diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cafca84a..bf75cfff 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -311,7 +311,7 @@ jobs:
       - name: Upload SARIF to GitHub Security
         if: always()
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
         with:
           sarif_file: trivy-results.sarif
           category: 'container-image'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 71de891f..3ee84be2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -48,11 +48,11 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
         with:
           languages: ${{ matrix.language }}
       - name: Run CodeQL analysis
-        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
         with:
           category: '/language:${{ matrix.language }}'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 28220b3e..a90fdac9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -985,7 +985,7 @@ jobs:
           fi
       - name: Generate SBOM
-        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
         with:
           image: ghcr.io/vig-os/devcontainer:${{ needs.validate.outputs.publish_version }}
           artifact-name: sbom-${{ needs.validate.outputs.publish_version }}.spdx.json
@@ -1032,7 +1032,7 @@ jobs:
           push-to-registry: true
       - name: Attest SBOM
-        uses: actions/attest-sbom@07e74fc4e78d1aad915e867f9a094073a9f71527 # v4.0.0
+        uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0
         with:
           subject-name: ghcr.io/vig-os/devcontainer
           subject-digest: ${{ steps.digest.outputs.digest }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 042bacde..f1524863 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -44,7 +44,7 @@ jobs:
           publish_results: true
       - name: Upload SARIF to GitHub Security
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
         with:
           sarif_file: results.sarif
           category: 'scorecard'
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index b2bf39fd..11afb43e 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -129,7 +129,7 @@ jobs:
           retention-days: 90
       - name: Upload SARIF to GitHub Security
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
         with:
           sarif_file: trivy-results.sarif
           category: 'container-image-scheduled'
diff --git a/.github/workflows/sync-issues.yml b/.github/workflows/sync-issues.yml
index 60e2ec6e..e9cbda69 100644
--- a/.github/workflows/sync-issues.yml
+++ b/.github/workflows/sync-issues.yml
@@ -65,7 +65,7 @@ jobs:
       - name: Restore sync state (last synced timestamp)
         id: restore-state
-        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: .sync-state
           key: sync-issues-state-${{ github.repository }}
@@ -118,7 +118,7 @@ jobs:
       - name: Save sync state
         if: always()
-        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: .sync-state
           key: sync-issues-state-${{ github.repository }}