diff --git a/.github/workflows/automatePR.yml b/.github/workflows/automatePR.yml index ab9e287f..601156b1 100644 --- a/.github/workflows/automatePR.yml +++ b/.github/workflows/automatePR.yml @@ -17,11 +17,11 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6 with: repository: step-security/secure-repo diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml index c40f9f80..cc70c82e 100644 --- a/.github/workflows/code-review.yml +++ b/.github/workflows/code-review.yml @@ -11,7 +11,7 @@ jobs: pull-requests: read steps: - name: Harden Runner - uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0 + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 62d466be..e540ccc3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,12 +41,12 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - name: Checkout repository - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index 5fc4494f..d1210f38 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -15,15 +15,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: 1.17 - name: Configure AWS Credentials diff --git a/.github/workflows/kb-test.yml b/.github/workflows/kb-test.yml index c129faa6..5819dc6a 100644 --- a/.github/workflows/kb-test.yml +++ b/.github/workflows/kb-test.yml @@ -25,11 +25,11 @@ jobs: objects.githubusercontent.com:443 golang.org:443 - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ github.event.pull_request.head.sha }} - name: Set up Go - uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: 1.17 - name: Run coverage diff --git a/.github/workflows/kbanalysis.yml b/.github/workflows/kbanalysis.yml index 6d846e15..30b021ad 100644 --- a/.github/workflows/kbanalysis.yml +++ b/.github/workflows/kbanalysis.yml @@ -22,11 +22,11 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: step-security/secure-repo diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2ec3f2b4..50e2bc1d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,15 +17,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: 1.17 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 54e09afb..7b2f0977 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -32,12 +32,12 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - name: "Checkout code" - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: persist-credentials: false diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 869959f5..3ca6a98c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,18 +9,19 @@ on: permissions: # added using https://github.com/step-security/secure-repo contents: read -concurrency: - group: ${{ github.workflow }} + jobs: test: permissions: contents: read runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v1 + - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: + egress-policy: audit allowed-endpoints: > api.github.com:443 + cli.codecov.io:443 codecov.io:443 uploader.codecov.io:443 github.com:443 @@ -30,15 +31,17 @@ jobs: objects.githubusercontent.com:443 golang.org:443 - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ github.event.pull_request.head.sha }} - name: Set up Go - uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: 1.17 - name: Run coverage run: go test ./... -coverpkg=./... -race -coverprofile=coverage.txt -covermode=atomic env: PAT: ${{ secrets.GITHUB_TOKEN }} - - uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # v2 + - uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1 + with: + token: ${{ secrets.CODECOV_TOKEN }} diff --git a/knowledge-base/actions/angular/dev-infra/github-actions/lock-closed/action-security.yml b/knowledge-base/actions/angular/dev-infra/github-actions/lock-closed/action-security.yml deleted file mode 100644 index 051053cd..00000000 --- a/knowledge-base/actions/angular/dev-infra/github-actions/lock-closed/action-security.yml +++ /dev/null @@ -1,2 +0,0 @@ -name: 'Lock Closed Issues' # angular/dev-infra/github-actions/lock-closed -# GITHUB_TOKEN not used diff --git a/knowledge-base/actions/devbotsxyz/xcode-notarize/action-security.yml b/knowledge-base/actions/devbotsxyz/xcode-notarize/action-security.yml deleted file mode 100644 index 08a07874..00000000 --- a/knowledge-base/actions/devbotsxyz/xcode-notarize/action-security.yml +++ /dev/null @@ -1,2 +0,0 @@ -name: 'Xcode Notarize' # devbotsxyz/xcode-notarize -# GITHUB_TOKEN not used diff --git a/knowledge-base/actions/devbotsxyz/xcode-staple/action-security.yml b/knowledge-base/actions/devbotsxyz/xcode-staple/action-security.yml deleted file mode 100644 index 62790b12..00000000 --- a/knowledge-base/actions/devbotsxyz/xcode-staple/action-security.yml +++ /dev/null @@ -1,2 +0,0 @@ -name: 'Xcode Staple' # devbotsxyz/xcode-staple -# GITHUB_TOKEN not used