diff --git a/.github/actions/generate-builder/action.yml b/.github/actions/generate-builder/action.yml
index 54f8d4d42c..42e718678e 100644
--- a/.github/actions/generate-builder/action.yml
+++ b/.github/actions/generate-builder/action.yml
@@ -76,7 +76,7 @@ runs:
token: ${{ inputs.token }}
- name: Set up Go environment
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ inputs.go-version }}
diff --git a/.github/actions/secure-builder-checkout/action.yaml b/.github/actions/secure-builder-checkout/action.yaml
index 064f12fa8d..71de1f5350 100644
--- a/.github/actions/secure-builder-checkout/action.yaml
+++ b/.github/actions/secure-builder-checkout/action.yaml
@@ -37,7 +37,7 @@ runs:
# and has an associated release. This will require exceptions
# for e2e tests.
- name: Checkout the repository
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: ${{ inputs.repository }}
ref: ${{ inputs.ref }}
diff --git a/.github/actions/secure-project-checkout-go/action.yml b/.github/actions/secure-project-checkout-go/action.yml
index 3d7d885a16..69680e3e79 100644
--- a/.github/actions/secure-project-checkout-go/action.yml
+++ b/.github/actions/secure-project-checkout-go/action.yml
@@ -65,7 +65,7 @@ runs:
fi
- name: Set up Go environment
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ steps.validate.outputs.go_version }}
go-version-file: ${{ steps.validate.outputs.go_version_file }}
diff --git a/.github/actions/secure-project-checkout-node/action.yml b/.github/actions/secure-project-checkout-node/action.yml
index 3cfdd3dd8f..5c9726e514 100644
--- a/.github/actions/secure-project-checkout-node/action.yml
+++ b/.github/actions/secure-project-checkout-node/action.yml
@@ -41,6 +41,6 @@ runs:
path: ${{ inputs.path }}
- name: Set up Node environment
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
+ uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ inputs.node-version }}
diff --git a/.github/actions/secure-project-checkout/action.yaml b/.github/actions/secure-project-checkout/action.yaml
index 9bd09b7591..b592687178 100644
--- a/.github/actions/secure-project-checkout/action.yaml
+++ b/.github/actions/secure-project-checkout/action.yaml
@@ -40,7 +40,7 @@ runs:
using: "composite"
steps:
- name: Checkout the repository
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: ${{ inputs.fetch-depth }}
ref: ${{ inputs.checkout-sha1 }}
diff --git a/.github/actions/secure-upload-artifact/action.yml b/.github/actions/secure-upload-artifact/action.yml
index c4d54ad604..984b39a614 100644
--- a/.github/actions/secure-upload-artifact/action.yml
+++ b/.github/actions/secure-upload-artifact/action.yml
@@ -37,7 +37,7 @@ runs:
path: "${{ inputs.path }}"
- name: Upload the artifact
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: "${{ inputs.name }}"
path: "${{ inputs.path }}"
diff --git a/.github/workflows/builder_container-based_slsa3.yml b/.github/workflows/builder_container-based_slsa3.yml
index 063b7ee0f7..e560a0a73d 100644
--- a/.github/workflows/builder_container-based_slsa3.yml
+++ b/.github/workflows/builder_container-based_slsa3.yml
@@ -209,7 +209,7 @@ jobs:
allow-private-repository: ${{ inputs.rekor-log-public }}
- name: Upload builder
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
path: "${{ env.BUILDER_BINARY }}"
@@ -228,7 +228,7 @@ jobs:
runs-on: ubuntu-latest
needs: [rng, detect-env, generate-builder]
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
@@ -372,7 +372,7 @@ jobs:
set-executable: true
- name: Checkout the source repository
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 1
persist-credentials: false
@@ -462,7 +462,7 @@ jobs:
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a
# secure upload or verify this against the SLSA layout file.
id: upload-artifacts
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: ${{ steps.build.outputs.build-outputs-name }}
path: /tmp/build-outputs-${{ needs.rng.outputs.value }}
@@ -535,7 +535,7 @@ jobs:
- name: Upload unsigned intoto attestations file for pull request
if: ${{ github.event_name == 'pull_request' }}
id: upload-unsigned
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
path: "attestations-${{ needs.rng.outputs.value }}"
@@ -556,7 +556,7 @@ jobs:
- name: Upload the signed attestations
id: upload-signed
if: ${{ github.event_name != 'pull_request' }}
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
index 095a938218..75ee9ddee7 100644
--- a/.github/workflows/builder_go_slsa3.yml
+++ b/.github/workflows/builder_go_slsa3.yml
@@ -169,7 +169,7 @@ jobs:
allow-private-repository: ${{ inputs.private-repository }}
- name: Upload builder
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
path: "${{ env.BUILDER_BINARY }}"
@@ -358,7 +358,7 @@ jobs:
--workingDir "$UNTRUSTED_WORKING_DIR"
- name: Upload the signed provenance
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
path: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 47a2343434..6dc5e5fecc 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -55,11 +55,11 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2
+ uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -72,7 +72,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
- uses: github/codeql-action/autobuild@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2
+ uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
# Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -85,7 +85,7 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2
+ uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
# NOTE: Checks that the matrix job above completes successfully.
# This is necessary because the matrix strategy generates new jobs with
diff --git a/.github/workflows/e2e.create-container_based-predicate.schedule.yml b/.github/workflows/e2e.create-container_based-predicate.schedule.yml
index 149ef224c6..f6bb413983 100644
--- a/.github/workflows/e2e.create-container_based-predicate.schedule.yml
+++ b/.github/workflows/e2e.create-container_based-predicate.schedule.yml
@@ -39,7 +39,7 @@ jobs:
permissions:
id-token: write # Needed to detect the current reusable repository and ref.
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Detect the builder ref
id: detect
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main
@@ -71,7 +71,7 @@ jobs:
contents: read
issues: write
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: slsa-framework/example-package
ref: main
@@ -85,7 +85,7 @@ jobs:
contents: read
issues: write
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: slsa-framework/example-package
ref: main
diff --git a/.github/workflows/e2e.detect-workflow-js.schedule.yml b/.github/workflows/e2e.detect-workflow-js.schedule.yml
index 27c10de907..c261b75e29 100644
--- a/.github/workflows/e2e.detect-workflow-js.schedule.yml
+++ b/.github/workflows/e2e.detect-workflow-js.schedule.yml
@@ -33,7 +33,7 @@ jobs:
id-token: write
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: detect
uses: ./.github/actions/detect-workflow-js
- id: verify
@@ -70,7 +70,7 @@ jobs:
contents: read
issues: write
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: slsa-framework/example-package
ref: main
@@ -84,7 +84,7 @@ jobs:
contents: read
issues: write
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: slsa-framework/example-package
ref: main
diff --git a/.github/workflows/e2e.sign-attestations.schedule.yml b/.github/workflows/e2e.sign-attestations.schedule.yml
index 8babbb6df2..ba488e8d22 100644
--- a/.github/workflows/e2e.sign-attestations.schedule.yml
+++ b/.github/workflows/e2e.sign-attestations.schedule.yml
@@ -33,14 +33,14 @@ jobs:
id-token: write
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: setup
uses: ./.github/actions/sign-attestations
with:
attestations: .github/actions/sign-attestations/testdata/attestations
output-folder: outputs
- name: Setup node
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3
+ uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
with:
node-version: 16
- name: install sigstore-js
@@ -62,7 +62,7 @@ jobs:
contents: read
issues: write
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: slsa-framework/example-package
ref: main
@@ -76,7 +76,7 @@ jobs:
contents: read
issues: write
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: slsa-framework/example-package
ref: main
diff --git a/.github/workflows/e2e.upload-folder.schedule.yml b/.github/workflows/e2e.upload-folder.schedule.yml
index 573c655de7..98c182ca2b 100644
--- a/.github/workflows/e2e.upload-folder.schedule.yml
+++ b/.github/workflows/e2e.upload-folder.schedule.yml
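Review bot: The new setup-node pin in `e2e.sign-attestations.schedule.yml` is annotated only `# v3`, while the same SHA `5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d` is annotated `# v3.8.1` in every other file of this change; write `uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1` so the exact release the hash is expected to correspond to is recorded and can be checked against the upstream tag without resolving the commit. A major-only annotation cannot distinguish a deliberate patch refresh from a stale pin, which removes most of the audit value of keeping the version comment next to the hash. The job continues past the hunk (the `install sigstore-js` step is cut off).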
@@ -37,7 +37,7 @@ jobs:
sha256: ${{ steps.upload.outputs.sha256 }}
sha256-noroot: ${{ steps.upload-noroot.outputs.sha256 }}
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Create folder
run: |
set -euo pipefail
@@ -100,7 +100,7 @@ jobs:
needs: [secure-upload-folder]
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Download in new folder
uses: ./.github/actions/secure-download-folder
@@ -180,7 +180,7 @@ jobs:
contents: read
issues: write
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: slsa-framework/example-package
ref: main
@@ -194,7 +194,7 @@ jobs:
contents: read
issues: write
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: slsa-framework/example-package
ref: main
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 371c33c89c..f9983d061d 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -147,7 +147,7 @@ jobs:
service_account: ${{ inputs.gcp-service-account }}
- id: cosign-install
- uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+ uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
with:
cosign-release: v2.0.0
continue-on-error: true
diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml
index 49182c4ad9..cf787e07ed 100644
--- a/.github/workflows/generator_generic_slsa3.yml
+++ b/.github/workflows/generator_generic_slsa3.yml
@@ -251,7 +251,7 @@ jobs:
- name: Upload the signed provenance
id: upload-prov
continue-on-error: true
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: "${{ steps.sign-prov.outputs.provenance-name }}"
path: "${{ steps.sign-prov.outputs.provenance-name }}"
diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
index cfb3e743dc..e93bf7c39e 100644
--- a/.github/workflows/pre-submit.actions.yml
+++ b/.github/workflows/pre-submit.actions.yml
@@ -27,13 +27,13 @@ jobs:
name: verify no checkout in Actions
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/pre-submit.actions/checkout.sh
check-tscommon-tarball:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Untar the package tarball
working-directory: .github/actions/tscommon
@@ -75,10 +75,10 @@ jobs:
- .github/actions/verify-token
- .github/actions/detect-workflow-js
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set Node.js 18
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
+ uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 18
@@ -98,7 +98,7 @@ jobs:
fi
# If index.js was different from expected, upload the expected version as an artifact
- - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
with:
name: dist
@@ -121,7 +121,7 @@ jobs:
compute-sha256:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: |
echo "foo" > artifact
- id: compute-sha256
@@ -136,7 +136,7 @@ jobs:
rng:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: |
echo "foo" > artifact
- id: rng
@@ -150,10 +150,10 @@ jobs:
references:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: __THIS_REPO__
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: slsa-framework/example-package
ref: main
@@ -175,7 +175,7 @@ jobs:
secure-project-checkout-go:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: __BUILDER_CHECKOUT_DIR__
@@ -188,7 +188,7 @@ jobs:
secure-project-checkout-node:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: __BUILDER_CHECKOUT_DIR__
@@ -208,7 +208,7 @@ jobs:
UPLOAD_FOLDER_NO_ROOT_NAME: "upload-root/upload-folder"
DOWNLOAD_FOLDER_NO_ROOT_NAME: "download-root/download-folder"
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Create folder
run: |
set -euo pipefail
@@ -365,7 +365,7 @@ jobs:
secure-download-artifact:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: __BUILDER_CHECKOUT_DIR__
@@ -392,7 +392,7 @@ jobs:
secure-download-artifact-builder-name:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: __BUILDER_CHECKOUT_DIR__
@@ -425,7 +425,7 @@ jobs:
secure-download-artifact-builder-repo-folder:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: __BUILDER_CHECKOUT_DIR__
@@ -459,7 +459,7 @@ jobs:
secure-download-artifact-builder-repo-file:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: __BUILDER_CHECKOUT_DIR__
@@ -493,7 +493,7 @@ jobs:
generate-builder-generic-compile:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./.github/actions/generate-builder
with:
repository: "slsa-framework/slsa-github-generator"
@@ -507,7 +507,7 @@ jobs:
generate-builder-generic-no-compile:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Detect the builder ref
id: detect
uses: ./.github/actions/detect-workflow-js
@@ -525,7 +525,7 @@ jobs:
generate-attestations:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Test generate attestations
id: generate
uses: ./.github/actions/generate-attestations
diff --git a/.github/workflows/pre-submit.apis.yml b/.github/workflows/pre-submit.apis.yml
index 5bb7c25afb..81ee7c2d64 100644
--- a/.github/workflows/pre-submit.apis.yml
+++ b/.github/workflows/pre-submit.apis.yml
@@ -31,6 +31,6 @@ jobs:
name: verify safe APIs
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Check safe file systems APIs
run: ./.github/workflows/scripts/pre-submit.apis/verify-safefs.sh
diff --git a/.github/workflows/pre-submit.delegators.yml b/.github/workflows/pre-submit.delegators.yml
index e3e815f54f..8bb86549eb 100644
--- a/.github/workflows/pre-submit.delegators.yml
+++ b/.github/workflows/pre-submit.delegators.yml
@@ -27,6 +27,6 @@ jobs:
name: verify identical delegators
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Compare diff between the delegator workflows
run: ./.github/workflows/scripts/pre-submit.delegators/compare-diff.sh
diff --git a/.github/workflows/pre-submit.e2e.container-based.default.yml b/.github/workflows/pre-submit.e2e.container-based.default.yml
index 445b9cc054..4aad66f266 100644
--- a/.github/workflows/pre-submit.e2e.container-based.default.yml
+++ b/.github/workflows/pre-submit.e2e.container-based.default.yml
@@ -45,7 +45,7 @@ jobs:
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }}
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
with:
name: ${{ needs.build-container-based.outputs.build-outputs-name }}
diff --git a/.github/workflows/pre-submit.e2e.generic.default.yml b/.github/workflows/pre-submit.e2e.generic.default.yml
index 2c0ba0be4c..716d472720 100644
--- a/.github/workflows/pre-submit.e2e.generic.default.yml
+++ b/.github/workflows/pre-submit.e2e.generic.default.yml
@@ -46,7 +46,7 @@ jobs:
needs: [build]
if: ${{ always() }}
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.build.outputs.provenance-name }}
@@ -75,7 +75,7 @@ jobs:
runs-on: ubuntu-latest
needs: [build-continue-no-error]
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.build-continue-no-error.outputs.provenance-name }}
@@ -105,7 +105,7 @@ jobs:
runs-on: ubuntu-latest
needs: [build, build-continue-invalid-subjects]
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.build.outputs.provenance-name }}
diff --git a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml
index 287fa91042..f64fde5710 100644
--- a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml
+++ b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml
@@ -64,7 +64,7 @@ jobs:
needs: [build]
if: ${{ always() }}
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.build.outputs.go-binary-name }}
diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml
index 00ea428c85..d63e7ad7f5 100644
--- a/.github/workflows/pre-submit.lint.yml
+++ b/.github/workflows/pre-submit.lint.yml
@@ -31,8 +31,8 @@ jobs:
markdownlint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 16
- run: make markdownlint
@@ -42,10 +42,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup Node.js 16
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
+ uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 16
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: make markdown-toc
- name: markdown-toc
run: ./.github/workflows/scripts/pre-submit.markdown/markdown-toc.sh
@@ -53,8 +53,8 @@ jobs:
golangci-lint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: "go.mod"
- env:
@@ -77,7 +77,7 @@ jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: shellcheck
env:
SHELLCHECK_VERSION: "0.8.0"
@@ -117,7 +117,7 @@ jobs:
yamllint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- env:
YAMLLINT_VERSION: "1.26.3"
run: |
@@ -132,8 +132,8 @@ jobs:
eslint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 16
- run: make eslint
@@ -141,8 +141,8 @@ jobs:
autogen:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: mbrukman/autogen
ref: 9026b78e17573b5dda4bff79033c352443551dc5
diff --git a/.github/workflows/pre-submit.units.yml b/.github/workflows/pre-submit.units.yml
index c77bf180b5..69f8b1054d 100644
--- a/.github/workflows/pre-submit.units.yml
+++ b/.github/workflows/pre-submit.units.yml
@@ -35,15 +35,15 @@ jobs:
if: ${{ always() }}
steps:
- name: Checkout
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: setup-go
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: "go.mod"
- name: Set Node.js 16
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
+ uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 16
@@ -58,12 +58,12 @@ jobs:
if: ${{ always() }}
steps:
- name: Checkout
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: generator
- name: Checkout
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: verifier
repository: slsa-framework/slsa-verifier
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 47ad17eec2..5e5e6b49b2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,10 +34,10 @@ jobs:
name: pre release refs verification
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: __THIS_REPO__
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: slsa-framework/example-package
ref: main
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 3dadbc293d..b6a72e6374 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -39,12 +39,12 @@ jobs:
steps:
- name: "Checkout code"
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+ uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
with:
results_file: results.sarif
results_format: sarif
@@ -63,7 +63,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: SARIF file
path: results.sarif
@@ -71,6 +71,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2
+ uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
with:
sarif_file: results.sarif
diff --git a/actions/gradle/publish/action.yml b/actions/gradle/publish/action.yml
index d2475f9cb5..5fef2d7b46 100644
--- a/actions/gradle/publish/action.yml
+++ b/actions/gradle/publish/action.yml
@@ -50,9 +50,9 @@ inputs:
runs:
using: "composite"
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up JDK
- uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0
+ uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
env:
MAVEN_USERNAME: ${{ inputs.maven-username }}
MAVEN_PASSWORD: ${{ inputs.maven-password }}
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index 9a3c77e458..e7e24fd0ad 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -47,7 +47,7 @@ runs:
- name: Checkout the project repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources.
- name: Set up Java for publishing to Maven Central Repository
- uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0
+ uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
env:
MAVEN_USERNAME: ${{ inputs.maven-username }}
MAVEN_PASSWORD: ${{ inputs.maven-password }}
diff --git a/internal/builders/bazel/action.yml b/internal/builders/bazel/action.yml
index f98ee51898..191ec0fa8f 100644
--- a/internal/builders/bazel/action.yml
+++ b/internal/builders/bazel/action.yml
@@ -53,7 +53,7 @@ runs:
- name: Setup Java
id: java
- uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0
+ uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
with:
distribution: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-distribution }}"
java-version: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-version }}"
diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml
index ef41da1690..1d7c29a31d 100644
--- a/internal/builders/gradle/action.yml
+++ b/internal/builders/gradle/action.yml
@@ -56,14 +56,14 @@ on:
runs:
using: "composite"
steps:
- - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up JDK
- uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0
+ uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
with:
distribution: temurin
java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }}
- name: Setup Gradle
- uses: gradle/gradle-build-action@a4cf152f482c7ca97ef56ead29bf08bcd953284c # v2.7.0
+ uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a # v2.9.0
- name: Run gradle builder
id: run_gradle_builder
shell: bash
diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml
index 2d7697d8d2..bc3ad649ed 100644
--- a/internal/builders/maven/action.yml
+++ b/internal/builders/maven/action.yml
@@ -56,9 +56,9 @@ on:
runs:
using: "composite"
steps:
- - uses: actions/checkout@96f53100ba2a5449eb71d2e6604bbcd94b9449b5 # v 3.5.2
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v 3.5.2
- name: Set up JDK
- uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0
+ uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
with:
distribution: temurin
java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }}
diff --git a/internal/builders/nodejs/action.yml b/internal/builders/nodejs/action.yml
index 1328dfb4be..f605d6207b 100644
--- a/internal/builders/nodejs/action.yml
+++ b/internal/builders/nodejs/action.yml
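Review bot: The updated checkout pin in `internal/builders/maven/action.yml` still carries the comment `# v 3.5.2`, but the SHA `b4ffde65f46336ab88eb53be808477a3936bae11` is the one this same change annotates as `# v4.1.1` in every other file, so the line should read `- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`. In a SHA-pinned workflow the trailing version comment is the only human-readable record of which release the hash is supposed to resolve to, and both reviewers and pin-update tooling rely on it to confirm the hash matches the advertised tag; a stale comment here disguises a major-version move of actions/checkout (v3 to v4) as a no-op refresh. The `runs:` block of this composite action continues past the end of the hunk.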
@@ -65,7 +65,7 @@ runs:
# checkout ourselves.
- name: Setup Node
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
+ uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ fromJson(inputs.slsa-workflow-inputs).node-version }}
node-version-file: ${{ fromJson(inputs.slsa-workflow-inputs).node-version-file }}