diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3fd7d2b..0b4f64b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -39,7 +39,7 @@ jobs:
 architecture: ["amd64"]
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 egress-policy: audit
 allowed-endpoints: >
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ad46098..bccde19 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -22,7 +22,7 @@ jobs:
 arch: ['amd64']
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 egress-policy: audit
 allowed-endpoints: >
diff --git a/.github/workflows/docker-vulnerabilities.yaml b/.github/workflows/docker-vulnerabilities.yaml
index c116688..39bf1a4 100644
--- a/.github/workflows/docker-vulnerabilities.yaml
+++ b/.github/workflows/docker-vulnerabilities.yaml
@@ -1,8 +1,8 @@
 name: DockerVulnerabilities
 on:
- push:
- branches:
- - main
+ schedule:
+ # At the end of every day
+ - cron: "0 0 * * *"
 jobs:
 docker-analysis:
@@ -18,7 +18,7 @@ jobs:
 security-events: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 egress-policy: audit
 allowed-endpoints:
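Review bot: With `push` removed, the `on:` block of docker-vulnerabilities.yaml leaves the image scan with a single nightly trigger and no way to run it on demand; add `workflow_dispatch:` next to `schedule:` so a maintainer can re-scan right after a base-image or dependency change instead of waiting up to a day. Scheduled runs only execute against the default branch, and in a public repository GitHub disables `schedule` workflows after 60 days without repository activity, so the nightly cadence is best-effort rather than guaranteed and is worth a comment saying so. The comment `# At the end of every day` is also misleading for `0 0 * * *`, which fires at 00:00 UTC, i.e. the start of the day; `# Daily at 00:00 UTC` is accurate, and since runs at the top of the hour are the ones most often delayed under load, an off-peak minute such as `- cron: "17 3 * * *"` is a common choice.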
>
@@ -52,10 +52,9 @@ jobs:
 uses: actions/cache@v4
 with:
 path: /tmp/.buildx-cache
- key: ${{ runner.os }}-buildx-v1.0-service-node-${{ github.ref_name }}
+ key: ${{ runner.os }}-trivy-service-node-${{ matrix.arch }}-${{ github.ref_name }}
 restore-keys: |
- ${{ runner.os }}-buildx-v1.0-service-node-
-
+ ${{ runner.os }}-trivy-service-node-${{ matrix.arch }}-
 - name: Build and load
 run: |
 docker buildx bake \
@@ -70,7 +69,7 @@ jobs:
 DOCKER_TAG: analysis-latest
 - name: Scan vulnerabilities app image
- uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
 image-ref: 'pantosio/service-node-app:analysis-latest'
 format: 'sarif'
@@ -85,7 +84,7 @@ jobs:
 sarif_file: 'trivy-app-results.sarif'
 - name: Scan vulnerabilities worker image
- uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
 image-ref: 'pantosio/service-node-worker:analysis-latest'
 format: 'sarif'
diff --git a/.github/workflows/publish-docker.yaml b/.github/workflows/publish-docker.yaml
index f17c65b..42ee7eb 100644
--- a/.github/workflows/publish-docker.yaml
+++ b/.github/workflows/publish-docker.yaml
@@ -34,7 +34,7 @@ jobs:
 permissions:
 id-token: write
 steps:
- - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
@@ -68,7 +68,7 @@ jobs:
 done
 - name: Login to Docker Hub
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
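Review bot: The cache step whose key this hunk rewrites still runs `actions/cache@v4`, a mutable tag, while every other action touched by this commit (harden-runner, trivy-action, login-action, gh-action-pypi-publish) is pinned to a full commit SHA with a version comment; pin it the same way, `uses: actions/cache@<commit-sha> # v4.x`, so a moved or compromised tag cannot swap the code that restores `/tmp/.buildx-cache` into a job that holds `security-events: write` (the same applies to `actions/checkout@v4` in the publish-docker.yaml hunk below). The new key interpolates `${{ matrix.arch }}`, which is only meaningful if the `docker-analysis` job declares a `strategy.matrix.arch`; that declaration is outside the hunk, so confirm it exists, because an undefined context expands to an empty string rather than failing and the key would silently become `<os>-trivy-service-node--<ref>`. The step's `- name:` line and the job header start above the hunk.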
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9268cf7..1828520 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -21,7 +21,7 @@ jobs:
 deployment_pypi_environment: ${{ steps.get-environment.outputs.deployment_pypi_environment }}
 deployment_url: ${{ steps.get-environment.outputs.deployment_url }}
 steps:
- - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-sudo: true
 egress-policy: audit
@@ -78,7 +78,7 @@ jobs:
 contents: write
 id-token: write
 steps:
- - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-sudo: true
 egress-policy: audit
@@ -148,7 +148,7 @@ jobs:
 permissions:
 id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
 steps:
- - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-sudo: true
 egress-policy: audit
@@ -165,7 +165,7 @@ jobs:
 ls -lha dist
 - name: Publish package distributions to ${{ needs.define-environment.outputs.deployment_pypi_environment }}
- uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # stable/v1.9.0
+ uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # stable/v1.10.3
 with:
 repository-url: ${{ needs.define-environment.outputs.deployment_pypi_environment == 'test-pypi' && 'https://test.pypi.org/legacy/' || 'https://upload.pypi.org/legacy/' }}
@@ -181,7 +181,7 @@ jobs:
 # Disable the job for the moment being
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-sudo: true
 egress-policy: audit