diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1ba252d6..753e70ce 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -70,7 +70,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
+ uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
@@ -98,6 +98,6 @@ jobs:
 exit 1
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
+ uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/enforce-changelog-entry.yaml b/.github/workflows/enforce-changelog-entry.yaml
index 49d5cc78..db029ea6 100644
--- a/.github/workflows/enforce-changelog-entry.yaml
+++ b/.github/workflows/enforce-changelog-entry.yaml
@@ -11,7 +11,7 @@ jobs:
 changelog:
 runs-on: ubuntu-latest
 steps:
- - uses: dangoslen/changelog-enforcer@204e7d3ef26579f4cd0fd759c57032656fdf23c7 # v3.6.1
+ - uses: dangoslen/changelog-enforcer@8b5e9dc3121363bb7c0115f8533404d92af382de # v3.7.0
 with:
 skipLabels: 'Skip-Changelog,dependencies,tests'
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 4f8c0749..064e0186 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -37,7 +37,7 @@ jobs:
 run: make test-unit
 - name: upload coverage to codecov
- uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 files: ./coverageunit.out
 flags: unit
@@ -74,7 +74,7 @@ jobs:
 run: make test-storage
 - name: upload coverage to codecov
- uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 files: ./coverageunit.out
 flags: storage
@@ -111,7 +111,7 @@ jobs:
 run: make test-matrix
 - name: upload coverage to codecov
- uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 files: ./coverageunit.out
 flags: matrix
@@ -153,7 +153,7 @@ jobs:
 make test-bench | tee bench_output.txt
 - name: Get benchmark as JSON
- uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
+ uses: benchmark-action/github-action-benchmark@52576c92bccf6ac60c8223ec7eb2565637cae9ba # v1.22.1
 with:
 # What benchmark tool the output.txt came from
 tool: 'go'
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 65a20ce6..8df6f45f 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -19,7 +19,7 @@ jobs:
 cache-dependency-path: './go.sum'
 check-latest: true
 - name: golangci-lint
- uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+ uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
 with:
 version: latest
 args: -v -c .golangci.yaml
@@ -55,7 +55,7 @@ jobs:
 run: make test-unit
 - name: upload coverage to codecov
- uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 files: ./coverageunit.out
 flags: unit
@@ -94,7 +94,7 @@ jobs:
 run: make test-storage
 - name: upload coverage to codecov
- uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 files: ./coverageunit.out
 flags: storage
@@ -133,7 +133,7 @@ jobs:
 run: make test-matrix
 - name: upload coverage to codecov
- uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 files: ./coverageunit.out
 flags: matrix
@@ -182,7 +182,7 @@ jobs:
 cache-dependency-path: './go.sum'
 check-latest: true
- - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+ - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 if: steps.changes.outputs.release == 'true' || github.event_name == 'merge_group'
 - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
@@ -190,7 +190,7 @@ jobs:
 - name: Dry Run GoReleaser
 if: steps.changes.outputs.release == 'true' || github.event_name == 'merge_group'
- uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
+ uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
 with:
 distribution: goreleaser
 version: '~> v2'
@@ -222,10 +222,10 @@ jobs:
 check-latest: true
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Build and push openfga/openfga:dockertest
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 file: Dockerfile
 push: false # don't publish the built container for Docker tests
@@ -298,7 +298,7 @@ jobs:
 key: ${{ steps.get-main-branch-sha.outputs.sha }}-${{ runner.os }}-${{ steps.system-info.outputs.cpu-model }}-go-benchmark
 - name: Compare benchmarks with Main
- uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
+ uses: benchmark-action/github-action-benchmark@52576c92bccf6ac60c8223ec7eb2565637cae9ba # v1.22.1
 if: steps.cache.outputs.cache-hit == 'true' && (steps.changes.outputs.perf == 'true' || github.event_name == 'merge_group')
 with:
 # What benchmark tool the output.txt came from
@@ -316,7 +316,7 @@ jobs:
 summary-always: true
 - name: Run benchmarks but don't compare to Main branch
- uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
+ uses: benchmark-action/github-action-benchmark@52576c92bccf6ac60c8223ec7eb2565637cae9ba # v1.22.1
 if: steps.cache.outputs.cache-hit != 'true' && (steps.changes.outputs.perf == 'true' || github.event_name == 'merge_group')
 with:
 # What benchmark tool the output.txt came from
diff --git a/.github/workflows/release-nightly.yaml b/.github/workflows/release-nightly.yaml
index 2dbd9dda..a24294d0 100644
--- a/.github/workflows/release-nightly.yaml
+++ b/.github/workflows/release-nightly.yaml
@@ -26,14 +26,14 @@ jobs:
 check-latest: true
 - name: Login to Docker Hub
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 # skip publish to GitHub Releases
 - name: Run GoReleaser Nightly
- uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
+ uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
 with:
 distribution: goreleaser
 version: '~> v2'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 672e1855..34f81f91 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -39,19 +39,19 @@ jobs:
 check-latest: true
 - name: Login to Docker Hub
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Log in to GHCR
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+ - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 with:
 cosign-release: "v2.6.1"
@@ -59,7 +59,7 @@ jobs:
 - name: Run GoReleaser
 id: goreleaser
- uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
+ uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
 with:
 distribution: goreleaser
 version: '~> v2'
@@ -133,7 +133,7 @@ jobs:
 mv snyk.categorized.sarif snyk.sarif
 - name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # pin@v2
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # pin@v2
 with:
 sarif_file: snyk.sarif
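Review bot: The new `upload-sarif` pin in release.yaml (hunk at -133) keeps the trailing comment `# pin@v2`, while scorecard.yml in this same diff labels the identical SHA `7211b7c8077ea37d8641b6271f6a365a22a5fbfa` as `# v4.36.0`. Assuming the scorecard.yml label is the accurate one, the comment here should read `# v4.36.0`, since the version comment is what a reviewer uses to check a pinned SHA against the upstream release tag. The `init` and `analyze` pins in codeql.yml carry no version comment at all, unlike every other pinned action in this change; adding the same `# v4.36.0` there would keep all three codeql-action pins auditable and consistent.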
@@ -200,13 +200,13 @@ jobs:
 permissions: read-all
 steps:
 - name: Login to Docker Hub
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Install Cosign
- uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+ uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 with:
 cosign-release: "v2.6.1"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 6f427a56..287b3479 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -67,6 +67,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 sarif_file: results.sarif