From b78a9fffab2285b4db8937a62004fc1f127a1af8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Apr 2026 10:35:49 +0000 Subject: [PATCH] ci(deps): bump the github-actions group across 1 directory with 12 updates Bumps the github-actions group with 12 updates in the /.github/workflows directory: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.16.1` | `2.19.0` | | [mozilla-actions/sccache-action](https://github.com/mozilla-actions/sccache-action) | `0.0.9` | `0.0.10` | | [step-security/rust-cache](https://github.com/step-security/rust-cache) | `2.8.3` | `2.9.1` | | [step-security/docker-login-action](https://github.com/step-security/docker-login-action) | `3.7.0` | `4.1.0` | | [step-security/docker-build-push-action](https://github.com/step-security/docker-build-push-action) | `6.18.0` | `7.1.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [step-security/action-semantic-pull-request](https://github.com/step-security/action-semantic-pull-request) | `6.1.1` | `6.1.2` | | [step-security/mise-action](https://github.com/step-security/mise-action) | `3.6.1` | `4.0.1` | | [taiki-e/install-action](https://github.com/taiki-e/install-action) | `2.73.0` | `2.75.22` | | [step-security/paths-filter](https://github.com/step-security/paths-filter) | `3.0.5` | `4.0.1` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.35.2` | | [googleapis/release-please-action](https://github.com/googleapis/release-please-action) | `4.4.0` | `5.0.0` | Updates `step-security/harden-runner` from 2.16.1 to 2.19.0 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/fe104658747b27e96e4f7e80cd0a94068e53901d...8d3c67de8e2fe68ef647c8db1e6a09f647780f40) Updates `mozilla-actions/sccache-action` from 0.0.9 to 0.0.10 - [Release notes](https://github.com/mozilla-actions/sccache-action/releases) - [Commits](https://github.com/mozilla-actions/sccache-action/compare/7d986dd989559c6ecdb630a3fd2557667be217ad...9e7fa8a12102821edf02ca5dbea1acd0f89a2696) Updates `step-security/rust-cache` from 2.8.3 to 2.9.1 - [Release notes](https://github.com/step-security/rust-cache/releases) - [Commits](https://github.com/step-security/rust-cache/compare/9be15b830520fab0ec3939586e917e4855cf76bd...851174d9a2fdc03e0896e02844dcc61d81dd7851) Updates `step-security/docker-login-action` from 3.7.0 to 4.1.0 - [Release notes](https://github.com/step-security/docker-login-action/releases) - [Commits](https://github.com/step-security/docker-login-action/compare/6aa05fe688caf2c58e784663f01b3415ced503e8...870af644803bf9f204aed474adbad2958fec048b) Updates `step-security/docker-build-push-action` from 6.18.0 to 7.1.0 - [Release notes](https://github.com/step-security/docker-build-push-action/releases) - [Commits](https://github.com/step-security/docker-build-push-action/compare/a8c3d08b23f8be6aeed43eb1a14ce6fe51284438...846549baaf047e867d038826129a64d81df0f704) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a) Updates `step-security/action-semantic-pull-request` from 6.1.1 to 6.1.2 - [Release notes](https://github.com/step-security/action-semantic-pull-request/releases) - [Commits](https://github.com/step-security/action-semantic-pull-request/compare/bc0cf74f5be4ce34accdec1ae908dff38dc5def1...75d2dd5deafa3e9fccc1626ecd58d076ed1d2c79) Updates `step-security/mise-action` from 3.6.1 to 4.0.1 - [Release notes](https://github.com/step-security/mise-action/releases) - [Commits](https://github.com/step-security/mise-action/compare/88aa01c99be6cb55cfeecd74955f88bc4151d030...c7396e2a2a4ad1ea43abee3317d964292da354ae) Updates `taiki-e/install-action` from 2.73.0 to 2.75.22 - [Release notes](https://github.com/taiki-e/install-action/releases) - [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/taiki-e/install-action/compare/7a562dfa955aa2e4d5b0fd6ebd57ff9715c07b0b...cf525cb33f51aca27cd6fa02034117ab963ff9f1) Updates `step-security/paths-filter` from 3.0.5 to 4.0.1 - [Release notes](https://github.com/step-security/paths-filter/releases) - [Commits](https://github.com/step-security/paths-filter/compare/6eee183b0d2fd101d3f8ee2935c127bca14c5625...5c5241b8233e77b55b9046daf88f1cb7560281de) Updates `github/codeql-action` from 4.35.1 to 4.35.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c10b8064de6f491fea524254123dbe5e09572f13...95e58e9a2cdfd71adc6e0353d5c52f41a045d225) Updates `googleapis/release-please-action` from 4.4.0 to 5.0.0 - [Release notes](https://github.com/googleapis/release-please-action/releases) - [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/googleapis/release-please-action/compare/16a9c90856f42705d54a6fda1823352bdc62cf38...45996ed1f6d02564a971a2fa1b5860e934307cf7) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.19.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: mozilla-actions/sccache-action dependency-version: 0.0.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: step-security/rust-cache dependency-version: 2.9.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: step-security/docker-login-action dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: step-security/docker-build-push-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: step-security/action-semantic-pull-request dependency-version: 6.1.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: step-security/mise-action dependency-version: 4.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: taiki-e/install-action dependency-version: 2.75.22 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: step-security/paths-filter dependency-version: 4.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: googleapis/release-please-action dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/canary.yml | 28 +++++++++++------------ .github/workflows/ci.yml | 34 ++++++++++++++-------------- .github/workflows/cleanup.yml | 2 +- .github/workflows/codeql.yml | 16 ++++++------- .github/workflows/container.yml | 18 +++++++-------- .github/workflows/labeler.yml | 2 +- .github/workflows/nightly.yml | 32 +++++++++++++------------- .github/workflows/release-please.yml | 4 ++-- .github/workflows/release.yml | 34 ++++++++++++++-------------- .github/workflows/security.yml | 8 +++---- 10 files changed, 89 insertions(+), 89 deletions(-) diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml index 12f4718..6d2fc67 100644 --- a/.github/workflows/canary.yml +++ b/.github/workflows/canary.yml @@ -41,7 +41,7 @@ jobs: short_sha: ${{ steps.version.outputs.short_sha }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -81,7 +81,7 @@ jobs: version: ${{ needs.version.outputs.version }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -145,7 +145,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -165,7 +165,7 @@ jobs: sudo apt-get install -y -qq mold - name: Setup sccache - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 + uses: mozilla-actions/sccache-action@9e7fa8a12102821edf02ca5dbea1acd0f89a2696 # v0.0.10 - name: Configure build environment env: @@ -182,7 +182,7 @@ jobs: fi - name: Cache Rust dependencies - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3 + uses: step-security/rust-cache@851174d9a2fdc03e0896e02844dcc61d81dd7851 # v2.9.1 with: shared-key: canary-${{ matrix.os }}-${{ matrix.target }} @@ -240,7 +240,7 @@ jobs: packages: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -251,7 +251,7 @@ jobs: uses: step-security/setup-buildx-action@f931205d68723ad9589fd2a7e2ece238bf9de341 # v4.0.0 - name: Log in to GitHub Container Registry - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ${{ env.GHCR_REGISTRY }} username: ${{ github.actor }} @@ -268,7 +268,7 @@ jobs: - name: Build and push by digest id: build - uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 + uses: step-security/docker-build-push-action@846549baaf047e867d038826129a64d81df0f704 # v7.1.0 with: context: . platforms: ${{ matrix.platform }} @@ -285,7 +285,7 @@ jobs: touch "/tmp/digests/${DIGEST#sha256:}" - name: Upload digest - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: digests-canary-${{ matrix.suffix }} path: /tmp/digests/* @@ -299,7 +299,7 @@ jobs: needs: [version, build-docker] steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -314,14 +314,14 @@ jobs: uses: step-security/setup-buildx-action@f931205d68723ad9589fd2a7e2ece238bf9de341 # v4.0.0 - name: Log in to GitHub Container Registry - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ${{ env.GHCR_REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Log in to Docker Hub - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -382,7 +382,7 @@ jobs: needs: [version, merge-docker] steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -390,7 +390,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Log in to GitHub Container Registry - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ${{ env.GHCR_REGISTRY }} username: ${{ github.actor }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9458c80..023bc26 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: if: github.event_name == 'pull_request' steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -44,7 +44,7 @@ jobs: fetch-depth: 0 - name: Validate PR title - uses: step-security/action-semantic-pull-request@bc0cf74f5be4ce34accdec1ae908dff38dc5def1 # v6.1.1 + uses: step-security/action-semantic-pull-request@75d2dd5deafa3e9fccc1626ecd58d076ed1d2c79 # v6.1.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -78,7 +78,7 @@ jobs: contents: read steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -106,7 +106,7 @@ jobs: RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold" steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -120,7 +120,7 @@ jobs: components: clippy - name: Install development tools via Mise - uses: step-security/mise-action@88aa01c99be6cb55cfeecd74955f88bc4151d030 # v3.6.1 + uses: step-security/mise-action@c7396e2a2a4ad1ea43abee3317d964292da354ae # v4.0.1 with: install_args: protobuf cache: true @@ -132,7 +132,7 @@ jobs: mold --version - name: Cache Rust dependencies - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3 + uses: step-security/rust-cache@851174d9a2fdc03e0896e02844dcc61d81dd7851 # v2.9.1 with: shared-key: management-ubuntu-latest-x86_64-unknown-linux-gnu save-if: false @@ -157,7 +157,7 @@ jobs: name: macOS Apple Silicon steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -186,12 +186,12 @@ jobs: brew install protobuf - name: Install cargo-nextest - uses: taiki-e/install-action@7a562dfa955aa2e4d5b0fd6ebd57ff9715c07b0b # v2.73.0 + uses: taiki-e/install-action@cf525cb33f51aca27cd6fa02034117ab963ff9f1 # v2.75.22 with: tool: cargo-nextest - name: Cache Rust dependencies - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3 + uses: step-security/rust-cache@851174d9a2fdc03e0896e02844dcc61d81dd7851 # v2.9.1 with: shared-key: test-${{ matrix.runner }} @@ -217,7 +217,7 @@ jobs: RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold" steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -236,13 +236,13 @@ jobs: mold --version - name: Install development tools via Mise - uses: step-security/mise-action@88aa01c99be6cb55cfeecd74955f88bc4151d030 # v3.6.1 + uses: step-security/mise-action@c7396e2a2a4ad1ea43abee3317d964292da354ae # v4.0.1 with: install_args: protobuf cargo:cargo-llvm-cov cache: true - name: Restore build cache - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3 + uses: step-security/rust-cache@851174d9a2fdc03e0896e02844dcc61d81dd7851 # v2.9.1 with: shared-key: management-ubuntu-latest-x86_64-unknown-linux-gnu save-if: false # Don't save, only restore from build job @@ -266,7 +266,7 @@ jobs: contents: read steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -284,17 +284,17 @@ jobs: toolchain: nightly - name: Install cargo-outdated - uses: taiki-e/install-action@7a562dfa955aa2e4d5b0fd6ebd57ff9715c07b0b # v2.73.0 + uses: taiki-e/install-action@cf525cb33f51aca27cd6fa02034117ab963ff9f1 # v2.75.22 with: tool: cargo-outdated - name: Install cargo-udeps - uses: taiki-e/install-action@7a562dfa955aa2e4d5b0fd6ebd57ff9715c07b0b # v2.73.0 + uses: taiki-e/install-action@cf525cb33f51aca27cd6fa02034117ab963ff9f1 # v2.75.22 with: tool: cargo-udeps - name: Cache Rust dependencies - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3 + uses: step-security/rust-cache@851174d9a2fdc03e0896e02844dcc61d81dd7851 # v2.9.1 - name: Check outdated dependencies run: cargo outdated --exit-code 1 || echo "Some dependencies are outdated" @@ -315,7 +315,7 @@ jobs: if: always() steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml index 7e93206..70ddd0a 100644 --- a/.github/workflows/cleanup.yml +++ b/.github/workflows/cleanup.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b92abdc..31b71eb 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -30,7 +30,7 @@ jobs: actions: ${{ steps.filter.outputs.actions }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -39,7 +39,7 @@ jobs: - name: Check for changes id: filter - uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5 + uses: step-security/paths-filter@5c5241b8233e77b55b9046daf88f1cb7560281de # v4.0.1 with: filters: | rust: @@ -60,7 +60,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -68,12 +68,12 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: languages: rust - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: category: "/language:rust" @@ -88,7 +88,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -96,11 +96,11 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: languages: actions - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: category: "/language:actions" diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 169547e..a7b0486 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -52,7 +52,7 @@ jobs: version: ${{ steps.meta.outputs.version }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -64,7 +64,7 @@ jobs: - name: Log in to GitHub Container Registry if: github.event_name != 'pull_request' - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -91,7 +91,7 @@ jobs: - name: Build and push by digest id: build - uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 + uses: step-security/docker-build-push-action@846549baaf047e867d038826129a64d81df0f704 # v7.1.0 with: context: . platforms: ${{ matrix.platform }} @@ -109,7 +109,7 @@ jobs: - name: Upload digest if: github.event_name != 'pull_request' - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: digests-${{ matrix.suffix }} path: /tmp/digests/* @@ -124,7 +124,7 @@ jobs: if: github.event_name != 'pull_request' steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -139,7 +139,7 @@ jobs: uses: step-security/setup-buildx-action@f931205d68723ad9589fd2a7e2ece238bf9de341 # v4.0.0 - name: Log in to GitHub Container Registry - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -182,12 +182,12 @@ jobs: if: github.event_name != 'pull_request' steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit - name: Log in to GitHub Container Registry - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -209,7 +209,7 @@ jobs: output-file: sbom.spdx.json - name: Upload SBOM - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: sbom path: sbom.spdx.json diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 032821e..b5b61cb 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 0b931cc..7a3d74b 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -34,7 +34,7 @@ jobs: should_run: ${{ steps.check.outputs.should_run }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -88,7 +88,7 @@ jobs: date: ${{ steps.version.outputs.date }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -124,7 +124,7 @@ jobs: version: ${{ needs.version.outputs.version }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -189,7 +189,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -209,7 +209,7 @@ jobs: sudo apt-get install -y -qq mold - name: Setup sccache - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 + uses: mozilla-actions/sccache-action@9e7fa8a12102821edf02ca5dbea1acd0f89a2696 # v0.0.10 - name: Configure build environment env: @@ -226,7 +226,7 @@ jobs: fi - name: Cache Rust dependencies - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3 + uses: step-security/rust-cache@851174d9a2fdc03e0896e02844dcc61d81dd7851 # v2.9.1 with: shared-key: nightly-${{ matrix.os }}-${{ matrix.target }} @@ -284,7 +284,7 @@ jobs: packages: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -295,7 +295,7 @@ jobs: uses: step-security/setup-buildx-action@f931205d68723ad9589fd2a7e2ece238bf9de341 # v4.0.0 - name: Log in to GitHub Container Registry - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ${{ env.GHCR_REGISTRY }} username: ${{ github.actor }} @@ -312,7 +312,7 @@ jobs: - name: Build and push by digest id: build - uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 + uses: step-security/docker-build-push-action@846549baaf047e867d038826129a64d81df0f704 # v7.1.0 with: context: . platforms: ${{ matrix.platform }} @@ -329,7 +329,7 @@ jobs: touch "/tmp/digests/${DIGEST#sha256:}" - name: Upload digest - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: digests-nightly-${{ matrix.suffix }} path: /tmp/digests/* @@ -343,7 +343,7 @@ jobs: needs: [version, build-docker] steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -358,14 +358,14 @@ jobs: uses: step-security/setup-buildx-action@f931205d68723ad9589fd2a7e2ece238bf9de341 # v4.0.0 - name: Log in to GitHub Container Registry - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ${{ env.GHCR_REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Log in to Docker Hub - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -426,7 +426,7 @@ jobs: needs: [version, merge-docker] steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -434,7 +434,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Log in to GitHub Container Registry - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ${{ env.GHCR_REGISTRY }} username: ${{ github.actor }} @@ -465,7 +465,7 @@ jobs: needs: [sbom-docker] steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index a1cc0c5..b284eb9 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -26,13 +26,13 @@ jobs: patch: ${{ steps.release.outputs.patch }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit - name: Run Release Please id: release - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0 + uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} config-file: release-please-config.json diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1295b95..1ea4404 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -43,7 +43,7 @@ jobs: tag_name: ${{ steps.version.outputs.tag_name }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -78,7 +78,7 @@ jobs: contents: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -99,7 +99,7 @@ jobs: contents: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -140,7 +140,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -159,7 +159,7 @@ jobs: sudo apt-get install -y -qq mold - name: Setup sccache - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 + uses: mozilla-actions/sccache-action@9e7fa8a12102821edf02ca5dbea1acd0f89a2696 # v0.0.10 - name: Configure build environment env: @@ -176,7 +176,7 @@ jobs: fi - name: Cache Rust dependencies - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3 + uses: step-security/rust-cache@851174d9a2fdc03e0896e02844dcc61d81dd7851 # v2.9.1 with: shared-key: release-${{ matrix.os }}-${{ matrix.target }} @@ -243,7 +243,7 @@ jobs: hashes: ${{ steps.aggregate.outputs.hashes }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -298,7 +298,7 @@ jobs: id-token: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -310,14 +310,14 @@ jobs: # Login to Docker Hub - name: Login to Docker Hub - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} # Login to GitHub Container Registry - name: Login to GitHub Container Registry - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -325,7 +325,7 @@ jobs: - name: Build and push by digest id: build - uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 + uses: step-security/docker-build-push-action@846549baaf047e867d038826129a64d81df0f704 # v7.1.0 with: context: . platforms: ${{ matrix.platform }} @@ -341,7 +341,7 @@ jobs: touch "/tmp/digests/${DIGEST#sha256:}" - name: Upload digest - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: digests-release-${{ matrix.suffix }} path: /tmp/digests/* @@ -358,7 +358,7 @@ jobs: packages: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -374,14 +374,14 @@ jobs: # Login to Docker Hub - name: Login to Docker Hub - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} # Login to GitHub Container Registry - name: Login to GitHub Container Registry - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -462,7 +462,7 @@ jobs: packages: read steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -470,7 +470,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Login to GitHub Container Registry - uses: step-security/docker-login-action@6aa05fe688caf2c58e784663f01b3415ced503e8 # v3.7.0 + uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 593f55c..f8f9d1d 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -26,7 +26,7 @@ jobs: cargo: ${{ steps.filter.outputs.cargo }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -34,7 +34,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Check for dependency changes - uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5 + uses: step-security/paths-filter@5c5241b8233e77b55b9046daf88f1cb7560281de # v4.0.1 id: filter with: filters: | @@ -55,7 +55,7 @@ jobs: pull-requests: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit @@ -79,7 +79,7 @@ jobs: contents: read steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit