diff --git a/.github/workflows/bakery-build-native.yml b/.github/workflows/bakery-build-native.yml
index 144ca64ff..0a9d9f54e 100644
--- a/.github/workflows/bakery-build-native.yml
+++ b/.github/workflows/bakery-build-native.yml
@@ -93,7 +93,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install uses: "posit-dev/images-shared/setup-bakery@main"
@@ -131,7 +131,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup bakery uses: "posit-dev/images-shared/setup-bakery@main"
@@ -142,7 +142,7 @@ jobs: uses: "posit-dev/images-shared/setup-goss@ci-native-multiplatform" - name: Set up Docker - uses: docker/setup-docker-action@v5 + uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5.0.0 with: daemon-config: | {
@@ -151,10 +151,10 @@ jobs: } } - name: Setup docker buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Setup ORAS CLI - uses: oras-project/setup-oras@v2 + uses: oras-project/setup-oras@38de303aac69abb66f3e6255b7198bff35f323e3 # v2.0.0 # Since secrets cannot be referenced in an `if` condition directly, # this step sets an output that we can reference later.
@@ -168,7 +168,7 @@ jobs: echo "ecr=$HAS_AWS_ROLE" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }}
@@ -176,14 +176,14 @@ jobs: - name: Login to Docker Hub if: ${{ inputs.push && steps.filter-steps.outputs.docker-hub == 'true' }} - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: username: "posit" password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Configure AWS Credentials if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }} - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 with: role-to-assume: ${{ secrets.AWS_ROLE }} aws-region: ${{ inputs.aws-region }}
@@ -191,7 +191,7 @@ jobs: - name: Login to Amazon ECR if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }} - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2.1.2 - name: Normalize platform id: normalize-platform
@@ -248,7 +248,7 @@ jobs: --metadata-file "./${IMAGE_NAME}-${IMAGE_VERSION}-${NORMALIZED_PLATFORM}-metadata.json" \ --context "$CONTEXT" - name: Upload Metadata - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: "${{ matrix.img.image }}-${{ matrix.img.version }}-${{ steps.normalize-platform.outputs.platform }}-metadata" path: "./${{ matrix.img.image }}-${{ matrix.img.version }}-${{ steps.normalize-platform.outputs.platform }}-metadata.json"
@@ -270,7 +270,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup bakery uses: "posit-dev/images-shared/setup-bakery@main"
@@ -278,7 +278,7 @@ jobs: version: ${{ inputs.version }} - name: Set up Docker - uses: docker/setup-docker-action@v5 + uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5.0.0 with: daemon-config: | {
@@ -299,7 +299,7 @@ jobs: echo "ecr=$HAS_AWS_ROLE" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }}
@@ -307,14 +307,14 @@ jobs: - name: Login to Docker Hub if: ${{ inputs.push && steps.filter-steps.outputs.docker-hub == 'true' }} - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: username: "posit" password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Configure AWS Credentials if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }} - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 with: role-to-assume: ${{ secrets.AWS_ROLE }} aws-region: ${{ inputs.aws-region }}
@@ -322,16 +322,16 @@ jobs: - name: Login to Amazon ECR if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }} - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2.1.2 - name: Setup docker buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Setup ORAS CLI - uses: oras-project/setup-oras@v2 + uses: oras-project/setup-oras@38de303aac69abb66f3e6255b7198bff35f323e3 # v2.0.0 - name: Download Metadata - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: "${{ matrix.img.image }}-${{ matrix.img.version }}-*-metadata" merge-multiple: true
@@ -365,7 +365,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup bakery uses: "posit-dev/images-shared/setup-bakery@main"
diff --git a/.github/workflows/bakery-build.yml b/.github/workflows/bakery-build.yml
index a31be6cd2..9f33329a1 100644
--- a/.github/workflows/bakery-build.yml
+++ b/.github/workflows/bakery-build.yml
@@ -83,7 +83,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install uses: "posit-dev/images-shared/setup-bakery@main"
@@ -113,7 +113,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup bakery uses: "posit-dev/images-shared/setup-bakery@main"
@@ -124,7 +124,7 @@ jobs: uses: "posit-dev/images-shared/setup-goss@main" - name: Setup QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 # Since secrets cannot be referenced in an `if` condition directly, # this step sets an output that we can reference later.
@@ -138,7 +138,7 @@ jobs: echo "ecr=$HAS_AWS_ROLE" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }}
@@ -146,14 +146,14 @@ jobs: - name: Login to Docker Hub if: ${{ inputs.push && steps.filter-steps.outputs.docker-hub == 'true' }} - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: username: "posit" password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Configure AWS Credentials if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }} - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 with: role-to-assume: ${{ secrets.AWS_ROLE }} aws-region: ${{ inputs.aws-region }}
@@ -161,10 +161,10 @@ jobs: - name: Login to Amazon ECR if: ${{ inputs.push && steps.filter-steps.outputs.ecr == 'true' }} - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2.1.2 - name: Setup docker buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Build env:
@@ -236,7 +236,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup bakery uses: "posit-dev/images-shared/setup-bakery@main"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 780d242c5..ac0ba1982 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -29,9 +29,10 @@ jobs: - bakery - bakery-native - release + - zizmor steps: - - uses: re-actors/alls-green@release/v1 + - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 with: jobs: ${{ toJSON(needs) }}
@@ -44,7 +45,7 @@ jobs: runs-on: ubuntu-latest-8x steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 fetch-tags: true
@@ -53,7 +54,7 @@ jobs: uses: ./setup-goss - name: Set up Docker - uses: docker/setup-docker-action@v5 + uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5.0.0 with: daemon-config: | {
@@ -63,26 +64,27 @@ jobs: } - name: Setup QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 with: platforms: linux/amd64,linux/arm64 - name: Setup docker buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Setup hadolint uses: ./setup-hadolint - name: Setup ORAS CLI - uses: oras-project/setup-oras@v2 + uses: oras-project/setup-oras@38de303aac69abb66f3e6255b7198bff35f323e3 # v2.0.0 - name: Add tools/ to path run: echo "${GITHUB_WORKSPACE}/tools" >> $GITHUB_PATH - name: Setup uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: python-version-file: "posit-bakery/pyproject.toml" + enable-cache: false - name: Install dependencies working-directory: ./posit-bakery
@@ -113,7 +115,7 @@ jobs: always() && github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.fork != true - uses: EnricoMi/publish-unit-test-result-action@v2 + uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2.23.0 with: files: ./posit-bakery/results.xml
@@ -142,6 +144,18 @@ jobs: dev-versions: include + zizmor: + name: Zizmor + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + with-macros-clean-caches: name: Clean Caches (with-macros suite) permissions:
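Review bot: `enable-cache: false` is added to the Setup uv step with no comment explaining why, so the next maintainer chasing CI time is likely to flip it back on. Presumably it is there to keep a restorable cache out of a job that also publishes artifacts (the kind of finding zizmor's cache-poisoning audit reports), but that is inferred from the rest of the commit, not stated anywhere. A one-line comment above the input, e.g. `# Cache deliberately disabled: <reason>; do not re-enable without checking zizmor`, would make the intent durable. The same undocumented input appears again in the `@@ -190,15 +204,16 @@` hunk below.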
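Review bot: The new zizmor job requests `security-events: write`, which GitHub does not grant to runs triggered from forked pull requests, and the job is simultaneously made a required input of the alls-green gate in the `@@ -29,9 +29,10 @@` hunk above; if the action's SARIF upload fails without that permission, fork PRs fail CI outright rather than merely skipping the Code Scanning upload. Confirm the action degrades to plain output in that case, or set its advanced-security input explicitly and document the choice on the step. Separately, this checkout is the only one in the commit with `persist-credentials: false`; the other checkouts (including the product-release.yml one that passes an App token via `token:`) keep the default, so expect zizmor's artipacked audit to report them on the first run and decide whether to fix or suppress before making the job required.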
@@ -190,15 +204,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 fetch-tags: true - name: Setup uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: python-version-file: "posit-bakery/pyproject.toml" + enable-cache: false - name: Install dependencies working-directory: ./posit-bakery
@@ -212,7 +227,7 @@ jobs: - name: Upload snapshot artifacts if: github.event_name == 'pull_request' - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: bakery-snapshot-pr${{ github.event.pull_request.number }} path: ./posit-bakery/dist
diff --git a/.github/workflows/clean.yml b/.github/workflows/clean.yml
index e6abcd842..c2df78579 100644
--- a/.github/workflows/clean.yml
+++ b/.github/workflows/clean.yml
@@ -83,7 +83,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup bakery uses: "posit-dev/images-shared/setup-bakery@main"
@@ -91,7 +91,7 @@ jobs: version: ${{ inputs.version }} - name: Login to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }}
@@ -129,7 +129,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup bakery uses: "posit-dev/images-shared/setup-bakery@main"
@@ -137,7 +137,7 @@ jobs: version: ${{ inputs.version }} - name: Login to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }}
diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml
index e32df8a30..ed6c1a8f7 100644
--- a/.github/workflows/issues.yml
+++ b/.github/workflows/issues.yml
@@ -15,20 +15,20 @@ jobs: steps: - name: GitHub App Token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 id: app-token with: app-id: ${{ secrets.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} - name: Add to Platform Carbon Project - uses: actions/add-to-project@v1.0.2 + uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: github-token: ${{ steps.app-token.outputs.token }} project-url: https://github.com/orgs/posit-dev/projects/17 - name: Add Default Labels - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 with: github_token: ${{ steps.app-token.outputs.token }} labels: |
diff --git a/.github/workflows/product-release.yml b/.github/workflows/product-release.yml
index 5a6272427..ea1cb22b7 100644
--- a/.github/workflows/product-release.yml
+++ b/.github/workflows/product-release.yml
@@ -33,13 +33,13 @@ jobs: pull-requests: write steps: - name: GitHub App Token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 id: app-token with: app-id: ${{ secrets.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..cac780951
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,9 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ # First-party composite actions are kept at branch refs
+ # (e.g. @main) intentionally; SHA-pinning them would
+ # defeat the purpose of reusable shared actions.
+ "posit-dev/images-shared/*": ref-pin
+ "*": hash-pin
diff --git a/setup-bakery/action.yml b/setup-bakery/action.yml
index 0f63c5c13..143ec2492 100644
--- a/setup-bakery/action.yml
+++ b/setup-bakery/action.yml
@@ -15,10 +15,10 @@ runs: using: "composite" steps: - name: Setup uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "${{ inputs.python-version }}"
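Review bot: The `ref-pin` policy for `posit-dev/images-shared/*` accepts any symbolic ref, not just the `@main` the comment describes, so it also passes feature-branch references such as `setup-goss@ci-native-multiplatform` visible in the bakery-build-native.yml hunks above, which silently break once that branch is deleted. The comment should state what is actually accepted and what is not, e.g. `# Only @main is expected here; feature-branch refs are temporary and must be reverted before merge (zizmor will not catch them under ref-pin).` It is also worth recording that `ref-pin` leaves these actions mutable: whatever `main` in this repository contains is what every consuming workflow runs, so the branch protection on `main` is the effective pin and should be mentioned next to this policy.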