diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 50ef252..b2b391b 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -27,10 +27,10 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install cosign - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Docker meta id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6 with: # list of Docker images to use as base name for tags images: | @@ -47,17 +47,17 @@ jobs: type=sha,format=long type=raw,value=latest,enable={{is_default_branch}} - name: Set up QEMU - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4 - name: Login to Docker Hub - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 if: github.event_name != 'pull_request' with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 if: github.event_name != 'pull_request' with: registry: ghcr.io @@ -66,7 +66,7 @@ jobs: - name: Get Git commit timestamps run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV - name: Build Testimage - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7 env: SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }} with: @@ -77,7 +77,7 @@ jobs: - name: Run small selftest on build container image run: docker run -v "./tests/selftest.sh:/selftest.sh" "${{ env.TEST_TAG }}" ./selftest.sh - name: Build and push - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7 id: docker-build env: SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }} @@ -103,7 +103,7 @@ jobs: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master + uses: aquasecurity/trivy-action@bfa4b33a029b9aa80ddb784b45574c30e072c59e # master if: ${{ github.event_name != 'pull_request' }} with: image-ref: "ghcr.io/anotherstranger/borg-server:sha-${{ github.sha }}" @@ -111,7 +111,7 @@ jobs: output: "trivy-results.sarif" severity: "CRITICAL,HIGH" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 if: ${{ github.event_name != 'pull_request' }} with: sarif_file: "trivy-results.sarif" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ccde3e5..682a87e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,7 +19,7 @@ jobs: with: fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "lts/*" - name: Release diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index d50b780..1621adb 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -19,13 +19,13 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: scan-type: 'fs' format: 'sarif' output: 'trivy-results-fs.sarif' severity: 'CRITICAL,HIGH,MEDIUM' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 with: sarif_file: 'trivy-results-fs.sarif' diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 90eb80b..c685806 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -8,7 +8,7 @@ repos: - id: end-of-file-fixer - id: check-added-large-files - repo: https://github.com/commitizen-tools/commitizen - rev: v4.13.9 + rev: v4.16.2 hooks: - id: commitizen stages: @@ -31,7 +31,7 @@ repos: - "-i" - "CHANGELOG.md" - repo: https://github.com/renovatebot/pre-commit-hooks - rev: 43.91.4 + rev: 43.150.0 hooks: - id: renovate-config-validator - repo: https://github.com/google/yamlfmt.git @@ -39,6 +39,6 @@ repos: hooks: - id: yamlfmt - repo: https://github.com/biomejs/pre-commit - rev: v2.4.9 + rev: v2.4.15 hooks: - id: biome-format diff --git a/Dockerfile b/Dockerfile index 3a03159..7ec4cf8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,7 @@ ARG BASH_VERSION="5.3.3-r1" ARG SHADOW_VERSION="4.18.0-r0" # renovate: datasource=repology depName=alpine_3_23/openssl versioning=loose -ARG OPENSSL_VERSION="3.5.5-r0" +ARG OPENSSL_VERSION="3.5.6-r0" # renovate: datasource=repology depName=alpine_3_23/pkgconf versioning=loose ARG PKG_CONF_VERSION="2.5.1-r0" @@ -40,7 +40,7 @@ ARG LZ4_VERSION="1.10.0-r0" # renovate: datasource=repology depName=alpine_3_23/linux-headers versioning=loose ARG LINUX_HEADERS_VERSION="6.16.12-r0" -FROM python:3.14.3-alpine3.23@sha256:faee120f7885a06fcc9677922331391fa690d911c020abb9e8025ff3d908e510 AS base +FROM python:3.14.5-alpine3.23@sha256:5a824eb82cc75361f98611f3cfc5091ea33f10a6ccea4d4ebdabbc523b9a1614 AS base ################################################################################ # BUILD BORGBACKUP FROM SOURCE USING PIP #