diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6d5c28d8..0783c861 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,7 +13,7 @@ jobs:
 os: [ubuntu-20.04]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: Setup Golang
 uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c6bf8009..223cd1b3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -22,11 +22,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571
+ uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14
 with:
 languages: ${{ matrix.language }}
@@ -36,4 +36,4 @@ jobs:
 go-version: '1.19'
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571
+ uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14
diff --git a/.github/workflows/fossology-check.yml b/.github/workflows/fossology-check.yml
index 87ac4fa0..e4deb949 100644
--- a/.github/workflows/fossology-check.yml
+++ b/.github/workflows/fossology-check.yml
@@ -9,7 +9,7 @@ jobs:
 name: Check license, copyright, keyword
 runs-on: ubuntu-22.04
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - run: |
 docker run --rm --name "fossologyscanner" -w "/opt/repo" -v ${PWD}:/opt/repo \
 -e GITHUB_TOKEN=${{ github.token }} \
@@ -21,12 +21,12 @@ jobs:
 -e GITHUB_ACTIONS=true \
 fossology/fossology:scanner "/bin/fossologyscanner" --report TEXT repo nomos ojo copyright keyword
 # Upload artifact
- - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
 with:
 name: scan-fossology-report
 path: ./results
 # Artifact download
- - uses: actions/download-artifact@87c55149d96e628cc2ef7e6fc2aab372015aec85
+ - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
 with:
 name: scan-fossology-report
diff --git a/.github/workflows/go-fuzz-test.yml b/.github/workflows/go-fuzz-test.yml
index 6f6ac6f2..beba16ab 100644
--- a/.github/workflows/go-fuzz-test.yml
+++ b/.github/workflows/go-fuzz-test.yml
@@ -13,7 +13,7 @@ jobs:
 os: [ubuntu-20.04]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: Setup Golang
 uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
diff --git a/.github/workflows/lint-vet-gofmt-staticcheck-analysis.yml b/.github/workflows/lint-vet-gofmt-staticcheck-analysis.yml
index b12f5569..8ca2ca2a 100644
--- a/.github/workflows/lint-vet-gofmt-staticcheck-analysis.yml
+++ b/.github/workflows/lint-vet-gofmt-staticcheck-analysis.yml
@@ -8,7 +8,7 @@ jobs:
 lintvetanalysis:
 runs-on: ubuntu-20.04
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: Setup Golang
 uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 28fab701..46bce83a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Check out the repo
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: Setup Golang
 uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
@@ -31,10 +31,10 @@ jobs:
 type=semver,pattern={{version}}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb
 - name: Log in to Docker Hub
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
@@ -45,7 +45,7 @@ jobs:
 cp configs/defdockerfiles/ubuntu_multistage Dockerfile
 - name: Build and push
- uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
+ uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0
 with:
 context: .
 build-args: TARGETVERSION=v${{ steps.meta.outputs.version }}
@@ -63,7 +63,7 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
 with:
 egress-policy: audit
@@ -103,7 +103,7 @@ jobs:
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
 with:
 base64-subjects: "${{ needs.generate_hashes.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
index e7cdf84d..53f083d7 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -32,12 +32,12 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
 with:
 egress-policy: audit
 - name: "Checkout code"
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 with:
 persist-credentials: false
@@ -64,7 +64,7 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
 with:
 name: SARIF file
 path: results.sarif
@@ -72,6 +72,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571
+ uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14
 with:
 sarif_file: results.sarif
\ No newline at end of file
diff --git a/.github/workflows/test-suite.yml b/.github/workflows/test-suite.yml
index 010bdf2f..5bc2abec 100644
--- a/.github/workflows/test-suite.yml
+++ b/.github/workflows/test-suite.yml
@@ -12,7 +12,7 @@ jobs:
 os: [ubuntu-20.04]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 - name: Setup Golang
 uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
diff --git a/go.mod b/go.mod
index 8035bf94..e3556900 100644
--- a/go.mod
+++ b/go.mod
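Review bot: The new `actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b` line in the first hunk of scorecards-analysis.yml drops the `# v3.1.0` release annotation that the removed line carried, while the harden-runner pin two lines above keeps its `# v2.7.1` comment, so the step is now the only pin in this hunk whose SHA cannot be matched to a release without resolving it. The comment is what a reviewer, Scorecard's pinned-dependencies check readers, and SHA-aware update tooling use to see which version a hash stands for, so it should be restored with the tag this SHA corresponds to: `uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # vX.Y.Z` (placeholder; fill in the checkout release for this SHA). The same checkout SHA is introduced without any version comment in build.yml, codeql.yml, fossology-check.yml, go-fuzz-test.yml, lint-vet-gofmt-staticcheck-analysis.yml, publish.yml and test-suite.yml, so the annotation would be worth adding there in the same pass. `persist-credentials: false` is kept on the checkout step, which is correct for a workflow that only needs read access.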
@@ -26,7 +26,7 @@ require (
 github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
 github.com/spf13/cast v1.4.1
 github.com/spf13/pflag v1.0.5
- github.com/stretchr/testify v1.8.4
+ github.com/stretchr/testify v1.9.0
 github.com/vishvananda/netlink v1.2.1-beta.2
 go.etcd.io/bbolt v1.3.9
 gopkg.in/ini.v1 v1.67.0
@@ -88,10 +88,10 @@ require (
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 github.com/yusufpapurcu/wmi v1.2.2 // indirect
- golang.org/x/crypto v0.14.0 // indirect
- golang.org/x/net v0.17.0 // indirect
+ golang.org/x/crypto v0.21.0 // indirect
+ golang.org/x/net v0.23.0 // indirect
 golang.org/x/sync v0.5.0 // indirect
- golang.org/x/sys v0.13.0 // indirect
+ golang.org/x/sys v0.18.0 // indirect
 golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 )