Merge e6d3905489 into 1c0c7d6227

ci: disable e2e-attestationconfigapi on PRs (#2937 )
This workflow touches shared state by deleting all objects of a bucket and then uploading a signed blob of data to that S3 bucket under a fixed name. It also does so multiple times in a row, while invalidating the cloudfront cache and checking if the uploaded object exists. All runs of this workflow share the same bucket. Since this pipeline runs on any modification of go.mod, it is very prone to race condition between PRs (or PRs and main).
2024-05-08 15:03:06 +02:00 · 2024-05-08 14:59:03 +02:00 · 2024-05-08 14:33:35 +02:00 · 2024-05-08 11:34:31 +02:00 · 2024-05-08 10:34:10 +02:00 · 2024-05-03 14:34:13 +02:00
61 changed files with 269 additions and 224 deletions
--- a/.github/actions/artifact_download/action.yml
+++ b/.github/actions/artifact_download/action.yml
@ -16,11 +16,11 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Install unzip
+    - name: Install 7zip
      uses: ./.github/actions/setup_bazel_nix
      with:
        nixTools: |
-          unzip
+          _7zz

    - name: Create temporary directory
      id: tempdir
@ -28,7 +28,7 @@ runs:
      run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"

    - name: Download the artifact
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
      with:
        name: ${{ inputs.name }}
        path: ${{ steps.tempdir.outputs.directory }}
@ -37,4 +37,4 @@ runs:
      shell: bash
      run: |
        mkdir -p ${{ inputs.path }}
-        unzip -P '${{ inputs.encryptionSecret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip
+        7zz x -p'${{ inputs.encryptionSecret }}' -t7z -o"${{ inputs.path }}" ${{ steps.tempdir.outputs.directory }}/archive.7z
--- a/.github/actions/artifact_upload/action.yml
+++ b/.github/actions/artifact_upload/action.yml
@ -22,13 +22,51 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Install zip
+    - name: Install 7zip
      uses: ./.github/actions/setup_bazel_nix
      with:
        nixTools: |
-          zip
+          _7zz

    - name: Create temporary directory
      id: tempdir
      shell: bash
      run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
+
+    - name: Create archive
+      shell: bash
+      run: |
+        shopt -s extglob
+        paths="${{ inputs.path }}"
+        paths=${paths%$'\n'} # Remove trailing newline
+        # Check if any file matches the given pattern(s).
+        something_exists=false
+        for pattern in ${paths}
+        do
+          if compgen -G "${pattern}" > /dev/null; then
+            something_exists=true
+          fi
+        done
+        # Create an archive if files exist.
+        # Don't create an archive file if no files are found
+        # and warn.
+        if ! ${something_exists}
+        then
+          echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded."
+          exit 0
+        fi
+        for target in ${paths}
+        do
+          pushd "$(dirname "${target}")" || exit 1
+          7zz a -p'${{ inputs.encryptionSecret }}' -t7z -ms=on -mhe=on "${{ steps.tempdir.outputs.directory }}/archive.7z" "$(basename "${target}")"
+          popd || exit 1
+        done
+
+    - name: Upload archive as artifact
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ steps.tempdir.outputs.directory }}/archive.7z
+        retention-days: ${{ inputs.retention-days }}
+        if-no-files-found: ignore
+        overwrite: ${{ inputs.overwrite }}
--- a/.github/actions/build_cli/action.yml
+++ b/.github/actions/build_cli/action.yml
@ -79,7 +79,7 @@ runs:
    # once it has the functionality
    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

    - name: Install Rekor
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
--- a/.github/actions/build_micro_service/action.yml
+++ b/.github/actions/build_micro_service/action.yml
@ -62,7 +62,7 @@ runs:

    - name: Build and push container image
      id: build-micro-service
-      uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+      uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
      with:
        context: .
        file: ${{ inputs.dockerfile }}
--- a/.github/actions/container_registry_login/action.yml
+++ b/.github/actions/container_registry_login/action.yml
@ -17,7 +17,7 @@ runs:
  steps:
    - name: Use docker for logging in
      if: runner.os != 'macOS'
-      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
      with:
        registry: ${{ inputs.registry }}
        username: ${{ inputs.username }}
--- a/.github/actions/container_sbom/action.yml
+++ b/.github/actions/container_sbom/action.yml
@ -19,7 +19,7 @@ runs:
  steps:
    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

    - name: Download Syft & Grype
      uses: ./.github/actions/install_syft_grype
--- a/.github/actions/deploy_logcollection/action.yml
+++ b/.github/actions/deploy_logcollection/action.yml
@ -67,7 +67,7 @@ runs:
    # Make sure that helm is installed
    # This is not always the case, e.g. on MacOS runners
    - name: Install Helm
-      uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f # v4.0.0
+      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
      with:
        version: v3.9.0

--- a/.github/actions/download_release_binaries/action.yml
+++ b/.github/actions/download_release_binaries/action.yml
@ -5,51 +5,51 @@ runs:
  using: "composite"
  steps:
    - name: Download CLI binaries darwin-amd64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
      with:
        name: constellation-darwin-amd64

    - name: Download CLI binaries darwin-arm64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
      with:
        name: constellation-darwin-arm64

    - name: Download CLI binaries linux-amd64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
      with:
        name: constellation-linux-amd64

    - name: Download CLI binaries linux-arm64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
      with:
        name: constellation-linux-arm64

    - name: Download CLI binaries windows-amd64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
      with:
        name: constellation-windows-amd64

    - name: Download Terraform module
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
      with:
        name: terraform-module

    - name: Download Terraform provider binary darwin-amd64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
      with:
        name: terraform-provider-constellation-darwin-amd64

    - name: Download Terraform provider binary darwin-arm64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
      with:
        name: terraform-provider-constellation-darwin-arm64

    - name: Download Terraform provider binary linux-amd64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
      with:
        name: terraform-provider-constellation-linux-amd64

    - name: Download Terraform provider binary linux-arm64
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
      with:
        name: terraform-provider-constellation-linux-arm64
--- a/.github/actions/e2e_benchmark/action.yml
+++ b/.github/actions/e2e_benchmark/action.yml
@ -33,7 +33,7 @@ runs:

  steps:
    - name: Setup python
-      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+      uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
      with:
        python-version: "3.10"

@ -49,7 +49,7 @@ runs:
        install kubestr /usr/local/bin

    - name: Checkout k8s-bench-suite
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      with:
        fetch-depth: 0
        repository: "edgelesssys/k8s-bench-suite"
--- a/.github/actions/e2e_cleanup_timeframe/action.yml
+++ b/.github/actions/e2e_cleanup_timeframe/action.yml
@ -31,11 +31,11 @@ runs:
      with:
        service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com"

-    - name: Install unzip
+    - name: Install 7zip
      uses: ./.github/actions/setup_bazel_nix
      with:
        nixTools: |
-          unzip
+          _7zz
    - name: Run cleanup
      run: ./.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh
      shell: bash
--- a/.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh
+++ b/.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh
@ -3,7 +3,7 @@
 # get_e2e_test_ids_on_date gets all workflow IDs of workflows that contain "e2e" on a specific date.
 function get_e2e_test_ids_on_date {
  ids="$(gh run list --created "$1" --status failure --json createdAt,workflowName,databaseId --jq '.[] | select(.workflowName | contains("e2e") and (contains("MiniConstellation") | not)) | .databaseId' -L1000 -R edgelesssys/constellation || exit 1)"
-  echo "$ids"
+  echo "${ids}"
 }

 # download_tfstate_artifact downloads all artifacts matching the pattern terraform-state-* from a given workflow ID.
@ -13,7 +13,7 @@ function download_tfstate_artifact {

 # delete_resources runs terraform destroy on the constellation-terraform subfolder of a given folder.
 function delete_resources {
-  if [ -d "$1/constellation-terraform" ]; then
+  if [[ -d "$1/constellation-terraform" ]]; then
    cd "$1/constellation-terraform" || exit 1
    terraform init > /dev/null || exit 1 # first, install plugins
    terraform destroy -auto-approve || exit 1
@ -23,7 +23,7 @@ function delete_resources {

 # delete_iam_config runs terraform destroy on the constellation-iam-terraform subfolder of a given folder.
 function delete_iam_config {
-  if [ -d "$1/constellation-iam-terraform" ]; then
+  if [[ -d "$1/constellation-iam-terraform" ]]; then
    cd "$1/constellation-iam-terraform" || exit 1
    terraform init > /dev/null || exit 1 # first, install plugins
    terraform destroy -auto-approve || exit 1
@ -32,12 +32,12 @@ function delete_iam_config {
 }

 # check if the password for artifact decryption was given
-if [[ -z $ENCRYPTION_SECRET ]]; then
+if [[ -z ${ENCRYPTION_SECRET} ]]; then
  echo "ENCRYPTION_SECRET is not set. Please set an environment variable with that secret."
  exit 1
 fi

-artifact_pwd=$ENCRYPTION_SECRET
+artifact_pwd=${ENCRYPTION_SECRET}

 shopt -s nullglob

@ -46,9 +46,9 @@ end_date=$(date --date "-7 day" "+%Y-%m-%d")
 dates_to_clean=()

 # get all dates of the last week
-while [[ $end_date != "$start_date" ]]; do
-  dates_to_clean+=("$end_date")
-  end_date=$(date --date "$end_date +1 day" "+%Y-%m-%d")
+while [[ ${end_date} != "${start_date}" ]]; do
+  dates_to_clean+=("${end_date}")
+  end_date=$(date --date "${end_date} +1 day" "+%Y-%m-%d")
 done

 echo "[*] retrieving run IDs for cleanup"
@ -65,33 +65,33 @@ mapfile -td " " database_ids < <(echo "${database_ids[@]}")

 echo "[*] downloading terraform state artifacts"
 for id in "${database_ids[@]}"; do
-  if [[ $id == *[^[:space:]]* ]]; then
-    echo "    downloading from workflow $id"
-    download_tfstate_artifact "$id"
+  if [[ ${id} == *[^[:space:]]* ]]; then
+    echo "    downloading from workflow ${id}"
+    download_tfstate_artifact "${id}"
  fi
 done

 echo "[*] extracting artifacts"
 for directory in ./terraform-state-*; do
-  echo "    extracting $directory"
+  echo "    extracting ${directory}"

  # extract and decrypt the artifact
-  unzip -d "${directory}" -P "$artifact_pwd" "$directory/archive.zip" > /dev/null || exit 1
+  7zz x -t7z -p"${artifact_pwd}" -o"${directory}" "${directory}/archive.7z" > /dev/null || exit 1
 done

 # create terraform caching directory
-mkdir "$HOME/tf_plugin_cache"
-export TF_PLUGIN_CACHE_DIR="$HOME/tf_plugin_cache"
-echo "[*] created terraform cache directory $TF_PLUGIN_CACHE_DIR"
+mkdir "${HOME}/tf_plugin_cache"
+export TF_PLUGIN_CACHE_DIR="${HOME}/tf_plugin_cache"
+echo "[*] created terraform cache directory ${TF_PLUGIN_CACHE_DIR}"

 echo "[*] deleting resources"
 for directory in ./terraform-state-*; do
-  echo "    deleting resources in $directory"
-  delete_resources "$directory"
-  echo "    deleting IAM configuration in $directory"
-  delete_iam_config "$directory"
-  echo "    deleting directory $directory"
-  rm -rf "$directory"
+  echo "    deleting resources in ${directory}"
+  delete_resources "${directory}"
+  echo "    deleting IAM configuration in ${directory}"
+  delete_iam_config "${directory}"
+  echo "    deleting directory ${directory}"
+  rm -rf "${directory}"
 done

 exit 0
--- a/.github/actions/e2e_mini/action.yml
+++ b/.github/actions/e2e_mini/action.yml
@ -25,7 +25,7 @@ runs:
  using: "composite"
  steps:
    - name: Install terraform
-      uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
+      uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
      with:
        terraform_wrapper: false

--- a/.github/actions/e2e_sonobuoy/action.yml
+++ b/.github/actions/e2e_sonobuoy/action.yml
@ -64,7 +64,7 @@ runs:

    - name: Publish test results
      if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
-      uses: mikepenz/action-junit-report@5f47764eec0e1c1f19f40c8e60a5ba47e47015c5 # v4.1.0
+      uses: mikepenz/action-junit-report@9379f0ccddcab154835d4e2487555ee79614fe95 # v4.2.1
      with:
        report_paths: "**/junit_01.xml"
        fail_on_failure: true
--- a/.github/actions/find_latest_image/action.yml
+++ b/.github/actions/find_latest_image/action.yml
@ -26,13 +26,13 @@ runs:
  steps:
    - name: Checkout head
      if: inputs.imageVersion == '' && inputs.git-ref == 'head'
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      with:
        ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

    - name: Checkout ref
      if: inputs.imageVersion == '' && inputs.git-ref != 'head'
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      with:
        ref: ${{ inputs.git-ref }}

--- a/.github/actions/login_gcp/action.yml
+++ b/.github/actions/login_gcp/action.yml
@ -20,7 +20,7 @@ runs:
        echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"

    - name: Authorize GCP access
-      uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
+      uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2
      with:
        workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
        service_account: ${{ inputs.service_account }}
--- a/.github/actions/publish_helmchart/action.yml
+++ b/.github/actions/publish_helmchart/action.yml
@ -13,7 +13,7 @@ runs:
  using: "composite"
  steps:
    - name: Checkout
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      with:
        repository: edgelesssys/helm
        ref: main
@ -29,7 +29,7 @@ runs:
        echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT

    - name: Create pull request
-      uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+      uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
      with:
        path: helm
        branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"
--- a/.github/actions/update_tfstate/action.yml
+++ b/.github/actions/update_tfstate/action.yml
@ -1,5 +1,5 @@
 name: Update TFState
-description: "Update the terraform state artifact."
+description: "Update the terraform state artifact. We use this to either delete an artifact if the e2e test was cleaned up successfully or to update the artifact with the latest terraform state."

 inputs:
  name:
@ -11,33 +11,29 @@ inputs:
  encryptionSecret:
    description: "The encryption secret for the artifacts."
    required: true
-  skipDeletion:
-    description: "Don't try to delete the artifact before updating. You should only use this if you know that no artifact exists."
-    default: "false"
-    required: false

 runs:
  using: "composite"
  steps:
-    - name: Check if tfstate should be deleted
-      if: always() && inputs.skipDeletion == 'false'
+    - name: Check if uploaded tfstate can be deleted
+      if: always()
      shell: bash
      run: |
-        if [[ -d constellation-terraform ]] || [[ -d constellation-iam-terraform ]]; then
+        if [[ ! -d constellation-terraform ]] && [[ ! -d constellation-iam-terraform ]]; then
          echo "DELETE_TF_STATE=true" >> "$GITHUB_ENV"
        else
          echo "DELETE_TF_STATE=false" >> "$GITHUB_ENV"
        fi

    - name: Delete tfstate artifact if necessary
-      if: always() && env.DELETE_TF_STATE == 'true' && inputs.skipDeletion == 'false'
+      if: always() && env.DELETE_TF_STATE == 'true'
      uses: ./.github/actions/artifact_delete
      with:
        name: ${{ inputs.name }}
        workflowID: ${{ inputs.runID }}

-    - name: Prepare terraform state folders
-      if: always()
+    - name: Prepare left over terraform state folders
+      if: always() && env.DELETE_TF_STATE == 'false'
      shell: bash
      run: |
        rm -rf to-zip/*
--- a/.github/actions/upload_terraform_module/action.yml
+++ b/.github/actions/upload_terraform_module/action.yml
@ -15,7 +15,7 @@ runs:
        zip -r terraform-module.zip terraform-module

    - name: Upload artifact
-      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
      with:
        name: terraform-module
        path: terraform-module.zip
--- a/.github/actions/versionsapi/Dockerfile
+++ b/.github/actions/versionsapi/Dockerfile
@ -1,4 +1,4 @@
-FROM golang:1.22.2@sha256:c4fb952e712efd8f787bcd8e53fd66d1d83b7dc26adabc218e9eac1dbf776bdf as builder
+FROM golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 as builder

 # Download project root dependencies
 WORKDIR /workspace
--- a/.github/workflows/assign_reviewer.yml
+++ b/.github/workflows/assign_reviewer.yml
@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event.label.name == 'dependencies'}}
    steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
    - name: Pick assignee
      id: pick-assignee
      uses: ./.github/actions/pick_assignee
--- a/.github/workflows/aws-snp-launchmeasurement.yml
+++ b/.github/workflows/aws-snp-launchmeasurement.yml
@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Checkout repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      with:
        ref: ${{ github.head_ref }}
        path: constellation
@ -27,7 +27,7 @@ jobs:

    - name: Download Firmware release
      id: download-firmware
-      uses: robinraju/release-downloader@368754b9c6f47c345fcfbf42bcb577c2f0f5f395 # v1.9
+      uses: robinraju/release-downloader@c39a3b234af58f0cf85888573d361fb6fa281534 # v1.10
      with:
        repository: aws/uefi
        latest: true
@ -50,7 +50,7 @@ jobs:
        echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
        popd || exit 1

-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      with:
        repository: virtee/sev-snp-measure-go.git
        ref: e42b6f8991ed5a671d5d1e02a6b61f6373f9f8d8
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@ -22,7 +22,7 @@ jobs:
    runs-on: [arc-runner-set]
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/build-ccm-gcp.yml
+++ b/.github/workflows/build-ccm-gcp.yml
@ -19,19 +19,19 @@ jobs:
      latest: ${{ steps.find-latest.outputs.latest }}
    steps:
      - name: Checkout Constellation
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

      - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          repository: "kubernetes/cloud-provider-gcp"
          path: "cloud-provider-gcp"
          fetch-depth: 0

      - name: Setup Go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: "1.22.2"
+          go-version: "1.22.3"
          cache: false

      - name: Install Crane
@ -65,10 +65,10 @@ jobs:
        version: ${{ fromJson(needs.find-ccm-versions.outputs.versions) }}
    steps:
      - name: Checkout Constellation
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

      - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          repository: "kubernetes/cloud-provider-gcp"
          path: "cloud-provider-gcp"
@ -113,7 +113,7 @@ jobs:

      - name: Build and push container image
        id: build
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
        with:
          context: ./cloud-provider-gcp
          push: ${{ github.ref_name == 'main' }}
--- a/.github/workflows/build-gcp-guest-agent.yml
+++ b/.github/workflows/build-gcp-guest-agent.yml
@ -69,7 +69,7 @@ jobs:

      - name: Checkout GoogleCloudPlatform/guest-agent
        if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          repository: "GoogleCloudPlatform/guest-agent"
          ref: refs/tags/${{ steps.latest-release.outputs.latest }}
@ -77,7 +77,7 @@ jobs:

      - name: Checkout Constellation
        if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          path: "constellation"
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -114,7 +114,7 @@ jobs:
      - name: Build and push container image
        if: steps.needs-build.outputs.out == 'true'
        id: build
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
        with:
          context: ./guest-agent
          file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile
--- a/.github/workflows/build-libvirt-container.yml
+++ b/.github/workflows/build-libvirt-container.yml
@ -19,7 +19,7 @@ jobs:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

      - name: Setup bazel
        uses: ./.github/actions/setup_bazel_nix
--- a/.github/workflows/build-logcollector-images.yml
+++ b/.github/workflows/build-logcollector-images.yml
@ -20,7 +20,7 @@ jobs:
    steps:
      - name: Check out repository
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/build-os-image-scheduled.yml
+++ b/.github/workflows/build-os-image-scheduled.yml
@ -62,14 +62,14 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ github.head_ref }}

      - name: Setup Go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: "1.22.2"
+          go-version: "1.22.3"
          cache: false

      - name: Determine version
@ -99,7 +99,7 @@ jobs:
        run: rm -f internal/attestation/measurements/measurement-generator/generate

      - name: Create pull request
-        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
        with:
          branch: "image/automated/update-measurements-${{ github.run_number }}"
          base: main
@ -121,7 +121,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ github.head_ref }}

--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@ -59,7 +59,7 @@ jobs:
      cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -138,7 +138,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.ref || github.head_ref }}

--- a/.github/workflows/build-versionsapi-ci-image.yml
+++ b/.github/workflows/build-versionsapi-ci-image.yml
@ -20,7 +20,7 @@ jobs:
    steps:
      - name: Check out repository
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/check-links.yml
+++ b/.github/workflows/check-links.yml
@ -20,12 +20,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Link Checker
-        uses: lycheeverse/lychee-action@c053181aa0c3d17606addfe97a9075a32723548a # v1.9.3
+        uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0
        with:
          args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
          fail: true
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -34,17 +34,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

      - name: Setup Go environment
        if: matrix.language == 'go'
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: "1.22.2"
+          go-version: "1.22.3"
          cache: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@cf7e9f23492505046de9a37830c3711dd0f25bb3 # v2.16.2
+        uses: github/codeql-action/init@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3
        with:
          languages: ${{ matrix.language }}

@ -63,6 +63,6 @@ jobs:
          echo "::endgroup::"

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@cf7e9f23492505046de9a37830c3711dd0f25bb3 # v2.16.2
+        uses: github/codeql-action/analyze@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3
        with:
          category: "/language:${{ matrix.language }}"
--- a/.github/workflows/docs-vale.yml
+++ b/.github/workflows/docs-vale.yml
@ -16,12 +16,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Vale
-        uses: errata-ai/vale-action@3f7188c866bcb3259339a09f517d7c4a8838303c # tag=reviewdog
+        uses: errata-ai/vale-action@38bf078c328061f59879b347ca344a718a736018 # tag=reviewdog
        with:
          files: docs/docs
          fail_on_error: true
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@ -72,7 +72,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -92,7 +92,7 @@ jobs:
          cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Upload CLI as artifact (unix)
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        if : ${{ matrix.os != 'windows' }}
        with:
          name: constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -101,7 +101,7 @@ jobs:
            build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig

      - name: Upload CLI as artifact (windows)
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        if : ${{ matrix.os == 'windows' }}
        with:
          name: constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -133,7 +133,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -149,7 +149,7 @@ jobs:
          targetArch: ${{ matrix.arch }}

      - name: Upload Terraform Provider Binary as artifact (unix)
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        if : ${{ matrix.os != 'windows' }}
        with:
          name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -157,7 +157,7 @@ jobs:
            build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}

      - name: Upload Terraform Provider Binary as artifact (windows)
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        if : ${{ matrix.os == 'windows' }}
        with:
          name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
@ -169,7 +169,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -187,7 +187,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -219,7 +219,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -227,7 +227,7 @@ jobs:
        uses: ./.github/actions/download_release_binaries

      - name: Download CLI SBOM
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: constellation.spdx.sbom

@ -256,12 +256,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Install Cosign
-        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Download Syft & Grype
        uses: ./.github/actions/install_syft_grype
@ -296,13 +296,13 @@ jobs:
          COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Upload Constellation CLI SBOM
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: constellation.spdx.sbom
          path: constellation.spdx.sbom

      - name: Upload Constellation CLI SBOM's signature
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: constellation.spdx.sbom.sig
          path: constellation.spdx.sbom.sig
@ -332,7 +332,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -340,7 +340,7 @@ jobs:
        uses: ./.github/actions/download_release_binaries

      - name: Download CLI SBOM
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: constellation.spdx.sbom

@ -407,7 +407,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -420,12 +420,12 @@ jobs:
        uses: ./.github/actions/download_release_binaries

      - name: Download CLI SBOM
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: constellation.spdx.sbom

      - name: Download Constellation CLI SBOM's signature
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: constellation.spdx.sbom.sig

--- a/.github/workflows/e2e-attestationconfigapi.yml
+++ b/.github/workflows/e2e-attestationconfigapi.yml
@ -10,11 +10,6 @@ on:
      - "internal/api/**"
      - ".github/workflows/e2e-attestationconfigapi.yml"
      - "go.mod"
-  pull_request:
-    paths:
-      - "internal/api/**"
-      - ".github/workflows/e2e-attestationconfigapi.yml"
-      - "go.mod"

 jobs:
  e2e-api:
@ -31,7 +26,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          # Don't trigger in forks, use head on pull requests, use default otherwise.
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || github.event.pull_request.head.sha || '' }}
--- a/.github/workflows/e2e-cleanup-weekly.yml
+++ b/.github/workflows/e2e-cleanup-weekly.yml
@ -14,7 +14,7 @@ jobs:
      id-token: write
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

      - name: Cleanup
        uses: ./.github/actions/e2e_cleanup_timeframe
--- a/.github/workflows/e2e-mini.yml
+++ b/.github/workflows/e2e-mini.yml
@ -29,7 +29,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}

--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@ -21,7 +21,7 @@ jobs:
      image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -65,7 +65,7 @@ jobs:
    needs: [find-latest-image]
    steps:
      - name: Check out repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -165,7 +165,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/e2e-test-release.yml
+++ b/.github/workflows/e2e-test-release.yml
@ -311,7 +311,7 @@ jobs:
        run: brew install coreutils kubectl bash

      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref || github.head_ref }}
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@ -22,7 +22,7 @@ jobs:
      image-main-nightly: ${{ steps.relabel-output.outputs.image-main-nightly }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -313,7 +313,7 @@ jobs:
    needs: [find-latest-image]
    steps:
      - name: Check out repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -438,7 +438,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@ -174,13 +174,13 @@ jobs:
    steps:
      - name: Checkout head
        if: inputs.git-ref == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.git-ref != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.git-ref }}

@ -211,13 +211,13 @@ jobs:

      - name: Checkout head
        if: inputs.git-ref == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.git-ref != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ inputs.git-ref }}

--- a/.github/workflows/e2e-upgrade.yml
+++ b/.github/workflows/e2e-upgrade.yml
@ -135,14 +135,14 @@ jobs:
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}
@ -173,7 +173,7 @@ jobs:
          push: true

      - name: Upload CLI binary
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: constellation-upgrade-${{ inputs.attestationVariant }}
          path: build/constellation
@ -193,14 +193,14 @@ jobs:
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}
@ -281,14 +281,14 @@ jobs:
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}
@ -336,7 +336,7 @@ jobs:
          azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}

      - name: Download CLI
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: constellation-upgrade-${{ inputs.attestationVariant }}
          path: build
@ -448,20 +448,20 @@ jobs:
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}

      - name: Download CLI
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: constellation-upgrade-${{ inputs.attestationVariant }}
          path: build
--- a/.github/workflows/e2e-windows.yml
+++ b/.github/workflows/e2e-windows.yml
@ -21,7 +21,7 @@ jobs:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -48,7 +48,7 @@ jobs:
          push: true

      - name: Upload CLI artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          path: build/constellation.exe
          name: "constell-exe"
@ -59,12 +59,12 @@ jobs:
    needs: build-cli
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Download CLI artifact
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: "constell-exe"

@ -189,7 +189,7 @@ jobs:
      inputs.scheduled
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/on-release.yml
+++ b/.github/workflows/on-release.yml
@ -26,7 +26,7 @@ jobs:
      WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          fetch-depth: 0 # fetch all history

@ -49,7 +49,7 @@ jobs:
      latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

      - name: Override latest
        if: github.event.inputs.latest == 'true'
@ -123,7 +123,7 @@ jobs:
      contents: write
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

      - name: Remove temporary branch
        run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
@ -137,7 +137,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

      - uses: ./.github/actions/setup_bazel_nix
        with:
--- a/.github/workflows/purge-main.yml
+++ b/.github/workflows/purge-main.yml
@ -18,7 +18,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ github.head_ref }}

--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -33,7 +33,7 @@ jobs:
      RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
      WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

      - name: Working branch
        run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
@ -85,7 +85,7 @@ jobs:
      MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
      BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: main

@ -96,7 +96,7 @@ jobs:
          npm run docusaurus docs:version "${MAJOR_MINOR}"

      - name: Create docs pull request
-        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
        with:
          branch: ${{ env.BRANCH }}
          base: main
@ -123,7 +123,7 @@ jobs:
      WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

@ -161,7 +161,7 @@ jobs:
      WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

@ -226,14 +226,14 @@ jobs:
      WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

      - name: Setup Go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: "1.22.2"
+          go-version: "1.22.3"
          cache: true

      - name: Build generateMeasurements tool
--- a/.github/workflows/reproducible-builds.yml
+++ b/.github/workflows/reproducible-builds.yml
@ -31,7 +31,7 @@ jobs:
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -60,13 +60,13 @@ jobs:
        run: shasum -a 256 "${binary}" | tee "${binary}.sha256"

      - name: Upload binary artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: "binaries-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}"

      - name: Upload hash artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}.sha256"
@ -87,7 +87,7 @@ jobs:
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -116,13 +116,13 @@ jobs:
        run: shasum -a 256 "${binary}" | tee "${binary}.sha256"

      - name: Upload binary artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}"

      - name: Upload hash artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}.sha256"
@ -145,7 +145,7 @@ jobs:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Download binaries
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          pattern: "binaries-${{ matrix.target }}-*"
          merge-multiple: true
@ -179,7 +179,7 @@ jobs:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Download os images
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          pattern: "osimages-${{ matrix.target }}-*"
          merge-multiple: true
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -18,7 +18,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          persist-credentials: false

@ -30,13 +30,13 @@ jobs:
          publish_results: true

      - name: Upload artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@cf7e9f23492505046de9a37830c3711dd0f25bb3 # v2.16.2
+        uses: github/codeql-action/upload-sarif@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3
        with:
          sarif_file: results.sarif
--- a/.github/workflows/sync-terraform-docs.yml
+++ b/.github/workflows/sync-terraform-docs.yml
@ -18,14 +18,14 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout constellation repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          fetch-depth: 0
          path: constellation

      - name: Checkout terraform-provider-constellation repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          repository: edgelesssys/terraform-provider-constellation
          ref: main
@ -40,7 +40,7 @@ jobs:

      - name: Create pull request
        id: create-pull-request
-        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
        with:
          path: terraform-provider-constellation
          branch: "feat/docs/update"
--- a/.github/workflows/test-integration.yml
+++ b/.github/workflows/test-integration.yml
@ -25,7 +25,7 @@ jobs:
      CTEST_OUTPUT_ON_FAILURE: True
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/test-operator-codegen.yml
+++ b/.github/workflows/test-operator-codegen.yml
@ -21,14 +21,14 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Setup Go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: "1.22.2"
+          go-version: "1.22.3"
          cache: true

      - name: Run code generation
--- a/.github/workflows/test-tfsec.yml
+++ b/.github/workflows/test-tfsec.yml
@ -23,7 +23,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/test-tidy.yml
+++ b/.github/workflows/test-tidy.yml
@ -17,7 +17,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          # No token available for forks, so we can't push changes
--- a/.github/workflows/test-unittest.yml
+++ b/.github/workflows/test-unittest.yml
@ -30,7 +30,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          fetch-depth: 0
--- a/.github/workflows/update-rpms.yml
+++ b/.github/workflows/update-rpms.yml
@ -13,7 +13,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

      - name: Assume AWS role to upload Bazel dependencies to S3
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
@ -40,7 +40,7 @@ jobs:
          fi

      - name: Create pull request
-        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
        with:
          branch: "image/automated/update-rpms-${{ github.run_number }}"
          base: main
--- a/.github/workflows/versionsapi.yml
+++ b/.github/workflows/versionsapi.yml
@ -115,7 +115,7 @@ jobs:
    steps:
      - name: Check out repository
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/3rdparty/gcp-guest-agent/Dockerfile
+++ b/3rdparty/gcp-guest-agent/Dockerfile
@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -y \
    git

 # Install Go
-ARG GO_VER=1.22.2
+ARG GO_VER=1.22.3
 RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
    tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
    rm go${GO_VER}.linux-amd64.tar.gz
--- a/WORKSPACE.bazel
+++ b/WORKSPACE.bazel
@ -170,7 +170,7 @@ load("@io_bazel_rules_go//go:deps.bzl", "go_download_sdk", "go_register_toolchai
 go_download_sdk(
    name = "go_sdk",
    patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"],
-    version = "1.22.2",
+    version = "1.22.3",
 )

 go_rules_dependencies()
--- a/dev-docs/workflows/bump-go-version.md
+++ b/dev-docs/workflows/bump-go-version.md
@ -1,4 +1,5 @@
 # Bump Go version
+
 `govulncheck` from the bazel `check` target will fail if our code is vulnerable, which is often the case when a patch version was released with security fixes.

 ## Steps
@ -6,5 +7,13 @@
 Replace "1.xx.x" with the new version in [WORKSPACE.bazel](/WORKSPACE.bazel):

 ```starlark
-go_register_toolchains(version = "1.xx.x")
+load("@io_bazel_rules_go//go:deps.bzl", "go_download_sdk", "go_register_toolchains", "go_rules_dependencies")
+
+go_download_sdk(
+    name = "go_sdk",
+    patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"],
+    version = "1.xx.x", <--- Replace this one
+              ~~~~~~~~
+)
+
 ```
--- a/go.work
+++ b/go.work
@ -1,6 +1,6 @@
-go 1.22.2
+go 1.22.3

-toolchain go1.22.2
+toolchain go1.22.3

 use (
 	.
--- a/internal/constellation/helm/overrides.go
+++ b/internal/constellation/helm/overrides.go
@ -33,14 +33,6 @@ import (
 // Also, the charts are not rendered correctly without all of these values.
 func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, output state.Infrastructure) map[string]any {
 	extraVals := map[string]any{}
-	if conformanceMode {
-		extraVals["kubeProxyReplacementHealthzBindAddr"] = ""
-		extraVals["kubeProxyReplacement"] = "partial"
-		extraVals["sessionAffinity"] = true
-		extraVals["cni"] = map[string]any{
-			"chainingMode": "portmap",
-		}
-	}

 	strictMode := map[string]any{}
 	// TODO(@3u13r): Once we are able to set the subnet of the load balancer VMs
@ -75,6 +67,21 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
 		},
 	}

+	if conformanceMode {
+		extraVals["kubeProxyReplacementHealthzBindAddr"] = ""
+		extraVals["kubeProxyReplacement"] = "false"
+		extraVals["sessionAffinity"] = true
+		extraVals["cni"] = map[string]any{
+			"chainingMode": "portmap",
+		}
+		extraVals["ipMasqAgent"] = map[string]any{
+			"enabled": false,
+		}
+		extraVals["bpf"] = map[string]any{
+			"masquerade": false,
+		}
+	}
+
 	return extraVals
 }

--- a/renovate.json5
+++ b/renovate.json5
@ -42,44 +42,44 @@
      "prPriority": -30,
    },
    {
-      "matchPackagePatterns": ["^k8s.io", "^sigs.k8s.io"],
+      "matchDepPatterns": ["^k8s.io", "^sigs.k8s.io"],
      "groupName": "K8s dependencies",
    },
    {
-      "matchPackagePatterns": ["^go.etcd.io/etcd"],
+      "matchDepPatterns": ["^go.etcd.io/etcd"],
      "groupName": "etcd dependencies",
    },
    {
-      "matchPackagePatterns": ["^github.com/hashicorp/go-kms-wrapping"],
+      "matchDepPatterns": ["^github.com/hashicorp/go-kms-wrapping"],
      "groupName": "github.com/hashicorp/go-kms-wrapping",
    },
    {
-      "matchPackagePatterns": ["^github.com/aws/aws-sdk-go-v2"],
+      "matchDepPatterns": ["^github.com/aws/aws-sdk-go-v2"],
      "groupName": "AWS SDK",
      "prPriority": -10,
    },
    {
-      "matchPackagePatterns": [
+      "matchDepPatterns": [
        "^github.com/Azure/",
        "^github.com/AzureAD/microsoft-authentication-library-for-go",
      ],
      "groupName": "Azure SDK",
    },
    {
-      "matchPackagePatterns": ["^cloud.google.com/go"],
+      "matchDepPatterns": ["^cloud.google.com/go"],
      "groupName": "Google SDK",
    },
    {
-      "matchPackagePatterns": ["^google.golang.org/genproto"],
+      "matchDepPatterns": ["^google.golang.org/genproto"],
      "prPriority": -10,
    },
    {
-      "matchPackagePatterns": ["^libvirt.org/go"],
+      "matchDepPatterns": ["^libvirt.org/go"],
      "groupName": "libvirt.org/go",
    },
    {
      "matchManagers": ["bazelisk", "bazel", "bazel-module"],
-      "matchPackageNames": ["bazel", "io_bazel_rules_go", "bazel_gazelle"],
+      "matchDepNames": ["bazel", "io_bazel_rules_go", "bazel_gazelle"],
      "groupName": "bazel (core)",
    },
    {
@ -105,14 +105,14 @@
      ],
    },
    {
-      "matchPackageNames": ["kubernetes/kubernetes"],
+      "matchDepNames": ["kubernetes/kubernetes"],
      // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch)
      "versioning": "regex:^(?<compatibility>v?\\d+\\.\\d+\\.)(?<patch>\\d+)$",
      "groupName": "Kubernetes versions",
      "prPriority": 15,
    },
    {
-      "matchPackageNames": [
+      "matchDepNames": [
        "registry.k8s.io/provider-aws/cloud-controller-manager",
      ],
      // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch)
@ -121,7 +121,7 @@
      "prPriority": 15,
    },
    {
-      "matchPackageNames": [
+      "matchDepNames": [
        "mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager",
        "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager",
      ],
@ -131,7 +131,7 @@
      "prPriority": 15,
    },
    {
-      "matchPackageNames": [
+      "matchDepNames": [
        "docker.io/k8scloudprovider/openstack-cloud-controller-manager",
      ],
      // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch)
@ -140,14 +140,14 @@
      "prPriority": 15,
    },
    {
-      "matchPackageNames": ["registry.k8s.io/autoscaling/cluster-autoscaler"],
+      "matchDepNames": ["registry.k8s.io/autoscaling/cluster-autoscaler"],
      // example match: v1.2.3 (1.2 -> compatibility, 3 -> patch)
      "versioning": "regex:^(?<compatibility>v?\\d+\\.\\d+\\.)(?<patch>\\d+)$",
      "groupName": "K8s constrained GCP versions",
      "prPriority": 15,
    },
    {
-      "matchPackageNames": ["ghcr.io/edgelesssys/cloud-provider-gcp"],
+      "matchDepNames": ["ghcr.io/edgelesssys/cloud-provider-gcp"],
      // example match: v1.2.3 (1. -> compatibility, 2 -> minor, 3 -> patch)
      "versioning": "regex:^(?<compatibility>v\\d+\\.)(?<minor>\\d+)\\.(?<patch>\\d+)$",
      "groupName": "cloud-provider-gcp (K8s version constrained)",
@ -166,7 +166,7 @@
      "prPriority": 20,
    },
    {
-      "matchPackageNames": [
+      "matchDepNames": [
        "registry.k8s.io/kas-network-proxy/proxy-agent",
        "registry.k8s.io/kas-network-proxy/proxy-server",
      ],
@ -175,7 +175,7 @@
      "prPriority": 15,
    },
    {
-      "matchPackageNames": ["^k8s.io/client-go"],
+      "matchDepNames": ["^k8s.io/client-go"],
      "matchUpdateTypes": ["major"],
      "enabled": false,
    },
@ -185,11 +185,11 @@
    },
    {
      "matchManagers": ["github-actions"],
-      "matchPackageNames": ["slsa-framework/slsa-github-generator"],
+      "matchDepNames": ["slsa-framework/slsa-github-generator"],
      "pinDigests": false,
    },
    {
-      "matchPackagePatterns": ["_(darwin|linux)_(arm64|amd64)$"],
+      "matchDepPatterns": ["_(darwin|linux)_(arm64|amd64)$"],
      "additionalBranchPrefix": "{{packageName}}-",
      "groupName": "{{packageName}}",
    },
Author	SHA1	Message	Date
3u13r	e4ae82b766	Merge `e6d3905489` into `1c0c7d6227`	2024-05-08 15:03:06 +02:00
Malte Poll	1c0c7d6227	ci: disable e2e-attestationconfigapi on PRs (#2937 ) This workflow touches shared state by deleting all objects of a bucket and then uploading a signed blob of data to that S3 bucket under a fixed name. It also does so multiple times in a row, while invalidating the cloudfront cache and checking if the uploaded object exists. All runs of this workflow share the same bucket. Since this pipeline runs on any modification of go.mod, it is very prone to race condition between PRs (or PRs and main).	2024-05-08 14:59:03 +02:00
renovate[bot]	adf03ad76c	deps: update GitHub action dependencies (#3070 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2024-05-08 14:33:35 +02:00
Daniel Weiße	86c45d1d5f	deps: update to Go 1.22.3 (#3069 ) * Update renovate syntax * Update to Go 1.22.3 --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>	2024-05-08 11:34:31 +02:00
Daniel Weiße	a15cf54477	ci: use 7zip for creating archives (#3068 ) * Use 7zip for creating and processing encrypted archives * Switch to .7z file extension * Fix shell check issues * Fix tfstate update logic --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>	2024-05-08 10:34:10 +02:00
Leonard Cohnen	e6d3905489	helm: disable cilium ipmasq agent when in conformance mode	2024-05-03 14:34:13 +02:00