diff --git a/.github/workflows/build-matrix.yml b/.github/workflows/build-matrix.yml
index cbcb42a2..40912313 100644
--- a/.github/workflows/build-matrix.yml
+++ b/.github/workflows/build-matrix.yml
@@ -49,7 +49,7 @@ jobs:
 go build -ldflags="-s -w" -o "ckb-${GOOS}-${GOARCH}${ext}" ./cmd/ckb
 - name: Upload artifact
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: ckb-${{ matrix.os }}-${{ matrix.arch }}
 path: ckb-${{ matrix.os }}-${{ matrix.arch }}*
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 208e6629..759560d4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -177,7 +177,7 @@ jobs:
 run: ./ckb version
 - name: Upload binary
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: ckb-linux-amd64
 path: ckb
diff --git a/.github/workflows/ckb.yml b/.github/workflows/ckb.yml
index 1cbc78e8..5003e463 100644
--- a/.github/workflows/ckb.yml
+++ b/.github/workflows/ckb.yml
@@ -95,7 +95,7 @@ jobs:
 # ───────────────────────────────────────────────────────────────────────
 - name: Cache
 id: cache
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 path: .ckb/
 key: ckb-${{ runner.os }}-${{ hashFiles('go.sum') }}-${{ github.base_ref }}
@@ -172,7 +172,7 @@ jobs:
 fi
 - name: Post Impact Comment
- uses: marocchino/sticky-pull-request-comment@d4d6b0936434b21bc8345ad45a440c5f7d2c40ff # v3.0.3
+ uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
 with:
 header: ckb-impact
 path: impact.md
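Review bot: The trailing comment on the `actions/cache` pin in `ckb.yml` (hunk at -95) still reads `# v5` although the commit SHA changed, so the comment no longer says which release the SHA belongs to. The `upload-artifact` and `sticky-pull-request-comment` pins in this same diff carry full tags (`# v7.0.1`, `# v3.0.4`), which lets a reviewer check the SHA against the tagged release; a major-only comment cannot be checked that way. I would record the exact tag, e.g. `uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.Y.Z`, with the placeholder replaced by the real release. The same applies to the other `actions/cache` and `actions/cache/save` hunks in `ckb.yml`, to `actions/setup-node ... # v6` in `release.yml`, and to every `github/codeql-action/upload-sarif ... # v4` hunk.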
@@ -377,7 +377,7 @@ jobs:
 # ───────────────────────────────────────────────────────────────────────
 - name: Comment
 if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 env:
 CACHE_HIT: ${{ steps.cache.outputs.cache-hit }}
 INDEX_MODE: ${{ steps.index.outputs.mode }}
@@ -928,7 +928,7 @@ jobs:
 - name: Reviewers
 if: always()
 continue-on-error: true
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 script: |
 const fs = require('fs');
@@ -954,14 +954,14 @@ jobs:
 # ───────────────────────────────────────────────────────────────────────
 - name: Save Cache
 if: always()
- uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 path: .ckb/
 key: ckb-${{ runner.os }}-${{ hashFiles('go.sum') }}-${{ github.base_ref }}
 - name: Upload
 if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: ckb-analysis
 path: '*.json'
@@ -992,7 +992,7 @@ jobs:
 run: go install github.com/sourcegraph/scip-go/cmd/scip-go@latest
 - name: Cache
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 path: .ckb/
 key: ckb-${{ runner.os }}-refresh-${{ github.run_id }}
@@ -1035,7 +1035,7 @@ jobs:
 echo "| Language Quality | $(jq '.overallQuality * 100 | floor' reports/languages.json)% |" >> $GITHUB_STEP_SUMMARY
 - name: Upload
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: ckb-refresh
 path: reports/
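Review bot: In the `Reviewers` step (hunk at -928) `actions/github-script` crosses a major version, v8 to v9.0.0, while the step keeps `continue-on-error: true`, so an inline script that stops working under the new major would fail without turning the job red. The script body continues outside the hunk and only `const fs = require('fs');` is visible, so I cannot tell whether it depends on anything the new major changed. I would add a comment above the step such as `# continue-on-error hides script failures; check this step's log after every github-script upgrade`, and confirm a green run of the step on a test PR before merging. The `Comment` step at -377 and the github-script hunks in `nfr.yml` and `security-gate.yml` take the same major bump.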
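Review bot: The context line `run: go install github.com/sourcegraph/scip-go/cmd/scip-go@latest` (hunk at -992) still resolves a floating version at run time, while every `uses:` in this diff is pinned to a commit SHA. The installed binary runs in the same job whose `.ckb/` directory is cached by the step changed here, so an unreviewed upstream release can reach that job without any diff in this repository. Pin it like the actions, e.g. `run: go install github.com/sourcegraph/scip-go/cmd/scip-go@vX.Y.Z` (placeholder for the version you have reviewed), and let the dependency bot bump it. The install step begins outside the hunk.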
diff --git a/.github/workflows/cov.yml b/.github/workflows/cov.yml
index 17f80b4a..a1d6b988 100644
--- a/.github/workflows/cov.yml
+++ b/.github/workflows/cov.yml
@@ -69,7 +69,7 @@ jobs:
 - name: Upload coverage
 if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: coverage
 path: |
diff --git a/.github/workflows/nfr.yml b/.github/workflows/nfr.yml
index 5920a549..ada0e724 100644
--- a/.github/workflows/nfr.yml
+++ b/.github/workflows/nfr.yml
@@ -39,7 +39,7 @@ jobs:
 exit 0
 - name: Upload head results
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: nfr-head
 path: nfr-output.txt
@@ -72,7 +72,7 @@ jobs:
 exit 0
 - name: Upload base results
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: nfr-base
 path: nfr-output.txt
@@ -270,7 +270,7 @@ jobs:
 - name: Comment on PR
 if: always() && github.event_name == 'pull_request'
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 script: |
 const fs = require('fs');
@@ -308,7 +308,7 @@ jobs:
 - name: Upload NFR results
 if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: nfr-results
 path: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e3643bc6..eb6bd805 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -29,7 +29,7 @@ jobs:
 cache: true
 - name: Set up Node.js
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
 registry-url: 'https://registry.npmjs.org'
@@ -79,7 +79,7 @@ jobs:
 run: go test -race ./...
 - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+ uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
 with:
 version: '~> v2'
 args: release --clean
diff --git a/.github/workflows/security-dependencies.yml b/.github/workflows/security-dependencies.yml
index 10ed1783..9af6bbc4 100644
--- a/.github/workflows/security-dependencies.yml
+++ b/.github/workflows/security-dependencies.yml
@@ -142,7 +142,7 @@ jobs:
 - name: Upload Trivy SARIF
 if: inputs.scan_trivy && hashFiles('trivy-vuln.sarif') != ''
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
 sarif_file: trivy-vuln.sarif
 category: trivy
@@ -220,7 +220,7 @@ jobs:
 echo "| **Total** | **$TOTAL** |" >> $GITHUB_STEP_SUMMARY
 - name: Upload artifacts
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always()
 with:
 name: dependency-scan-results
diff --git a/.github/workflows/security-gate.yml b/.github/workflows/security-gate.yml
index 66fdba3a..6086b538 100644
--- a/.github/workflows/security-gate.yml
+++ b/.github/workflows/security-gate.yml
@@ -201,7 +201,7 @@ jobs:
 - name: PR Comment
 if: github.event_name == 'pull_request'
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 script: |
 const fs = require('fs');
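Review bot: In the `Run GoReleaser` step of `release.yml` (hunk at -79) the action is pinned to a commit SHA, but its `version: '~> v2'` input still selects the GoReleaser binary by range, so the tool invoked with `release --clean` can change between runs without any change in this repository. For a release job I would pin the binary as well, e.g. `version: 'vX.Y.Z'` (placeholder for the release you have validated), and bump it in the same PRs that bump the action. The step's remaining inputs continue outside the hunk.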
diff --git a/.github/workflows/security-sast-common.yml b/.github/workflows/security-sast-common.yml
index 106796d7..0ee7eba2 100644
--- a/.github/workflows/security-sast-common.yml
+++ b/.github/workflows/security-sast-common.yml
@@ -91,14 +91,14 @@ jobs:
 - name: Upload SARIF
 if: hashFiles('semgrep.sarif') != ''
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
 sarif_file: semgrep.sarif
 category: semgrep
 continue-on-error: true
 - name: Upload artifacts
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always()
 with:
 name: semgrep-results
diff --git a/.github/workflows/security-sast-go.yml b/.github/workflows/security-sast-go.yml
index 64da052f..5da71199 100644
--- a/.github/workflows/security-sast-go.yml
+++ b/.github/workflows/security-sast-go.yml
@@ -134,14 +134,14 @@ jobs:
 echo "| **Total** | **$FINDINGS** |" >> $GITHUB_STEP_SUMMARY
 - name: Upload SARIF
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
 sarif_file: gosec.sarif
 category: gosec
 continue-on-error: true
 - name: Upload artifacts
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always()
 with:
 name: gosec-results
diff --git a/.github/workflows/security-sast-python.yml b/.github/workflows/security-sast-python.yml
index a48e0c94..d787ad22 100644
--- a/.github/workflows/security-sast-python.yml
+++ b/.github/workflows/security-sast-python.yml
@@ -134,14 +134,14 @@ jobs:
 - name: Upload SARIF
 if: hashFiles('bandit.sarif') != ''
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
 sarif_file: bandit.sarif
 category: bandit
 continue-on-error: true
 - name: Upload artifacts
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always()
 with:
 name: bandit-results
diff --git a/.github/workflows/security-secrets.yml b/.github/workflows/security-secrets.yml
index f2df7323..b455a875 100644
--- a/.github/workflows/security-secrets.yml
+++ b/.github/workflows/security-secrets.yml
@@ -121,7 +121,7 @@ jobs:
 - name: Upload CKB SARIF to Code Scanning
 if: inputs.scan_ckb && steps.ckb_sarif.outputs.valid == 'true'
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
 sarif_file: ckb-secrets.sarif
 category: ckb-secrets
@@ -151,7 +151,7 @@ jobs:
 - name: Upload Gitleaks SARIF
 if: inputs.scan_gitleaks && hashFiles('gitleaks.sarif') != ''
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
 sarif_file: gitleaks.sarif
 category: gitleaks
@@ -217,7 +217,7 @@ jobs:
 echo "| **Total** | **$TOTAL** |" >> $GITHUB_STEP_SUMMARY
 - name: Upload artifacts
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always()
 with:
 name: secret-scan-results