diff --git a/.github/workflows/cid-ossf.yml b/.github/workflows/cid-ossf.yml
index 8a7fa93..02c64eb 100644
--- a/.github/workflows/cid-ossf.yml
+++ b/.github/workflows/cid-ossf.yml
@@ -1,4 +1,4 @@
-# cid-workflow-version: 0.0.17
+# cid-workflow-version: 0.0.23
 # This file is generated by the CID Workflow GitHub App.
 # DO NOT EDIT!
@@ -36,7 +36,7 @@ jobs:
 contents: read # required in private repos
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -60,25 +60,27 @@ jobs:
 repo1.maven.org:443
 services.gradle.org:443
 uploads.github.com:443
+ api.securityscorecards.dev:443
+ api.scorecard.dev:443
+ api.deps.dev:443
 api.osv.dev:443
 www.bestpractices.dev:443
 oss-fuzz-build-logs.storage.googleapis.com:443
 rekor.sigstore.dev:443
 fulcio.sigstore.dev:443
 tuf-repo-cdn.sigstore.dev:443
- api.securityscorecards.dev:443
 - name: Checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 persist-credentials: false
 - name: OSSF Analysis
- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
 with:
 results_file: results.sarif
 results_format: sarif
 publish_results: true # publish results to OpenSSF REST API
 - name: Upload Analysis Result
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 with:
 name: SARIF file
 path: results.sarif
diff --git a/.github/workflows/cid-pullrequest.yml b/.github/workflows/cid-pullrequest.yml
index 6986f04..f4fa996 100644
--- a/.github/workflows/cid-pullrequest.yml
+++ b/.github/workflows/cid-pullrequest.yml
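Review bot: In the `@@ -60,25 +60,27 @@` hunk the egress allowlist now carries both the legacy `api.securityscorecards.dev:443` and the new `api.scorecard.dev:443` (plus `api.deps.dev:443`), and nothing records which step needs which host, so the list can only grow. Presumably the `ossf/scorecard-action` bump to v2.4.0 in the same hunk is what introduced the new hosts; if v2.4.0 is confirmed not to contact the legacy host, dropping it keeps the runner's allowed egress minimal. A comment such as `# api.scorecard.dev / api.deps.dev: added with ossf/scorecard-action v2.4.0; api.securityscorecards.dev kept for the legacy API — confirm still needed` would make that pruning safe later, but it must sit above the key that holds this list, not between the entries, because inside a block scalar a `#` line becomes part of the value and would be passed to harden-runner as an endpoint. Since the file is generated (`DO NOT EDIT!`), the comment belongs in the CID workflow template. The `with:` block that holds this list starts before the hunk, so the key name and the egress policy in force are not visible here.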
@@ -1,4 +1,4 @@
-# cid-workflow-version: 0.0.17
+# cid-workflow-version: 0.0.23
 # This file is generated by the CID Workflow GitHub App.
 # DO NOT EDIT!
@@ -79,10 +79,10 @@ env:
 EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: ""
 EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: ""
 EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >-
- semgrep.dev:443
- sonarcloud.io:443
 api.sonarcloud.io:443
 scanner.sonarcloud.io:443
+ semgrep.dev:443
+ sonarcloud.io:443
 EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: ""
 EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >-
 maven.pkg.github.com
@@ -99,7 +99,7 @@ jobs:
 if: ${{ github.event.inputs.loglevel == 'debug' }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -110,7 +110,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
 - name: info
@@ -132,7 +132,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -143,7 +143,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
 - name: build
@@ -153,7 +153,7 @@ jobs:
 run: |
 cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build
 - name: upload artifacts
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 with:
 name: build-${{ github.run_id }}
 path: .dist
@@ -167,7 +167,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -178,7 +178,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
 - name: test
@@ -188,7 +188,7 @@ jobs:
 run: |
 cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test
 - name: upload artifacts
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 with:
 name: test-${{ github.run_id }}
 path: .dist
@@ -204,7 +204,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -215,17 +215,17 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
 - name: download artifacts > build
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: build-${{ github.run_id }}
 path: .dist
 continue-on-error: true
 - name: download artifacts > test
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: test-${{ github.run_id }}
 path: .dist
diff --git a/.github/workflows/cid.yml b/.github/workflows/cid.yml
index 7272fce..40eed21 100644
--- a/.github/workflows/cid.yml
+++ b/.github/workflows/cid.yml
@@ -1,4 +1,4 @@
-# cid-workflow-version: 0.0.17
+# cid-workflow-version: 0.0.23
 # This file is generated by the CID Workflow GitHub App.
 # DO NOT EDIT!
@@ -81,10 +81,10 @@ env:
 EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: ""
 EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: ""
 EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >-
- semgrep.dev:443
- sonarcloud.io:443
 api.sonarcloud.io:443
 scanner.sonarcloud.io:443
+ semgrep.dev:443
+ sonarcloud.io:443
 EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: ""
 EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >-
 maven.pkg.github.com
@@ -101,7 +101,7 @@ jobs:
 if: ${{ github.event.inputs.loglevel == 'debug' }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -112,7 +112,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
 - name: info
@@ -134,7 +134,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -145,7 +145,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
 - name: build
@@ -155,7 +155,7 @@ jobs:
 run: |
 cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build
 - name: upload artifacts
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 with:
 name: build-${{ github.run_id }}
 path: .dist
@@ -169,7 +169,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -180,7 +180,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
 - name: test
@@ -190,7 +190,7 @@ jobs:
 run: |
 cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test
 - name: upload artifacts
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 with:
 name: test-${{ github.run_id }}
 path: .dist
@@ -206,7 +206,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -217,17 +217,17 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
 - name: download artifacts > build
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: build-${{ github.run_id }}
 path: .dist
 continue-on-error: true
 - name: download artifacts > test
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: test-${{ github.run_id }}
 path: .dist
@@ -253,7 +253,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -264,11 +264,11 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
 - name: download artifacts > build
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: build-${{ github.run_id }}
 path: .dist
@@ -280,7 +280,7 @@ jobs:
 run: |
 cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage package
 - name: upload artifacts
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 with:
 name: package-${{ github.run_id }}
 path: .dist
@@ -300,7 +300,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -311,11 +311,11 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
 - name: download artifacts > package
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: package-${{ github.run_id }}
 path: .dist