diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..baf88f0 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,21 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + - package-ecosystem: gomod + directory: /buildboxes/alpine + schedule: + interval: daily + + - package-ecosystem: gomod + directory: /buildboxes/ubuntu + schedule: + interval: daily + + - package-ecosystem: gomod + directory: / + schedule: + interval: daily diff --git a/.github/workflows/_build-and-cache.yml b/.github/workflows/_build-and-cache.yml index 53717de..77a11b5 100644 --- a/.github/workflows/_build-and-cache.yml +++ b/.github/workflows/_build-and-cache.yml @@ -41,20 +41,25 @@ jobs: options: --privileged steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Git clone - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.base_ref }} - name: Restore any cached build artifacts (musl-aarch64) - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: restore-musl-aarch64 with: key: "build-cache-${{ inputs.package-name }}-${{ inputs.package-version }}-musl-aarch64" path: "/usr/bin/${{ inputs.package-name }}_musl_arm64" - name: Restore any cached build artifacts (musl-x86_64) - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: restore-musl-x86_64 with: key: "build-cache-${{ inputs.package-name }}-${{ inputs.package-version }}-musl-x86_64" 
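Review bot: The `github-actions` entry in the new dependabot.yml is what keeps the SHA pins introduced elsewhere in this diff from going stale, but it can only map a SHA back to a release if the trailing `# vX.Y.Z` comment is kept on every pinned `uses:` line, so that convention should be treated as mandatory rather than cosmetic. With four ecosystems on a `daily` interval and neither `groups` nor `open-pull-requests-limit` set, every bump becomes its own PR, which tends to turn SHA review into rubber-stamping. Consider adding `groups:` / `  actions:` / `    patterns: ["*"]` under the `github-actions` entry so related bumps land together and each SHA can still be checked against its upstream tag in one sitting.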
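Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections and blocks nothing, so until it is switched to `block` with an `allowed-endpoints` list this job's hardening is observational. The job also runs in a container started with `options: --privileged` (visible in the hunk context), so it is worth confirming from the first audit reports that the runner-level monitoring actually observes the container's traffic before relying on it. After a few audited runs the follow-up would be `egress-policy: block` plus `allowed-endpoints:` listing what the audit shows, which will at minimum include the GitHub hosts used by `actions/checkout` and `actions/cache/restore`. The same applies to the other Harden Runner steps added across the workflows in this diff.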
@@ -86,7 +91,7 @@ jobs: goreleaser release --clean --nightly --skip=announce,publish,validate --verbose - name: Cache the packages - uses: actions/cache/save@v4 + uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: cache-packages with: key: "${{ inputs.package-name }}-${{ inputs.package-version }}" diff --git a/.github/workflows/_build-musl.yml b/.github/workflows/_build-musl.yml index d126f53..1f82657 100644 --- a/.github/workflows/_build-musl.yml +++ b/.github/workflows/_build-musl.yml @@ -39,13 +39,18 @@ jobs: - arm64 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Git clone - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.base_ref }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 with: platforms: ${{ matrix.arch }} @@ -65,7 +70,7 @@ jobs: cp -vf "${{ github.workspace }}/builds/usr/bin/${{ inputs.package-name }}_musl_${{ matrix.arch }}" /usr/local/bin/${{ inputs.package-name }}_musl_${{ matrix.arch }} - name: Cache the packages - uses: actions/cache/save@v4 + uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: cache-packages with: key: "build-cache-${{ inputs.package-name }}-${{ inputs.package-version }}-musl-${{ matrix.arch }}" diff --git a/.github/workflows/build-1password-cli.yml b/.github/workflows/build-1password-cli.yml index f63163b..f48dd1e 100644 --- a/.github/workflows/build-1password-cli.yml +++ b/.github/workflows/build-1password-cli.yml 
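Review bot: The Harden Runner step added to this matrix job is also in `audit` mode and therefore blocks nothing; when it is moved to `egress-policy: block`, the `allowed-endpoints` list will need to cover the registry `docker/setup-qemu-action` pulls its binfmt image from (inferred from how that action works, not visible in the hunk) in addition to the GitHub hosts used by `actions/checkout` and `actions/cache/save`. Because the job fans out over `matrix.arch`, the audit output is produced per matrix leg, so check both legs before cutting over. Pinning `docker/setup-qemu-action` to a full SHA is the right move; keep the `# v3.0.0` comment so the pin can be mapped back to its tag.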
@@ -50,6 +50,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -58,7 +63,7 @@ jobs: echo "package_version=$(curl -sSLf https://app-updates.agilebits.com/check/1/0/CLI2/en/2000001/N | jq -Mr '.version')" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "1password-cli-${{ steps.lookup_version.outputs.package_version }}" @@ -81,8 +86,13 @@ jobs: options: --privileged steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Git clone - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.base_ref }} @@ -112,7 +122,7 @@ jobs: goreleaser release --clean --nightly --skip=announce,publish,validate --verbose - name: Cache the packages - uses: actions/cache/save@v4 + uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: cache-packages with: key: "1password-cli-${{ needs.lookup.outputs.package_version }}" diff --git a/.github/workflows/build-actionlint.yml b/.github/workflows/build-actionlint.yml index 04bbd62..a955fdc 100644 --- a/.github/workflows/build-actionlint.yml +++ b/.github/workflows/build-actionlint.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
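Review bot: This lookup job is the easiest place in the diff to go beyond `egress-policy: audit`: the only outbound call visible in the hunk is the `curl` to `app-updates.agilebits.com`, followed by `actions/cache/restore`, so a concrete policy of `egress-policy: block` with `allowed-endpoints: app-updates.agilebits.com:443` plus the GitHub hosts the cache action needs would replace a log with an actual control. The `.version` string from that response is written straight into `$GITHUB_OUTPUT` and reused as the cache key a few lines later, which is pre-existing, but it means a blocking egress policy here also bounds where that value can come from. The `env:` block of the lookup step continues outside the hunk, so any other endpoints it reaches are not visible here.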
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'rhysd/actionlint' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "actionlint-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-aws-vault.yml b/.github/workflows/build-aws-vault.yml index 026550c..e4972d1 100644 --- a/.github/workflows/build-aws-vault.yml +++ b/.github/workflows/build-aws-vault.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r '99designs/aws-vault' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "aws-vault-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-chamber.yml b/.github/workflows/build-chamber.yml index ef2bb50..6d21845 100644 --- a/.github/workflows/build-chamber.yml +++ b/.github/workflows/build-chamber.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
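Review bot: This lookup job, like the sibling `build-*.yml` lookups in the diff, has a single outbound dependency visible in the hunk, the `download-asset latest-tag -r '99designs/aws-vault'` call, which presumably talks to the GitHub API, so it is a good candidate for `egress-policy: block` with `allowed-endpoints:` of `api.github.com:443` and `github.com:443` (plus whatever the audit run reports for `actions/cache/restore`) instead of the observational `audit` that is being added. The `env:` block and the remainder of the lookup step are cut off at the end of the hunk, so confirm from an audited run rather than from this diff which hosts the tool actually contacts before switching to block mode.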
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'segmentio/chamber' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "chamber-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-cloud-nuke.yml b/.github/workflows/build-cloud-nuke.yml index 3a55299..c578653 100644 --- a/.github/workflows/build-cloud-nuke.yml +++ b/.github/workflows/build-cloud-nuke.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'gruntwork-io/cloud-nuke' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "cloud-nuke-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-cosign.yml b/.github/workflows/build-cosign.yml index 51f04ae..941f06e 100644 --- a/.github/workflows/build-cosign.yml +++ b/.github/workflows/build-cosign.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'sigstore/cosign' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "cosign-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-direnv.yml b/.github/workflows/build-direnv.yml index b065f8d..3eb2593 100644 --- a/.github/workflows/build-direnv.yml +++ b/.github/workflows/build-direnv.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'direnv/direnv' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "direnv-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-dive.yml b/.github/workflows/build-dive.yml index 2c81df9..4242a76 100644 --- a/.github/workflows/build-dive.yml +++ b/.github/workflows/build-dive.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'wagoodman/dive' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "dive-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-driftwood.yml b/.github/workflows/build-driftwood.yml index 1461f2c..cb0cc33 100644 --- a/.github/workflows/build-driftwood.yml +++ b/.github/workflows/build-driftwood.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'trufflesecurity/driftwood' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "driftwood-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-editorconfig-checker.yml b/.github/workflows/build-editorconfig-checker.yml index c3b363b..ea790b1 100644 --- a/.github/workflows/build-editorconfig-checker.yml +++ b/.github/workflows/build-editorconfig-checker.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'editorconfig-checker/editorconfig-checker' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "editorconfig-checker-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-eza.yml b/.github/workflows/build-eza.yml index 7e5542f..7aee4ee 100644 --- a/.github/workflows/build-eza.yml +++ b/.github/workflows/build-eza.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'eza-community/eza' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "eza-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-fd.yml b/.github/workflows/build-fd.yml index b97fa34..7a75cd1 100644 --- a/.github/workflows/build-fd.yml +++ b/.github/workflows/build-fd.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'sharkdp/fd' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "fd-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-freeze.yml b/.github/workflows/build-freeze.yml index cde659f..bc53963 100644 --- a/.github/workflows/build-freeze.yml +++ b/.github/workflows/build-freeze.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'charmbracelet/freeze' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "freeze-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-fzf.yml b/.github/workflows/build-fzf.yml index b90ddb6..1fa5096 100644 --- a/.github/workflows/build-fzf.yml +++ b/.github/workflows/build-fzf.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'junegunn/fzf' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "fzf-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-gama.yml b/.github/workflows/build-gama.yml index a4c8694..cb3a79d 100644 --- a/.github/workflows/build-gama.yml +++ b/.github/workflows/build-gama.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'termkit/gama' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "gama-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-gh.yml b/.github/workflows/build-gh.yml index ab520b5..0ae69ee 100644 --- a/.github/workflows/build-gh.yml +++ b/.github/workflows/build-gh.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'cli/cli' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "gh-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-git-cliff.yml b/.github/workflows/build-git-cliff.yml index 3d01807..56ba6c1 100644 --- a/.github/workflows/build-git-cliff.yml +++ b/.github/workflows/build-git-cliff.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'orhun/git-cliff' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "git-cliff-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-glow.yml b/.github/workflows/build-glow.yml index 807bc8a..becfd70 100644 --- a/.github/workflows/build-glow.yml +++ b/.github/workflows/build-glow.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'charmbracelet/glow' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "glow-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-gocovsh.yml b/.github/workflows/build-gocovsh.yml index 2b4e60a..86bcb2a 100644 --- a/.github/workflows/build-gocovsh.yml +++ b/.github/workflows/build-gocovsh.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'orlangure/gocovsh' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "gocovsh-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-golangci-lint.yml b/.github/workflows/build-golangci-lint.yml index b64daba..06195aa 100644 --- a/.github/workflows/build-golangci-lint.yml +++ b/.github/workflows/build-golangci-lint.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'golangci/golangci-lint' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "golangci-lint-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-golines.yml b/.github/workflows/build-golines.yml index 1431133..0dd27fd 100644 --- a/.github/workflows/build-golines.yml +++ b/.github/workflows/build-golines.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'segmentio/golines' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "golines-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-goplicate.yml b/.github/workflows/build-goplicate.yml index a9f7bde..f3f8bca 100644 --- a/.github/workflows/build-goplicate.yml +++ b/.github/workflows/build-goplicate.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'ilaif/goplicate' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "goplicate-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-goreleaser-pro.yml b/.github/workflows/build-goreleaser-pro.yml index 24d6e9e..6119306 100644 --- a/.github/workflows/build-goreleaser-pro.yml +++ b/.github/workflows/build-goreleaser-pro.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'goreleaser/goreleaser-pro' -s | sed -r "s,-pro$,,")" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "goreleaser-pro-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-goreleaser.yml b/.github/workflows/build-goreleaser.yml index 3ed974b..b682467 100644 --- a/.github/workflows/build-goreleaser.yml +++ b/.github/workflows/build-goreleaser.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'goreleaser/goreleaser' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "goreleaser-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-gosec.yml b/.github/workflows/build-gosec.yml index 27ada2c..97ec566 100644 --- a/.github/workflows/build-gosec.yml +++ b/.github/workflows/build-gosec.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'securego/gosec' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "gosec-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-gotestsum.yml b/.github/workflows/build-gotestsum.yml index 87fff18..acc144e 100644 --- a/.github/workflows/build-gotestsum.yml +++ b/.github/workflows/build-gotestsum.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'gotestyourself/gotestsum' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "gotestsum-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-gum.yml b/.github/workflows/build-gum.yml index b11b457..46203c7 100644 --- a/.github/workflows/build-gum.yml +++ b/.github/workflows/build-gum.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'charmbracelet/gum' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "gum-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-hadolint.yml b/.github/workflows/build-hadolint.yml index b78861b..b3d139f 100644 --- a/.github/workflows/build-hadolint.yml +++ b/.github/workflows/build-hadolint.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'hadolint/hadolint' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "hadolint-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-hcledit.yml b/.github/workflows/build-hcledit.yml index ffbb2a7..f68ea38 100644 --- a/.github/workflows/build-hcledit.yml +++ b/.github/workflows/build-hcledit.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'minamijoyo/hcledit' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "hcledit-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-hugo.yml b/.github/workflows/build-hugo.yml index 9188684..50adb28 100644 --- a/.github/workflows/build-hugo.yml +++ b/.github/workflows/build-hugo.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'gohugoio/hugo' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "hugo-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-iamlive.yml b/.github/workflows/build-iamlive.yml index 13d2d00..8b9633b 100644 --- a/.github/workflows/build-iamlive.yml +++ b/.github/workflows/build-iamlive.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'iann0036/iamlive' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "iamlive-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-infracost.yml b/.github/workflows/build-infracost.yml index 5a7f7b6..87ee0f2 100644 --- a/.github/workflows/build-infracost.yml +++ b/.github/workflows/build-infracost.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'infracost/infracost' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "infracost-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-jp.yml b/.github/workflows/build-jp.yml index 1602765..85cb095 100644 --- a/.github/workflows/build-jp.yml +++ b/.github/workflows/build-jp.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: @@ -65,7 +70,7 @@ jobs: echo "package_version=$(download-asset latest-tag -r 'jmespath-community/jp' -s)" >> $GITHUB_OUTPUT - name: Check to see if we've already built this version - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: check with: key: "jp-${{ steps.lookup_version.outputs.package_version }}" diff --git a/.github/workflows/build-jq.yml b/.github/workflows/build-jq.yml index d09df09..f8d2cc1 100644 --- a/.github/workflows/build-jq.yml +++ b/.github/workflows/build-jq.yml @@ -57,6 +57,11 @@ jobs: package_version: ${{ steps.lookup_version.outputs.package_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Lookup latest version of package id: lookup_version env: 
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'jqlang/jq' -s | sed -r "s,^jq-,,")" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "jq-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-lefthook.yml b/.github/workflows/build-lefthook.yml
index 2d9ed4d..4924f61 100644
--- a/.github/workflows/build-lefthook.yml
+++ b/.github/workflows/build-lefthook.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'evilmartians/lefthook' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "lefthook-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-licensei.yml b/.github/workflows/build-licensei.yml
index 96e876f..d0ca138 100644
--- a/.github/workflows/build-licensei.yml
+++ b/.github/workflows/build-licensei.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'goph/licensei' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "licensei-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-lychee.yml b/.github/workflows/build-lychee.yml
index dbc682b..d1037f2 100644
--- a/.github/workflows/build-lychee.yml
+++ b/.github/workflows/build-lychee.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'lycheeverse/lychee' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "lychee-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-nfpm.yml b/.github/workflows/build-nfpm.yml
index e3beddc..39539ae 100644
--- a/.github/workflows/build-nfpm.yml
+++ b/.github/workflows/build-nfpm.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'goreleaser/nfpm' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "nfpm-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-osv-scanner.yml b/.github/workflows/build-osv-scanner.yml
index d591a71..509792e 100644
--- a/.github/workflows/build-osv-scanner.yml
+++ b/.github/workflows/build-osv-scanner.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'google/osv-scanner' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "osv-scanner-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-pandoc3.yml b/.github/workflows/build-pandoc3.yml
index 9302b8b..5d838c5 100644
--- a/.github/workflows/build-pandoc3.yml
+++ b/.github/workflows/build-pandoc3.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'jgm/pandoc' -s | sed -r 's,3\.,,')" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "pandoc3-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-shellcheck.yml b/.github/workflows/build-shellcheck.yml
index c959a9f..5c71871 100644
--- a/.github/workflows/build-shellcheck.yml
+++ b/.github/workflows/build-shellcheck.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'koalaman/shellcheck' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "shellcheck-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-shfmt.yml b/.github/workflows/build-shfmt.yml
index 45f670b..da89b1d 100644
--- a/.github/workflows/build-shfmt.yml
+++ b/.github/workflows/build-shfmt.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'mvdan/sh' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "shfmt-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-sops.yml b/.github/workflows/build-sops.yml
index b08891d..7099421 100644
--- a/.github/workflows/build-sops.yml
+++ b/.github/workflows/build-sops.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'getsops/sops' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "sops-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-syft.yml b/.github/workflows/build-syft.yml
index 172e47b..0a2f636 100644
--- a/.github/workflows/build-syft.yml
+++ b/.github/workflows/build-syft.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'anchore/syft' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "syft-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-tenv.yml b/.github/workflows/build-tenv.yml
index 0f13e74..9daffdd 100644
--- a/.github/workflows/build-tenv.yml
+++ b/.github/workflows/build-tenv.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'tofuutils/tenv' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "tenv-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-terraform-docs.yml b/.github/workflows/build-terraform-docs.yml
index b135d51..b3c7406 100644
--- a/.github/workflows/build-terraform-docs.yml
+++ b/.github/workflows/build-terraform-docs.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'terraform-docs/terraform-docs' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "terraform-docs-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-tflint.yml b/.github/workflows/build-tflint.yml
index 032d4a6..f6a52f7 100644
--- a/.github/workflows/build-tflint.yml
+++ b/.github/workflows/build-tflint.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'terraform-linters/tflint' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "tflint-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-tfschema.yml b/.github/workflows/build-tfschema.yml
index 275ff12..f22f992 100644
--- a/.github/workflows/build-tfschema.yml
+++ b/.github/workflows/build-tfschema.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'minamijoyo/tfschema' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "tfschema-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-tomljson.yml b/.github/workflows/build-tomljson.yml
index 8a2865d..6e89289 100644
--- a/.github/workflows/build-tomljson.yml
+++ b/.github/workflows/build-tomljson.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'pelletier/go-toml' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "tomljson-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-trivy.yml b/.github/workflows/build-trivy.yml
index e46ab20..df24fe4 100644
--- a/.github/workflows/build-trivy.yml
+++ b/.github/workflows/build-trivy.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'aquasecurity/trivy' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "trivy-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-trufflehog.yml b/.github/workflows/build-trufflehog.yml
index 2674697..519b2a3 100644
--- a/.github/workflows/build-trufflehog.yml
+++ b/.github/workflows/build-trufflehog.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'trufflesecurity/trufflehog' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "trufflehog-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-woke.yml b/.github/workflows/build-woke.yml
index 5f4663d..f307dda 100644
--- a/.github/workflows/build-woke.yml
+++ b/.github/workflows/build-woke.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'get-woke/woke' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "woke-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/build-yamlfmt.yml b/.github/workflows/build-yamlfmt.yml
index d829047..1a39480 100644
--- a/.github/workflows/build-yamlfmt.yml
+++ b/.github/workflows/build-yamlfmt.yml
@@ -57,6 +57,11 @@ jobs:
 package_version: ${{ steps.lookup_version.outputs.package_version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Lookup latest version of package
 id: lookup_version
 env:
@@ -65,7 +70,7 @@ jobs:
 echo "package_version=$(download-asset latest-tag -r 'google/yamlfmt' -s)" >> $GITHUB_OUTPUT
 - name: Check to see if we've already built this version
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: check
 with:
 key: "yamlfmt-${{ steps.lookup_version.outputs.package_version }}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..3f34562
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/generate-apk-meta.yml b/.github/workflows/generate-apk-meta.yml
index 4cb1834..d3bc296 100644
--- a/.github/workflows/generate-apk-meta.yml
+++ b/.github/workflows/generate-apk-meta.yml
@@ -40,6 +40,11 @@ jobs:
 options: --privileged
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Mount s3fs and generate metadata
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
diff --git a/.github/workflows/generate-deb-meta.yml b/.github/workflows/generate-deb-meta.yml
index ec0c8b8..3e86097 100644
--- a/.github/workflows/generate-deb-meta.yml
+++ b/.github/workflows/generate-deb-meta.yml
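Review bot: The checkout step in the new dependency-review.yml is pinned to `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`, while every other workflow this commit touches moves to `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`; using the same pin here keeps the repository on one checkout version and makes SHA audits and update PRs uniform. The dependency-review action only needs to read manifests, so this checkout can also stop persisting the token, as the scorecards.yml checkout in this commit already does, by adding `with:` / `persist-credentials: false` under the step. The `actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1` pin reads as the upstream template's version; if Dependabot's github-actions ecosystem is enabled for this repository, merge the bump it proposes rather than leaving the template pin in place. The quoted step names (`'Checkout Repository'`, `'Dependency Review'`) differ from the unquoted `Harden Runner` in the same list; the file would read more consistently with one quoting style.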
@@ -40,8 +40,13 @@ jobs:
 options: --privileged
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Git clone
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 ref: ${{ github.base_ref }}
diff --git a/.github/workflows/generate-rpm-meta.yml b/.github/workflows/generate-rpm-meta.yml
index 51102bc..1ab63c6 100644
--- a/.github/workflows/generate-rpm-meta.yml
+++ b/.github/workflows/generate-rpm-meta.yml
@@ -40,6 +40,11 @@ jobs:
 options: --privileged
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Mount s3fs and generate metadata
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
diff --git a/.github/workflows/rebuild-all-images.yml b/.github/workflows/rebuild-all-images.yml
index 0f520b3..4927261 100644
--- a/.github/workflows/rebuild-all-images.yml
+++ b/.github/workflows/rebuild-all-images.yml
@@ -47,28 +47,33 @@ jobs:
 # Steps represent a sequence of tasks that will be executed as part of the job.
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Git clone
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 ref: ${{ github.base_ref }}
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 - name: Docker Setup Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 with:
 version: latest
 platforms: linux/amd64,linux/arm64
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
diff --git a/.github/workflows/rebuild-images.yml b/.github/workflows/rebuild-images.yml
index 4f0ee22..4996539 100644
--- a/.github/workflows/rebuild-images.yml
+++ b/.github/workflows/rebuild-images.yml
@@ -44,8 +44,13 @@ jobs:
 dockerfiles: ${{ steps.changed_files.outputs.dockerfiles }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Git clone
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 ref: ${{ github.base_ref }}
 fetch-depth: 0
@@ -74,28 +79,33 @@ jobs:
 # Steps represent a sequence of tasks that will be executed as part of the job.
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Git clone
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 ref: ${{ github.base_ref }}
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 - name: Docker Setup Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 with:
 version: latest
 platforms: linux/amd64,linux/arm64
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000..555653a
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '20 7 * * 2'
+ push:
+ branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@ffd3158cb9024ebd018dbf20756f28befbd168c7 # v2.24.10
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/upload-to-s3.yml b/.github/workflows/upload-to-s3.yml
index e1884d6..0c35dca 100644
--- a/.github/workflows/upload-to-s3.yml
+++ b/.github/workflows/upload-to-s3.yml
@@ -45,8 +45,13 @@ jobs:
 options: --privileged
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Restore the cached packages from the previous stage
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 id: cache
 with:
 key: "${{ inputs.package-name }}-${{ inputs.package-version }}"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..162d684
--- /dev/null
+++ b/.pre-commit-config.yaml
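Review bot: The new scorecards.yml pins `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` while the rest of this commit standardises the repository on `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`; the file reads as the upstream Scorecard template pasted in, and its other pins (scorecard-action, upload-artifact, upload-sarif) should be checked against whatever update PRs arrive rather than frozen at the template's versions. The `persist-credentials: false` on this checkout is the right setting for a read-only analysis job and is what the dependency-review.yml checkout in this commit should copy. Step names here are double-quoted (`"Checkout code"`, `"Run analysis"`) while `Harden Runner` in the same list is unquoted; one style throughout the steps list would be tidier. This hunk starts on the previous line (`@@ -0,0 +1,76 @@`).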
@@ -0,0 +1,14 @@
+repos:
+- repo: https://github.com/golangci/golangci-lint
+ rev: v1.52.2
+ hooks:
+ - id: golangci-lint
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
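Review bot: The three `rev:` values in the new .pre-commit-config.yaml (`v1.52.2`, `3.0.0`, `v4.4.0`) are mutable tags, the same class of reference this commit otherwise removes from the workflows by pinning every action to a commit SHA; pre-commit accepts a full commit SHA in `rev`, so the same `rev: <commit-sha>  # v1.52.2` convention can be applied here. Dependabot has no pre-commit ecosystem, so these hooks will only move when someone runs `pre-commit autoupdate`; a one-line comment at the top of the file stating that keeps the maintenance expectation visible. Whether a CI job actually runs these hooks is not visible in this diff; without one, the shellcheck and golangci-lint hooks only apply on developer machines that have pre-commit installed, so the repository gets no enforcement from them.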