diff --git a/.github/workflows/build-push-chart.yml b/.github/workflows/build-push-chart.yml index 23310249..ea93b010 100644 --- a/.github/workflows/build-push-chart.yml +++ b/.github/workflows/build-push-chart.yml @@ -15,7 +15,7 @@ name: Build/Push Image and Release Charts permissions: read-all jobs: setenv: - uses: ortelius/workflow-toolkit/.github/workflows/env-config-workflow.yml@f4838576b2f6cc71062002313e23e7be5c636158 + uses: ortelius/workflow-toolkit/.github/workflows/env-config-workflow.yml@9d6701c2bf14c91cacc3718682e6c11eb41ecbf9 with: gh_head_ref: ${{ github.head_ref }} gh_ref_name: ${{ github.ref_name }} @@ -27,7 +27,7 @@ jobs: permissions: id-token: write contents: write - uses: ortelius/workflow-toolkit/.github/workflows/container-release-workflow.yml@f4838576b2f6cc71062002313e23e7be5c636158 + uses: ortelius/workflow-toolkit/.github/workflows/container-release-workflow.yml@9d6701c2bf14c91cacc3718682e6c11eb41ecbf9 needs: setenv with: gh_repository_owner: ${{ github.repository_owner }} @@ -44,7 +44,7 @@ jobs: permissions: security-events: write statuses: write - uses: ortelius/workflow-toolkit/.github/workflows/trivy-scan-workflow.yml@f4838576b2f6cc71062002313e23e7be5c636158 + uses: ortelius/workflow-toolkit/.github/workflows/trivy-scan-workflow.yml@9d6701c2bf14c91cacc3718682e6c11eb41ecbf9 needs: - setenv - release @@ -56,7 +56,7 @@ jobs: helm: permissions: contents: write - uses: ortelius/workflow-toolkit/.github/workflows/helm-release-workflow.yml@f4838576b2f6cc71062002313e23e7be5c636158 + uses: ortelius/workflow-toolkit/.github/workflows/helm-release-workflow.yml@9d6701c2bf14c91cacc3718682e6c11eb41ecbf9 needs: - setenv - release @@ -76,7 +76,7 @@ jobs: GPG_KEY: ${{ secrets.GPG_KEY }} gh_token: ${{ secrets.HELM_INDEXER_TOKEN }} sbom: - uses: ortelius/workflow-toolkit/.github/workflows/sbom-generation-workflow.yml@f4838576b2f6cc71062002313e23e7be5c636158 + uses: ortelius/workflow-toolkit/.github/workflows/sbom-generation-workflow.yml@9d6701c2bf14c91cacc3718682e6c11eb41ecbf9 needs: - setenv - release diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index aa94e923..177ea149 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -29,11 +29,11 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Initialize CodeQL - uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 + uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10 with: languages: "python" - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 + uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10 with: category: "/language:python" diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index b34ff8aa..88c474f2 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -51,7 +51,7 @@ jobs: # Upload MegaLinter artifacts - name: Archive production artifacts if: ${{ success() || failure() }} - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 with: name: MegaLinter reports path: | @@ -62,7 +62,7 @@ jobs: - name: Create Pull Request with applied fixes id: cpr if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') - uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6 + uses: peter-evans/create-pull-request@dd2324fc52d5d43c699a5636bcf19fceaa70c284 # v7.0.7 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} commit-message: "[MegaLinter] Apply linters automatic fixes" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f7a4a939..b2ed9eff 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -36,7 +36,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 with: results_file: results.sarif results_format: sarif @@ -44,6 +44,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 + uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10 with: sarif_file: results.sarif diff --git a/Dockerfile b/Dockerfile index 8f098284..6c8e5895 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM cgr.dev/chainguard/python:latest-dev@sha256:9e7d10b641a219baa71afd8fec83ab8622a0486f7d8bdab4ed5536c361b1add1 AS builder +FROM cgr.dev/chainguard/python:latest-dev@sha256:524b6b99340e6f80a06bbb867369717d2153addbdc8028a9e6bbe0f62085ab4a AS builder COPY . /app @@ -9,7 +9,7 @@ ENV PATH=/home/nonroot/.local/bin:$PATH RUN wget -q -O - https://install.python-poetry.org | python - RUN poetry install --no-root; -FROM cgr.dev/chainguard/python:latest@sha256:b9328fd1f02d7836c7a75b0423ea9b0098e1cc10f6d3b9398bac5ebb4410f316 +FROM cgr.dev/chainguard/python:latest@sha256:cde301cd5f4e494b3ecb1d5b0c8370499482fbefd112b72afe87d4e6f29a0bc1 USER nonroot ENV DB_HOST localhost ENV DB_NAME postgres