From bdef0cbf8dfa1ba8c7c3794a04186cffd7e17a2e Mon Sep 17 00:00:00 2001
From: Venelin Bakalov
Date: Fri, 10 Jan 2025 12:58:21 +0200
Subject: [PATCH 1/3] Add commit hashes to action dependencies

Signed-off-by: Venelin Bakalov
---
 .github/workflows/build.yml | 4 ++--
 .github/workflows/release-drafter.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 .github/workflows/trivy.yml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ba1fdd4de..0f6381563 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -35,7 +35,7 @@ jobs:
 node-version: ${{ matrix.node }}

 - name: Setup Maven Action
- uses: s4u/setup-maven-action@v1.17.0
+ uses: s4u/setup-maven-action@9a27433d289dd99d73851f653607c39d3444e8ba #v1.17.0
 with:
 java-version: ${{ matrix.java }}
 java-distribution: "temurin"
@@ -78,7 +78,7 @@ jobs:

 - name: Import GPG Key
 if: ${{ github.ref == 'refs/heads/main' }}
- uses: crazy-max/ghaction-import-gpg@v6
+ uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6
 with:
 gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
 passphrase: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 2e637e7b7..a77154322 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -28,7 +28,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Drafts your next Release notes as Pull Requests are merged into "main"
- - uses: release-drafter/release-drafter@v6
+ - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6
 with:
 config-name: release-drafter.yml
 env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 290b34754..9c8424cbf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
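Review bot: The version comment on the new `uses:` line in the `@@ -35,7` hunk of build.yml is written `#v1.17.0` with no space after the hash, whereas the other pins in this patch use `# v6` and `# 0.29.0`; yamllint's `comments` rule flags the missing space, and tooling that refreshes SHA-pinned actions (Dependabot, Renovate) commonly keys off the conventional `# vX.Y.Z` form when rewriting the comment alongside the hash. Suggest `uses: s4u/setup-maven-action@9a27433d289dd99d73851f653607c39d3444e8ba # v1.17.0`. The same spelling recurs in the release.yml hunk of this patch and in both hunks of the third patch (`#v1.18.0`), so one sweep fixes all four. The job containing this step starts outside the hunk.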
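Review bot: In the `@@ -78,7` hunk of build.yml the new `ghaction-import-gpg` pin carries only the floating major tag `# v6`, so a reader cannot tell which v6.x.y release the SHA `82a020f1f7f605c65dd2449b392a52c3fcfef7ef` was resolved from, and a reviewer has no stated version to verify the hash against. Record the exact tag instead, `uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.X.Y` with X.Y being the release the SHA was actually taken from. This step runs only on `refs/heads/main` and receives `secrets.GPG_PRIVATE_KEY`, which is where an auditable pin matters most. The release-drafter hunk has the same `# v6` comment on `3f0f87098bd6b5c5b9a36d49c41d998ea58f9348` and should get the same treatment. The job containing this step starts outside the hunk.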
@@ -51,7 +51,7 @@ jobs:
 run: sudo apt-get install libxml2-utils

 - name: Setup Maven Action
- uses: s4u/setup-maven-action@v1.17.0
+ uses: s4u/setup-maven-action@9a27433d289dd99d73851f653607c39d3444e8ba #v1.17.0
 with:
 java-version: 17
 java-distribution: "temurin"
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index e7ac0bae7..575ba74ef 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -19,7 +19,7 @@ jobs:
 uses: actions/checkout@v4

 - name: Run Trivy vulnerability scanner in fs mode
- uses: aquasecurity/trivy-action@0.29.0
+ uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
 with:
 scan-type: 'fs'
 scan-ref: '.'

From 2fc31ca3e2849d9b9d88c1b9e74afbc246a03f78 Mon Sep 17 00:00:00 2001
From: Venelin Bakalov
Date: Fri, 10 Jan 2025 13:15:48 +0200
Subject: [PATCH 2/3] Extend trivy permissions

Signed-off-by: Venelin Bakalov
---
 .github/workflows/trivy.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 575ba74ef..541309bd6 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -11,6 +11,7 @@ jobs:
 runs-on: ubuntu-22.04
 permissions:
 contents: write
+ actions: write
 env:
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db

From 4551e5a90565e365428694c125c4bdaf729bf34a Mon Sep 17 00:00:00 2001
From: Venelin Bakalov
Date: Fri, 10 Jan 2025 14:29:21 +0200
Subject: [PATCH 3/3] Bump setup mvn action to 1.18

Signed-off-by: Venelin Bakalov
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0f6381563..6d1ff78c9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
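Review bot: In the `@@ -19,7` hunk of trivy.yml, `actions/checkout@v4` on the context line two above the changed step stays on a mutable tag while `aquasecurity/trivy-action` in the same job is now pinned to `18f2510ee396bbf400402947b394f2dd8c87dbb0`, so the commit's stated goal is only half met for this file; checkout runs first and with the same job token as the scanner. Pin it the same way, `uses: actions/checkout@<full commit SHA of the chosen v4 release> # v4.X.Y`, keeping the resolved version in the trailing comment. The checkout steps of build.yml, release.yml and release-drafter.yml are not visible in this series and presumably need the same pass. The job definition starts outside the hunk.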
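Review bot: The `actions: write` added in the `@@ -11,6 +11,7` hunk of trivy.yml widens the job's `GITHUB_TOKEN` to the Actions API (cancelling or re-running workflow runs, deleting artifacts and caches, among others), and neither the hunk nor the commit message "Extend trivy permissions" says what needs it, so a later reader cannot tell whether it is still required or safe to drop. Put the reason on the line itself, `actions: write  # needed for <reason — fill in, e.g. the trivy-action feature that requests it>`, and if it is for trivy-action's cache handling, confirm against the action's documentation that this scope is the minimum it asks for. Together with the pre-existing `contents: write` on the line above, a job whose visible step is a filesystem scan now holds two write scopes; if nothing in the job pushes commits, `contents: read` is worth a follow-up. The job header is outside the hunk.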
@@ -35,7 +35,7 @@ jobs:
 node-version: ${{ matrix.node }}

 - name: Setup Maven Action
- uses: s4u/setup-maven-action@9a27433d289dd99d73851f653607c39d3444e8ba #v1.17.0
+ uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 #v1.18.0
 with:
 java-version: ${{ matrix.java }}
 java-distribution: "temurin"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9c8424cbf..bef4e7880 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -51,7 +51,7 @@ jobs:
 run: sudo apt-get install libxml2-utils

 - name: Setup Maven Action
- uses: s4u/setup-maven-action@9a27433d289dd99d73851f653607c39d3444e8ba #v1.17.0
+ uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 #v1.18.0
 with:
 java-version: 17
 java-distribution: "temurin"