From a3c06f1cf522d7fdc2aa3de2f36659b01fa7c167 Mon Sep 17 00:00:00 2001 From: sbylica-splunk Date: Fri, 10 Jul 2026 11:14:41 +0200 Subject: [PATCH 1/2] fix: pinned commit SHAs and hid github token in ci-main --- .github/workflows/agreements.yaml | 4 +-- .github/workflows/cd-baremtal.yaml | 6 ++-- .github/workflows/cd-docs-pdf.yaml | 4 +-- .github/workflows/cd-ghcr.io.yaml | 6 ++-- .github/workflows/cd-oci-container.yaml | 4 +-- .github/workflows/cd-pages.yaml | 12 +++---- .github/workflows/ci-lite.yaml | 38 ++++++++++---------- .github/workflows/ci-main.yaml | 48 +++++++++++++------------ .github/workflows/mike.yaml | 6 ++-- .github/workflows/rebase.yaml | 4 +-- .github/workflows/update-tags.yaml | 4 +-- 11 files changed, 69 insertions(+), 67 deletions(-) diff --git a/.github/workflows/agreements.yaml b/.github/workflows/agreements.yaml index f52bcb8b53..03b36304e9 100644 --- a/.github/workflows/agreements.yaml +++ b/.github/workflows/agreements.yaml @@ -24,7 +24,7 @@ jobs: - name: "CLA Assistant" if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' # Alpha Release - uses: contributor-assistant/github-action@v2.6.1 + uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # the below token should have repo scope and must be manually added by you in the repository's secret @@ -54,7 +54,7 @@ jobs: - name: "COC Assistant" if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Code of Conduct and I hereby accept the Terms') || github.event_name == 'pull_request_target' # Alpha Release - uses: contributor-assistant/github-action@v2.6.1 + uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # the below token should have repo scope and must be manually added by you in the repository's secret diff --git a/.github/workflows/cd-baremtal.yaml b/.github/workflows/cd-baremtal.yaml index bd154b0b26..5ce9054ff3 100644 --- a/.github/workflows/cd-baremtal.yaml +++ b/.github/workflows/cd-baremtal.yaml @@ -30,10 +30,10 @@ jobs: name: Release runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.14' # Version range or exact version of a Python version to use, using SemVer's version range syntax architecture: 'x64' # optional x64 or x86. Defaults to x64 if not specified @@ -55,6 +55,6 @@ jobs: tar rvf /tmp/baremetal.tar -C package/shared test_parsers sha512sum -b /tmp/baremetal.tar > /tmp/baremetal_checksum.txt - name: Release - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1 with: files: /tmp/baremetal.tar, /tmp/baremetal_checksum.txt diff --git a/.github/workflows/cd-docs-pdf.yaml b/.github/workflows/cd-docs-pdf.yaml index c9d1612b43..ef6728a46d 100644 --- a/.github/workflows/cd-docs-pdf.yaml +++ b/.github/workflows/cd-docs-pdf.yaml @@ -32,7 +32,7 @@ jobs: name: Release runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false - id: doc-files @@ -42,6 +42,6 @@ jobs: sudo apt-get install -y pandoc texlive librsvg2-bin texlive-latex-extra pandoc -s --pdf-engine=pdflatex -o /tmp/SC4S_docs.pdf $(find . -type f -name "*.md") - name: Release - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1 with: files: /tmp/SC4S_docs.pdf diff --git a/.github/workflows/cd-ghcr.io.yaml b/.github/workflows/cd-ghcr.io.yaml index bb621550fb..2c9145f11b 100644 --- a/.github/workflows/cd-ghcr.io.yaml +++ b/.github/workflows/cd-ghcr.io.yaml @@ -36,7 +36,7 @@ jobs: matrix: container: [container3, container3lite] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false - name: Setup regctl @@ -44,14 +44,14 @@ jobs: curl --proto "=https" --tlsv1.2 -sSf -L https://github.com/regclient/regclient/releases/download/v0.4.7/regctl-linux-amd64 >/tmp/regctl chmod 755 /tmp/regctl - name: Login to GitHub Packages Docker Registry - uses: docker/login-action@v4 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Docker meta id: docker_action_meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@dc802804100637a589fabce1cb79ff13a1411302 # v6.2.0 with: images: ghcr.io/${{ github.repository }}/${{ matrix.container }} tags: | diff --git a/.github/workflows/cd-oci-container.yaml b/.github/workflows/cd-oci-container.yaml index da646c2144..21bd364e46 100644 --- a/.github/workflows/cd-oci-container.yaml +++ b/.github/workflows/cd-oci-container.yaml @@ -30,7 +30,7 @@ jobs: name: Release runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false - id: Pull @@ -43,6 +43,6 @@ jobs: sha512sum -b /tmp/oci_container.tar.gz > /tmp/oci_container_checksum.txt - name: Release - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1 with: files: /tmp/oci_container.tar.gz, /tmp/oci_container_checksum.txt diff --git a/.github/workflows/cd-pages.yaml b/.github/workflows/cd-pages.yaml index 5abb49985f..d89c823288 100644 --- a/.github/workflows/cd-pages.yaml +++ b/.github/workflows/cd-pages.yaml @@ -23,13 +23,13 @@ jobs: sudo docker image prune --all --force df -h - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - - uses: oleksiyrudenko/gha-git-credentials@v2.1.2 + - uses: oleksiyrudenko/gha-git-credentials@8bb1fe6d543b2233ef1856cd3b0181f5abbd4d6a # v2.1.2 with: token: "${{ secrets.GITHUB_TOKEN }}" - - uses: actions/setup-python@v6 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.14' # Version range or exact version of a Python version to use, using SemVer's version range syntax architecture: 'x64' # optional x64 or x86. Defaults to x64 if not specified @@ -50,11 +50,11 @@ jobs: pages: write steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Install Helm - uses: azure/setup-helm@v5 + uses: azure/setup-helm@9bc31f4ebc9c6b171d7bfbaa5d006ae7abdb4310 # v5.0.1 with: version: v4.2.3 - name: Upload @@ -73,7 +73,7 @@ jobs: helm repo index /tmp/package --url https://github.com/splunk/splunk-connect-for-syslog/releases/download/$VERSION --merge /tmp/origin/index.yaml cp /tmp/package/index.yaml /tmp/index/ - name: Deploy - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@84c30a85c19949d7eee79c4ff27748b70285e453 # v4.1.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: /tmp/index diff --git a/.github/workflows/ci-lite.yaml b/.github/workflows/ci-lite.yaml index b9d5a29825..0de0eac166 100644 --- a/.github/workflows/ci-lite.yaml +++ b/.github/workflows/ci-lite.yaml @@ -43,16 +43,16 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false - - uses: actions/setup-node@v6.4.0 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: "24" - name: Semantic Release id: version - uses: cycjimmy/semantic-release-action@v6 + uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0 with: semantic_version: 18 extra_plugins: | @@ -66,7 +66,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Docker meta id: docker_action_meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@dc802804100637a589fabce1cb79ff13a1411302 # v6.2.0 with: images: ghcr.io/${{ github.repository }}/container3lite tags: | @@ -80,13 +80,13 @@ jobs: type=ref,event=tag - name: matrix id: matrix - uses: splunk/addonfactory-test-matrix-action@v3.2.1 + uses: splunk/addonfactory-test-matrix-action@29f2f42141dd4fa19a72eb5a9e3381df64e0af81 # v3.2.1 security-fossa-scan: continue-on-error: true runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: run fossa anlyze and create report run: | curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash @@ -95,7 +95,7 @@ jobs: env: FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }} - name: upload THIRDPARTY file - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: THIRDPARTY path: /tmp/THIRDPARTY @@ -119,23 +119,23 @@ jobs: # To use this repository's private action, # you must check out the repository - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@96fe6ef7f33517b61c61be40b68a1882f3264fb8 # v4.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 - name: Login to GitHub Packages Docker Registry - uses: docker/login-action@v4 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push action id: docker_action_build - uses: docker/build-push-action@v7 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 with: context: . provenance: false @@ -162,7 +162,7 @@ jobs: steps: # To use .trivyignore file, you must check out the repository - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -233,7 +233,7 @@ jobs: SC4S_USE_VPS_CACHE: "yes" steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -287,7 +287,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -343,7 +343,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -384,7 +384,7 @@ jobs: HEALTHCHECK_MAX_QUEUE_SIZE: 10000 steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -404,7 +404,7 @@ jobs: image: python:3.14-bookworm steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -436,7 +436,7 @@ jobs: options: --privileged steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml index 090b736def..b4732a4c32 100644 --- a/.github/workflows/ci-main.yaml +++ b/.github/workflows/ci-main.yaml @@ -42,16 +42,16 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false - - uses: actions/setup-node@v6.4.0 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: "24" - name: Semantic Release id: version - uses: cycjimmy/semantic-release-action@v6 + uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0 with: semantic_version: 18 extra_plugins: | @@ -65,7 +65,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Docker meta id: docker_action_meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@dc802804100637a589fabce1cb79ff13a1411302 # v6.2.0 with: images: ghcr.io/${{ github.repository }}/container3 tags: | @@ -79,13 +79,13 @@ jobs: type=ref,event=tag - name: matrix id: matrix - uses: splunk/addonfactory-test-matrix-action@v3.2.1 + uses: splunk/addonfactory-test-matrix-action@29f2f42141dd4fa19a72eb5a9e3381df64e0af81 # v3.2.1 security-fossa-scan: continue-on-error: true runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: run fossa anlyze and create report run: | curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash @@ -94,7 +94,7 @@ jobs: env: FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }} - name: upload THIRDPARTY file - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: THIRDPARTY path: /tmp/THIRDPARTY @@ -118,23 +118,23 @@ jobs: # To use this repository's private action, # you must check out the repository - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@96fe6ef7f33517b61c61be40b68a1882f3264fb8 # v4.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 - name: Login to GitHub Packages Docker Registry - uses: docker/login-action@v4 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push action id: docker_action_build - uses: docker/build-push-action@v7 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 with: context: . provenance: false @@ -161,7 +161,7 @@ jobs: steps: # To use .trivyignore file, you must check out the repository - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -233,7 +233,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -288,7 +288,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -344,7 +344,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -385,7 +385,7 @@ jobs: HEALTHCHECK_MAX_QUEUE_SIZE: 10000 steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -405,7 +405,7 @@ jobs: image: python:3.14-bookworm steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -437,7 +437,7 @@ jobs: options: --privileged steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false @@ -473,16 +473,16 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: false persist-credentials: false - - uses: actions/setup-node@v6.4.0 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: "24" - name: Semantic Release id: version - uses: cycjimmy/semantic-release-action@v6 + uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0 with: semantic_version: 18 extra_plugins: | @@ -495,8 +495,10 @@ jobs: GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} - name: Fast-forward develop to release branch if: steps.version.outputs.new_release_published == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} run: | - git remote set-url origin https://x-access-token:${{ secrets.GH_TOKEN_ADMIN }}@github.com/${{ github.repository }} + git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }} git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" git fetch origin develop ${{ github.ref_name }} diff --git a/.github/workflows/mike.yaml b/.github/workflows/mike.yaml index aa06259042..d8045b484c 100644 --- a/.github/workflows/mike.yaml +++ b/.github/workflows/mike.yaml @@ -19,13 +19,13 @@ jobs: pages: write steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - - uses: oleksiyrudenko/gha-git-credentials@v2.1.2 + - uses: oleksiyrudenko/gha-git-credentials@8bb1fe6d543b2233ef1856cd3b0181f5abbd4d6a # v2.1.2 with: token: "${{ secrets.GITHUB_TOKEN }}" - - uses: actions/setup-python@v6 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: "3.14" # Version range or exact version of a Python version to use, using SemVer's version range syntax architecture: "x64" # optional x64 or x86. Defaults to x64 if not specified diff --git a/.github/workflows/rebase.yaml b/.github/workflows/rebase.yaml index b4e263ee1e..7169a69ce8 100644 --- a/.github/workflows/rebase.yaml +++ b/.github/workflows/rebase.yaml @@ -14,11 +14,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the latest code - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: token: ${{ secrets.GHCR_PAT }} fetch-depth: 0 # otherwise, you will fail to push refs to dest repo - name: Automatic Rebase - uses: cirrus-actions/rebase@1.8 + uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 # 1.8 env: GITHUB_TOKEN: ${{ secrets.GHCR_PAT }} diff --git a/.github/workflows/update-tags.yaml b/.github/workflows/update-tags.yaml index b5b851b752..2a113ca3a3 100644 --- a/.github/workflows/update-tags.yaml +++ b/.github/workflows/update-tags.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Update Semver Tags - uses: tchupp/actions-update-semver-tags@v1 + uses: tchupp/actions-update-semver-tags@bc82481a87e4e95cd38bab00d566bcc49cea970f # v1.0.2 From 84956f039616fe018c1f4a5b6883f1484dd2ee88 Mon Sep 17 00:00:00 2001 From: sbylica-splunk Date: Fri, 10 Jul 2026 11:19:59 +0200 Subject: [PATCH 2/2] fix: pinned trivy to the latest release --- .github/workflows/ci-lite.yaml | 2 +- .github/workflows/ci-main.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-lite.yaml b/.github/workflows/ci-lite.yaml index 0de0eac166..93e1bc90c5 100644 --- a/.github/workflows/ci-lite.yaml +++ b/.github/workflows/ci-lite.yaml @@ -167,7 +167,7 @@ jobs: submodules: false persist-credentials: false - name: Run docker vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: ${{ needs.meta.outputs.container_base }} format: 'table' diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml index b4732a4c32..cf3fca9dd7 100644 --- a/.github/workflows/ci-main.yaml +++ b/.github/workflows/ci-main.yaml @@ -166,7 +166,7 @@ jobs: submodules: false persist-credentials: false - name: Run docker vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: ${{ needs.meta.outputs.container_base }} format: 'table'