1515 - cron : ' 0 1 * * *' # run at 1 AM UTC
1616 workflow_dispatch :
1717
18+ permissions :
19+ contents : read
20+
1821jobs :
1922 build :
2023 if : github.repository == 'eclipse-ditto/ditto'
2124 runs-on : ubuntu-latest
2225 steps :
26+ -
27+ name : Harden Runner
28+ uses : step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
29+ with :
30+ egress-policy : audit
2331 -
2432 name : Checkout
25- uses : actions/checkout@v6
33+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
34+ with :
35+ persist-credentials : false
2636 -
2737 name : Set up QEMU
28- uses : docker/setup-qemu-action@v3
38+ uses : docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
2939 -
3040 name : Set up Docker Buildx
3141 id : buildx
32- uses : docker/setup-buildx-action@v3 # setup buildx in order to do build and push multi-architecture images
42+ uses : docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 # setup buildx in order to do build and push multi-architecture images
3343 -
3444 name : Inspect buildx builder
3545 run : |
4050 echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
4151 -
4252 name : Login to Docker Hub
43- uses : docker/login-action@v2
53+ uses : docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
4454 with :
4555 username : eclipsedittobot
4656 password : ${{ secrets.DOCKER_HUB_TOKEN }}
5565 echo $IMAGE_TAG
5666 -
5767 name : Build and push ditto-policies
58- uses : docker/build-push-action@v4
68+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
5969 with :
6070 context : .
6171 file : dockerfile-release
7080 eclipse/ditto-policies:${{ env.IMAGE_TAG }}
7181 -
7282 name : Build and push ditto-things
73- uses : docker/build-push-action@v4
83+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
7484 with :
7585 context : .
7686 file : dockerfile-release
8595 eclipse/ditto-things:${{ env.IMAGE_TAG }}
8696 -
8797 name : Build and push ditto-gateway
88- uses : docker/build-push-action@v4
98+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
8999 with :
90100 context : .
91101 file : dockerfile-release
@@ -100,7 +110,7 @@ jobs:
100110 eclipse/ditto-gateway:${{ env.IMAGE_TAG }}
101111 -
102112 name : Build and push ditto-thingsearch
103- uses : docker/build-push-action@v4
113+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
104114 with :
105115 context : .
106116 file : dockerfile-release
@@ -115,7 +125,7 @@ jobs:
115125 eclipse/ditto-things-search:${{ env.IMAGE_TAG }}
116126 -
117127 name : Build and push ditto-connectivity
118- uses : docker/build-push-action@v4
128+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
119129 with :
120130 context : .
121131 file : dockerfile-release
@@ -131,7 +141,7 @@ jobs:
131141 eclipse/ditto-connectivity:${{ env.IMAGE_TAG }}
132142 -
133143 name : Use Node.js 18.x
134- uses : actions/setup-node@v6
144+ uses : actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
135145 with :
136146 node-version : 20
137147 -
@@ -144,7 +154,7 @@ jobs:
144154 working-directory : ./ui
145155 -
146156 name : Build and push ditto-ui image
147- uses : docker/build-push-action@v4
157+ uses : docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
148158 with :
149159 context : ./ui
150160 file : ui/Dockerfile
@@ -155,7 +165,7 @@ jobs:
155165 eclipse/ditto-ui:${{ env.IMAGE_TAG }}
156166 -
157167 name : Run Trivy vulnerability scanner for ditto-policies
158- uses : aquasecurity/trivy-action@v0 .35.0
168+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
159169 with :
160170 image-ref : ' docker.io/eclipse/ditto-policies:${{ env.IMAGE_TAG }}'
161171 format : ' table'
@@ -165,7 +175,7 @@ jobs:
165175 severity : ' CRITICAL'
166176 -
167177 name : Run Trivy vulnerability scanner for ditto-things
168- uses : aquasecurity/trivy-action@v0 .35.0
178+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
169179 with :
170180 image-ref : ' docker.io/eclipse/ditto-things:${{ env.IMAGE_TAG }}'
171181 format : ' table'
@@ -175,7 +185,7 @@ jobs:
175185 severity : ' CRITICAL'
176186 -
177187 name : Run Trivy vulnerability scanner for ditto-gateway
178- uses : aquasecurity/trivy-action@v0 .35.0
188+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
179189 with :
180190 image-ref : ' docker.io/eclipse/ditto-gateway:${{ env.IMAGE_TAG }}'
181191 format : ' table'
@@ -185,7 +195,7 @@ jobs:
185195 severity : ' CRITICAL'
186196 -
187197 name : Run Trivy vulnerability scanner for ditto-things-search
188- uses : aquasecurity/trivy-action@v0 .35.0
198+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
189199 with :
190200 image-ref : ' docker.io/eclipse/ditto-things-search:${{ env.IMAGE_TAG }}'
191201 format : ' table'
@@ -195,7 +205,7 @@ jobs:
195205 severity : ' CRITICAL'
196206 -
197207 name : Run Trivy vulnerability scanner for ditto-connectivity
198- uses : aquasecurity/trivy-action@v0 .35.0
208+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
199209 with :
200210 image-ref : ' docker.io/eclipse/ditto-connectivity:${{ env.IMAGE_TAG }}'
201211 format : ' table'
@@ -205,7 +215,7 @@ jobs:
205215 severity : ' CRITICAL'
206216 -
207217 name : Run Trivy vulnerability scanner for ditto-ui
208- uses : aquasecurity/trivy-action@v0 .35.0
218+ uses : aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0 .35.0
209219 with :
210220 image-ref : ' docker.io/eclipse/ditto-ui:${{ env.IMAGE_TAG }}'
211221 format : ' table'
0 commit comments