd64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: terraform-provider-constellation-linux-amd64
- name: Download Terraform provider binary linux-arm64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: terraform-provider-constellation-linux-arm64

2
.github/actions/e2e_attestationconfigapi/action.yml vendored
View File

@ -19,7 +19,7 @@ runs:
uses: ./.github/actions/setup_bazel_nix
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubTestResourceAPI
aws-region: eu-west-1

4
.github/actions/e2e_benchmark/action.yml vendored
View File

@ -32,7 +32,7 @@ runs:
steps:
- name: Setup python
uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
with:
python-version: "3.10"
@ -166,7 +166,7 @@ runs:
encryptionSecret: ${{ inputs.encryptionSecret }}
- name: Assume AWS role to retrieve and update benchmarks in S3
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks
aws-region: us-east-2

2
.github/actions/e2e_cleanup_timeframe/action.yml vendored
View File

@ -22,7 +22,7 @@ runs:
using: "composite"
steps:
- name: Authenticate AWS
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EDestroy
aws-region: eu-central-1

2
.github/actions/e2e_sonobuoy/action.yml vendored
View File

@ -70,7 +70,7 @@ runs:
- name: Publish test results
if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
uses: mikepenz/action-junit-report@ee6b445351cd81e2f73a16a0e52d598aeac2197f # v5.3.0
uses: mikepenz/action-junit-report@97744eca465b8df9e6e33271cb155003f85327f1 # v5.5.0
with:
report_paths: "**/junit_01.xml"
fail_on_failure: true

4
.github/actions/e2e_test/action.yml vendored
View File

@ -225,7 +225,7 @@ runs:
- name: Login to AWS (IAM role)
if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
aws-region: eu-central-1
@ -290,7 +290,7 @@ runs:
- name: Login to AWS (Cluster role)
if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
aws-region: eu-central-1

2
.github/actions/e2e_verify/action.yml vendored
View File

@ -82,7 +82,7 @@ runs:
- name: Login to AWS
if: github.ref_name == 'main'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1

2
.github/actions/find_latest_image/action.yml vendored
View File

@ -38,7 +38,7 @@ runs:
- name: Login to AWS
if: inputs.imageVersion == ''
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1

2
.github/actions/publish_helmchart/action.yml vendored
View File

@ -29,7 +29,7 @@ runs:
echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT
- name: Create pull request
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
path: helm
branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"

2
.github/actions/select_image/action.yml vendored
View File

@ -18,7 +18,7 @@ runs:
using: "composite"
steps:
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1

2
.github/actions/upload_terraform_module/action.yml vendored
View File

@ -15,7 +15,7 @@ runs:
zip -r terraform-module.zip terraform-module
- name: Upload artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: terraform-module
path: terraform-module.zip

2
.github/workflows/aws-snp-launchmeasurement.yml vendored
View File

@ -21,7 +21,7 @@ jobs:
- name: Download Firmware release
id: download-firmware
uses: robinraju/release-downloader@a96f54c1b5f5e09e47d9504526e96febd949d4c2 # v1.11
uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
with:
repository: aws/uefi
latest: true

8
.github/workflows/build-ccm-gcp.yml vendored
View File

@ -29,9 +29,9 @@ jobs:
fetch-depth: 0
- name: Setup Go environment
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version: "1.23.6"
go-version: "1.24.1"
cache: false
- name: Install Crane
@ -76,7 +76,7 @@ jobs:
- name: Docker meta
id: meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
with:
images: |
ghcr.io/edgelesssys/cloud-provider-gcp
@ -113,7 +113,7 @@ jobs:
- name: Build and push container image
id: build
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
with:
context: ./cloud-provider-gcp
push: ${{ github.ref_name == 'main' }}

4
.github/workflows/build-gcp-guest-agent.yml vendored
View File

@ -85,7 +85,7 @@ jobs:
- name: Docker meta
id: meta
if: steps.needs-build.outputs.out == 'true'
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
with:
images: |
${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent
@ -114,7 +114,7 @@ jobs:
- name: Build and push container image
if: steps.needs-build.outputs.out == 'true'
id: build
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
with:
context: ./guest-agent
file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile

6
.github/workflows/build-os-image-scheduled.yml vendored
View File

@ -65,9 +65,9 @@ jobs:
token: ${{ secrets.CI_COMMIT_PUSH_PR }}
- name: Setup Go environment
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version: "1.23.6"
go-version: "1.24.1"
cache: false
- name: Determine version
@ -97,7 +97,7 @@ jobs:
run: rm -f internal/attestation/measurements/measurement-generator/generate
- name: Create pull request
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
branch: "image/automated/update-measurements-${{ github.run_number }}"
base: main

2
.github/workflows/build-os-image.yml vendored
View File

@ -147,7 +147,7 @@ jobs:
useCache: "false"
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1

2
.github/workflows/check-links.yml vendored
View File

@ -25,7 +25,7 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Link Checker
uses: lycheeverse/lychee-action@f796c8b7d468feb9b8c0a46da3fac0af6874d374 # v2.2.0
uses: lycheeverse/lychee-action@f613c4a64e50d792e0b31ec34bbcbba12263c6a6 # v2.3.0
with:
args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
fail: true

8
.github/workflows/codeql.yml vendored
View File

@ -38,13 +38,13 @@ jobs:
- name: Setup Go environment
if: matrix.language == 'go'
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version: "1.23.6"
go-version: "1.24.1"
cache: false
- name: Initialize CodeQL
uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
with:
languages: ${{ matrix.language }}
@ -63,6 +63,6 @@ jobs:
echo "::endgroup::"
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
with:
category: "/language:${{ matrix.language }}"

28
.github/workflows/draft-release.yml vendored
View File

@ -92,7 +92,7 @@ jobs:
cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
- name: Upload CLI as artifact (unix)
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if : ${{ matrix.os != 'windows' }}
with:
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -101,7 +101,7 @@ jobs:
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig
- name: Upload CLI as artifact (windows)
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if : ${{ matrix.os == 'windows' }}
with:
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -149,7 +149,7 @@ jobs:
targetArch: ${{ matrix.arch }}
- name: Upload Terraform Provider Binary as artifact (unix)
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if : ${{ matrix.os != 'windows' }}
with:
name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -157,7 +157,7 @@ jobs:
build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
- name: Upload Terraform Provider Binary as artifact (windows)
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if : ${{ matrix.os == 'windows' }}
with:
name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -227,7 +227,7 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: constellation.spdx.sbom
@ -261,7 +261,7 @@ jobs:
ref: ${{ inputs.ref || github.head_ref }}
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
- name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype
@ -296,13 +296,13 @@ jobs:
COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
- name: Upload Constellation CLI SBOM
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: constellation.spdx.sbom
path: constellation.spdx.sbom
- name: Upload Constellation CLI SBOM's signature
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: constellation.spdx.sbom.sig
path: constellation.spdx.sbom.sig
@ -316,7 +316,7 @@ jobs:
- provenance-subjects
# This must not be pinned to digest. See:
# https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
with:
base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"
@ -340,12 +340,12 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: constellation.spdx.sbom
- name: Download provenance
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: ${{ needs.provenance.outputs.provenance-name }}
@ -418,17 +418,17 @@ jobs:
uses: ./.github/actions/download_release_binaries
- name: Download CLI SBOM
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: constellation.spdx.sbom
- name: Download Constellation CLI SBOM's signature
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: constellation.spdx.sbom.sig
- name: Download Constellation provenance
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: ${{ needs.provenance.outputs.provenance-name }}

2
.github/workflows/e2e-test-provider-example.yml vendored
View File

@ -154,7 +154,7 @@ jobs:
- name: Login to AWS (IAM + Cluster role)
if: steps.determine.outputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
aws-region: eu-central-1

10
.github/workflows/e2e-upgrade.yml vendored
View File

@ -268,13 +268,13 @@ jobs:
push: true
- name: Upload CLI binary # is needed for the cleanup step
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: constellation-upgrade-${{ inputs.attestationVariant }}
path: build/constellation
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1
@ -296,7 +296,7 @@ jobs:
- name: Login to AWS (IAM role)
if: needs.generate-input-parameters.outputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
aws-region: eu-central-1
@ -347,7 +347,7 @@ jobs:
- name: Login to AWS (Cluster role)
if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
aws-region: eu-central-1
@ -424,7 +424,7 @@ jobs:
ref: ${{ inputs.gitRef }}
- name: Download CLI
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: constellation-upgrade-${{ inputs.attestationVariant }}
path: build

4
.github/workflows/e2e-windows.yml vendored
View File

@ -45,7 +45,7 @@ jobs:
push: true
- name: Upload CLI artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
path: build/constellation.exe
name: "constell-exe"
@ -61,7 +61,7 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download CLI artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: "constell-exe"

2
.github/workflows/on-release.yml vendored
View File

@ -142,7 +142,7 @@ jobs:
- uses: ./.github/actions/setup_bazel_nix
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1

2
.github/workflows/purge-main.yml vendored
View File

@ -23,7 +23,7 @@ jobs:
ref: ${{ github.head_ref }}
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1

6
.github/workflows/release.yml vendored
View File

@ -118,7 +118,7 @@ jobs:
sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml
- name: Create docs pull request
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
branch: ${{ env.BRANCH }}
base: main
@ -266,9 +266,9 @@ jobs:
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
- name: Setup Go environment
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version: "1.23.6"
go-version: "1.24.1"
cache: true
- name: Build generateMeasurements tool

12
.github/workflows/reproducible-builds.yml vendored
View File

@ -81,13 +81,13 @@ jobs:
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
- name: Upload binary artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
path: "${{ env.binary }}"
- name: Upload hash artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
path: "${{ env.binary }}.sha256"
@ -146,13 +146,13 @@ jobs:
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
- name: Upload binary artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
path: "${{ env.binary }}"
- name: Upload hash artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
path: "${{ env.binary }}.sha256"
@ -175,7 +175,7 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download binaries
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
pattern: "binaries-${{ matrix.target }}-*"
merge-multiple: true
@ -209,7 +209,7 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Download os images
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
pattern: "osimages-${{ matrix.target }}-*"
merge-multiple: true

6
.github/workflows/scorecard.yml vendored
View File

@ -23,20 +23,20 @@ jobs:
persist-credentials: false
- name: Run analysis
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- name: Upload artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
with:
sarif_file: results.sarif

2
.github/workflows/sync-terraform-docs.yml vendored
View File

@ -40,7 +40,7 @@ jobs:
- name: Create pull request
id: create-pull-request
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
path: terraform-provider-constellation
branch: "feat/docs/update"

4
.github/workflows/test-operator-codegen.yml vendored
View File

@ -26,9 +26,9 @@ jobs:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup Go environment
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version: "1.23.6"
go-version: "1.24.1"
cache: true
- name: Run code generation

2
.github/workflows/test-tidy.yml vendored
View File

@ -37,7 +37,7 @@ jobs:
- name: Assume AWS role to upload Bazel dependencies to S3
if: startsWith(github.head_ref, 'renovate/')
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
aws-region: eu-central-1

2
.github/workflows/test-unittest.yml vendored
View File

@ -49,7 +49,7 @@ jobs:
rm -rf awscliv2.zip aws
- name: Login to AWS (IAM role)
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionGocoverage
aws-region: eu-central-1

4
.github/workflows/update-rpms.yml vendored
View File

@ -18,7 +18,7 @@ jobs:
token: ${{ secrets.CI_COMMIT_PUSH_PR }}
- name: Assume AWS role to upload Bazel dependencies to S3
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
aws-region: eu-central-1
@ -39,7 +39,7 @@ jobs:
fi
- name: Create pull request
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
branch: "image/automated/update-rpms-${{ github.run_number }}"
base: main

6
.github/workflows/versionsapi.yml vendored
View File

@ -149,21 +149,21 @@ jobs:
- name: Login to AWS without write access
if: steps.check-rights.outputs.write == 'false'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
aws-region: eu-central-1
- name: Login to AWS with write access
if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'false'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIWrite
aws-region: eu-central-1
- name: Login to AWS with write and image remove access
if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'true'
uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRemove
aws-region: eu-central-1