From cc668510cd2537d754c03cecb3dcef3cefe29976 Mon Sep 17 00:00:00 2001 From: Sam Ainsworth Date: Fri, 27 Oct 2023 10:03:03 +0100 Subject: [PATCH 1/4] UML-3040 Create dev envs only on PR (#2384) --- .github/workflows/pull-request-path.yml | 28 +++++++++++++------------ 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/workflows/pull-request-path.yml b/.github/workflows/pull-request-path.yml index c5840b1d5d..d1c86ca08e 100644 --- a/.github/workflows/pull-request-path.yml +++ b/.github/workflows/pull-request-path.yml @@ -1,4 +1,4 @@ -name: "[Workflow] All branch based pushes" +name: "[Workflow] PR Environment" concurrency: group: ${{ github.ref }}-${{ github.workflow }} @@ -8,15 +8,10 @@ defaults: shell: bash on: - push: + pull_request: branches: - - '*' # matches every branch that doesn't contain a '/' - - '*/*' # matches every branch containing a single '/' - - '**' # matches every branch - - '!main' # reverse match main - - '!dependabot/**' # reverse match dependabot PRs - - 'dependabot/docker/**' # match dependabot PRs that update docker - - 'dependabot/pip/**' # match dependabot PRs that update pip + - main + permissions: contents: write @@ -31,6 +26,9 @@ permissions: statuses: none jobs: + workspace_name: + uses: ministryofjustice/opg-github-workflows/.github/workflows/data-parse-workspace.yml@383650d409aad063a69ce6cc3a013ac538cc1508 + workflow_variables: runs-on: ubuntu-latest name: output workflow variables @@ -79,8 +77,9 @@ jobs: uses: ./.github/workflows/_lint-terraform.yml needs: - workflow_variables + - workspace_name with: - workspace: ${{ needs.workflow_variables.outputs.parsed_branch }} + workspace: ${{ needs.workspace_name.outputs.name }} secrets: inherit if: | always() && 
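Review bot: The `branches:` filter under the new `pull_request` trigger selects on a PR's base branch, whereas the removed `push` patterns (`!main`, `!dependabot/**`, `dependabot/docker/**`) matched the head branch, so the filter's meaning has flipped and every PR targeting main now runs this path, which deserves a comment at the trigger. Since the rest of the path still carries `permissions: contents: write`, `secrets: inherit` and `secrets.AWS_ACCESS_KEY_ID_ACTIONS`, it also matters that `pull_request` runs from forks (and dependabot-authored PRs) receive a read-only token and no repository secrets, so their deploy jobs will fail rather than deploy; presumably acceptable, but it is not stated anywhere. Suggested comment above `pull_request:`: `# Filter is on the PR base branch: every PR into main builds an environment; fork/dependabot PRs have no secrets and stop at the deploy jobs`. The default `pull_request` activity types do not include `closed`, so nothing in this file tears the environment down; if that is left to the scheduled workspace cleanup, say so here.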
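Review bot: `terraform_lint` now takes `workspace` from `needs.workspace_name.outputs.name` but keeps `if: always() && …`, so if the `workspace_name` job fails or is skipped the job still runs with an empty workspace string unless the part of the condition outside this hunk checks it. Add `needs.workspace_name.result == 'success' &&` to the condition; the `@@ -201` hunk in this same patch has the identical `always() &&` prefix and needs the same guard. The `if:` block scalar continues beyond the hunk, so the existing checks are not visible here.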
@@ -148,8 +147,9 @@ jobs: - docker_build_scan_push - terraform_lint - workflow_variables + - workspace_name with: - workspace: ${{ needs.workflow_variables.outputs.parsed_branch }} + workspace: ${{ needs.workspace_name.outputs.name }} terraform_path: environment container_version: ${{ needs.workflow_variables.outputs.parsed_branch }}-${{ needs.workflow_variables.outputs.short_sha }} apply: true @@ -201,8 +201,9 @@ jobs: needs: - seed_dynamodb - workflow_variables + - workspace_name with: - workspace: ${{ needs.workflow_variables.outputs.parsed_branch }} + workspace: ${{ needs.workspace_name.outputs.name }} secrets: inherit if: | always() && @@ -259,12 +260,13 @@ jobs: - ecr_scan_results - slack_notify - workflow_variables + - workspace_name steps: - name: workflow has ended without issue run: | echo "${{ needs.workflow_variables.outputs.parsed_branch }} PR environment tested, built and deployed" echo "Tag Used: ${{ needs.workflow_variables.outputs.parsed_branch }}-${{ needs.workflow_variables.outputs.short_sha }}" - echo "URL: https://${{ needs.workflow_variables.outputs.parsed_branch }}.use-lasting-power-of-attorney.service.gov.uk" + echo "URL: https://${{ needs.workspace_name.outputs.name }}.use-lasting-power-of-attorney.service.gov.uk" if: | always() && needs.ecr_scan_results.result == 'success' && From 1c240199d2ec0fbd0a2f84b681505b9d515077cc Mon Sep 17 00:00:00 2001 From: Sam Ainsworth Date: Fri, 27 Oct 2023 11:46:21 +0100 Subject: [PATCH 2/4] UML-3149 Correct Secrets Manager lookup (#2386) --- .pre-commit-config.yaml | 1 - terraform/environment/region/data_sources.tf | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b484a820b7..8ab0b2fd6d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -11,7 +11,6 @@ repos: rev: v1.76.0 hooks: - id: terraform_fmt - - id: terraform_validate - repo: https://github.com/awslabs/git-secrets rev: master hooks: 
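Review bot: `apply: true` here deploys into the workspace named by `needs.workspace_name.outputs.name`, but `container_version` on the next line is still built from `needs.workflow_variables.outputs.parsed_branch`, so the workspace and the image tag it deploys are now derived from two different computations of the branch name. If the reusable `data-parse-workspace` workflow sanitises or truncates differently from `parsed_branch`, the environment will come up with a tag that does not match it; either derive both from one output or add a comment stating that the two are guaranteed to agree, e.g. `# workspace_name and parsed_branch must produce the same string for this branch`. An empty `name` output would also be passed through unchecked and may select whatever workspace the reusable workflow defaults to, so a guard such as `needs.workspace_name.outputs.name != ''` in this job's `if:` is worth adding; the job's `if:` and the start of the job lie outside the hunk.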
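Review bot: The summary step now prints the URL from `needs.workspace_name.outputs.name` while the first two `echo` lines still print `parsed_branch` as the environment name and tag, so one run can report one name for the environment and a different host in its URL; use the workspace name in the first line too, `echo "${{ needs.workspace_name.outputs.name }} PR environment tested, built and deployed"`. Because these values derive from the PR's branch name and are expanded straight into a shell `run:` block, the safer pattern is to map them into `env:` variables and reference `"$WORKSPACE"` inside the script, which is GitHub's documented hardening advice for branch-derived expressions. The pre-existing lines share this pattern, so this is a follow-up rather than a blocker for the commit.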
diff --git a/terraform/environment/region/data_sources.tf b/terraform/environment/region/data_sources.tf index 45826cd91d..c35b917b00 100644 --- a/terraform/environment/region/data_sources.tf +++ b/terraform/environment/region/data_sources.tf @@ -44,7 +44,7 @@ data "aws_kms_alias" "sessions_actor" { } data "aws_kms_alias" "secrets_manager" { - name = "alias/secrets_manager_encryption" + name = "alias/secrets_manager_encryption-mrk" provider = aws.region } From 39f52fcafbd7e68eb2264963c99359c18a3ae2cd Mon Sep 17 00:00:00 2001 From: Sam Ainsworth Date: Fri, 27 Oct 2023 15:16:40 +0100 Subject: [PATCH 3/4] UML-3152 Handle UNTRIAGED severity in ECR (#2389) --- scripts/pipeline/check_ecr_scan_results/aws_ecr_scan_results.py | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/pipeline/check_ecr_scan_results/aws_ecr_scan_results.py b/scripts/pipeline/check_ecr_scan_results/aws_ecr_scan_results.py index 63bc1382c3..09c73c3010 100755 --- a/scripts/pipeline/check_ecr_scan_results/aws_ecr_scan_results.py +++ b/scripts/pipeline/check_ecr_scan_results/aws_ecr_scan_results.py @@ -177,6 +177,7 @@ def post_to_slack(cls, slack_webhook, report): def ci_check_and_output(self, report): severity_dict = { + "UNTRIAGED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 0, From d402505e38cb0ee6ebae827627e60fc3d4a17156 Mon Sep 17 00:00:00 2001 
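Review bot: The alias lookup is changed to `alias/secrets_manager_encryption-mrk` with no comment explaining the suffix, and nothing in the patch records what happens to the key behind the old alias. Presumably `-mrk` marks a multi-region key; a comment on the data source such as `# multi-region key; the alias without -mrk resolves to the wrong key for this environment` would stop the next reader "correcting" the name back. If any secret was ever encrypted under the old alias, confirm it has been re-encrypted or that the old key stays enabled for decryption before this is applied.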
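Review bot: `"UNTRIAGED": 0` is added to `severity_dict`, but the part of `ci_check_and_output` that decides which severities fail the pipeline continues outside the hunk, so it is not visible whether untriaged findings now fail the run or are merely counted. An untriaged finding has no severity assigned yet, so it should not be treated as benign by default; and if the threshold or report iterates `severity_dict` in insertion order, placing it first also changes where it appears in the output. A one-line comment, `# UNTRIAGED: scanner has not assigned a severity yet; do not treat as benign`, would record the intended handling.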
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 27 Oct 2023 15:33:07 +0100 Subject: [PATCH 4/4] Renovate Update GitHub Actions (#2388) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/_build-and-push.yml | 10 +++++----- .github/workflows/_codecov.yml | 2 +- .github/workflows/_ecr-scanning.yml | 6 +++--- .github/workflows/_lint-terraform.yml | 4 ++-- .github/workflows/_node-build.yml | 8 ++++---- .github/workflows/_node-test.yml | 6 +++--- .github/workflows/_run-behat-tests.yml | 8 ++++---- .github/workflows/_run-terraform.yml | 8 ++++---- .github/workflows/_seed-database.yml | 6 +++--- .github/workflows/_slack-notification.yml | 4 ++-- .github/workflows/path-to-live.yml | 6 +++--- .github/workflows/pull-request-path.yml | 6 +++--- .github/workflows/scheduled-codeql-analysis.yml | 2 +- .github/workflows/scheduled-package-scan.yml | 2 +- .github/workflows/scheduled-tfsec.yml | 2 +- .github/workflows/scheduled-update-demo.yml | 2 +- .github/workflows/scheduled-workspace-cleanup.yml | 6 +++--- .github/workflows/statistics.yml | 2 +- .github/workflows/workflow-deploy-ref-to-env.yml | 6 +++--- 19 files changed, 48 insertions(+), 48 deletions(-) diff --git a/.github/workflows/_build-and-push.yml b/.github/workflows/_build-and-push.yml index 18950f7598..464cc91f08 100644 --- a/.github/workflows/_build-and-push.yml +++ b/.github/workflows/_build-and-push.yml @@ -71,11 +71,11 @@ jobs: run_integration_tests: 'false' artifact_to_dl: '' steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 - name: cache node modules id: cache-npm - uses: actions/cache@04f198bf0b2a39f7230a4304bf07747a0bddf146 # pin@v3.0.8 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # pin@v3.0.8 env: cache-name: cache-node-modules with: 
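Review bot: The trailing `# pin@v3`, `# pin@v3.0.8` and `# pin@v1.7.0` comments are left untouched while the SHAs they annotate are replaced, so the annotations no longer describe the pinned commit; the same SHA `b4ffde65f46336ab88eb53be808477a3936bae11` is labelled `# pin@v3` here and `# pin@v4` in `workflow-deploy-ref-to-env.yml` later in this patch, which cannot both be right. The comment is what a reviewer reads to judge what a SHA bump means, so update it to the tag the new SHA actually corresponds to (renovate can be configured to maintain a `# vX.Y.Z` comment itself) or drop the stale annotations. This applies to every hunk of the renovate commit that carries a `# pin@` comment (`_build-and-push.yml`, `_codecov.yml`, `_ecr-scanning.yml`, `_lint-terraform.yml`, `_node-build.yml`, `_node-test.yml`, `_run-behat-tests.yml`, `_run-terraform.yml`, `_seed-database.yml`, `_slack-notification.yml`, `path-to-live.yml`, `pull-request-path.yml`, the `scheduled-*` workflows and `workflow-deploy-ref-to-env.yml`).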
@@ -94,7 +94,7 @@ jobs: inputs.specific_path == 'all' || inputs.specific_path == matrix.svc_prefix - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # pin@v1.7.0 + uses: aws-actions/configure-aws-credentials@e6c766a518826746395987edb73a1a5767d0b602 # pin@v1.7.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} @@ -148,7 +148,7 @@ jobs: - name: ecr login id: login_ecr - uses: aws-actions/amazon-ecr-login@b5f9031d829ac39b7fd26092019aeca3ee6b3ebd # pin@v1.5.1 + uses: aws-actions/amazon-ecr-login@f8672cc4c5410eabbb9df3d9bb4c7ad01fc4cc3e # pin@v1.5.1 with: registries: 311462405659 if: | @@ -214,7 +214,7 @@ jobs: (inputs.specific_path == 'all' || inputs.specific_path == matrix.svc_prefix) - name: archive test results - uses: actions/upload-artifact@65d862660abb392b8c4a3d1195a2108db131dd05 # pin@v3.1.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3.1.0 with: name: service-${{ matrix.svc_prefix }} path: build/service-${{ matrix.svc_prefix }} diff --git a/.github/workflows/_codecov.yml b/.github/workflows/_codecov.yml index 6197698c28..8bef0667e5 100644 --- a/.github/workflows/_codecov.yml +++ b/.github/workflows/_codecov.yml @@ -15,7 +15,7 @@ jobs: code_coverage: runs-on: ubuntu-latest steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 - name: download artifact for front tests uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b with: diff --git a/.github/workflows/_ecr-scanning.yml b/.github/workflows/_ecr-scanning.yml index 6f38e463e2..d8b0e3cbbd 100644 --- a/.github/workflows/_ecr-scanning.yml +++ b/.github/workflows/_ecr-scanning.yml 
@@ -15,10 +15,10 @@ jobs: ecr-scan-results: runs-on: ubuntu-latest steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 - name: configure AWS credentials ECR scan results - uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # pin@v1.7.0 + uses: aws-actions/configure-aws-credentials@e6c766a518826746395987edb73a1a5767d0b602 # pin@v1.7.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} @@ -27,7 +27,7 @@ jobs: role-session-name: OPGUseAnLPAECRScanGithubAction - name: install python - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # pin@v4.2.0 + uses: actions/setup-python@e8111cec9d3dc15220d8a3b638f08419f57b906a # pin@v4.2.0 with: python-version: '3.10' cache: 'pip' diff --git a/.github/workflows/_lint-terraform.yml b/.github/workflows/_lint-terraform.yml index 8c1f29e8b7..28dfdecd8f 100644 --- a/.github/workflows/_lint-terraform.yml +++ b/.github/workflows/_lint-terraform.yml @@ -20,14 +20,14 @@ jobs: - folder: 'environment' - folder: 'account' steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 - uses: hashicorp/setup-terraform@8fa54e78fa196965551aa8c4a4eae3aee5568620 # pin@v2.0.0 with: terraform_version: 1.5.6 - name: configure AWS credentials for terraform - uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # pin@v1.7.0 + uses: aws-actions/configure-aws-credentials@e6c766a518826746395987edb73a1a5767d0b602 # pin@v1.7.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} diff --git a/.github/workflows/_node-build.yml b/.github/workflows/_node-build.yml index cc35720e84..c0a4993ac5 100644 
--- a/.github/workflows/_node-build.yml +++ b/.github/workflows/_node-build.yml @@ -11,13 +11,13 @@ jobs: build-web: runs-on: ubuntu-latest steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 - - uses: actions/setup-node@869f4dd0c7f320ae834c2724d92a364de3893c24 # pin@v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 + - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # pin@v3.6.0 with: node-version-file: '.nvmrc' - name: cache node modules id: cache-npm - uses: actions/cache@04f198bf0b2a39f7230a4304bf07747a0bddf146 # pin@v3.0.8 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # pin@v3.0.8 env: cache-name: cache-node-modules with: @@ -33,7 +33,7 @@ jobs: cd service-front/web/ npm run build - name: archive dist - uses: actions/upload-artifact@65d862660abb392b8c4a3d1195a2108db131dd05 # pin@v3.1.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3.1.0 with: name: dist-web path: service-front/web/dist/ diff --git a/.github/workflows/_node-test.yml b/.github/workflows/_node-test.yml index 5dc6c7bd0e..bad633d8f1 100644 --- a/.github/workflows/_node-test.yml +++ b/.github/workflows/_node-test.yml @@ -11,13 +11,13 @@ jobs: unit-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 - - uses: actions/setup-node@869f4dd0c7f320ae834c2724d92a364de3893c24 # pin@v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 + - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # pin@v3.6.0 with: node-version-file: '.nvmrc' - name: cache node modules id: cache-npm - uses: actions/cache@04f198bf0b2a39f7230a4304bf07747a0bddf146 # pin@v3.0.8 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # pin@v3.0.8 env: cache-name: cache-node-modules with: 
diff --git a/.github/workflows/_run-behat-tests.yml b/.github/workflows/_run-behat-tests.yml index 8d24af368e..0625ce417f 100644 --- a/.github/workflows/_run-behat-tests.yml +++ b/.github/workflows/_run-behat-tests.yml @@ -16,10 +16,10 @@ jobs: build-web: runs-on: ubuntu-latest steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 - name: install python - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # pin@v4.2.0 + uses: actions/setup-python@e8111cec9d3dc15220d8a3b638f08419f57b906a # pin@v4.2.0 with: python-version: '3.10' cache: 'pip' @@ -51,7 +51,7 @@ jobs: path: terraform/environment - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # pin@v1.7.0 + uses: aws-actions/configure-aws-credentials@e6c766a518826746395987edb73a1a5767d0b602 # pin@v1.7.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} @@ -86,7 +86,7 @@ jobs: vendor/bin/behat - name: archive failed test screenshots - uses: actions/upload-artifact@65d862660abb392b8c4a3d1195a2108db131dd05 # pin@v3.1.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3.1.0 with: name: behat-screenshots path: tests/smoke/failed_step_screenshots diff --git a/.github/workflows/_run-terraform.yml b/.github/workflows/_run-terraform.yml index e01b86f9dc..225aad38fe 100644 --- a/.github/workflows/_run-terraform.yml +++ b/.github/workflows/_run-terraform.yml @@ -58,7 +58,7 @@ jobs: echo "admin-tag=$(echo ${TAG})" >> $GITHUB_OUTPUT fi - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 with: fetch-depth: '0' 
@@ -69,7 +69,7 @@ jobs: terraform_version: 1.5.6 - name: configure AWS credentials for getting pagerduty token - uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # pin@v1.7.0 + uses: aws-actions/configure-aws-credentials@e6c766a518826746395987edb73a1a5767d0b602 # pin@v1.7.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} @@ -86,7 +86,7 @@ jobs: echo TF_VAR_pagerduty_token=$TF_VAR_pagerduty_token >> $GITHUB_ENV - name: configure AWS credentials for terraform - uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # pin@v1.7.0 + uses: aws-actions/configure-aws-credentials@e6c766a518826746395987edb73a1a5767d0b602 # pin@v1.7.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} @@ -145,7 +145,7 @@ jobs: - name: upload environment cluster config file if: inputs.terraform_path == 'environment' - uses: actions/upload-artifact@65d862660abb392b8c4a3d1195a2108db131dd05 # pin@v3.1.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3.1.0 with: name: environment_config_file path: terraform/environment/cluster_config.json diff --git a/.github/workflows/_seed-database.yml b/.github/workflows/_seed-database.yml index 4831860c00..df1ed2e837 100644 --- a/.github/workflows/_seed-database.yml +++ b/.github/workflows/_seed-database.yml 
@@ -5,12 +5,12 @@ jobs: terraform_workflow: runs-on: ubuntu-latest steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 with: fetch-depth: '0' - name: configure AWS credentials for terraform - uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # pin@v1.7.0 + uses: aws-actions/configure-aws-credentials@e6c766a518826746395987edb73a1a5767d0b602 # pin@v1.7.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} @@ -25,7 +25,7 @@ jobs: path: terraform/environment - name: install python - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # pin@v4.2.0 + uses: actions/setup-python@e8111cec9d3dc15220d8a3b638f08419f57b906a # pin@v4.2.0 with: python-version: '3.10' cache: 'pip' diff --git a/.github/workflows/_slack-notification.yml b/.github/workflows/_slack-notification.yml index 220b24e13d..a60b2da585 100644 --- a/.github/workflows/_slack-notification.yml +++ b/.github/workflows/_slack-notification.yml @@ -24,10 +24,10 @@ jobs: send-slack-notification: runs-on: ubuntu-latest steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 - name: install python - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # pin@v4.2.0 + uses: actions/setup-python@e8111cec9d3dc15220d8a3b638f08419f57b906a # pin@v4.2.0 with: python-version: '3.10' cache: 'pip' diff --git a/.github/workflows/path-to-live.yml b/.github/workflows/path-to-live.yml index 0b9b833819..51f0a2f0cb 100644 --- a/.github/workflows/path-to-live.yml +++ b/.github/workflows/path-to-live.yml 
@@ -31,7 +31,7 @@ jobs: outputs: short_sha: ${{ steps.variables.outputs.short_sha }} steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 - name: extract variables for workflow id: variables run: | @@ -79,7 +79,7 @@ jobs: - workflow_variables runs-on: ubuntu-latest steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 - name: download artifact for front tests uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b with: @@ -187,7 +187,7 @@ jobs: needs: - terraform_apply_production steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 with: fetch-depth: '0' - name: download cluster_config diff --git a/.github/workflows/pull-request-path.yml b/.github/workflows/pull-request-path.yml index d1c86ca08e..f913f5513e 100644 --- a/.github/workflows/pull-request-path.yml +++ b/.github/workflows/pull-request-path.yml @@ -37,18 +37,18 @@ jobs: short_sha: ${{ steps.variables.outputs.short_sha }} specific_path: ${{ steps.variables.outputs.path }} steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 with: fetch-depth: 2 - name: get changed files in the admin folder id: changed-files-admin - uses: tj-actions/changed-files@6e4b6b77a3fd4d60bd02608dba69c7eae38a117f + uses: tj-actions/changed-files@1864dc5311069c2319e40ddda20ebf24336dcba9 with: files: | service-admin/** - name: get changed files in the terraform folder id: changed-files-terraform - uses: tj-actions/changed-files@6e4b6b77a3fd4d60bd02608dba69c7eae38a117f + uses: tj-actions/changed-files@1864dc5311069c2319e40ddda20ebf24336dcba9 with: files: | terraform/** 
diff --git a/.github/workflows/scheduled-codeql-analysis.yml b/.github/workflows/scheduled-codeql-analysis.yml index 61b360a086..5e43fedd29 100644 --- a/.github/workflows/scheduled-codeql-analysis.yml +++ b/.github/workflows/scheduled-codeql-analysis.yml @@ -30,7 +30,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/scheduled-package-scan.yml b/.github/workflows/scheduled-package-scan.yml index e2d386bdc0..96ecd849fe 100644 --- a/.github/workflows/scheduled-package-scan.yml +++ b/.github/workflows/scheduled-package-scan.yml @@ -9,5 +9,5 @@ jobs: run: runs-on: ubuntu-latest steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 - uses: ministryofjustice/opg-repository-scanner@latest diff --git a/.github/workflows/scheduled-tfsec.yml b/.github/workflows/scheduled-tfsec.yml index 2ae07f1849..b95460c49f 100644 --- a/.github/workflows/scheduled-tfsec.yml +++ b/.github/workflows/scheduled-tfsec.yml @@ -13,7 +13,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 with: persist-credentials: false diff --git a/.github/workflows/scheduled-update-demo.yml b/.github/workflows/scheduled-update-demo.yml index dca9acafe9..2225abb011 100644 --- a/.github/workflows/scheduled-update-demo.yml +++ b/.github/workflows/scheduled-update-demo.yml 
@@ -43,7 +43,7 @@ jobs: - seed_dynamodb steps: - name: configure AWS credentials for ecs update - uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # pin@v1.7.0 + uses: aws-actions/configure-aws-credentials@e6c766a518826746395987edb73a1a5767d0b602 # pin@v1.7.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} diff --git a/.github/workflows/scheduled-workspace-cleanup.yml b/.github/workflows/scheduled-workspace-cleanup.yml index eebecb1d19..79e32ebb0a 100644 --- a/.github/workflows/scheduled-workspace-cleanup.yml +++ b/.github/workflows/scheduled-workspace-cleanup.yml @@ -21,7 +21,7 @@ jobs: terraform_environment_cleanup: runs-on: ubuntu-latest steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v3 - uses: hashicorp/setup-terraform@8fa54e78fa196965551aa8c4a4eae3aee5568620 # pin@v2 with: terraform_version: 1.5.6 @@ -32,7 +32,7 @@ jobs: ssh-private-key: ${{ secrets.USE_AN_LPA_DEPLOY_KEY_PRIVATE_KEY }} - name: configure AWS credentials for getting pagerduty token - uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # pin@v1.7.0 + uses: aws-actions/configure-aws-credentials@e6c766a518826746395987edb73a1a5767d0b602 # pin@v1.7.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} 
@@ -49,7 +49,7 @@ jobs: echo TF_VAR_pagerduty_token=$TF_VAR_pagerduty_token >> $GITHUB_ENV - name: configure AWS credentials for terraform - uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # pin@v1.7.0 + uses: aws-actions/configure-aws-credentials@e6c766a518826746395987edb73a1a5767d0b602 # pin@v1.7.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} diff --git a/.github/workflows/statistics.yml b/.github/workflows/statistics.yml index 336d26950f..38bf8493f7 100644 --- a/.github/workflows/statistics.yml +++ b/.github/workflows/statistics.yml @@ -29,7 +29,7 @@ jobs: role-duration-seconds: 1800 role-session-name: OPGGetServiceStats - name: Set up Python - uses: actions/setup-python@v4.2.0 + uses: actions/setup-python@v4.7.1 with: python-version: 3.11.5 - name: Install requirements diff --git a/.github/workflows/workflow-deploy-ref-to-env.yml b/.github/workflows/workflow-deploy-ref-to-env.yml index 44122984fc..f04974fc57 100644 --- a/.github/workflows/workflow-deploy-ref-to-env.yml +++ b/.github/workflows/workflow-deploy-ref-to-env.yml 
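Review bot: `actions/setup-python@v4.7.1` in `statistics.yml` is pinned to a mutable tag while every other workflow in this patch pins the same action to a full commit SHA, so this is the one line where the action's content is not fixed and a moved tag would change what runs. Pin it to the commit for v4.7.1 with a version comment, matching the other files, e.g. `uses: actions/setup-python@<sha-of-v4.7.1> # pin@v4.7.1`; the SHA renovate chose for the other `setup-python` lines in this patch (`e8111cec9d3dc15220d8a3b638f08419f57b906a`) is the obvious candidate if it is confirmed to be that tag.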
@@ -53,20 +53,20 @@ jobs: short_sha: ${{ steps.variables.outputs.short_sha }} specific_path: ${{ steps.variables.outputs.path }} steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # pin@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4 with: fetch-depth: 2 ref: ${{ inputs.git_ref }} - name: get changed files in the admin folder id: changed-files-admin - uses: tj-actions/changed-files@6e4b6b77a3fd4d60bd02608dba69c7eae38a117f + uses: tj-actions/changed-files@1864dc5311069c2319e40ddda20ebf24336dcba9 with: files: | service-admin/** - name: get changed files in the terraform folder id: changed-files-terraform - uses: tj-actions/changed-files@6e4b6b77a3fd4d60bd02608dba69c7eae38a117f + uses: tj-actions/changed-files@1864dc5311069c2319e40ddda20ebf24336dcba9 with: files: | terraform/**