diff --git a/.github/workflows/ci-guardrails.yml b/.github/workflows/ci-guardrails.yml index 27b41ae..12dceda 100644 --- a/.github/workflows/ci-guardrails.yml +++ b/.github/workflows/ci-guardrails.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: false # needed for Zizmor's use of Docker egress-policy: block @@ -39,7 +39,7 @@ jobs: persist-credentials: false - name: Run zizmor - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 poutine: name: Analyze (Poutine) @@ -50,7 +50,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block @@ -86,7 +86,7 @@ jobs: > poutine_results.sarif - name: Upload poutine SARIF file - uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 + uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 with: sarif_file: poutine_results.sarif @@ -96,7 +96,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: false # needed for TruffleHog's use of Docker egress-policy: block @@ -128,7 +128,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block @@ -157,7 +157,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block @@ -178,7 +178,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 88fb6c7..646b88a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block @@ -79,6 +79,6 @@ jobs: - name: Upload Trivy SARIF file if: always() - uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 + uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 with: sarif_file: trivy-results.sarif diff --git a/.github/workflows/maintenance-update-tool-versions.yml b/.github/workflows/maintenance-update-tool-versions.yml index b83afbf..af999a3 100644 --- a/.github/workflows/maintenance-update-tool-versions.yml +++ b/.github/workflows/maintenance-update-tool-versions.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block diff --git a/.github/workflows/prs-review.yml b/.github/workflows/prs-review.yml index e179d85..de498f6 100644 --- a/.github/workflows/prs-review.yml +++ b/.github/workflows/prs-review.yml @@ -18,7 +18,7 @@ jobs: pull-requests: write # Required to post review comments steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: false # actionlint needs to run in a container egress-policy: block @@ -47,7 +47,7 @@ jobs: pull-requests: write # Required to post review comments steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block @@ -84,7 +84,7 @@ jobs: pull-requests: write # Required to post review comments steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: false # require sudo to install shellcheck egress-policy: block @@ -127,7 +127,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block @@ -192,7 +192,7 @@ jobs: pull-requests: write # Required to post comments steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block @@ -218,7 +218,7 @@ jobs: pull-requests: write # Required to post review comments steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: false # markdownlint needs to run in a container egress-policy: block diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e34d53c..3cd0ea1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -34,7 +34,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: audit @@ -156,7 +156,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/reusable-native-build.yml b/.github/workflows/reusable-native-build.yml index d33a88f..99ef02d 100644 --- a/.github/workflows/reusable-native-build.yml +++ b/.github/workflows/reusable-native-build.yml @@ -40,7 +40,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index 3ea0bbe..21a144b 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block @@ -44,16 +44,16 @@ jobs: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 + uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 with: languages: java-kotlin,actions queries: security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 + uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 + uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 opengrep: name: Analyze (Opengrep) @@ -66,7 +66,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block @@ -120,7 +120,7 @@ jobs: - name: Upload results to GitHub Code Scanning if: always() - uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 + uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 with: sarif_file: opengrep.sarif category: opengrep diff --git a/.github/workflows/site.yml b/.github/workflows/site.yml index 51f30e8..e6894fd 100644 --- a/.github/workflows/site.yml +++ b/.github/workflows/site.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: disable-sudo-and-containers: true egress-policy: block