ci: update cid github actions workflow from 0.0.14 to 0.0.17

.github/workflows/cid-ossf.yml

@@ -1,10 +1,10 @@
-# cid-workflow-version: 0.0.14
+# cid-workflow-version: 0.0.17
 
 # This file is generated by the CID Workflow GitHub App.
 # DO NOT EDIT!
 
 # name
-name: OSSF Scorecard
+name: CID - OSSF Scorecard
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
@@ -13,8 +13,8 @@ on:
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
     - cron: '40 23 * * 5'
-  push:
-    branches: [ 'main' ]
+  # Allow manual triggering of the workflow
+  workflow_dispatch:
 
 # Read Permissions. See
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
@@ -36,25 +36,39 @@ jobs:
       contents: read # required in private repos
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
+          disable-telemetry: true
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >-
             api.github.com:443
+            cdn01.quay.io:443
+            cdn02.quay.io:443
+            cdn03.quay.io:443
+            codeload.github.com:443
+            downloads.gradle.org:443
             github.com:443
+            jcenter.bintray.com:443
+            kotlinlang.org:443
             objects.githubusercontent.com:443
+            plugins-artifacts.gradle.org:443
+            plugins.gradle.org:443
+            quay.io:443
             raw.githubusercontent.com:443
+            repo.maven.apache.org:443
+            repo1.maven.org:443
+            services.gradle.org:443
+            uploads.github.com:443
             api.osv.dev:443
-            codeload.github.com:443
             www.bestpractices.dev:443
             oss-fuzz-build-logs.storage.googleapis.com:443
             rekor.sigstore.dev:443
             fulcio.sigstore.dev:443
             tuf-repo-cdn.sigstore.dev:443
             api.securityscorecards.dev:443
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
       - name: OSSF Analysis
@@ -64,7 +78,7 @@ jobs:
           results_format: sarif
           publish_results: true # publish results to OpenSSF REST API
       - name: Upload Analysis Result
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/cid-pullrequest.yml

@@ -1,10 +1,10 @@
-# cid-workflow-version: 0.0.14
+# cid-workflow-version: 0.0.17
 
 # This file is generated by the CID Workflow GitHub App.
 # DO NOT EDIT!
 
 # name
-name: cid-pullrequest
+name: CID - PullRequest
 
 # triggers
 on:
@@ -26,7 +26,6 @@ on:
     paths-ignore:
       - README.md
       - LICENSE
-      - .github/**
       - .gitignore
       - .editorconfig
       - renovate.json
@@ -63,6 +62,7 @@ env:
     cdn01.quay.io:443
     cdn02.quay.io:443
     cdn03.quay.io:443
+    codeload.github.com:443
     downloads.gradle.org:443
     github.com:443
     jcenter.bintray.com:443
@@ -98,17 +98,18 @@ jobs:
     if: ${{ github.event.inputs.loglevel == 'debug' }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
+          disable-telemetry: true
           disable-sudo: true
           egress-policy: ${{ env.EGRESS_POLICY }}
           allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }}
       - name: prepare environment
-        uses: cidverse/ghact-cid-setup@main
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
         with:
           version: ${{ env.CID_VERSION }}
       - name: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
       - name: info
@@ -130,17 +131,18 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
+          disable-telemetry: true
           disable-sudo: true
           egress-policy: ${{ env.EGRESS_POLICY }}
           allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }}
       - name: prepare environment
-        uses: cidverse/ghact-cid-setup@main
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
         with:
           version: ${{ env.CID_VERSION }}
       - name: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
       - name: build
@@ -150,7 +152,7 @@ jobs:
         run: |
           cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build
       - name: upload artifacts
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: build-${{ github.run_id }}
           path: .dist
@@ -164,17 +166,18 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
+          disable-telemetry: true
           disable-sudo: true
           egress-policy: ${{ env.EGRESS_POLICY }}
           allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }}
       - name: prepare environment
-        uses: cidverse/ghact-cid-setup@main
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
         with:
           version: ${{ env.CID_VERSION }}
       - name: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
       - name: test
@@ -184,7 +187,7 @@ jobs:
         run: |
           cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test
       - name: upload artifacts
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: test-${{ github.run_id }}
           path: .dist
@@ -200,27 +203,28 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
+          disable-telemetry: true
           disable-sudo: true
           egress-policy: ${{ env.EGRESS_POLICY }}
           allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }}
       - name: prepare environment
-        uses: cidverse/ghact-cid-setup@main
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
         with:
           version: ${{ env.CID_VERSION }}
       - name: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
       - name: download artifacts > build
-        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: build-${{ github.run_id }}
           path: .dist
         continue-on-error: true
       - name: download artifacts > test
-        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: test-${{ github.run_id }}
           path: .dist