diff --git a/.github/workflows/_build-cached.yml b/.github/workflows/_build-cached.yml index 3b17bb2292..5d73b072c4 100644 --- a/.github/workflows/_build-cached.yml +++ b/.github/workflows/_build-cached.yml @@ -28,7 +28,7 @@ jobs: valid-cache: ${{ steps.cache_deps.outputs.cache-hit }} steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 continue-on-error: true with: egress-policy: audit @@ -57,7 +57,7 @@ jobs: - name: Lookup cache (no restore) id: cache_deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: ${{ steps.set_outputs.outputs.cache-path }} key: ${{ steps.set_outputs.outputs.cache-key }} diff --git a/.github/workflows/_build-core.yml b/.github/workflows/_build-core.yml index 1c018d975b..6d29c83e86 100644 --- a/.github/workflows/_build-core.yml +++ b/.github/workflows/_build-core.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 continue-on-error: true with: egress-policy: audit @@ -44,7 +44,7 @@ jobs: fetch-depth: 0 - name: load cached deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: ${{ inputs.cache-path || format('{0}/deps/build', github.workspace) }} key: ${{ inputs.cache-key }} @@ -106,7 +106,7 @@ jobs: - name: Cache Homebrew downloads (macOS) if: runner.os == 'macOS' - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: ~/Library/Caches/Homebrew/downloads key: brew-core-${{ inputs.os }}-${{ hashFiles('.github/workflows/_build-core.yml') }} diff --git a/.github/workflows/_build-deps.yml b/.github/workflows/_build-deps.yml index ef00fb4bad..21d175c094 100644 --- a/.github/workflows/_build-deps.yml +++ b/.github/workflows/_build-deps.yml @@ -32,7 +32,7 @@ jobs: date: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -43,7 +43,7 @@ jobs: lfs: 'true' - name: load cached deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: ${{ inputs.cache-path }} key: ${{ inputs.cache-key }} @@ -148,7 +148,7 @@ jobs: - name: Cache Homebrew downloads (macOS) if: startsWith(inputs.os, 'macos-') - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: ~/Library/Caches/Homebrew/downloads key: brew-deps-${{ inputs.os }}-${{ hashFiles('.github/workflows/_build-deps.yml') }} diff --git a/.github/workflows/automation-ai-fix.yml b/.github/workflows/automation-ai-fix.yml index 5e01e13b82..3ac3b70b98 100644 --- a/.github/workflows/automation-ai-fix.yml +++ b/.github/workflows/automation-ai-fix.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -193,7 +193,7 @@ jobs: - name: Cache build deps if: steps.changes.outputs.changed == 'true' - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: autofix-deps-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} diff --git a/.github/workflows/automation-assign-project.yml b/.github/workflows/automation-assign-project.yml index bfc016e9d6..f216bc4a35 100644 --- a/.github/workflows/automation-assign-project.yml +++ b/.github/workflows/automation-assign-project.yml @@ -20,7 +20,7 @@ jobs: if: github.event_name == 'issues' || github.event_name == 'pull_request' steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: | diff --git a/.github/workflows/automation-label-issues.yml b/.github/workflows/automation-label-issues.yml index e4a71291f6..9722ff3ec4 100644 --- a/.github/workflows/automation-label-issues.yml +++ b/.github/workflows/automation-label-issues.yml @@ -19,7 +19,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: | diff --git a/.github/workflows/automation-label-prs.yml b/.github/workflows/automation-label-prs.yml index ade42c5bd6..9d35bf907a 100644 --- a/.github/workflows/automation-label-prs.yml +++ b/.github/workflows/automation-label-prs.yml @@ -16,12 +16,12 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 with: egress-policy: block allowed-endpoints: | api.github.com:443 - - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0 + - uses: actions/labeler@b8dd2d9be0f68b860e7dae5dae7d772984eacd6d # v6.2.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/labeler.yml diff --git a/.github/workflows/cd-deploy-apt.yml b/.github/workflows/cd-deploy-apt.yml index 625fe6f43a..52161c7263 100644 --- a/.github/workflows/cd-deploy-apt.yml +++ b/.github/workflows/cd-deploy-apt.yml @@ -42,7 +42,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-deploy-aur.yml b/.github/workflows/cd-deploy-aur.yml index f7d5ff22fe..cfb9485432 100644 --- a/.github/workflows/cd-deploy-aur.yml +++ b/.github/workflows/cd-deploy-aur.yml @@ -42,7 +42,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-deploy-copr.yml b/.github/workflows/cd-deploy-copr.yml index d9352d6345..d17a262f62 100644 --- a/.github/workflows/cd-deploy-copr.yml +++ b/.github/workflows/cd-deploy-copr.yml @@ -55,7 +55,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-deploy-flatpak.yml b/.github/workflows/cd-deploy-flatpak.yml index 21d1ad75d1..84f618eb1d 100644 --- a/.github/workflows/cd-deploy-flatpak.yml +++ b/.github/workflows/cd-deploy-flatpak.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 diff --git a/.github/workflows/cd-deploy-homebrew.yml b/.github/workflows/cd-deploy-homebrew.yml index ab8361424c..6632130cc9 100644 --- a/.github/workflows/cd-deploy-homebrew.yml +++ b/.github/workflows/cd-deploy-homebrew.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: # audit (not block) to match the other deploy workflows — block mode # rejected the checkout connection to github.com even though it was @@ -69,7 +69,7 @@ jobs: echo "sha_intel=$SHA_INTEL" >> "$GITHUB_OUTPUT" - name: Update Homebrew Cask via PR - uses: mislav/bump-homebrew-formula-action@ccf2332299a883f6af50a1d2d41e5df7904dd769 # v4 + uses: mislav/bump-homebrew-formula-action@f865c8b0dbebd6e263cc06782a0e974c61cf12d2 # v4 with: formula-name: bambu-studio formula-path: Casks/bambu-studio.rb diff --git a/.github/workflows/cd-deploy-ppa.yml b/.github/workflows/cd-deploy-ppa.yml index 83a7ff3865..f3d0fc1ad3 100644 --- a/.github/workflows/cd-deploy-ppa.yml +++ b/.github/workflows/cd-deploy-ppa.yml @@ -63,7 +63,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-deploy-winget.yml b/.github/workflows/cd-deploy-winget.yml index b0d0a5d699..01b7b57ff2 100644 --- a/.github/workflows/cd-deploy-winget.yml +++ b/.github/workflows/cd-deploy-winget.yml @@ -25,7 +25,7 @@ jobs: timeout-minutes: 15 steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: | diff --git a/.github/workflows/cd-nightly.yml b/.github/workflows/cd-nightly.yml index 7f37befab2..70c6f3e5b1 100644 --- a/.github/workflows/cd-nightly.yml +++ b/.github/workflows/cd-nightly.yml @@ -26,7 +26,7 @@ jobs: has_changes: ${{ steps.check.outputs.has_changes }} steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: > @@ -179,7 +179,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -275,7 +275,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -363,7 +363,7 @@ jobs: - name: Attest build provenance if: steps.check.outputs.n > 0 - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 with: subject-path: artifacts/** @@ -506,7 +506,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-packages.yml b/.github/workflows/cd-packages.yml index c00844ffa3..c057461252 100644 --- a/.github/workflows/cd-packages.yml +++ b/.github/workflows/cd-packages.yml @@ -62,7 +62,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -77,7 +77,7 @@ jobs: - name: Cache deps id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: pkg-deps-debian-trixie-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} @@ -191,7 +191,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -206,7 +206,7 @@ jobs: - name: Cache deps id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: pkg-deps-fedora42_rpm-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} @@ -261,7 +261,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -276,7 +276,7 @@ jobs: - name: Cache deps id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: pkg-deps-arch-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} diff --git a/.github/workflows/cd-release-candidate.yml b/.github/workflows/cd-release-candidate.yml index ee7d00b95f..a5edac2a37 100644 --- a/.github/workflows/cd-release-candidate.yml +++ b/.github/workflows/cd-release-candidate.yml @@ -120,7 +120,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -211,7 +211,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -302,7 +302,7 @@ jobs: - name: Attest build provenance if: steps.check.outputs.n > 0 - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 with: subject-path: artifacts/** @@ -390,7 +390,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-release.yml b/.github/workflows/cd-release.yml index aa84e30647..d649077531 100644 --- a/.github/workflows/cd-release.yml +++ b/.github/workflows/cd-release.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: > @@ -77,7 +77,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -245,7 +245,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -290,7 +290,7 @@ jobs: run: bash scripts/generate-checksums.sh release-assets/ - name: Attest build provenance - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 with: subject-path: release-assets/** @@ -347,7 +347,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -398,7 +398,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/ci-arch-container.yml b/.github/workflows/ci-arch-container.yml index db052f4d30..d18dfd117b 100644 --- a/.github/workflows/ci-arch-container.yml +++ b/.github/workflows/ci-arch-container.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -37,10 +37,10 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 - name: Log in to ghcr.io - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -50,7 +50,7 @@ jobs: run: echo "IMAGE_OWNER=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV" - name: Build and push - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 with: context: docker file: docker/Dockerfile.archlinux diff --git a/.github/workflows/ci-debian-container.yml b/.github/workflows/ci-debian-container.yml index 9e59bc2257..54e7d01459 100644 --- a/.github/workflows/ci-debian-container.yml +++ b/.github/workflows/ci-debian-container.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -37,10 +37,10 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 - name: Log in to ghcr.io - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -50,7 +50,7 @@ jobs: run: echo "IMAGE_OWNER=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV" - name: Build and push - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 with: context: docker file: docker/Dockerfile.debian-trixie diff --git a/.github/workflows/ci-fedora-container.yml b/.github/workflows/ci-fedora-container.yml index 1cf0d4b79b..26dd14bc1c 100644 --- a/.github/workflows/ci-fedora-container.yml +++ b/.github/workflows/ci-fedora-container.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -37,10 +37,10 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 - name: Log in to ghcr.io - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -50,7 +50,7 @@ jobs: run: echo "IMAGE_OWNER=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV" - name: Build and push - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 with: context: docker file: docker/Dockerfile.fedora diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml index 7114f5219c..fb99f92600 100644 --- a/.github/workflows/ci-lint.yml +++ b/.github/workflows/ci-lint.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 diff --git a/.github/workflows/ci-pull-request.yml b/.github/workflows/ci-pull-request.yml index 9bab8c3510..bed28abf52 100644 --- a/.github/workflows/ci-pull-request.yml +++ b/.github/workflows/ci-pull-request.yml @@ -28,7 +28,7 @@ jobs: code: ${{ steps.check.outputs.code }} steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -106,7 +106,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -120,7 +120,7 @@ jobs: - name: Cache deps id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: pkg-deps-debian-trixie_deb-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} @@ -167,7 +167,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -182,7 +182,7 @@ jobs: - name: Cache deps id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: pkg-deps-fedora42_rpm-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} diff --git a/.github/workflows/maintenance-stale.yml b/.github/workflows/maintenance-stale.yml index be790430a3..aea7b98511 100644 --- a/.github/workflows/maintenance-stale.yml +++ b/.github/workflows/maintenance-stale.yml @@ -17,12 +17,12 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: | api.github.com:443 - - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0 + - uses: actions/stale@1e223db275d687790206a7acac4d1a11bd6fe629 # v10.4.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: > diff --git a/.github/workflows/maintenance-upstream-sync.yml b/.github/workflows/maintenance-upstream-sync.yml index e745750464..d195e9cfcd 100644 --- a/.github/workflows/maintenance-upstream-sync.yml +++ b/.github/workflows/maintenance-upstream-sync.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/maintenance-version-bump.yml b/.github/workflows/maintenance-version-bump.yml index f2a9484be0..3165376f1d 100644 --- a/.github/workflows/maintenance-version-bump.yml +++ b/.github/workflows/maintenance-version-bump.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: | diff --git a/.github/workflows/security-codeql.yml b/.github/workflows/security-codeql.yml index 460556d612..6ade9540bf 100644 --- a/.github/workflows/security-codeql.yml +++ b/.github/workflows/security-codeql.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -47,7 +47,7 @@ jobs: submodules: false - name: Initialize CodeQL - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 with: languages: ${{ matrix.language }} build-mode: manual @@ -80,6 +80,6 @@ jobs: --parallel 4 2>&1 | head -5000 || true - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/security-dependency-review.yml b/.github/workflows/security-dependency-review.yml index bd7a8c2d87..0b86cdee52 100644 --- a/.github/workflows/security-dependency-review.yml +++ b/.github/workflows/security-dependency-review.yml @@ -16,7 +16,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block # Use folded (>), NOT literal (|): harden-runner splits allowed-endpoints on diff --git a/.github/workflows/security-scorecard.yml b/.github/workflows/security-scorecard.yml index 7ae1f7aa11..312b625bf7 100644 --- a/.github/workflows/security-scorecard.yml +++ b/.github/workflows/security-scorecard.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: # audit instead of block: scorecard-action runs in a Docker container # whose DNS (UDP) is blocked by egress-policy:block even for listed @@ -42,6 +42,6 @@ jobs: publish_results: true - name: Upload SARIF results - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 with: sarif_file: results.sarif