diff --git a/.github/workflows/bandith_security_scan.yml b/.github/workflows/bandith_security_scan.yml
index 746caa02..a6b7d96e 100644
--- a/.github/workflows/bandith_security_scan.yml
+++ b/.github/workflows/bandith_security_scan.yml
@@ -8,7 +8,7 @@ jobs:
bandit:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- name: Bandit
run: |
.github/workflows/scripts/run_bandit_scan.sh
diff --git a/.github/workflows/build_and_push.yml b/.github/workflows/build_and_push.yml
index 268b1ac8..afac3a45 100644
--- a/.github/workflows/build_and_push.yml
+++ b/.github/workflows/build_and_push.yml
@@ -16,9 +16,9 @@ jobs:
images: ${{ steps.filter.outputs.changes }}
steps:
- name: Checkout
- uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- - uses: dorny/paths-filter@v2
+ - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter
with:
filters: |
@@ -35,7 +35,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- name: Build container
working-directory: ./${{ matrix.image }}
@@ -47,7 +47,7 @@ jobs:
- name: Configure AWS credentials
id: aws-creds
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
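Review bot: In the `@@ -47` hunk of build_and_push.yml the `aws-actions/configure-aws-credentials` line changes only its trailing comment (`# tag=v1` → `# v1.7.0`) while the digest `67fbcbb1…` is unchanged, so the new label should be checked against the upstream v1.7.0 tag before merge, since the comment is what dependency tooling will trust from now on; the same comment-only relabel appears for this action in s3-backup.yml and for `actions/setup-node@1f8c6b94…` in ci_code.yml. Separately, the step still authenticates with long-lived static keys (`aws-access-key-id` / `aws-secret-access-key` pulled from repository secrets); if I recall correctly this release line of the action already supports OIDC federation via `role-to-assume` together with `permissions: id-token: write`, which would let the stored keys be retired in a follow-up. The step's `with:` block may continue past the end of the hunk.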
@@ -55,7 +55,7 @@ jobs:
- name: Login to ECR
id: login-ecr
- uses: aws-actions/amazon-ecr-login@9149ade017c57f86dea2f76a01f8b2d5bd06b10f # tag=v1
+ uses: aws-actions/amazon-ecr-login@261a7de32bda11ba01f4d75c4ed6caf3739e54be # v1.5.3
- name: Push containers to ECR
run: |
@@ -80,7 +80,7 @@ jobs:
migrate
- name: Generate list-manager/${{ matrix.image }}/docker SBOM
- uses: cds-snc/security-tools/.github/actions/generate-sbom@4c6b386722985552f3f008d04279a3f01402cc35 # renovate: tag=v1
+ uses: cds-snc/security-tools/.github/actions/generate-sbom@f0d609b2a8f51dbb4b1760b02a35fb1aadbae7f1 # v1.1.6
with:
dependency_track_api_key: ${{ secrets.DEPENDENCY_TRACK_API_KEY }}
docker_image: $REGISTRY/${{ matrix.image }}:$GITHUB_SHA
diff --git a/.github/workflows/ci_build_continers.yml b/.github/workflows/ci_build_continers.yml
index 4066bf22..f23a39e4 100644
--- a/.github/workflows/ci_build_continers.yml
+++ b/.github/workflows/ci_build_continers.yml
@@ -15,9 +15,9 @@ jobs:
images: ${{ steps.filter.outputs.changes }}
steps:
- name: Checkout
- uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- - uses: dorny/paths-filter@v2
+ - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter
with:
filters: |
@@ -34,7 +34,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- name: Build container
working-directory: ./${{ matrix.image }}
diff --git a/.github/workflows/ci_code.yml b/.github/workflows/ci_code.yml
index 706c907f..9e416535 100644
--- a/.github/workflows/ci_code.yml
+++ b/.github/workflows/ci_code.yml
@@ -25,15 +25,15 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- name: Setup python
- uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a # tag=v2
+ uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # v2.3.3
with:
python-version: "3.9"
- name: Setup node
- uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561 # tag=v2
+ uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561 # v2.5.1
with:
node-version: "14"
diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml
index 3216c0a8..a34d1449 100644
--- a/.github/workflows/generate_sbom.yml
+++ b/.github/workflows/generate_sbom.yml
@@ -19,10 +19,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
- uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- name: Generate app SBOM
- uses: cds-snc/security-tools/.github/actions/generate-sbom@4c6b386722985552f3f008d04279a3f01402cc35 # renovate: tag=v1
+ uses: cds-snc/security-tools/.github/actions/generate-sbom@f0d609b2a8f51dbb4b1760b02a35fb1aadbae7f1 # v1.1.6
with:
dependency_track_api_key: ${{ secrets.DEPENDENCY_TRACK_API_KEY }}
project_name: list-manager/app
diff --git a/.github/workflows/s3-backup.yml b/.github/workflows/s3-backup.yml
index fe5cafc6..684b3501 100644
--- a/.github/workflows/s3-backup.yml
+++ b/.github/workflows/s3-backup.yml
@@ -10,12 +10,12 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
with:
fetch-depth: 0 # retrieve all history
- name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
with:
aws-access-key-id: ${{ secrets.AWS_S3_BACKUP_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_S3_BACKUP_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/scripts.yml b/.github/workflows/scripts.yml
index dfd9104e..2010b4e7 100644
--- a/.github/workflows/scripts.yml
+++ b/.github/workflows/scripts.yml
@@ -8,14 +8,14 @@ jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- name: Shellcheck
run: .github/workflows/scripts/run_shellcheck.sh
script_test:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- name: Test Scripts
run: .github/workflows/scripts/test_scripts.sh
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index d41dcbb2..00a205d9 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -8,7 +8,7 @@ jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- name: Shellcheck
run: |
.github/workflows/scripts/run_shellcheck.sh
diff --git a/.github/workflows/terraform-security-scan.yml b/.github/workflows/terraform-security-scan.yml
index 79501804..045b5070 100644
--- a/.github/workflows/terraform-security-scan.yml
+++ b/.github/workflows/terraform-security-scan.yml
@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
- uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- name: Checkov security scan
uses: bridgecrewio/checkov-action@f621ecfe2d83b0e2028c7e93f082812eb56d3743 # latest as of Sept 9, 2021
diff --git a/.github/workflows/tf_apply.yml b/.github/workflows/tf_apply.yml
index 59cb71a1..06ca8665 100644
--- a/.github/workflows/tf_apply.yml
+++ b/.github/workflows/tf_apply.yml
@@ -23,10 +23,10 @@ jobs:
AWS_REGION: ca-central-1
steps:
- name: Checkout
- uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- name: Setup Terraform
- uses: hashicorp/setup-terraform@d22444889af304a44b997011fbabb81ff705a7b4 # tag=v1.2.1
+ uses: hashicorp/setup-terraform@ed3a0531877aca392eb870f440d9ae7aba83a6bd # v1.4.0
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_wrapper: false
@@ -38,7 +38,7 @@ jobs:
chmod +x bin/terragrunt
echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
- - uses: dorny/paths-filter@3b817c99747a70f3b42db7c51bcc44407b73481e # tag=v2.2.1
+ - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter
with:
filters: |
diff --git a/.github/workflows/tf_plan.yml b/.github/workflows/tf_plan.yml
index 5134ce4a..e37e0445 100644
--- a/.github/workflows/tf_plan.yml
+++ b/.github/workflows/tf_plan.yml
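Review bot: The context line `uses: bridgecrewio/checkov-action@f621ecfe… # latest as of Sept 9, 2021` at the end of the terraform-security-scan.yml hunk is the one action in this commit left outside the new `# vX.Y.Z` labelling convention: with a date instead of a release in the comment, digest-based update tooling has nothing to match against, so the security scanner itself stays frozen on a 2021 commit while every action around it is refreshed. Suggest bringing it into the same style as the rest of the change, e.g. `uses: bridgecrewio/checkov-action@<sha-of-chosen-release> # v<release>`, with the digest and version taken from the upstream tag (placeholders here, not real values). The Checkov step's `with:` inputs, if any, lie outside the hunk.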
@@ -28,10 +28,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
- uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # tag=v2
+ uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
- name: Setup Terraform
- uses: hashicorp/setup-terraform@d22444889af304a44b997011fbabb81ff705a7b4 # tag=v1.2.1
+ uses: hashicorp/setup-terraform@ed3a0531877aca392eb870f440d9ae7aba83a6bd # v1.4.0
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_wrapper: false