diff --git a/.github/actions/generate-builder/action.yml b/.github/actions/generate-builder/action.yml index 250ea483bd..1fdbf5c4c3 100644 --- a/.github/actions/generate-builder/action.yml +++ b/.github/actions/generate-builder/action.yml @@ -76,7 +76,7 @@ runs: token: ${{ inputs.token }} - name: Set up Go environment - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: ${{ inputs.go-version }} diff --git a/.github/actions/secure-builder-checkout/action.yaml b/.github/actions/secure-builder-checkout/action.yaml index 576e20fb94..2ebdc3c318 100644 --- a/.github/actions/secure-builder-checkout/action.yaml +++ b/.github/actions/secure-builder-checkout/action.yaml @@ -37,7 +37,7 @@ runs: # and has an associated release. This will require exceptions # for e2e tests. - name: Checkout the repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} diff --git a/.github/actions/secure-project-checkout-go/action.yml b/.github/actions/secure-project-checkout-go/action.yml index 0a9518dc12..ccd761c5fb 100644 --- a/.github/actions/secure-project-checkout-go/action.yml +++ b/.github/actions/secure-project-checkout-go/action.yml @@ -65,7 +65,7 @@ runs: fi - name: Set up Go environment - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: ${{ steps.validate.outputs.go_version }} go-version-file: ${{ steps.validate.outputs.go_version_file }} diff --git a/.github/actions/secure-project-checkout-node/action.yml b/.github/actions/secure-project-checkout-node/action.yml index a458e426a8..a1df329adc 100644 --- a/.github/actions/secure-project-checkout-node/action.yml +++ b/.github/actions/secure-project-checkout-node/action.yml @@ -41,6 +41,6 @@ runs: path: ${{ inputs.path }} - name: Set up Node environment - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: ${{ inputs.node-version }} diff --git a/.github/actions/secure-project-checkout/action.yaml b/.github/actions/secure-project-checkout/action.yaml index ab12781cd7..2daea036e5 100644 --- a/.github/actions/secure-project-checkout/action.yaml +++ b/.github/actions/secure-project-checkout/action.yaml @@ -40,7 +40,7 @@ runs: using: "composite" steps: - name: Checkout the repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: ${{ inputs.fetch-depth }} ref: ${{ inputs.checkout-sha1 }} diff --git a/.github/actions/secure-upload-artifact/action.yml b/.github/actions/secure-upload-artifact/action.yml index 22e7d9f728..2fdd43c2b0 100644 --- a/.github/actions/secure-upload-artifact/action.yml +++ b/.github/actions/secure-upload-artifact/action.yml @@ -37,7 +37,7 @@ runs: path: "${{ inputs.path }}" - name: Upload the artifact - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ inputs.name }}" path: "${{ inputs.path }}" diff --git a/.github/workflows/builder_container-based_slsa3.yml b/.github/workflows/builder_container-based_slsa3.yml index 6fc2fd3190..fcd45baf12 100644 --- a/.github/workflows/builder_container-based_slsa3.yml +++ b/.github/workflows/builder_container-based_slsa3.yml @@ -209,7 +209,7 @@ jobs: allow-private-repository: ${{ inputs.rekor-log-public }} - name: Upload builder - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}" path: "${{ env.BUILDER_BINARY }}" @@ -228,7 +228,7 @@ jobs: runs-on: ubuntu-latest needs: [rng, detect-env, generate-builder] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Checkout builder repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: @@ -306,7 +306,7 @@ jobs: - id: auth name: Authenticate to Google Cloud if: inputs.gcp-workload-identity-provider != '' - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 + uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 with: token_format: "access_token" workload_identity_provider: ${{ inputs.gcp-workload-identity-provider }} @@ -372,7 +372,7 @@ jobs: set-executable: true - name: Checkout the source repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 1 persist-credentials: false @@ -462,7 +462,7 @@ jobs: # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a # secure upload or verify this against the SLSA layout file. id: upload-artifacts - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: ${{ steps.build.outputs.build-outputs-name }} path: /tmp/build-outputs-${{ needs.rng.outputs.value }} @@ -535,7 +535,7 @@ jobs: - name: Upload unsigned intoto attestations file for pull request if: ${{ github.event_name == 'pull_request' }} id: upload-unsigned - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" path: "attestations-${{ needs.rng.outputs.value }}" @@ -556,7 +556,7 @@ jobs: - name: Upload the signed attestations id: upload-signed if: ${{ github.event_name != 'pull_request' }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" @@ -598,7 +598,7 @@ jobs: path: "${{ needs.provenance.outputs.provenance-name }}" - name: Upload provenance new tag - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 if: startsWith(github.ref, 'refs/tags/') && inputs.upload-tag-name == '' id: release-new-tags with: @@ -609,7 +609,7 @@ jobs: draft: ${{ inputs.draft-release }} - name: Upload provenance tag name - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 if: inputs.upload-tag-name != '' with: prerelease: ${{ inputs.prerelease }} @@ -633,13 +633,13 @@ jobs: SLSA_OUTPUTS_NAME: ${{ needs.build.outputs.slsa-outputs-name }} RNG: ${{ needs.rng.outputs.value }} steps: - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.BUILD_DEFINITION_NAME }}-${{ env.RNG }}" useGlob: true - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.SLSA_OUTPUTS_NAME }}-${{ env.RNG }}" - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.BUILDER_BINARY }}-${{ env.RNG }}" diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index b24a603122..68e1b718b8 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -169,7 +169,7 @@ jobs: allow-private-repository: ${{ inputs.private-repository }} - name: Upload builder - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}" path: "${{ env.BUILDER_BINARY }}" @@ -358,7 +358,7 @@ jobs: --workingDir "$UNTRUSTED_WORKING_DIR" - name: Upload the signed provenance - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ steps.sign-prov.outputs.signed-provenance-name }}" path: "${{ steps.sign-prov.outputs.signed-provenance-name }}" @@ -399,7 +399,7 @@ jobs: sha256: "${{ needs.provenance.outputs.go-provenance-sha256 }}" - name: Upload provenance - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 with: tag_name: ${{ inputs.upload-tag-name }} prerelease: ${{ inputs.prerelease }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 3c2f537533..a67887cc1d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -55,11 +55,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -72,7 +72,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 # Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -85,7 +85,7 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 # NOTE: Checks that the matrix job above completes successfully. # This is necessary because the matrix strategy generates new jobs with diff --git a/.github/workflows/delegator_generic_slsa3.yml b/.github/workflows/delegator_generic_slsa3.yml index 3935e2ca0b..e225aa52b1 100644 --- a/.github/workflows/delegator_generic_slsa3.yml +++ b/.github/workflows/delegator_generic_slsa3.yml @@ -294,9 +294,9 @@ jobs: env: RNG: ${{ needs.rng.outputs.value }} steps: - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.RNG }}-${{ env.SLSA_PREDICATE_FILE }}" - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.RNG }}-${{ env.SLSA_ARTIFACTS_FILE }}" diff --git a/.github/workflows/delegator_lowperms-generic_slsa3.yml b/.github/workflows/delegator_lowperms-generic_slsa3.yml index bfee2d7e95..dee83b5d93 100644 --- a/.github/workflows/delegator_lowperms-generic_slsa3.yml +++ b/.github/workflows/delegator_lowperms-generic_slsa3.yml @@ -297,9 +297,9 @@ jobs: env: RNG: ${{ needs.rng.outputs.value }} steps: - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.RNG }}-${{ env.SLSA_PREDICATE_FILE }}" - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.RNG }}-${{ env.SLSA_ARTIFACTS_FILE }}" diff --git a/.github/workflows/e2e.create-container_based-predicate.schedule.yml b/.github/workflows/e2e.create-container_based-predicate.schedule.yml index cf98d6c223..df19967065 100644 --- a/.github/workflows/e2e.create-container_based-predicate.schedule.yml +++ b/.github/workflows/e2e.create-container_based-predicate.schedule.yml @@ -39,7 +39,7 @@ jobs: permissions: id-token: write # Needed to detect the current reusable repository and ref. steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Detect the builder ref id: detect uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main @@ -71,7 +71,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main @@ -85,7 +85,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.detect-workflow-js.schedule.yml b/.github/workflows/e2e.detect-workflow-js.schedule.yml index cb803f447c..f440f52842 100644 --- a/.github/workflows/e2e.detect-workflow-js.schedule.yml +++ b/.github/workflows/e2e.detect-workflow-js.schedule.yml @@ -33,7 +33,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: detect uses: ./.github/actions/detect-workflow-js - id: verify @@ -70,7 +70,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main @@ -84,7 +84,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.sign-attestations.schedule.yml b/.github/workflows/e2e.sign-attestations.schedule.yml index b3d279e770..946e74538a 100644 --- a/.github/workflows/e2e.sign-attestations.schedule.yml +++ b/.github/workflows/e2e.sign-attestations.schedule.yml @@ -33,14 +33,14 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: setup uses: ./.github/actions/sign-attestations with: attestations: .github/actions/sign-attestations/testdata/attestations output-folder: outputs - name: Setup node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4 with: node-version: 20 - name: install sigstore-js @@ -62,7 +62,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main @@ -76,7 +76,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.upload-folder.schedule.yml b/.github/workflows/e2e.upload-folder.schedule.yml index cce2a8847e..382b1ba23d 100644 --- a/.github/workflows/e2e.upload-folder.schedule.yml +++ b/.github/workflows/e2e.upload-folder.schedule.yml @@ -37,7 +37,7 @@ jobs: sha256: ${{ steps.upload.outputs.sha256 }} sha256-noroot: ${{ steps.upload-noroot.outputs.sha256 }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Create folder run: | set -euo pipefail @@ -100,7 +100,7 @@ jobs: needs: [secure-upload-folder] runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Download in new folder uses: ./.github/actions/secure-download-folder @@ -180,7 +180,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main @@ -194,7 +194,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml index 5ef7bcb1a3..348ee0d459 100644 --- a/.github/workflows/generator_container_slsa3.yml +++ b/.github/workflows/generator_container_slsa3.yml @@ -158,14 +158,14 @@ jobs: - id: auth name: Authenticate to Google Cloud if: inputs.gcp-workload-identity-provider != '' - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 + uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 with: token_format: "access_token" workload_identity_provider: ${{ inputs.gcp-workload-identity-provider }} service_account: ${{ inputs.gcp-service-account }} - id: cosign-install - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 with: cosign-release: v2.2.3 continue-on-error: true diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml index 3b3d58fb17..96732a0bb1 100644 --- a/.github/workflows/generator_generic_slsa3.yml +++ b/.github/workflows/generator_generic_slsa3.yml @@ -239,7 +239,7 @@ jobs: - name: Upload the signed provenance id: upload-prov continue-on-error: true - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ steps.sign-prov.outputs.provenance-name }}" path: "${{ steps.sign-prov.outputs.provenance-name }}" @@ -285,7 +285,7 @@ jobs: sha256: "${{ needs.generator.outputs.provenance-sha256 }}" - name: Upload provenance - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 id: release with: draft: ${{ inputs.draft-release }} diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index 6ead6c089f..eba9f47fc2 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -27,13 +27,13 @@ jobs: name: verify no checkout in Actions runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: ./.github/workflows/scripts/pre-submit.actions/checkout.sh check-tscommon-tarball: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Untar the package tarball working-directory: .github/actions/tscommon @@ -75,10 +75,10 @@ jobs: - .github/actions/verify-token - .github/actions/detect-workflow-js steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set Node.js 18 - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 18 @@ -98,7 +98,7 @@ jobs: fi # If index.js was different from expected, upload the expected version as an artifact - - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: ${{ failure() && steps.diff.conclusion == 'failure' }} with: name: dist @@ -121,7 +121,7 @@ jobs: compute-sha256: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: | echo "foo" > artifact - id: compute-sha256 @@ -136,7 +136,7 @@ jobs: rng: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: | echo "foo" > artifact - id: rng @@ -150,10 +150,10 @@ jobs: references: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __THIS_REPO__ - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main @@ -176,7 +176,7 @@ jobs: secure-project-checkout-go: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -189,7 +189,7 @@ jobs: secure-project-checkout-node: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -209,7 +209,7 @@ jobs: UPLOAD_FOLDER_NO_ROOT_NAME: "upload-root/upload-folder" DOWNLOAD_FOLDER_NO_ROOT_NAME: "download-root/download-folder" steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Create folder run: | set -euo pipefail @@ -366,7 +366,7 @@ jobs: secure-download-artifact: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -393,7 +393,7 @@ jobs: secure-download-artifact-builder-name: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -426,7 +426,7 @@ jobs: secure-download-artifact-builder-repo-folder: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -460,7 +460,7 @@ jobs: secure-download-artifact-builder-repo-file: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -494,7 +494,7 @@ jobs: generate-builder-generic-compile: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/generate-builder with: repository: "slsa-framework/slsa-github-generator" @@ -508,7 +508,7 @@ jobs: generate-builder-generic-no-compile: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Detect the builder ref id: detect uses: ./.github/actions/detect-workflow-js @@ -526,7 +526,7 @@ jobs: generate-attestations: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Test generate attestations id: generate uses: ./.github/actions/generate-attestations diff --git a/.github/workflows/pre-submit.apis.yml b/.github/workflows/pre-submit.apis.yml index f97a3c3899..f67be755fc 100644 --- a/.github/workflows/pre-submit.apis.yml +++ b/.github/workflows/pre-submit.apis.yml @@ -31,6 +31,6 @@ jobs: name: verify safe APIs runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Check safe file systems APIs run: ./.github/workflows/scripts/pre-submit.apis/verify-safefs.sh diff --git a/.github/workflows/pre-submit.delegators.yml b/.github/workflows/pre-submit.delegators.yml index bfe1c4f075..07b6d2818b 100644 --- a/.github/workflows/pre-submit.delegators.yml +++ b/.github/workflows/pre-submit.delegators.yml @@ -27,6 +27,6 @@ jobs: name: verify identical delegators runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Compare diff between the delegator workflows run: ./.github/workflows/scripts/pre-submit.delegators/compare-diff.sh diff --git a/.github/workflows/pre-submit.e2e.container-based.default.yml b/.github/workflows/pre-submit.e2e.container-based.default.yml index 699a17b28b..5dc9d90c73 100644 --- a/.github/workflows/pre-submit.e2e.container-based.default.yml +++ b/.github/workflows/pre-submit.e2e.container-based.default.yml @@ -45,7 +45,7 @@ jobs: HEAD_SHA: ${{ github.event.pull_request.head.sha }} GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.build-container-based.outputs.build-outputs-name }} diff --git a/.github/workflows/pre-submit.e2e.generic.default.yml b/.github/workflows/pre-submit.e2e.generic.default.yml index b2c10a899c..f140535513 100644 --- a/.github/workflows/pre-submit.e2e.generic.default.yml +++ b/.github/workflows/pre-submit.e2e.generic.default.yml @@ -47,7 +47,7 @@ jobs: needs: [build] if: ${{ always() }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.build.outputs.provenance-name }} @@ -77,7 +77,7 @@ jobs: runs-on: ubuntu-latest needs: [build-continue-no-error] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.build-continue-no-error.outputs.provenance-name }} @@ -108,7 +108,7 @@ jobs: runs-on: ubuntu-latest needs: [build, build-continue-invalid-subjects] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.build.outputs.provenance-name }} diff --git a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml index 904c028df5..31cafd407d 100644 --- a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml +++ b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml @@ -64,7 +64,7 @@ jobs: needs: [build] if: ${{ always() }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.build.outputs.go-binary-name }} diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml index 76eca508ae..edb9ccb0a5 100644 --- a/.github/workflows/pre-submit.lint.yml +++ b/.github/workflows/pre-submit.lint.yml @@ -31,8 +31,8 @@ jobs: formatting: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: "1.22.3" - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 @@ -73,8 +73,8 @@ jobs: markdownlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20 - run: make markdownlint @@ -82,8 +82,8 @@ jobs: golangci-lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version-file: "go.mod" - env: @@ -106,7 +106,7 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: shellcheck env: SHELLCHECK_VERSION: "0.10.0" @@ -146,7 +146,7 @@ jobs: yamllint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: | set -euo pipefail @@ -159,8 +159,8 @@ jobs: eslint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20 - run: make eslint @@ -168,8 +168,8 @@ jobs: renovate-config-validator: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20 - run: make renovate-config-validator diff --git a/.github/workflows/pre-submit.units.yml b/.github/workflows/pre-submit.units.yml index 049b39ea17..e70254e335 100644 --- a/.github/workflows/pre-submit.units.yml +++ b/.github/workflows/pre-submit.units.yml @@ -35,15 +35,15 @@ jobs: if: ${{ always() }} steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: setup-go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version-file: "go.mod" - name: Set Node.js 16 - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 16 @@ -58,12 +58,12 @@ jobs: if: ${{ always() }} steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: generator - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: verifier repository: slsa-framework/slsa-verifier diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dd3ccfc980..4e4b5fcce7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -34,10 +34,10 @@ jobs: name: pre release refs verification runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __THIS_REPO__ - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/schedule.issue-reopener.yml b/.github/workflows/schedule.issue-reopener.yml index c47edfe355..c68a38c99b 100644 --- a/.github/workflows/schedule.issue-reopener.yml +++ b/.github/workflows/schedule.issue-reopener.yml @@ -27,6 +27,6 @@ jobs: permissions: issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Issue Reopener - uses: ianlewis/todo-issue-reopener@339a05bfcc934adf6aa425b968a2d2f2af4f12ad # v1.2.1 + uses: ianlewis/todo-issue-reopener@1a99cfd93fb95eb4f212a1ebaf3e9ef8ba4c46f8 # v1.4.0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 627da1a154..dbf632ea0d 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -39,7 +39,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -63,7 +63,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: SARIF file path: results.sarif @@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 with: sarif_file: results.sarif diff --git a/.github/workflows/update-actions-dist-post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml index c5debf276c..b64909ad22 100644 --- a/.github/workflows/update-actions-dist-post-commit.yml +++ b/.github/workflows/update-actions-dist-post-commit.yml @@ -46,7 +46,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ${{ github.repository }} persist-credentials: false @@ -75,7 +75,7 @@ jobs: [ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT" - name: upload - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: changes.patch path: changes.patch @@ -90,7 +90,7 @@ jobs: contents: write steps: - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: checkout-pr env: GH_TOKEN: ${{ github.token }} diff --git a/actions/gradle/publish/action.yml b/actions/gradle/publish/action.yml index 842b5d4532..a3cc41ea03 100644 --- a/actions/gradle/publish/action.yml +++ b/actions/gradle/publish/action.yml @@ -50,9 +50,9 @@ inputs: runs: using: "composite" steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 env: MAVEN_USERNAME: ${{ inputs.maven-username }} MAVEN_PASSWORD: ${{ inputs.maven-password }} diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 34775f3fb0..6ce598c7d5 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -47,7 +47,7 @@ runs: - name: Checkout the project repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources. - name: Set up Java for publishing to Maven Central Repository - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 env: MAVEN_USERNAME: ${{ inputs.maven-username }} MAVEN_PASSWORD: ${{ inputs.maven-password }} diff --git a/internal/builders/bazel/action.yml b/internal/builders/bazel/action.yml index d5388162f5..ad53f1f6bc 100644 --- a/internal/builders/bazel/action.yml +++ b/internal/builders/bazel/action.yml @@ -53,7 +53,7 @@ runs: - name: Setup Java id: java - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: distribution: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-distribution }}" java-version: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-version }}" diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml index 52674ae484..756e1e20ce 100644 --- a/internal/builders/gradle/action.yml +++ b/internal/builders/gradle/action.yml @@ -56,9 +56,9 @@ on: runs: using: "composite" steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 5aafd4f22b..87a926adb1 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -56,9 +56,9 @@ on: runs: using: "composite" steps: - - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v 3.5.2 + - uses: actions/checkout@3b9b8c884f6b4bb4d5be2779c26374abadae0871 # v 3.5.2 - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} diff --git a/internal/builders/nodejs/action.yml b/internal/builders/nodejs/action.yml index f7bfd7564d..de5f72a1d6 100644 --- a/internal/builders/nodejs/action.yml +++ b/internal/builders/nodejs/action.yml @@ -65,7 +65,7 @@ runs: # checkout ourselves. - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: ${{ fromJson(inputs.slsa-workflow-inputs).node-version }} node-version-file: ${{ fromJson(inputs.slsa-workflow-inputs).node-version-file }}