diff --git a/.github/workflows/build_external_container_images.yaml b/.github/workflows/build_external_container_images.yaml index 92ebe19c8..7876dbfcb 100644 --- a/.github/workflows/build_external_container_images.yaml +++ b/.github/workflows/build_external_container_images.yaml @@ -77,10 +77,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Checkout Bitnami containers repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: repository: bitnami/containers path: ${{ env.BITNAMI_PATH }} @@ -100,10 +100,10 @@ jobs: echo "Extracted ${{ matrix.image.name }} version: $VERSION" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Log in to the Container registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -111,7 +111,7 @@ jobs: - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | @@ -121,7 +121,7 @@ jobs: - name: Build and push Docker image id: build - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: context: ${{ env.BITNAMI_PATH }}/${{ matrix.image.path }} platforms: linux/amd64,linux/arm64 @@ -130,7 +130,7 @@ jobs: labels: ${{ steps.meta.outputs.labels }} - name: Install Cosign - uses: sigstore/cosign-installer@v3 + uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 with: cosign-release: "v2.4.1" diff --git a/.github/workflows/contracts/chainloop-chainloop-github-release.yaml b/.github/workflows/contracts/chainloop-chainloop-github-release.yaml deleted file mode 100644 index 67c0fb725..000000000 --- a/.github/workflows/contracts/chainloop-chainloop-github-release.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# contract used in release workflow -apiVersion: chainloop.dev/v1 -kind: Contract -metadata: - name: chainloop-chainloop-github-release - description: Contract for Chainloop GitHub release workflow -spec: - policies: - attestation: - - ref: source-commit - with: - check_signature: yes - policyGroups: - - ref: slsa-checks - with: - runner: GITHUB_ACTION - - ref: vulnerability-management - with: - severity: "HIGH" diff --git a/.github/workflows/package_chart.yaml b/.github/workflows/package_chart.yaml index 7cf5b0e67..3cfa8c146 100644 --- a/.github/workflows/package_chart.yaml +++ b/.github/workflows/package_chart.yaml @@ -36,7 +36,7 @@ jobs: uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - name: Install Cosign - uses: sigstore/cosign-installer@v3.7.0 + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 with: cosign-release: "v2.4.1" diff --git a/.github/workflows/scm_configuration_check.yaml b/.github/workflows/scm_configuration_check.yaml index f8101ff7e..9cd4e9949 100644 --- a/.github/workflows/scm_configuration_check.yaml +++ b/.github/workflows/scm_configuration_check.yaml @@ -21,7 +21,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install Chainloop run: | @@ -33,7 +33,7 @@ jobs: - name: Generate a token id: generate-token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2 with: app-id: ${{ vars.CHAINLOOP_GATHERER_APP_ID }} private-key: ${{ secrets.GATHERER_APP_PRIVATE_KEY }} diff --git a/.github/workflows/secrets-scan-daily.yml b/.github/workflows/secrets-scan-daily.yml index 601a0a5ed..60ba52b99 100644 --- a/.github/workflows/secrets-scan-daily.yml +++ b/.github/workflows/secrets-scan-daily.yml @@ -20,7 +20,7 @@ jobs: CHAINLOOP_PROJECT_NAME: "chainloop" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install Chainloop run: | diff --git a/.github/workflows/sync_contracts.yml b/.github/workflows/sync_contracts.yml index e4090ec64..da218bce8 100644 --- a/.github/workflows/sync_contracts.yml +++ b/.github/workflows/sync_contracts.yml @@ -18,7 +18,7 @@ jobs: CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install Chainloop run: | curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s