diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a3780785..fb1a76da 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,7 +25,7 @@ jobs: ci: ${{ steps.detect.outputs.ci }} steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -35,7 +35,7 @@ jobs: api.github.com:443 github.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: sparse-checkout: .github/detect-ci-changes.bash sparse-checkout-cone-mode: false @@ -72,7 +72,7 @@ jobs: - windows-11-arm steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -80,9 +80,11 @@ jobs: allowed-endpoints: > api.github.com:443 api.zippopotam.us:443 + archive.ubuntu.com:80 azure.archive.ubuntu.com:80 esm.ubuntu.com:443 github.com:443 + mirrors.ubuntu.com:80 packages.microsoft.com:443 ports.ubuntu.com:80 proxy.golang.org:443 
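Review bot: The two new entries `archive.ubuntu.com:80` and `mirrors.ubuntu.com:80` widen the blocked-egress allowlist to plaintext endpoints, and nothing in the folded `allowed-endpoints` scalar records why. Plaintext is defensible for apt only because apt authenticates the signed Release/InRelease files itself, so that reasoning deserves a comment above the list, e.g. `# apt mirrors are HTTP; integrity comes from apt's signature check, not from TLS`. Note also that `mirrors.ubuntu.com` is a mirror-list redirector, so apt may next connect to whichever mirror host it is pointed at, and `egress-policy: block` would drop that connection unless the target is also listed — expect intermittent `apt-get update` failures rather than a clean fix if that is what this entry was meant to solve. The `allowed-endpoints` list starts inside this hunk but the job definition continues outside it.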
@@ -90,18 +92,21 @@ jobs: security.ubuntu.com:80 storage.googleapis.com:443 us-west-2.ec2.archive.ubuntu.com:80 + us-west-2.ec2.ports.ubuntu.com:80 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: "1.26" - name: Install extraction tools (Linux) if: runner.os == 'Linux' - run: sudo apt-get update && sudo apt-get install -y poppler-utils tesseract-ocr imagemagick + run: | + sudo apt-get update + sudo apt-get install -y poppler-utils tesseract-ocr imagemagick - name: Symlink magick to convert (Linux) if: runner.os == 'Linux' @@ -243,7 +248,7 @@ jobs: --health-retries 5 steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -255,11 +260,11 @@ jobs: release-assets.githubusercontent.com:443 storage.googleapis.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: "1.26" @@ -285,7 +290,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block 
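Review bot: Splitting `sudo apt-get update && sudo apt-get install ...` into two lines of a `run: |` block silently changes the fail-fast mechanism from an explicit `&&` to GitHub's default `bash -e` for run steps; that still aborts on a failed `apt-get update`, but only as long as no `defaults.run.shell` or per-step `shell:` overrides it, which this hunk cannot show. Making the intent explicit costs one line: start the block with `set -euo pipefail`. The same step could also pass `--no-install-recommends` so that `imagemagick` does not pull in recommended packages that then need further mirror access. The added `us-west-2.ec2.ports.ubuntu.com:80` entry suggests the runner's apt sources are region-specific; a short comment next to the `*.ubuntu.com:80` entries saying they are apt mirrors would keep future region additions from looking like accidental allowlist drift.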
@@ -298,11 +303,11 @@ jobs: release-assets.githubusercontent.com:443 storage.googleapis.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: "1.26" @@ -319,7 +324,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -333,11 +338,11 @@ jobs: releases.nixos.org:443 storage.googleapis.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5 + - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6 - name: Build with Nix run: nix build '.#micasa' @@ -352,7 +357,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block 
@@ -363,11 +368,11 @@ jobs: github.com:443 releases.nixos.org:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5 + - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6 - name: Build docs run: nix run '.#docs' @@ -383,7 +388,7 @@ jobs: runs-on: blacksmith-2vcpu-ubuntu-2404 steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -394,7 +399,7 @@ jobs: github.com:443 registry.npmjs.org:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 persist-credentials: false @@ -419,7 +424,7 @@ jobs: build_tags: ["", "selfhosted"] steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block 
@@ -441,12 +446,12 @@ jobs: storage.googleapis.com:443 sum.golang.org:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - name: Setup Blacksmith Builder - uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1 + uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1 - name: Build relay image${{ matrix.build_tags && format(' ({0})', matrix.build_tags) }} run: docker build --build-arg BUILD_TAGS=${{ matrix.build_tags }} -f deploy/relay/Dockerfile . @@ -463,7 +468,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: block disable-telemetry: true diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index c5170192..add86fec 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -21,7 +21,7 @@ jobs: ci: ${{ steps.detect.outputs.ci }} steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -31,7 +31,7 @@ jobs: api.github.com:443 github.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: sparse-checkout: .github/detect-ci-changes.bash sparse-checkout-cone-mode: false 
@@ -61,7 +61,7 @@ jobs: CGO_ENABLED: "0" steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -75,11 +75,11 @@ jobs: storage.googleapis.com:443 sum.golang.org:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: "1.26" @@ -106,7 +106,7 @@ jobs: CGO_ENABLED: "0" steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -122,16 +122,16 @@ jobs: release-assets.githubusercontent.com:443 storage.googleapis.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: "1.26" - name: Run golangci-lint - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 + uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 pre-commit: name: Pre-commit 
@@ -143,7 +143,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -156,12 +156,12 @@ jobs: releases.nixos.org:443 storage.googleapis.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 persist-credentials: false - - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5 + - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6 - name: Run pre-commit hooks env: @@ -180,7 +180,7 @@ jobs: CGO_ENABLED: "0" steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -195,11 +195,11 @@ jobs: storage.googleapis.com:443 sum.golang.org:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: "1.26" @@ -213,7 +213,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: block disable-telemetry: true diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index 2e02e03b..d8e14c8e 100644 
--- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -31,7 +31,7 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -42,13 +42,13 @@ jobs: github.com:443 releases.nixos.org:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0 - - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5 + - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6 - name: Build docs run: nix run '.#docs' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6056b583..f93f13f0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -32,18 +32,18 @@ jobs: packages: write steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: audit - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: ref: ${{ github.event.release.tag_name || inputs.tag }} fetch-depth: 0 persist-credentials: false - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: "1.26" 
@@ -51,7 +51,7 @@ jobs: # of pre-built CGO_ENABLED=0 binaries. Buildx assembles the multi-arch # manifest without emulation. - name: Setup Blacksmith Builder - uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1 + uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1 # useblacksmith/setup-docker-builder drops buildkitd.toml in the repo # root, which trips goreleaser's dirty-state check. Exclude it locally @@ -60,7 +60,7 @@ jobs: - name: Ignore buildkitd.toml locally run: echo buildkitd.toml >> .git/info/exclude - - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -86,7 +86,7 @@ jobs: echo "value=false" >> "$GITHUB_OUTPUT" fi - - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1 + - uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2 with: version: "v2.13.3" args: release --clean diff --git a/.github/workflows/scheduled-release.yml b/.github/workflows/scheduled-release.yml index ce8a5232..06cbf07a 100644 --- a/.github/workflows/scheduled-release.yml +++ b/.github/workflows/scheduled-release.yml @@ -24,7 +24,7 @@ jobs: contents: write steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: audit 
@@ -32,12 +32,12 @@ jobs: - name: Generate app token id: app-token - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ secrets.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 6c7d40eb..79cbb7cb 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -21,7 +21,7 @@ jobs: ci: ${{ steps.detect.outputs.ci }} steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -31,7 +31,7 @@ jobs: api.github.com:443 github.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: sparse-checkout: .github/detect-ci-changes.bash sparse-checkout-cone-mode: false @@ -59,7 +59,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block 
@@ -73,11 +73,11 @@ jobs: storage.googleapis.com:443 vuln.go.dev:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5 + - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6 - name: Run govulncheck run: nix run '.#govulncheck' @@ -94,7 +94,7 @@ jobs: CGO_ENABLED: "0" steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -109,11 +109,11 @@ jobs: storage.googleapis.com:443 sum.golang.org:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: "1.26" @@ -133,7 +133,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block 
@@ -143,13 +143,14 @@ jobs: github.com:443 pkg-containers.githubusercontent.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 persist-credentials: false - - uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2 + - uses: step-security/trufflehog-action@8560b0deaa854dfe432084eaefa1dffbc1647a6b # v3.95.5 with: + version: 3.95.5 extra_args: --only-verified codeql: @@ -167,7 +168,7 @@ jobs: CGO_ENABLED: "0" steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -180,16 +181,16 @@ jobs: release-assets.githubusercontent.com:443 storage.googleapis.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: "1.26" - name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: go build-mode: manual @@ -198,7 +199,7 @@ jobs: run: go build ./... - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 result: name: Security Result 
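Review bot: The swap from `trufflesecurity/trufflehog` to `step-security/trufflehog-action` moves the scanner behind a third-party wrapper, and the SHA pin now covers only the wrapper; the scanner itself is resolved at run time from `version: 3.95.5`, so please confirm the wrapper verifies a checksum or signature for what it downloads, and add a one-line comment above the step recording why the upstream action was dropped. Whatever the wrapper fetches must also be reachable under `egress-policy: block` — the hunk's allowlist shows only `github.com:443` and `pkg-containers.githubusercontent.com:443`, the latter presumably left over from the old action pulling a container image, so it may now be unused while a release-asset host may be missing; check one run's harden-runner report. As a defensive YAML point, quote the input, `version: "3.95.5"`, so a future bump to a two-component value (e.g. `3.96`) is not parsed as a float. The `secrets` job continues outside this hunk.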
@@ -207,7 +208,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: block disable-telemetry: true diff --git a/.github/workflows/update-vendor-hash.yml b/.github/workflows/update-vendor-hash.yml index aa323959..3f3f84c8 100644 --- a/.github/workflows/update-vendor-hash.yml +++ b/.github/workflows/update-vendor-hash.yml @@ -22,7 +22,7 @@ jobs: needed: ${{ steps.check.outputs.needed }} steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -30,7 +30,7 @@ jobs: allowed-endpoints: > github.com:443 - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: ref: ${{ github.head_ref }} fetch-depth: 0 @@ -60,7 +60,7 @@ jobs: contents: write steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: deploy-on-self-hosted-vm: true egress-policy: block 
@@ -77,18 +77,18 @@ jobs: - name: Generate app token id: app-token - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: client-id: ${{ secrets.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: ref: ${{ github.head_ref }} fetch-depth: 0 token: ${{ steps.app-token.outputs.token }} - - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5 + - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6 - name: Tidy go modules run: nix develop -c go mod tidy diff --git a/nix/overlay.nix b/nix/overlay.nix index 62325b74..71e07008 100644 --- a/nix/overlay.nix +++ b/nix/overlay.nix @@ -8,24 +8,26 @@ _final: prev: let - # Scoped Go 1.26.3 override for micasa and its dev tools only. + # Scoped Go 1.26.4 override for micasa and its dev tools only. # NOT exported as go/go_1_26/buildGoModule — doing so rebuilds the # entire transitive closure from source (VHS → Chromium → PipeWire → # ffmpeg/gstreamer) because every Go derivation's input hash changes. # - # 1.26.3 fixes six stdlib vulnerabilities flagged by govulncheck: + # 1.26.4 fixes stdlib vulnerabilities flagged by govulncheck: # GO-2026-4918 (net/http HTTP/2 SETTINGS frame infinite loop) # GO-2026-4971 (net Dial/LookupPort panic on NUL input on Windows) # GO-2026-4977 (net/mail consumePhrase DoS) # GO-2026-4980 (html/template empty