diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 97e93fd..8c5cbeb 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -39,8 +39,8 @@ jobs:
 (github.event_name == 'release' && github.event.action == 'published')
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: docker/metadata-action@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
 id: meta
 with:
 images: |
@@ -55,14 +55,14 @@ jobs:
 flavor: |
 latest=${{ github.ref == 'refs/heads/main' }}
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 with:
 platforms: arm64
 - name: Set up Docker Buildx
 timeout-minutes: 5
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Login to GHCR
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -70,7 +70,7 @@ jobs:
 - name: Build and push
 id: image
 timeout-minutes: 20
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
 with:
 context: .
 platforms: linux/amd64,linux/arm64
@@ -81,7 +81,7 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 - name: Install cosign
- uses: sigstore/cosign-installer@v4.1.2
+ uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - name: Sign image with cosign
 env:
 COSIGN_EXPERIMENTAL: 1
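Review bot: Each replaced `uses:` line now carries a commit digest followed by a `# vX.Y.Z` comment, and nothing in the workflow verifies that the comment actually names the tag the digest belongs to; the same pattern appears in the other docker.yaml hunks and in golang.yaml, helm-lint.yaml and helm-publish.yaml. The runner resolves only the 40-hex SHA, so the trailing comment is documentation that Renovate (via `helpers:pinGitHubActionDigests` in this same commit) is expected to keep in sync, and it is worth confirming once at merge time that every digest is the commit its named tag points to, because a wrong pairing would be invisible in later reviews. Moving from floating majors (`@v6`, `@v4`) to exact digests also means patch releases of these actions no longer arrive implicitly but only through Renovate PRs, so a one-line comment above the first pinned step such as `# Actions are pinned to commit digests; Renovate maintains the trailing version comments.` would tell the next maintainer not to hand-edit them.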
@@ -101,21 +101,21 @@ jobs:
 IFS=$'\n' read -ra TAGS <<< "${{ steps.meta.outputs.tags }}"
 echo "tag=${TAGS[0]}" >> $GITHUB_OUTPUT
 - name: Generate SBOM
- uses: anchore/sbom-action@v0
+ uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
 with:
 image: ${{ steps.first-tag.outputs.tag }}
 format: 'cyclonedx-json'
 output-file: 'sbom.cyclonedx.json'
 upload-release-assets: false
 - name: Attest SBOM
- uses: actions/attest-sbom@v4
+ uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0
 with:
 subject-name: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}
 subject-digest: ${{ steps.image.outputs.digest }}
 sbom-path: 'sbom.cyclonedx.json'
 push-to-registry: true
 - name: Attest provenance
- uses: actions/attest-build-provenance@v4
+ uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
 with:
 subject-name: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}
 subject-digest: ${{ steps.image.outputs.digest }}
diff --git a/.github/workflows/golang.yaml b/.github/workflows/golang.yaml
index c889e67..0cb0bce 100644
--- a/.github/workflows/golang.yaml
+++ b/.github/workflows/golang.yaml
@@ -28,7 +28,7 @@ jobs:
 outputs:
 go-version: ${{ steps.get-go-version.outputs.version }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: get-go-version
 id: get-go-version
 run: |
@@ -38,20 +38,20 @@ jobs:
 exit 1
 fi
 echo "version=$GO_VERSION" >> $GITHUB_OUTPUT
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: ${{ steps.get-go-version.outputs.version }}
 - name: lint-license
 run: make lint-no-golangci
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v9
+ uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 test:
 needs: lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-go@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: ${{ needs.lint.outputs.go-version }}
 - name: Build
diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml
index 3e5265e..9650fb4 100644
--- a/.github/workflows/helm-lint.yaml
+++ b/.github/workflows/helm-lint.yaml
@@ -16,7 +16,7 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Lint Helm charts
 run: |
diff --git a/.github/workflows/helm-publish.yaml b/.github/workflows/helm-publish.yaml
index 6cb6aa1..12f7b77 100644
--- a/.github/workflows/helm-publish.yaml
+++ b/.github/workflows/helm-publish.yaml
@@ -29,11 +29,11 @@ jobs:
 (github.event_name == 'release' && github.event.action == 'published')
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: go.mod
@@ -41,10 +41,10 @@ jobs:
 run: make manifests
 - name: Install cosign
- uses: sigstore/cosign-installer@v4.1.2
+ uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - name: Login to GHCR (Docker)
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/renovate.json b/renovate.json
index 01c3113..f951c38 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,11 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": ["config:recommended"],
+ "extends": ["config:recommended", "helpers:pinGitHubActionDigests"],
+ "minimumReleaseAge": "1 day",
+ "osvVulnerabilityAlerts": true,
+ "vulnerabilityAlerts": {
+ "minimumReleaseAge": "0"
+ },
 "nix": {
 "enabled": true
 },
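Review bot: In the renovate.json hunk, `"vulnerabilityAlerts": { "minimumReleaseAge": "0" }` is presumably meant to let security-fix PRs skip the new one-day cooldown, but the form Renovate's documentation shows for that override is `"minimumReleaseAge": null`; confirm the string `"0"` is accepted as a zero duration rather than rejected by config validation before relying on it. The top-level `"minimumReleaseAge": "1 day"` is the part that protects the digest pins added in the workflow hunks — it keeps Renovate from proposing a freshly published action release for a day, which is the window in which a hijacked or re-tagged release is most likely to be noticed and pulled. `osvVulnerabilityAlerts` is documented by Renovate as an experimental option, and since JSON cannot hold a comment, that caveat and the reason for the `"0"` override belong in the commit message or the repository's contributor notes so the next maintainer does not remove them as redundant.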