diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e9f53f6b..87177f1d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -233,7 +233,7 @@ jobs: - name: 🔒 Log in to the GitHub Container Registry if: github.event_name != 'pull_request' - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -262,7 +262,7 @@ jobs: - name: 📊 Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 + uses: docker/metadata-action@dc802804100637a589fabce1cb79ff13a1411302 # v6.2.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/${{ matrix.name }} tags: | @@ -272,7 +272,7 @@ jobs: type=schedule,pattern={{date 'YYYYMMDD'}} - name: 🔧 Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 with: platforms: linux/amd64 driver-opts: | @@ -280,7 +280,7 @@ jobs: network=host - name: 🚀 Build and push Docker image to GitHub Container Registry - discogsography/${{ matrix.name }} - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 with: context: . file: ${{ matrix.name }}/Dockerfile diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 14062682..c17c51cd 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -29,7 +29,7 @@ jobs: - name: Run Claude Code Review id: claude-review - uses: anthropics/claude-code-action@a92e7c70a4da9793dc164451d829089dc057a464 # v1.0.159 + uses: anthropics/claude-code-action@558b1d6cab4085c7753fe402c10bef0fbb92ac7a # v1.0.165 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 0d010129..0ac89620 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -33,7 +33,7 @@ jobs: - name: Run Claude Code id: claude - uses: anthropics/claude-code-action@a92e7c70a4da9793dc164451d829089dc057a464 # v1.0.159 + uses: anthropics/claude-code-action@558b1d6cab4085c7753fe402c10bef0fbb92ac7a # v1.0.165 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} diff --git a/.github/workflows/docker-validate.yml b/.github/workflows/docker-validate.yml index 3fbf93e9..13511d4d 100644 --- a/.github/workflows/docker-validate.yml +++ b/.github/workflows/docker-validate.yml @@ -33,7 +33,7 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: 🔧 Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 - name: 🔍 Validate Dockerfile with hadolint uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index d34f5f4e..189068b4 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -88,7 +88,7 @@ jobs: if: always() - name: 📤 Upload SARIF to GitHub Advanced Security - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: sarif_file: semgrep.sarif if: always() @@ -122,7 +122,7 @@ jobs: ${{ runner.os }}-cargo- - name: 📦 Install cargo-audit and cargo-deny - uses: taiki-e/install-action@9bcaee1dcae34154180f412e2fa69355a7cda9f6 # v2.82.6 + uses: taiki-e/install-action@4684b8405694ae9dd42c9f39ba901a70ae83f4a3 # v2.82.9 with: tool: cargo-audit,cargo-deny @@ -149,7 +149,7 @@ jobs: fetch-depth: 0 # Full history required for comprehensive secret scanning - name: 🔑 Run TruffleHog (secret detection) - uses: trufflesecurity/trufflehog@f446421baf832d6356c42c1743d99abff52ff334 # v3.95.7 + uses: trufflesecurity/trufflehog@00155c9dc586f34d189adc83d3ac2698c2ec551f # v3.95.8 with: path: ./ extra_args: --only-verified @@ -173,7 +173,7 @@ jobs: severity: HIGH,CRITICAL - name: 📤 Upload trivy SARIF results to GitHub Security tab - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 if: always() with: sarif_file: trivy-results.sarif diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 54b46536..64b67a47 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -548,7 +548,7 @@ jobs: - name: 📦 Install cargo-llvm-cov if: steps.check-rust.outputs.exists == 'true' - uses: taiki-e/install-action@9bcaee1dcae34154180f412e2fa69355a7cda9f6 # v2.82.6 + uses: taiki-e/install-action@4684b8405694ae9dd42c9f39ba901a70ae83f4a3 # v2.82.9 with: tool: cargo-llvm-cov