diff --git a/.github/workflows/clean-branch-cache.yml b/.github/workflows/clean-branch-cache.yml index 72ad7ef..377b25d 100644 --- a/.github/workflows/clean-branch-cache.yml +++ b/.github/workflows/clean-branch-cache.yml @@ -17,7 +17,7 @@ jobs: permissions: actions: write steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml index 39b321f..f832c35 100644 --- a/.github/workflows/docker-build-and-push.yml +++ b/.github/workflows/docker-build-and-push.yml @@ -102,7 +102,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: ${{ inputs.disable-sudo }} egress-policy: block @@ -125,11 +125,11 @@ jobs: with: persist-credentials: false - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 with: cache-binary: false - name: Log in to the Container registry - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 if: inputs.push with: registry: ${{ inputs.registry }} 
@@ -138,7 +138,7 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: metadata if: inputs.push - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ inputs.registry }}/${{ inputs.image }} tags: ${{ inputs.tags }} @@ -146,7 +146,7 @@ jobs: - name: Build and push id: build if: inputs.push - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: annotations: ${{ steps.metadata.outputs.annotations }} cache-from: type=gha @@ -161,7 +161,7 @@ jobs: - name: Build push locally id: build-local if: ${{ !inputs.push }} - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: cache-from: type=gha cache-to: type=gha,mode=max @@ -214,7 +214,7 @@ jobs: create-storage-record: ${{ startsWith(inputs.registry, 'ghcr.io') }} sbom-path: ${{ inputs.working-directory }}/sbom.spdx.json - name: Install cosign - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 if: inputs.push && inputs.sign-image - name: Sign image if: inputs.push && inputs.sign-image @@ -238,7 +238,7 @@ jobs: echo -n "$(cat ./trivy_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD" - name: Upload results if: ${{ inputs.scan-image && inputs.upload-sarif }} - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif category: container-security 
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index bac398d..61a6662 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -25,7 +25,7 @@ jobs: runs-on: ${{ inputs.runs-on }} if: (github.actor != 'dependabot[bot]') steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index f069fc8..693630e 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -34,7 +34,7 @@ jobs: pull-requests: write checks: write steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -70,7 +70,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -107,7 +107,7 @@ jobs: permissions: contents: write steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block diff --git a/.github/workflows/go-security-scan.yml b/.github/workflows/go-security-scan.yml index defd0e0..a0fa0a9 100644 --- a/.github/workflows/go-security-scan.yml +++ b/.github/workflows/go-security-scan.yml 
@@ -33,7 +33,7 @@ jobs: env: GO111MODULE: on steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: ${{ inputs.disable-sudo }} egress-policy: block @@ -61,7 +61,7 @@ jobs: run: | echo -n "$(cat ./gosec-results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD" - name: Upload results - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: '${{ inputs.working-directory }}/gosec-results.sarif' category: sast diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml index 6aff560..61d8e00 100644 --- a/.github/workflows/infra-security-scan.yml +++ b/.github/workflows/infra-security-scan.yml @@ -34,7 +34,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: ${{ inputs.disable-sudo }} egress-policy: block @@ -64,7 +64,7 @@ jobs: enable_jobs_summary: true comments_with_queries: true - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: ${{ inputs.working-directory }}/kics_results.sarif category: devops 
@@ -78,7 +78,7 @@ jobs: pull-requests: write security-events: write steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: ${{ inputs.disable-sudo }} egress-policy: block @@ -118,7 +118,7 @@ jobs: run: | echo -n "$(cat ./zizmor_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD" - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: zizmor_results.sarif category: github-actions diff --git a/.github/workflows/local-auto-tagger.yml b/.github/workflows/local-auto-tagger.yml index baa3311..69d5664 100644 --- a/.github/workflows/local-auto-tagger.yml +++ b/.github/workflows/local-auto-tagger.yml @@ -17,7 +17,7 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/pulumi-preview.yml b/.github/workflows/pulumi-preview.yml index e430f22..d92a135 100644 --- a/.github/workflows/pulumi-preview.yml +++ b/.github/workflows/pulumi-preview.yml @@ -55,7 +55,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block 
@@ -120,7 +120,7 @@ jobs: with: path: ${{ env.PULUMI_HOME }}/plugins key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }} - - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 + - uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} @@ -131,7 +131,7 @@ jobs: with: secret-ids: > ${{ inputs.aws-secrets-mapping }} - - uses: pulumi/actions@8582a9e8cc630786854029b4e09281acd6794b58 # v6.6.1 + - uses: pulumi/actions@8e5e406f4007fca908480587cb9893c07090f58d # v7.0.0 name: Pulumi Preview with: command: preview diff --git a/.github/workflows/pulumi-up.yml b/.github/workflows/pulumi-up.yml index 3ca16c0..40201ab 100644 --- a/.github/workflows/pulumi-up.yml +++ b/.github/workflows/pulumi-up.yml @@ -54,7 +54,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -119,7 +119,7 @@ jobs: with: path: ${{ env.PULUMI_HOME }}/plugins key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }} - - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 + - uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} 
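Review bot: The `pulumi/actions` pin crosses a major version (v6.6.1 to v7.0.0) on the step that runs `command: preview`, and the same bump is applied to the `command: up` step in pulumi-up.yml; `actions/dependency-review-action` in sast.yml likewise moves from v4.9.0 to v5.0.0. Only the first `with:` inputs are visible in these hunks, so it cannot be confirmed from here that every input the steps pass is still accepted with the same meaning. When `inputs.aws-role` is set, the Pulumi step runs after `aws-actions/configure-aws-credentials` has assumed that role, so a changed default takes effect with cloud credentials in scope. The PR description should record that the v7 and v5 release notes were checked against the inputs in use, and the preview workflow should run once on a non-production stack before the `up` workflow picks up this pin.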
@@ -130,7 +130,7 @@ jobs: with: secret-ids: > ${{ inputs.aws-secrets-mapping }} - - uses: pulumi/actions@8582a9e8cc630786854029b4e09281acd6794b58 # v6.6.1 + - uses: pulumi/actions@8e5e406f4007fca908480587cb9893c07090f58d # v7.0.0 name: Pulumi Up with: command: up diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml index 5442c66..941a7a1 100644 --- a/.github/workflows/python-ci.yml +++ b/.github/workflows/python-ci.yml @@ -31,7 +31,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -85,7 +85,7 @@ jobs: - run: uv sync --locked --all-extras --dev if: ${{ steps.cache-deps.outputs.cache-hit != 'true' && hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }} - name: Install Task - uses: go-task/setup-task@3be4020d41929789a01026e0e427a4321ce0ad44 # v2.0.0 + uses: go-task/setup-task@01a4adf9db2d14c1de7a560f09170b6e0df736aa # v2.1.0 with: repo-token: ${{ github.token }} - name: Linting diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index d63e341..6eb0f71 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml @@ -52,7 +52,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block 
@@ -66,7 +66,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0 + - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 with: components: rustfmt toolchain: ${{ inputs.rust-version }} @@ -85,7 +85,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -99,7 +99,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0 + - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 with: toolchain: ${{ inputs.rust-version }} cache-workspaces: |- @@ -116,7 +116,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -132,7 +132,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0 + - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 with: components: clippy toolchain: ${{ inputs.rust-version }} 
@@ -153,7 +153,7 @@ jobs: run: | echo -n "$(cat ./clippy-results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD" - name: Upload results - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: ${{ inputs.working-directory }}/clippy-results.sarif category: sast @@ -170,7 +170,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: block @@ -204,7 +204,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 + - uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} @@ -214,7 +214,7 @@ jobs: uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1 with: version: latest - - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0 + - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 with: toolchain: ${{ inputs.rust-version }} cache-workspaces: |- diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index 7c53b0e..2c2d6f3 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml 
@@ -35,7 +35,7 @@ jobs: persist-credentials: false - name: 'Dependency Review' if: github.event_name == 'pull_request' && inputs.upload-sarif - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 + uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 with: fail-on-severity: moderate comment-summary-in-pr: on-failure @@ -58,7 +58,7 @@ jobs: run: | echo -n "$(cat ./sast-output.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD" - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: ./sast-output.sarif category: sast diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index d0593f2..d932c01 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml @@ -51,7 +51,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: ${{ inputs.disable-sudo }} egress-policy: audit @@ -63,7 +63,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 + - uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} 
@@ -77,9 +77,9 @@ jobs: path: ~/.terraform.d/plugin-cache key: terraform-providers-${{ hashFiles('**/.terraform.lock.hcl') }} restore-keys: terraform-providers- - - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0 + - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 - name: Sops Binary Installer - uses: mdgreenwald/mozilla-sops-action@d9714e521cbaecdae64a89d2fdd576dd2aa97056 + uses: mdgreenwald/mozilla-sops-action@fe9db4c6a9f56efabf8855966e98c7ec9d09eb3e - name: Decrypt Secrets env: SOPS_AGE_KEY: ${{ secrets.sops-age-key }} @@ -123,7 +123,7 @@ jobs: run: | echo -n "$(cat ./trivy_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD" - name: Upload results - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif category: devops @@ -142,7 +142,7 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo-and-containers: ${{ inputs.disable-sudo }} egress-policy: audit @@ -151,7 +151,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 + - uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2 if: ${{ inputs.aws-role != '' }} with: role-to-assume: ${{ inputs.aws-role }} 
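Review bot: The new `mdgreenwald/mozilla-sops-action` pin is the only `uses:` line in this change with no trailing version comment, so a reader cannot tell which release `fe9db4c6a9f56efabf8855966e98c7ec9d09eb3e` corresponds to, or whether it is a tagged release at all. Every other pin here carries one; add it in the same form, for example `uses: mdgreenwald/mozilla-sops-action@fe9db4c6a9f56efabf8855966e98c7ec9d09eb3e # v<TAG, confirm against upstream>`. The step installs the binary that the following "Decrypt Secrets" step presumably invokes with `SOPS_AGE_KEY` in its environment, and the harden-runner context earlier in this file shows `egress-policy: audit` rather than `block`, so outbound traffic from this job is logged but not stopped. That makes this the pin most worth checking against the upstream repository's tags before merge. The same line is changed again in the later `@@ -165,9 +165,9 @@` hunk of terraform-ci.yml.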
@@ -165,9 +165,9 @@ jobs: path: ~/.terraform.d/plugin-cache key: terraform-providers-${{ hashFiles('**/.terraform.lock.hcl') }} restore-keys: terraform-providers- - - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0 + - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 - name: Sops Binary Installer - uses: mdgreenwald/mozilla-sops-action@d9714e521cbaecdae64a89d2fdd576dd2aa97056 + uses: mdgreenwald/mozilla-sops-action@fe9db4c6a9f56efabf8855966e98c7ec9d09eb3e - name: Decrypt Secrets env: SOPS_AGE_KEY: ${{ secrets.sops-age-key }}