diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 071d064..a934abb 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -8,17 +8,17 @@ jobs: if: github.ref == 'refs/heads/master' steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function + fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function - name: Install Python 3.9 - uses: actions/setup-python@v5 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: 3.9 - name: Upgrade python pip - run: python -m pip install --upgrade pip + run: python -m pip install --upgrade pip - name: Install git run: pip install gitpython @@ -34,7 +34,7 @@ jobs: - name: Create release (master only) id: create-release if: github.ref == 'refs/heads/master' - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 continue-on-error: true env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 5db4df6..9cd7b95 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Fetch Dependabot metadata id: meta - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -34,4 +34,4 @@ jobs: run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 7b57a5d..341a437 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -24,10 +24,10 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python 3.13 - uses: actions/setup-python@v5 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.13" @@ -56,7 +56,7 @@ jobs: chmod +x syft # Add to PATH for subsequent steps - echo "$(pwd)" >> $GITHUB_PATH + echo "$(pwd)" >> $GITHUB_PATH - name: Create SBOM run: bash scripts/create-sbom.sh terraform python tflint @@ -69,7 +69,7 @@ jobs: python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv - name: Upload SBOM CSV as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: sbom-csv path: SBOM_${{ github.event.repository.name }}.csv @@ -81,8 +81,6 @@ jobs: - name: Scan SBOM for Vulnerabilities (JSON) run: | grype sbom:sbom.json -o json > grype-report.json - - - name: Convert Grype JSON to CSV run: | @@ -90,9 +88,8 @@ jobs: REPO_NAME=$(basename $GITHUB_REPOSITORY) python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv - - name: Upload Vulnerability Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: grype-report path: grype-report-${{ github.event.repository.name }}.csv @@ -104,7 +101,7 @@ jobs: python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME - name: Upload Package Inventory CSV - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: sbom-packages - path: sbom-packages-${{ github.event.repository.name }}.csv \ No newline at end of file + path: sbom-packages-${{ github.event.repository.name }}.csv