diff --git a/.github/workflows/lib-build.yaml b/.github/workflows/lib-build.yaml index bbfea0f3f..ffdcfebb8 100644 --- a/.github/workflows/lib-build.yaml +++ b/.github/workflows/lib-build.yaml @@ -39,8 +39,8 @@ jobs: - intel-npu-demo builder: [buildah, docker] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v5 with: go-version-file: go.mod check-latest: true @@ -66,8 +66,8 @@ jobs: - intel-dsa-plugin builder: [docker] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v5 with: go-version-file: go.mod check-latest: true diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml index 0eb946db9..a9aa98875 100644 --- a/.github/workflows/lib-codeql.yaml +++ b/.github/workflows/lib-codeql.yaml @@ -18,8 +18,8 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v5 with: go-version-file: go.mod check-latest: true @@ -29,11 +29,11 @@ jobs: sudo apt-get update sudo apt-get install -y libze1 libze-dev - name: Initialize CodeQL - uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3 with: languages: 'go' - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v3 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3 with: category: "/language:go" diff --git a/.github/workflows/lib-e2e.yaml b/.github/workflows/lib-e2e.yaml index 109286fe8..58b89f4fb 100644 --- a/.github/workflows/lib-e2e.yaml +++ b/.github/workflows/lib-e2e.yaml @@ -35,7 +35,7 @@ jobs: SKIP: ${{ matrix.skip || '' }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 with: fetch-depth: 0 - name: Describe test environment diff --git a/.github/workflows/lib-publish.yaml b/.github/workflows/lib-publish.yaml index db7e37808..13370c37a 100644 --- a/.github/workflows/lib-publish.yaml +++ b/.github/workflows/lib-publish.yaml @@ -29,7 +29,7 @@ jobs: sudo systemctl stop clamav-freshclam.service sudo freshclam - name: Cache clamav databases - uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache/save@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: /var/lib/clamav key: clamav-${{ github.run_id }} @@ -58,8 +58,8 @@ jobs: - intel-idxd-config-initcontainer - intel-npu-plugin steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v5 with: go-version-file: go.mod check-latest: true @@ -70,7 +70,7 @@ jobs: run: | ORG=${{ inputs.registry }} TAG=${{ inputs.image_tag }} make ${IMAGE_NAME} BUILDER=docker - name: Trivy scan for image - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 with: scan-type: image image-ref: ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} @@ -80,7 +80,7 @@ jobs: sudo mkdir -p /var/lib/clamav sudo chmod a+rwx /var/lib/clamav - name: Retrieve AV database - uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: /var/lib/clamav key: clamav-${{ github.run_id }} @@ -100,7 +100,7 @@ jobs: if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }} run: IMG=${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker - name: Login - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_PASS }} @@ -113,7 +113,7 @@ jobs: echo "image_sha=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }})" >> $GITHUB_OUTPUT - name: Install cosign if: ${{ inputs.image_tag != 'devel' }} - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 #v4.1.1 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 #v4.1.2 - name: Keyless image sign if: ${{ inputs.image_tag != 'devel' }} run: | diff --git a/.github/workflows/lib-scorecard.yaml b/.github/workflows/lib-scorecard.yaml index e63f112d5..324180450 100644 --- a/.github/workflows/lib-scorecard.yaml +++ b/.github/workflows/lib-scorecard.yaml @@ -16,7 +16,7 @@ jobs: id-token: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 with: persist-credentials: false - name: "Analyze project" @@ -26,6 +26,6 @@ jobs: results_format: sarif publish_results: true - name: "Upload results to security" - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v3 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3 with: sarif_file: results.sarif diff --git a/.github/workflows/lib-trivy.yaml b/.github/workflows/lib-trivy.yaml index 3f3cdee2c..5073d9351 100644 --- a/.github/workflows/lib-trivy.yaml +++ b/.github/workflows/lib-trivy.yaml @@ -30,9 +30,9 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Run Trivy in config mode for deployments - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 with: scan-type: config scan-ref: deployments/ @@ -48,9 +48,9 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Run Trivy in config mode for dockerfiles - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 with: scan-type: config scan-ref: build/docker/ @@ -62,9 +62,9 @@ jobs: name: Scan licenses steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Run Trivy in fs mode - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 with: scan-type: fs scan-ref: . @@ -79,9 +79,9 @@ jobs: name: Scan vulnerabilities steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Run Trivy in fs mode - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 with: scan-type: fs scan-ref: . diff --git a/.github/workflows/lib-validate.yaml b/.github/workflows/lib-validate.yaml index 1fb0cdec2..ba5ef70e2 100644 --- a/.github/workflows/lib-validate.yaml +++ b/.github/workflows/lib-validate.yaml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y python3-venv - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 with: fetch-depth: 0 - name: Set up doc directory @@ -34,8 +34,8 @@ jobs: name: lint runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v5 with: go-version-file: go.mod check-latest: true @@ -44,7 +44,7 @@ jobs: sudo apt-get update sudo apt-get install -y libze1 libze-dev - name: golangci-lint - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v7 + uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v7 with: version: v2.9.0 args: -v --timeout 5m @@ -52,8 +52,8 @@ jobs: name: Build and check device plugins runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v5 with: go-version-file: go.mod check-latest: true @@ -81,8 +81,8 @@ jobs: - 1.34.x - 1.35.x steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v5 with: go-version-file: go.mod check-latest: true diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 9748f6d23..59cf05a24 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -23,7 +23,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y python3-venv git - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 with: fetch-depth: 0 ref: main @@ -44,7 +44,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html/* $HOME/output/ - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 with: fetch-depth: 0 ref: release-0.32 @@ -55,7 +55,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html $HOME/output/0.32 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 with: fetch-depth: 0 ref: release-0.34 @@ -66,7 +66,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html $HOME/output/0.34 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 with: fetch-depth: 0 ref: release-0.35 diff --git a/.github/workflows/trivy-periodic.yaml b/.github/workflows/trivy-periodic.yaml index 2052f5047..e6fb17c01 100644 --- a/.github/workflows/trivy-periodic.yaml +++ b/.github/workflows/trivy-periodic.yaml @@ -18,11 +18,11 @@ jobs: name: Scan vulnerabilities steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Run Trivy in fs mode # Don't fail in case of vulnerabilities, report them in the next step continue-on-error: true - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 with: scan-type: fs scan-ref: . @@ -31,6 +31,6 @@ jobs: format: sarif output: trivy-report.sarif - name: Upload sarif report to GitHub Security tab - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v3 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3 with: sarif_file: trivy-report.sarif