@@ -20,16 +20,21 @@ jobs:
2020 if : github.repository == 'eclipse-ditto/ditto'
2121 runs-on : ubuntu-latest
2222 steps :
23+ -
24+ name : Harden Runner
25+ uses : step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
26+ with :
27+ egress-policy : audit
2328 -
2429 name : Checkout
25- uses : actions/checkout@v6
30+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2631 -
2732 name : Set up QEMU
28- uses : docker/setup-qemu-action@v3
33+ uses : docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
2934 -
3035 name : Set up Docker Buildx
3136 id : buildx
32- uses : docker/setup-buildx-action@v3 # setup buildx in order to do build and push multi-architecture images
37+ uses : docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 # setup buildx in order to do build and push multi-architecture images
3338 -
3439 name : Inspect buildx builder
3540 run : |
4045 echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
4146 -
4247 name : Login to Docker Hub
43- uses : docker/login-action@v2
48+ uses : docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
4449 with :
4550 username : eclipsedittobot
4651 password : ${{ secrets.DOCKER_HUB_TOKEN }}
5560 echo $IMAGE_TAG
5661 -
5762 name : Build and push ditto-policies
58- uses : docker/build-push-action@v4
63+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
5964 with :
6065 context : .
6166 file : dockerfile-release
7075 eclipse/ditto-policies:${{ env.IMAGE_TAG }}
7176 -
7277 name : Build and push ditto-things
73- uses : docker/build-push-action@v4
78+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
7479 with :
7580 context : .
7681 file : dockerfile-release
8590 eclipse/ditto-things:${{ env.IMAGE_TAG }}
8691 -
8792 name : Build and push ditto-gateway
88- uses : docker/build-push-action@v4
93+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
8994 with :
9095 context : .
9196 file : dockerfile-release
@@ -100,7 +105,7 @@ jobs:
100105 eclipse/ditto-gateway:${{ env.IMAGE_TAG }}
101106 -
102107 name : Build and push ditto-thingsearch
103- uses : docker/build-push-action@v4
108+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
104109 with :
105110 context : .
106111 file : dockerfile-release
@@ -115,7 +120,7 @@ jobs:
115120 eclipse/ditto-things-search:${{ env.IMAGE_TAG }}
116121 -
117122 name : Build and push ditto-connectivity
118- uses : docker/build-push-action@v4
123+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
119124 with :
120125 context : .
121126 file : dockerfile-release
@@ -131,7 +136,7 @@ jobs:
131136 eclipse/ditto-connectivity:${{ env.IMAGE_TAG }}
132137 -
133138 name : Use Node.js 18.x
134- uses : actions/setup-node@v6
139+ uses : actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
135140 with :
136141 node-version : 20
137142 -
@@ -144,7 +149,7 @@ jobs:
144149 working-directory : ./ui
145150 -
146151 name : Build and push ditto-ui image
147- uses : docker/build-push-action@v4
152+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
148153 with :
149154 context : ./ui
150155 file : ui/Dockerfile
@@ -155,7 +160,7 @@ jobs:
155160 eclipse/ditto-ui:${{ env.IMAGE_TAG }}
156161 -
157162 name : Run Trivy vulnerability scanner for ditto-policies
158- uses : aquasecurity/trivy-action@v0 .35.0
163+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
159164 with :
160165 image-ref : ' docker.io/eclipse/ditto-policies:${{ env.IMAGE_TAG }}'
161166 format : ' table'
@@ -165,7 +170,7 @@ jobs:
165170 severity : ' CRITICAL'
166171 -
167172 name : Run Trivy vulnerability scanner for ditto-things
168- uses : aquasecurity/trivy-action@v0 .35.0
173+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
169174 with :
170175 image-ref : ' docker.io/eclipse/ditto-things:${{ env.IMAGE_TAG }}'
171176 format : ' table'
@@ -175,7 +180,7 @@ jobs:
175180 severity : ' CRITICAL'
176181 -
177182 name : Run Trivy vulnerability scanner for ditto-gateway
178- uses : aquasecurity/trivy-action@v0 .35.0
183+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
179184 with :
180185 image-ref : ' docker.io/eclipse/ditto-gateway:${{ env.IMAGE_TAG }}'
181186 format : ' table'
@@ -185,7 +190,7 @@ jobs:
185190 severity : ' CRITICAL'
186191 -
187192 name : Run Trivy vulnerability scanner for ditto-things-search
188- uses : aquasecurity/trivy-action@v0 .35.0
193+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
189194 with :
190195 image-ref : ' docker.io/eclipse/ditto-things-search:${{ env.IMAGE_TAG }}'
191196 format : ' table'
@@ -195,7 +200,7 @@ jobs:
195200 severity : ' CRITICAL'
196201 -
197202 name : Run Trivy vulnerability scanner for ditto-connectivity
198- uses : aquasecurity/trivy-action@v0 .35.0
203+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
199204 with :
200205 image-ref : ' docker.io/eclipse/ditto-connectivity:${{ env.IMAGE_TAG }}'
201206 format : ' table'
@@ -205,7 +210,7 @@ jobs:
205210 severity : ' CRITICAL'
206211 -
207212 name : Run Trivy vulnerability scanner for ditto-ui
208- uses : aquasecurity/trivy-action@v0 .35.0
213+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
209214 with :
210215 image-ref : ' docker.io/eclipse/ditto-ui:${{ env.IMAGE_TAG }}'
211216 format : ' table'
0 commit comments