diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index ffc27fb78..aaa459317 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -20,7 +20,7 @@ jobs: # The FOSSA token is shared between all repos in NeuVector's GH org. It can # be used directly and there is no need to request specific access to EIO. - name: Read FOSSA token - uses: rancher-eio/read-vault-secrets@7282bf97898cd1c16c89f837e0bb442e6d384c89 # v3 + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 with: secrets: | secret/data/github/org/neuvector/fossa/credentials token | FOSSA_API_KEY_PUSH_ONLY diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index bfe6d7059..314b307e0 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -15,10 +15,10 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version-file: "go.mod" - name: golangci-lint - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 + uses: golangci/golangci-lint-action@ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a # v9.3.0 with: - version: v2.9.0 + version: v2.12.2 diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml index 3286a036a..cb0c41c0a 100644 --- a/.github/workflows/govulncheck.yml +++ b/.github/workflows/govulncheck.yml @@ -20,7 +20,7 @@ jobs: with: persist-credentials: false - name: Install Golang - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version-file: "go.mod" check-latest: true # Always check for the latest patch release diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 57d23ac03..707c92657 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,7 +20,7 @@ jobs: - name: Checkout code uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Load Secrets from Vault - uses: rancher-eio/read-vault-secrets@7282bf97898cd1c16c89f837e0bb442e6d384c89 # v3 + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 with: secrets: | secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | RANCHER_DOCKER_USERNAME ; @@ -38,7 +38,7 @@ jobs: run: | wget https://${{ secrets.VULNDB_SERVER }}/${TAG}/cvedb.regular -O data/cvedb.regular - name: Publish neuvector manifest - uses: rancher/ecm-distro-tools/actions/publish-image@a7a867a6376bf4a1cee397558f3c85393769f069 # v0.69.4 + uses: rancher/ecm-distro-tools/actions/publish-image@e9b6789032dbe9e289ccc6f7532da8fd349922b3 # v0.75.0 with: push-to-public: true push-to-prime: false @@ -51,7 +51,7 @@ jobs: public-username: ${{ env.DOCKER_USERNAME }} public-password: ${{ env.DOCKER_PASSWORD }} - name: Publish rancher manifest - uses: rancher/ecm-distro-tools/actions/publish-image@a7a867a6376bf4a1cee397558f3c85393769f069 # v0.69.4 + uses: rancher/ecm-distro-tools/actions/publish-image@e9b6789032dbe9e289ccc6f7532da8fd349922b3 # v0.75.0 env: IMAGE_PREFIX: neuvector- with: @@ -81,7 +81,7 @@ jobs: - name: Checkout code uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Load Secrets from Vault - uses: rancher-eio/read-vault-secrets@7282bf97898cd1c16c89f837e0bb442e6d384c89 # v3 + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 with: secrets: | secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | RANCHER_DOCKER_USERNAME ; @@ -103,7 +103,7 @@ jobs: fi - name: Login to registry if: env.UPDATE_MUTABLE_TAG == 'True' - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4 with: registry: docker.io username: ${{ env.DOCKER_USERNAME }} @@ -114,7 +114,7 @@ jobs: docker buildx imagetools create --tag docker.io/${{ github.repository_owner }}/scanner:6 docker.io/${{ github.repository_owner }}/scanner:${TAG} - name: Login to registry if: env.UPDATE_MUTABLE_TAG == 'True' - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4 with: registry: ${{ env.PRIME_REGISTRY }} username: ${{ env.PRIME_REGISTRY_USERNAME }} @@ -125,7 +125,7 @@ jobs: docker buildx imagetools create --tag ${PRIME_REGISTRY}/rancher/neuvector-scanner:6 ${PRIME_REGISTRY}/rancher/neuvector-scanner:${TAG} - name: Login to registry if: env.UPDATE_MUTABLE_TAG == 'True' - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4 with: registry: docker.io username: ${{ env.RANCHER_DOCKER_USERNAME }} diff --git a/.github/workflows/renovate-vault.yml b/.github/workflows/renovate-vault.yml index 86966438e..a43ab5fde 100644 --- a/.github/workflows/renovate-vault.yml +++ b/.github/workflows/renovate-vault.yml @@ -22,7 +22,7 @@ permissions: jobs: call-workflow: - uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@ca9c958fbffc610174a76e09c559f6c5d8af913a # release + uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@de9ca81f299efaaeac1890bf71c8d6c3598f81a8 # release with: logLevel: ${{ inputs.logLevel || 'info' }} overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }} diff --git a/.github/workflows/unitest.yaml b/.github/workflows/unitest.yaml index bbfea0083..8f2bcb8a9 100644 --- a/.github/workflows/unitest.yaml +++ b/.github/workflows/unitest.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6 with: go-version-file: "go.mod" - run: | diff --git a/.github/workflows/updatecli.yml b/.github/workflows/updatecli.yml index 6a6184f36..efe3a7546 100644 --- a/.github/workflows/updatecli.yml +++ b/.github/workflows/updatecli.yml @@ -28,7 +28,7 @@ jobs: persist-credentials: false - name: Install Updatecli in the runner - uses: updatecli/updatecli-action@e71be7554f3f940bc439cf720b3e4e379823c562 # v3.2.0 + uses: updatecli/updatecli-action@5bda7da77bf4d181bce5f807d73d832b62062acf # v3.3.0 - name: Run Updatecli (dryrun) if: github.ref != 'refs/heads/main'