Bump anchore/scan-action from 3 to 4 (#8)

dependabot[bot] · fabasoad · web-flow · commit 9f8315cbc734 · 2024-08-03T17:51:37.000+09:00
* Bump anchore/scan-action from 3 to 4 Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 3 to 4. - [Release notes](https://github.com/anchore/scan-action/releases) - [Changelog](https://github.com/anchore/scan-action/blob/main/CHANGELOG.md) - [Commits](anchore/scan-action@v3...v4) --- updated-dependencies: - dependency-name: anchore/scan-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Bump gitleaks/gitleaks from 8.18.2 to 8.18.4 * Add fabasoad/pre-commit-grype hook --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: fabasoad <fabasoad@gmail.com>
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,30 +7,6 @@ on: # yamllint disable-line rule:truthy
       - "v*.*.*"
 
 jobs:
-  create-release:
-    name: Create release
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Get changelog
-        id: changelog
-        uses: simbo/changes-since-last-release-action@v1
-      - name: Create release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ github.ref }}
-          name: ${{ github.ref_name }}
-          token: ${{ secrets.GITHUB_TOKEN }}
-          body: |
-            # Changelog
-
-            ${{ steps.changelog.outputs.log }}
-          draft: false
-          prerelease: false
-      - name: Bump tags
-        uses: fischerscode/tagger@v0
-        with:
-          prefix: v
+  github:
+    name: GitHub
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-github-release.yml@main
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -7,45 +7,43 @@ on: # yamllint disable-line rule:truthy
     branches:
       - main
 
-defaults:
-  run:
-    shell: sh
-
 jobs:
-  code-scanning:
-    name: Code scanning
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: "javascript"
-      - name: Perform CodeQL Analysis
-        id: codeql-analysis
-        uses: github/codeql-action/analyze@v3
-      - name: Upload to GHAS
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          category: "code-scanning"
-          sarif_file: "${{ steps.codeql-analysis.outputs.sarif-output }}"
-  directory-scanning:
-    name: Directory scanning
+  build-image:
+    name: Build image
     runs-on: ubuntu-latest
+    outputs:
+      artifact-name: "${{ steps.artifact.outputs.name }}"
     steps:
       - name: Checkout ${{ github.repository }}
         uses: actions/checkout@v4
-      - name: Scan current project
-        id: scan-directory
-        uses: anchore/scan-action@v3
+      - name: Build image
+        id: build-image
+        uses: docker/build-push-action@v6
         with:
-          by-cve: "true"
-          path: "."
-      - name: Upload to GHAS
+          push: false
+      - name: Save image
+        id: artifact
+        run: |
+          artifact_name="$(date +%s)"
+          archive_path="${RUNNER_TEMP}/${artifact_name}.tar"
+          docker save --output "${archive_path}" "${{ steps.build-image.outputs.digest }}"
+          echo "path=${archive_path}" >> "$GITHUB_OUTPUT"
+          echo "name=${artifact_name}" >> "$GITHUB_OUTPUT"
+      - name: Upload artifact
         if: always()
-        uses: github/codeql-action/upload-sarif@v3
+        uses: actions/upload-artifact@v4
         with:
-          category: "directory-scanning"
-          sarif_file: "${{ steps.scan-directory.outputs.sarif }}"
+          name: "${{ steps.artifact.outputs.name }}"
+          path: "${{ steps.artifact.outputs.path }}"
+          retention-days: "1"
+          compression-level: "0"
+  sast:
+    name: SAST
+    needs: ["build-image"]
+    permissions:
+      contents: read
+      security-events: write
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-security-sast.yml@main
+    with:
+      image: true
+      image-artifact-name: "${{ needs.build-image.outputs.artifact-name }}"
diff --git a/.github/workflows/update-license.yml b/.github/workflows/update-license.yml
@@ -1,28 +1,11 @@
 ---
-name: Update license
+name: License
 
 on: # yamllint disable-line rule:truthy
   schedule:
     - cron: "0 5 1 1 *"
 
 jobs:
-  run:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: FantasticFiasco/action-update-license-year@v3
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          assignees: ${{ github.repository_owner }}
-          labels: enhancement
-          prTitle: Update license copyright year to {{currentYear}}
-          prBody: |
-            ## Changelog
-
-            - Update license copyright year to {{currentYear}}
-
-            ---
-
-            Powered by [FantasticFiasco/action-update-license-year](https://github.com/FantasticFiasco/action-update-license-year)
+  maintenance:
+    name: Maintenance
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-update-license.yml@main
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -5,22 +5,30 @@ minimum_pre_commit_version: 2.18.0
 repos:
   # Security
   - repo: https://github.com/Yelp/detect-secrets
-    rev: v1.4.0
+    rev: v1.5.0
     hooks:
       - id: detect-secrets
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.18.2
+    rev: v8.18.4
     hooks:
       - id: gitleaks
+  - repo: https://github.com/fabasoad/pre-commit-grype
+    rev: v0.6.0
+    hooks:
+      - id: grype-dir
+        args:
+          - --grype-args=--by-cve --fail-on=low
+          - --hook-args=--log-level debug
+        stages: ["push"]
   # Dockerfile
   - repo: https://github.com/hadolint/hadolint
-    rev: v2.12.1-beta
+    rev: v2.13.0-beta
     hooks:
       - id: hadolint
         stages: ["push"]
   # Markdown
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.39.0
+    rev: v0.41.0
     hooks:
       - id: markdownlint-fix
         stages: ["commit"]
@@ -32,11 +40,18 @@ repos:
         stages: ["push"]
   # GitHub Actions
   - repo: https://github.com/rhysd/actionlint
-    rev: v1.6.27
+    rev: v1.7.1
     hooks:
       - id: actionlint
         args: ["-pyflakes="]
-        stages: ["push"]
+        stages: ["commit"]
+  # Shell
+  - repo: https://github.com/openstack/bashate
+    rev: 2.1.1
+    hooks:
+      - id: bashate
+        args: ["-i", "E003,E006"]
+        stages: ["commit"]
   # Other
   - repo: https://github.com/pre-commit/mirrors-prettier
     rev: v3.1.0
