From 7b5640a4bdd78d26de88b312bc710ca27b6f4a7f Mon Sep 17 00:00:00 2001
From: "cid-workflow[bot]" <142626371+cid-workflow[bot]@users.noreply.github.com>
Date: Wed, 22 May 2024 21:15:19 +0200
Subject: [PATCH] ci: update cid github actions workflow from 0.0.14 to 0.0.17 (#62)
Co-authored-by: cid-workflow[bot] <142626371+cid-workflow[bot]@users.noreply.github.com>
---
 .github/workflows/cid-ossf.yml | 30 +++++++++----
 .github/workflows/cid-pullrequest.yml | 42 ++++++++++--------
 .github/workflows/cid.yml | 62 +++++++++++++++------------
 3 files changed, 79 insertions(+), 55 deletions(-)
diff --git a/.github/workflows/cid-ossf.yml b/.github/workflows/cid-ossf.yml
index abbccf9..8a7fa93 100644
--- a/.github/workflows/cid-ossf.yml
+++ b/.github/workflows/cid-ossf.yml
@@ -1,10 +1,10 @@
-# cid-workflow-version: 0.0.14 +# cid-workflow-version: 0.0.17 # This file is generated by the CID Workflow GitHub App. # DO NOT EDIT! # name -name: OSSF Scorecard +name: CID - OSSF Scorecard on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
@@ -13,8 +13,8 @@ on: # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '40 23 * * 5' - push: - branches: [ 'main' ] + # Allow manual triggering of the workflow + workflow_dispatch: # Read Permissions. See # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
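Review bot: Replacing `push: branches: [ 'main' ]` with `workflow_dispatch:` in the second hunk means the Scorecard job no longer re-runs when a change lands on the default branch, so the published score only refreshes on the Friday cron or when someone starts the workflow by hand. A `workflow_dispatch` run can also be started from a non-default ref, while the context above states `Only the default branch is supported` and the job (in a later hunk) sets `publish_results: true`; it is worth confirming that a manual run from another ref fails visibly rather than publishing or silently skipping. A comment next to the new trigger such as `# Manual runs should be started from the default branch; results are otherwise refreshed by the weekly schedule` would make the intent clear to whoever triggers it. The `on:` block continues past the end of the hunk.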
@@ -36,17 +36,31 @@ jobs: contents: read # required in private repos steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: block allowed-endpoints: >- api.github.com:443 + cdn01.quay.io:443 + cdn02.quay.io:443 + cdn03.quay.io:443 + codeload.github.com:443 + downloads.gradle.org:443 github.com:443 + jcenter.bintray.com:443 + kotlinlang.org:443 objects.githubusercontent.com:443 + plugins-artifacts.gradle.org:443 + plugins.gradle.org:443 + quay.io:443 raw.githubusercontent.com:443 + repo.maven.apache.org:443 + repo1.maven.org:443 + services.gradle.org:443 + uploads.github.com:443 api.osv.dev:443 - codeload.github.com:443 www.bestpractices.dev:443 oss-fuzz-build-logs.storage.googleapis.com:443 rekor.sigstore.dev:443
@@ -54,7 +68,7 @@ jobs: tuf-repo-cdn.sigstore.dev:443 api.securityscorecards.dev:443 - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: persist-credentials: false - name: OSSF Analysis
@@ -64,7 +78,7 @@ jobs: results_format: sarif publish_results: true # publish results to OpenSSF REST API - name: Upload Analysis Result - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: SARIF file path: results.sarif
diff --git a/.github/workflows/cid-pullrequest.yml b/.github/workflows/cid-pullrequest.yml
index 9985abc..29621fc 100644
--- a/.github/workflows/cid-pullrequest.yml
+++ b/.github/workflows/cid-pullrequest.yml
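Review bot: The Harden Runner `allowed-endpoints` list for the Scorecard job now admits Gradle, Maven, Kotlin and Quay hosts (`downloads.gradle.org`, `plugins.gradle.org`, `repo1.maven.org`, `quay.io` and the `cdn0*.quay.io` mirrors, among others), yet the only steps visible in this file are the checkout, the OSSF analysis and an artifact upload, none of which appears to need a build toolchain. An egress allowlist is only as useful as it is tight — every host the job never contacts is extra reach for a compromised step — so the generator should emit a scorecard-specific list here instead of the shared build list. `jcenter.bintray.com:443` in particular looks like a legacy entry (JCenter was sunset by its operator); confirm nothing still resolves from it before dropping it from all three workflows. The equivalent hunks in cid-pullrequest.yml and cid.yml only add `codeload.github.com:443` to an already existing build allowlist and do not have this problem. The job definition begins above the hunk.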
@@ -1,10 +1,10 @@
-# cid-workflow-version: 0.0.14 +# cid-workflow-version: 0.0.17 # This file is generated by the CID Workflow GitHub App. # DO NOT EDIT! # name -name: cid-pullrequest +name: CID - PullRequest # triggers on:
@@ -26,7 +26,6 @@ on: paths-ignore: - README.md - LICENSE - - .github/** - .gitignore - .editorconfig - renovate.json
@@ -63,6 +62,7 @@ env: cdn01.quay.io:443 cdn02.quay.io:443 cdn03.quay.io:443 + codeload.github.com:443 downloads.gradle.org:443 github.com:443 jcenter.bintray.com:443
@@ -98,17 +98,18 @@ jobs: if: ${{ github.event.inputs.loglevel == 'debug' }} steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: info
@@ -130,17 +131,18 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: build
@@ -150,7 +152,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build - name: upload artifacts - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: build-${{ github.run_id }} path: .dist
@@ -164,17 +166,18 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: test
@@ -184,7 +187,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test - name: upload artifacts - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: test-${{ github.run_id }} path: .dist
@@ -200,27 +203,28 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: download artifacts > build - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: build-${{ github.run_id }} path: .dist continue-on-error: true - name: download artifacts > test - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: test-${{ github.run_id }} path: .dist
diff --git a/.github/workflows/cid.yml b/.github/workflows/cid.yml
index 61189fb..e21c340 100644
--- a/.github/workflows/cid.yml
+++ b/.github/workflows/cid.yml
@@ -1,10 +1,10 @@
-# cid-workflow-version: 0.0.14 +# cid-workflow-version: 0.0.17 # This file is generated by the CID Workflow GitHub App. # DO NOT EDIT! # name -name: cid-main +name: CID - DefaultBranch # triggers on:
@@ -28,7 +28,6 @@ on: paths-ignore: - README.md - LICENSE - - .github/** - .gitignore - .editorconfig - renovate.json
@@ -65,6 +64,7 @@ env: cdn01.quay.io:443 cdn02.quay.io:443 cdn03.quay.io:443 + codeload.github.com:443 downloads.gradle.org:443 github.com:443 jcenter.bintray.com:443
@@ -100,17 +100,18 @@ jobs: if: ${{ github.event.inputs.loglevel == 'debug' }} steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: info
@@ -132,17 +133,18 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: build
@@ -152,7 +154,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build - name: upload artifacts - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: build-${{ github.run_id }} path: .dist
@@ -166,17 +168,18 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: test
@@ -186,7 +189,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test - name: upload artifacts - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: test-${{ github.run_id }} path: .dist
@@ -202,27 +205,28 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: download artifacts > build - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: build-${{ github.run_id }} path: .dist continue-on-error: true - name: download artifacts > test - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: test-${{ github.run_id }} path: .dist
@@ -248,21 +252,22 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: download artifacts > build - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: build-${{ github.run_id }} path: .dist
@@ -274,7 +279,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage package - name: upload artifacts - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: package-${{ github.run_id }} path: .dist
@@ -294,21 +299,22 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: + disable-telemetry: true disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH }} - name: prepare environment - uses: cidverse/ghact-cid-setup@main + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 with: version: ${{ env.CID_VERSION }} - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: download artifacts > package - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: package-${{ github.run_id }} path: .dist