From 6a5b790a7ac750a9e7863095d761d970c027a58a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Apr 2026 09:46:21 +0000 Subject: [PATCH] ci(deps): bump the github-actions group across 1 directory with 11 updates Bumps the github-actions group with 11 updates in the /.github/workflows directory: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.14.0` | `2.17.0` | | [actions/checkout](https://github.com/actions/checkout) | `6.0.1` | `6.0.2` | | [step-security/paths-filter](https://github.com/step-security/paths-filter) | `3.0.5` | `4.0.1` | | [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) | `3.1.2` | `4.0.0` | | [terraform-linters/setup-tflint](https://github.com/terraform-linters/setup-tflint) | `6.2.1` | `6.2.2` | | [actions/setup-python](https://github.com/actions/setup-python) | `6.1.0` | `6.2.0` | | [imranismail/setup-kustomize](https://github.com/imranismail/setup-kustomize) | `2.1.0` | `3.0.0` | | [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) | `0.33.1` | `0.35.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.31.9` | `4.35.1` | | [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) | `12.3077.0` | `12.3094.0` | | [Checkmarx/kics-github-action](https://github.com/checkmarx/kics-github-action) | `00def9108246ec656aea725db2167522d26a99d2` | `4063ea7186bec9fed1bf055e095a4658693f9998` | Updates `step-security/harden-runner` from 2.14.0 to 2.17.0 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/20cf305ff2072d973412fa9b1e3a4f227bda3c76...f808768d1510423e83855289c910610ca9b43176) Updates `actions/checkout` from 6.0.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8e8c483db84b4bee98b60c0593521ed34d9990e8...de0fac2e4500dabe0009e67214ff5f5447ce83dd) Updates `step-security/paths-filter` from 3.0.5 to 4.0.1 - [Release notes](https://github.com/step-security/paths-filter/releases) - [Commits](https://github.com/step-security/paths-filter/compare/6eee183b0d2fd101d3f8ee2935c127bca14c5625...5c5241b8233e77b55b9046daf88f1cb7560281de) Updates `hashicorp/setup-terraform` from 3.1.2 to 4.0.0 - [Release notes](https://github.com/hashicorp/setup-terraform/releases) - [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/setup-terraform/compare/b9cd54a3c349d3f38e8881555d616ced269862dd...5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85) Updates `terraform-linters/setup-tflint` from 6.2.1 to 6.2.2 - [Release notes](https://github.com/terraform-linters/setup-tflint/releases) - [Commits](https://github.com/terraform-linters/setup-tflint/compare/4cb9feea73331a35b422df102992a03a44a3bb33...b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93) Updates `actions/setup-python` from 6.1.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/83679a892e2d95755f2dac6acb0bfd1e9ac5d548...a309ff8b426b58ec0e2a45f0f869d46889d02405) Updates `imranismail/setup-kustomize` from 2.1.0 to 3.0.0 - [Release notes](https://github.com/imranismail/setup-kustomize/releases) - [Commits](https://github.com/imranismail/setup-kustomize/compare/2ba527d4d055ab63514ba50a99456fc35684947f...53f941b41dca13ed61874bbc6b4b6e1562877530) Updates `aquasecurity/trivy-action` from 0.33.1 to 0.35.0 - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/b6643a29fecd7f34b3597bc6acb0a98b03d33ff8...57a97c7e7821a5776cebc9bb87c984fa69cba8f1) Updates `github/codeql-action` from 4.31.9 to 4.35.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/5d4e8d1aca955e8d8589aabd499c5cae939e33c7...c10b8064de6f491fea524254123dbe5e09572f13) Updates `bridgecrewio/checkov-action` from 12.3077.0 to 12.3094.0 - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/8f61ce5b8a3afb4ca94d236b75201878ded6d2cd...9ff61ad7df06a619665acec928d66258bd6adc8f) Updates `Checkmarx/kics-github-action` from 00def9108246ec656aea725db2167522d26a99d2 to 4063ea7186bec9fed1bf055e095a4658693f9998 - [Release notes](https://github.com/checkmarx/kics-github-action/releases) - [Commits](https://github.com/checkmarx/kics-github-action/compare/00def9108246ec656aea725db2167522d26a99d2...4063ea7186bec9fed1bf055e095a4658693f9998) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.17.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: step-security/paths-filter dependency-version: 4.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: hashicorp/setup-terraform dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: terraform-linters/setup-tflint dependency-version: 6.2.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/setup-python dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: imranismail/setup-kustomize dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: aquasecurity/trivy-action dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: bridgecrewio/checkov-action dependency-version: 12.3094.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: Checkmarx/kics-github-action dependency-version: 4063ea7186bec9fed1bf055e095a4658693f9998 dependency-type: direct:production dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 40 +++++++++++++++++----------------- .github/workflows/labeler.yml | 2 +- .github/workflows/security.yml | 34 ++++++++++++++--------------- 3 files changed, 38 insertions(+), 38 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c4b42be..0b7f2b7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,16 +39,16 @@ jobs: policies: ${{ steps.filter.outputs.policies }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Check for changes id: filter - uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5 + uses: step-security/paths-filter@5c5241b8233e77b55b9046daf88f1cb7560281de # v4.0.1 with: filters: | terraform: @@ -78,15 +78,15 @@ jobs: pull-requests: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Terraform - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 + uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0 with: terraform_version: "1.10.0" @@ -115,7 +115,7 @@ jobs: exit $validation_failed - name: Setup TFLint - uses: terraform-linters/setup-tflint@4cb9feea73331a35b422df102992a03a44a3bb33 # v6.2.1 + uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2 with: tflint_version: v0.55.0 @@ -143,15 +143,15 @@ jobs: contents: read steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python (for yamllint) - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.12" @@ -159,7 +159,7 @@ jobs: run: pip install yamllint - name: Install Kustomize - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 + uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0 - name: Install kubeconform run: | @@ -206,12 +206,12 @@ jobs: contents: read steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: ShellCheck uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 @@ -235,15 +235,15 @@ jobs: contents: read steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python (for yamllint) - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.12" @@ -275,15 +275,15 @@ jobs: contents: read steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python (for yamllint) - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.12" @@ -338,7 +338,7 @@ jobs: if: always() steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index bc5bfa7..855d674 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 431e234..85c08e7 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -34,15 +34,15 @@ jobs: security-events: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Trivy IaC scanner (Terraform) - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: scan-type: "config" scan-ref: "terraform/" @@ -53,7 +53,7 @@ jobs: version: "v0.60.0" # Pin to stable version (v0.65.0 has panic bugs) - name: Run Trivy IaC scanner (Kubernetes) - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: scan-type: "config" scan-ref: "flux/" @@ -64,13 +64,13 @@ jobs: version: "v0.60.0" # Pin to stable version (v0.65.0 has panic bugs) - name: Upload Trivy Terraform results - uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: sarif_file: "trivy-terraform.sarif" category: "trivy-terraform" - name: Upload Trivy Kubernetes results - uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: sarif_file: "trivy-kubernetes.sarif" category: "trivy-kubernetes" @@ -84,15 +84,15 @@ jobs: security-events: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Checkov on Terraform - uses: bridgecrewio/checkov-action@8f61ce5b8a3afb4ca94d236b75201878ded6d2cd # v12.3077.0 + uses: bridgecrewio/checkov-action@9ff61ad7df06a619665acec928d66258bd6adc8f # v12.3094.0 with: directory: terraform/ framework: terraform @@ -104,7 +104,7 @@ jobs: skip_check: CKV_TF_1 - name: Run Checkov on Kubernetes - uses: bridgecrewio/checkov-action@8f61ce5b8a3afb4ca94d236b75201878ded6d2cd # v12.3077.0 + uses: bridgecrewio/checkov-action@9ff61ad7df06a619665acec928d66258bd6adc8f # v12.3094.0 with: directory: flux/ framework: kubernetes @@ -124,14 +124,14 @@ jobs: skip_check: CKV_K8S_14,CKV_K8S_43,CKV2_K8S_6,CKV_K8S_22,CKV_K8S_35 - name: Upload Checkov Terraform results - uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 if: always() with: sarif_file: checkov-terraform.sarif category: "checkov-terraform" - name: Upload Checkov Kubernetes results - uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 if: always() with: sarif_file: checkov-kubernetes.sarif @@ -146,15 +146,15 @@ jobs: security-events: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run KICS scan - uses: Checkmarx/kics-github-action@00def9108246ec656aea725db2167522d26a99d2 # v2.1.3 + uses: Checkmarx/kics-github-action@4063ea7186bec9fed1bf055e095a4658693f9998 # v2.1.3 with: path: "terraform/,flux/,policies/" output_path: kics-results/ @@ -164,7 +164,7 @@ jobs: continue-on-error: true - name: Upload KICS results - uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 if: always() with: sarif_file: kics-results/results.sarif @@ -180,7 +180,7 @@ jobs: contents: read steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit