fix: reduce trivy analysis, update CI images (#125)

.github/workflows/build.yml

@@ -39,7 +39,7 @@ jobs:
         architecture: ["amd64"]
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
           allowed-endpoints: >

.github/workflows/ci.yaml

@@ -22,7 +22,7 @@ jobs:
         arch: ['amd64']
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
           allowed-endpoints: >

.github/workflows/docker-vulnerabilities.yaml

@@ -1,8 +1,8 @@
 name: DockerVulnerabilities
 on:
-  push:
-    branches:
-      - main
+  schedule:
+    # At the end of every day
+    - cron: "0 0 * * *"
 
 jobs:
     docker-analysis:
@@ -18,7 +18,7 @@ jobs:
           security-events: write
         steps:
             - name: Harden Runner
-              uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+              uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
               with:
                 egress-policy: audit
                 allowed-endpoints: >
@@ -52,10 +52,9 @@ jobs:
               uses: actions/cache@v4
               with:
                 path: /tmp/.buildx-cache
-                key: ${{ runner.os }}-buildx-v1.0-service-node-${{ github.ref_name }}
+                key: ${{ runner.os }}-trivy-service-node-${{ matrix.arch }}-${{ github.ref_name }}
                 restore-keys: |
-                    ${{ runner.os }}-buildx-v1.0-service-node-
-
+                  ${{ runner.os }}-trivy-service-node-${{ matrix.arch }}-
             - name: Build and load
               run: |
                     docker buildx bake \
@@ -70,7 +69,7 @@ jobs:
                 DOCKER_TAG: analysis-latest
 
             - name: Scan vulnerabilities app image
-              uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+              uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
               with:           
                 image-ref: 'pantosio/service-node-app:analysis-latest'
                 format: 'sarif'
@@ -85,7 +84,7 @@ jobs:
                 sarif_file: 'trivy-app-results.sarif'
 
             - name: Scan vulnerabilities worker image
-              uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+              uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
               with:           
                 image-ref: 'pantosio/service-node-worker:analysis-latest'
                 format: 'sarif'

.github/workflows/publish-docker.yaml

@@ -34,7 +34,7 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
       - uses: actions/checkout@v4
@@ -68,7 +68,7 @@ jobs:
           done
 
       - name: Login to Docker Hub
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/release.yaml

@@ -21,7 +21,7 @@ jobs:
       deployment_pypi_environment: ${{ steps.get-environment.outputs.deployment_pypi_environment }}
       deployment_url: ${{ steps.get-environment.outputs.deployment_url }}
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: audit
@@ -78,7 +78,7 @@ jobs:
       contents: write
       id-token: write
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: audit
@@ -148,7 +148,7 @@ jobs:
     permissions:
       id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: audit
@@ -165,7 +165,7 @@ jobs:
           ls -lha dist
 
       - name: Publish package distributions to ${{ needs.define-environment.outputs.deployment_pypi_environment }}
-        uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # stable/v1.9.0
+        uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # stable/v1.10.3
         with:
           repository-url: ${{ needs.define-environment.outputs.deployment_pypi_environment == 'test-pypi' && 'https://test.pypi.org/legacy/' || 'https://upload.pypi.org/legacy/' }}
 
@@ -181,7 +181,7 @@ jobs:
     # Disable the job for the moment being
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: audit