diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 3139cfaf..7609318b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -48,7 +48,7 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false fetch-depth: 0 @@ -56,11 +56,11 @@ jobs: run: mkdir "$REPORTS_DIR" - name: Setup python ${{ env.PYTHON_VERSION }} # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION }} - name: Setup poetry ${{ env.POETRY_VERSION }} - # see https://github.com/marketplace/actions/setup-poetry + # see https://github.com/Gr1N/setup-poetry uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} @@ -77,7 +77,7 @@ jobs: !failure() && !cancelled() && steps.after-release.outputs.released # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.RUN_ARTIFACT_PYTHON_DIST }} path: ${{ env.DIST_SOURCE_DIR }}/ @@ -109,7 +109,7 @@ jobs: - name: Artifact reports if: ${{ ! cancelled() }} # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.REPORTS_ARTIFACT }} path: ${{ env.REPORTS_DIR }} diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index c9bd2917..d4057b24 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml 
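Review bot: In the `Setup poetry` step of the second hunk, `uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9` keeps a major-only version comment while every other SHA pin in this commit moves to an exact tag (`# v6.0.2`, `# v6.2.0`, `# v6.0.0`); the SHA is unchanged, so only the comment is out of step. The same step is left at `# v9` in the python.yml hunks at @@ -52, @@ -77, @@ -102, @@ -137, @@ -162 and @@ -256 and in the release.yml hunks at @@ -71 and @@ -96. Suggest `uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9.<exact tag this SHA resolves to>` filled in from the upstream release, because if a dependency bot keys its update proposals on that trailing comment (inferred; depends on how pins are maintained here) a stale tag beside a SHA silently changes what gets bumped.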
@@ -52,16 +52,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry + # see https://github.com/Gr1N/setup-poetry uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} @@ -77,16 +77,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry + # see https://github.com/Gr1N/setup-poetry uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} 
@@ -102,16 +102,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry + # see https://github.com/Gr1N/setup-poetry uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} @@ -137,16 +137,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry + # see https://github.com/Gr1N/setup-poetry uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} 
@@ -162,16 +162,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry + # see https://github.com/Gr1N/setup-poetry uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} @@ -197,12 +197,12 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} - name: Install self 
@@ -236,14 +236,14 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create reports directory run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} - name: craft PY_UT_ARGS @@ -256,7 +256,7 @@ jobs: with open(os.environ['GITHUB_ENV'], 'a') as env_file: env_file.write(f'PY_UT_ARGS={" ".join(PY_UT_ARGS)}\n') - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry + # see https://github.com/Gr1N/setup-poetry uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} @@ -276,7 +276,7 @@ jobs: - name: Artifact reports if: ${{ ! cancelled() }} # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: '${{ env.TESTS_REPORTS_ARTIFACT }}_bnt_${{ matrix.os }}_py${{ matrix.python-version }}' path: ${{ env.REPORTS_DIR }} @@ -290,7 +290,7 @@ jobs: steps: - name: fetch test artifacts # see https://github.com/actions/download-artifact - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: pattern: '${{ env.TESTS_REPORTS_ARTIFACT }}_bnt_*' merge-multiple: true 
@@ -301,7 +301,7 @@ jobs: ## see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets if: ${{ env.CODACY_PROJECT_TOKEN != '' }} # see https://github.com/codacy/codacy-coverage-reporter-action - uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1 + uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0 with: project-token: ${{ env.CODACY_PROJECT_TOKEN }} coverage-reports: ${{ env.REPORTS_DIR }}/coverage/* diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5928733e..d0e449f7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -71,16 +71,16 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry + # see https://github.com/Gr1N/setup-poetry uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} 
@@ -96,16 +96,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry + # see https://github.com/Gr1N/setup-poetry uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} @@ -136,18 +136,18 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false fetch-depth: 0 - name: Setup python # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} - name: Install and configure Poetry - # See https://github.com/marketplace/actions/install-poetry-action - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1 + # See https://github.com/snok/install-poetry + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: ${{ env.POETRY_VERSION }} virtualenvs-create: true 
@@ -172,7 +172,7 @@ jobs: !failure() && !cancelled() && steps.release.outputs.released == 'true' # see https://github.com/pypa/gh-action-pypi-publish - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: attestations: true - name: Publish package distributions to GitHub Releases @@ -180,7 +180,7 @@ jobs: !failure() && !cancelled() && steps.release.outputs.released == 'true' # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action - uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10 + uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10.5.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} tag: ${{ steps.release.outputs.tag }} @@ -189,7 +189,7 @@ jobs: !failure() && !cancelled() && steps.release.outputs.released == 'true' # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.DIST_ARTIFACT }} path: ${{ env.DIST_DIR }}/ @@ -225,7 +225,7 @@ jobs: echo "GHCR_REPO=${GHCR_REPO@L}" >> "${GITHUB_ENV}" - name: Checkout code (${{ env.TAG }}) # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ needs.release-PyPI.outputs.tag }} 
@@ -235,7 +235,7 @@ jobs: mkdir "$DIST_DIR" - name: Fetch python dist artifact # see https://github.com/actions/download-artifact - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: ${{ env.DIST_ARTIFACT }} path: ${{ env.DIST_DIR }}/ @@ -268,15 +268,15 @@ jobs: - name: Artifact reports if: ${{ ! cancelled() }} # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.ARTIFACT_DOCKER_SBOM }} path: ${{ env.REPORTS_DIR }}/*.bom.* if-no-files-found: error # publish AFTER the boms were build, as the bom-generation is kind of a test if the image works - name: Login to DockerHub - # see hhttps://github.com/docker/login-action?tab=readme-ov-file#docker-hub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + # see https://github.com/docker/login-action?tab=readme-ov-file#docker-hub + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -289,7 +289,7 @@ jobs: # region publish to GHCR - name: Login to GHCR # see https://github.com/docker/login-action#github-container-registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 1e27a0ce..4802b749 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
@@ -17,31 +17,26 @@ # For details of what checks are run for PRs please refer below # docs: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions - -name: Workflow Security Analysis +name: Zizmor on: - pull_request: - paths: - - '.github/workflows/**' - - '.github/dependabot.yml' push: - paths: - - ".github/workflows/**" - - ".github/dependabot.yml" + branches: ['master', 'main'] + pull_request: + branches: ['**'] + workflow_dispatch: schedule: - # weekly scan: every Saturday at 00:00 UTC - cron: '0 0 * * 6' +permissions: {} + concurrency: group: '${{ github.workflow }}-${{ github.ref }}' cancel-in-progress: true -permissions: {} - jobs: zizmor: - name: Harden GitHub Workflows (zizmor) + name: Zizmor runs-on: ubuntu-latest timeout-minutes: 10 permissions: @@ -49,12 +44,12 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run zizmor 🌈 # see https://github.com/zizmorcore/zizmor-action - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 with: # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than # uploading a SARIF report to GitHub's Security tab.
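Review bot: The `schedule:` entry keeps `- cron: '0 0 * * 6'` but the only line documenting it, `# weekly scan: every Saturday at 00:00 UTC`, is removed, so the cadence is no longer explained anywhere; restore that comment directly above the `- cron:` line. Dropping both `paths:` filters and widening `pull_request` to `branches: ['**']` also changes when the scan runs, from workflow-file changes only to every push to master/main and every PR, which is a defensible choice for a workflow linter but deserves a one-line comment above `on:` stating that intent (for example `# scan on every push/PR so that new or changed workflows are never skipped`, if that is the reason). The job's `permissions:` block continues outside the hunk.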