diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 7ba702bab..2d5fa4ea2 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -29,7 +29,7 @@ jobs: fetch-depth: 0 - name: Post "benchmark running" comment - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const marker = ''; @@ -70,7 +70,7 @@ jobs: - name: Install benchstat run: | - GOBIN="$PWD/.bin" go install golang.org/x/perf/cmd/benchstat@latest + GOBIN="$PWD/.bin" go install golang.org/x/perf/cmd/benchstat@v0.0.0-20260409210113-8e83ce0f7b1c echo "$PWD/.bin" >> "$GITHUB_PATH" - name: Prepare base worktree @@ -138,7 +138,7 @@ jobs: retention-days: 14 - name: Post report to PR - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const fs = require('fs'); diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ebd48c548..8c62c5306 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,12 +5,15 @@ on: - main permissions: - contents: write - id-token: write + contents: read jobs: semantic-release: runs-on: ubuntu-latest + permissions: + contents: write + issues: write + pull-requests: write outputs: release-version: ${{ steps.semantic.outputs.release-version }} new-release-published: ${{ steps.semantic.outputs.new-release-published }} @@ -23,6 +26,8 @@ jobs: binary: runs-on: ubuntu-latest needs: semantic-release + permissions: + contents: write steps: - name: Harden Runner uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 @@ -61,6 +66,9 @@ jobs: docker: needs: semantic-release runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - name: Harden Runner uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 
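Review bot: The trailing comment on the new `uses: actions/github-script@3a2844b7…` line reads `# v9`, a floating major tag, so a reviewer cannot check the SHA against a specific release and the pin-update tooling that keys off that comment has nothing precise to maintain. Name the exact release the SHA belongs to, e.g. `# v9.<minor>.<patch>` (placeholder — fill in from the upstream release), the way test.yml does with `# v1.0.28`. The same applies to the third hunk of this file (the "Post report to PR" step), which pins the identical SHA with the same `# v9` comment.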
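Review bot: The benchstat pin `go install golang.org/x/perf/cmd/benchstat@v0.0.0-20260409210113-8e83ce0f7b1c` lives in a `run:` script rather than in go.mod or a `uses:` line, so as far as I can tell the usual dependency-update tooling will not propose bumps for it and nothing explains why a pseudo-version was chosen. Add a why-comment above the line, e.g. `# pinned to a pseudo-version (bump manually; see upstream x/perf for a tagged release if one exists)`. `go install pkg@version` still resolves through GOPROXY and checks the module against GOSUMDB by default; that protection holds only if the workflow does not set GONOSUMDB or GOFLAGS=-mod=mod elsewhere, which is outside this hunk and worth confirming.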
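Review bot: The job-level grants on semantic-release (`contents: write`, `issues: write`, `pull-requests: write`) carry no comment saying which step needs them; `issues`/`pull-requests` write are typically only required when @semantic-release/github's success/fail comments or labels are enabled, which this hunk does not show. Add a one-line reason next to each grant, e.g. `# issues/pull-requests: write — @semantic-release/github comments on released issues/PRs`, or drop the two scopes if those comments are disabled. The same documentation point applies to `contents: write` on the binary job and to `id-token: write` on the docker job in the following two hunks of this file, since a job-level `permissions:` block replaces the workflow-level one entirely and any step in semantic-release or binary that previously relied on the workflow-level `id-token: write` (for provenance or attestations, not visible here) will now fail.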
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ed06140f5..5558a99a7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -17,7 +17,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install deps - uses: flanksource/deps@v1.0.28 + uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28 with: tools: | bun @@ -48,7 +48,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install deps - uses: flanksource/deps@v1.0.28 + uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28 with: tools: | bun @@ -99,7 +99,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install deps - uses: flanksource/deps@v1.0.28 + uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28 with: tools: | bun @@ -147,7 +147,7 @@ jobs: restore-keys: | cache- - name: Install deps - uses: flanksource/deps@v1.0.28 + uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28 with: tools: | bun @@ -238,7 +238,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install deps - uses: flanksource/deps@v1.0.28 + uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28 with: tools: | bun @@ -276,7 +276,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install deps - uses: flanksource/deps@v1.0.28 + uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28 with: tools: | etcd@v3.5.23 diff --git a/build/Dockerfile b/build/Dockerfile index e1cc64196..6fb2bd230 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -8,7 +8,7 @@ COPY Makefile /app COPY external/diffgen /app/external/diffgen RUN make rust-diffgen -FROM golang:1.26-bookworm AS builder-base +FROM golang:1.26-bookworm@sha256:4f4ab2c90005e7e63cb631f0b4427f05422f241622ee3ec4727cc5febbf83e34 AS builder-base WORKDIR /app ARG VERSION diff --git a/build/Dockerfile.debug b/build/Dockerfile.debug index 1d88ccfde..5f9092367 100644 --- a/build/Dockerfile.debug +++ b/build/Dockerfile.debug @@ -5,7 +5,7 @@ COPY Makefile /app COPY external/diffgen /app/external/diffgen RUN make rust-diffgen -FROM golang:1.26-bookworm AS builder +FROM golang:1.26-bookworm@sha256:4f4ab2c90005e7e63cb631f0b4427f05422f241622ee3ec4727cc5febbf83e34 AS builder WORKDIR /app ARG VERSION diff --git a/scrapers/file/file.go b/scrapers/file/file.go index 75bde9aef..fee0ec905 100644 --- a/scrapers/file/file.go +++ b/scrapers/file/file.go @@ -1,7 +1,7 @@ package file import ( - "crypto/md5" + "crypto/sha256" "encoding/hex" "net/url" "os" @@ -57,7 +57,7 @@ func convertToLocalPath(uri string) string { if err != nil { return uri } - hash := md5.Sum([]byte(uri)) + hash := sha256.Sum256([]byte(stripSecrets(uri))) p := "" if _uri.Host != "" { p = _uri.Host + "-" diff --git a/scrapers/file/file_test.go b/scrapers/file/file_test.go index 8743d06fc..3ca0192e0 100644 --- a/scrapers/file/file_test.go +++ b/scrapers/file/file_test.go 
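Review bot: The `FROM golang:1.26-bookworm@sha256:…` form is right (the digest is authoritative, the tag is a human-readable label), but the first build stage, whose `FROM` precedes this hunk and runs `make rust-diffgen`, is not visible here; confirm it is digest-pinned as well, otherwise the hardening is partial. The identical digest is duplicated in build/Dockerfile.debug in the next hunk, so a manual bump can easily update one file and not the other; a comment on both lines, e.g. `# keep in sync with build/Dockerfile.debug`, makes the pairing explicit.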
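Review bot: Replacing md5 with sha256 on the `hash := sha256.Sum256([]byte(stripSecrets(uri)))` line does not change the collision behaviour of the local path suffix if the digest is still truncated: the updated expectations in file_test.go are 8 hex characters, i.e. the first four bytes, a 32-bit space regardless of hash function. If distinct URIs under the same host/path prefix must never share a local directory, widen the slice (e.g. `hash[:8]`) in the truncation code, which lies outside this hunk along with the rest of convertToLocalPath. `stripSecrets` is also defined outside the hunk; judging by the test hunk, `file://foo`, `git::foo` and `foo` now all produce `foo-2c26b46b`, which matches the leading bytes of sha256 of the bare string `foo`, so it appears to drop the scheme as well as credentials and sources differing only by scheme now collide. If that is intended, say so on this line, e.g. `// hash the credential-free, scheme-free form so a rotated token does not move the local directory`.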
@@ -30,9 +30,9 @@ var _ = Describe("convertToLocalPath", func() {
 func(input, expected string) {
 Expect(convertToLocalPath(input)).To(Equal(expected))
 },
- Entry("file:// prefix", "file://foo", "foo-ecf5c8ee"),
- Entry("git:: prefix", "git::foo", "foo-b943d8a5"),
- Entry("git:: with URL and query", "git::https://foo/path?query=abc", "foo-path-8f49fbdc"),
- Entry("plain path", "foo", "foo-acbd18db"),
+ Entry("file:// prefix", "file://foo", "foo-2c26b46b"),
+ Entry("git:: prefix", "git::foo", "foo-2c26b46b"),
+ Entry("git:: with URL and query", "git::https://foo/path?query=abc", "foo-path-90c2b34a"),
+ Entry("plain path", "foo", "foo-2c26b46b"),
 )
 })
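Review bot: None of the four updated `Entry(...)` lines contains embedded credentials, so the new `stripSecrets` call in convertToLocalPath is not exercised by this table even though it is the behavioural change the hash switch was paired with. Add an entry whose input carries a userinfo component and assert it maps to the same path as the credential-free form, e.g. `Entry("credentials stripped", "git::https://user:PLACEHOLDER_TOKEN@foo/path?query=abc", "foo-path-90c2b34a")` (constructed; confirm the expected value against the stripped form). Three of the existing entries now expect the identical `foo-2c26b46b`, so a short comment above the table stating that scheme prefixes are intentionally ignored would stop a future reader from reading the duplicates as a copy-paste mistake. The enclosing Describe block begins before this hunk.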