diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 73f06b5..e303ab5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,7 +21,7 @@ jobs: contents: read security-events: write # Code Scanning: upload SARIF from OSV (codeql-action/upload-sarif) steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 23f9d07..78244ef 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -19,13 +19,13 @@ jobs: contents: write # Create releases, tags, and release branches pull-requests: write # Open and update pin README pull requests steps: - - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4.4.1 + - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0 id: release with: release-type: simple # Move major version tag (e.g. v1) after a release is cut - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 if: ${{ steps.release.outputs.release_created }} with: persist-credentials: false diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 781fe98..99a0d50 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -25,7 +25,7 @@ jobs: actions: read # Required by Scorecard to evaluate workflow security posture steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/action.yml b/action.yml index 79c368b..281031e 100644 --- a/action.yml +++ b/action.yml 
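Review bot: In `.github/workflows/release-please.yml`, the checkout step's `if: ${{ steps.release.outputs.release_created }}` gates on the bare truthiness of an output whose producing action this commit moves across a major version (v4.4.1 to v5.0.0). Step outputs are strings, so a literal `false` is non-empty and would still pass the gate; the condition only holds while the action leaves the output unset when no release is cut, and the diff cannot confirm that for v5. An explicit comparison, `if: ${{ steps.release.outputs.release_created == 'true' }}`, keeps the steps under the "Move major version tag" comment, which run in a job with `contents: write`, from firing on a non-release run. The rest of the job lies outside the hunk, so any later steps using the same gate would need the same change.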
@@ -108,7 +108,7 @@ runs: id: zizmor if: ${{ inputs.enable_zizmor != 'false' }} continue-on-error: true - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 with: persona: ${{ inputs.zizmor_persona }} min-severity: ${{ inputs.zizmor_min_severity }} @@ -140,7 +140,7 @@ runs: id: osv if: ${{ inputs.enable_osv != 'false' }} continue-on-error: true - uses: google/osv-scanner-action/osv-scanner-action@c51854704019a247608d928f370c98740469d4b5 # v2.3.5 + uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8 with: scan-args: ${{ steps.osv-args.outputs.args }} @@ -159,7 +159,7 @@ runs: - name: Upload osv-scanner SARIF to Code Scanning if: ${{ always() && inputs.enable_osv != 'false' && inputs.osv_upload_sarif == 'true' && steps.osv-sarif.outputs.upload == 'true' }} - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: ${{ inputs.osv_results_file_name }} category: osv-scanner @@ -195,7 +195,7 @@ runs: - name: Upload Scorecard SARIF to Code Scanning if: ${{ always() && inputs.enable_scorecard == 'true' }} - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: scorecard.sarif category: scorecard