diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml
index 46e5e7eb..a9067e41 100644
--- a/.github/workflows/ci-test.yml
+++ b/.github/workflows/ci-test.yml
@@ -28,20 +28,20 @@ jobs:
 name: lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: './go.mod'
 check-latest: true
 - name: golangci-lint
- uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+ uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
 with:
 version: v1.59
 yamllint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - name: Set up Python
 uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
 with:
@@ -58,9 +58,9 @@ jobs:
 actionlint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - name: Check workflow files
- uses: reviewdog/action-actionlint@4f8f9963ca57a41e5fd5b538dd79dbfbd3e0b38a # v1.54.0
+ uses: reviewdog/action-actionlint@7eeec1dd160c2301eb28e1568721837d084558ad # v1.57.0
 # TODO(asraa): Re-enable shellcheck from actionlint
 with:
 actionlint_flags: -color -shellcheck=
@@ -68,7 +68,7 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: './go.mod'
@@ -84,7 +84,7 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: './go.mod'
@@ -103,7 +103,7 @@ jobs:
 name: Shellcheck
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - name: Run ShellCheck
 uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
 env:
diff --git a/.github/workflows/cosign-test.yml b/.github/workflows/cosign-test.yml
index fe792b58..cb85e0fd 100644
--- a/.github/workflows/cosign-test.yml
+++ b/.github/workflows/cosign-test.yml
@@ -29,13 +29,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Install cosign
- - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+ - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 # Set up a repository server with python
 - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
 with:
 python-version: '3.x'
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 2
 - run: |
diff --git a/.github/workflows/create-signing-events.yml b/.github/workflows/create-signing-events.yml
index 6dfce059..b1239f1d 100644
--- a/.github/workflows/create-signing-events.yml
+++ b/.github/workflows/create-signing-events.yml
@@ -16,7 +16,7 @@ jobs:
 actions: 'write' # for dispatching signing event workflow
 steps:
 - name: Create signing events for offline version bumps
- uses: theupdateframework/tuf-on-ci/actions/create-signing-events@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/create-signing-events@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
@@ -28,7 +28,7 @@ jobs:
 issues: 'write' # for modifying Issues
 steps:
 - name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/custom-test.yml b/.github/workflows/custom-test.yml
index 29cb91af..4454511a 100644
--- a/.github/workflows/custom-test.yml
+++ b/.github/workflows/custom-test.yml
@@ -42,7 +42,7 @@ jobs:
 python -m sigstore verify github --cert-identity $IDENTITY --bundle artifact.sigstore.json artifact
 - name: Upload the bundle for other clients to verify
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: bundle
 path: artifact.sigstore.json
@@ -51,7 +51,7 @@ jobs:
 cosign:
 runs-on: ubuntu-latest
 steps:
- - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+ - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 - name: Download initial root
 run: curl -o root.json ${METADATA_URL}/1.root.json
@@ -111,7 +111,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [sigstore-python]
 steps:
- - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+ - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
 - name: Install sigstore-js
 run: npm install -g @sigstore/cli
@@ -141,7 +141,7 @@ jobs:
 needs: [sigstore-python]
 steps:
 - name: Set up JDK
- uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # v4.2.2
+ uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0
 with:
 java-version: 17
 distribution: 'temurin'
@@ -149,7 +149,7 @@ jobs:
 - name: Setup Gradle
 uses: gradle/actions/setup-gradle@v4
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 repository: "sigstore/sigstore-java"
 fetch-tags: true
diff --git a/.github/workflows/delegation-pop-verify.yml b/.github/workflows/delegation-pop-verify.yml
index 50a43bb4..d80e2c11 100644
--- a/.github/workflows/delegation-pop-verify.yml
+++ b/.github/workflows/delegation-pop-verify.yml
@@ -34,7 +34,7 @@ jobs:
 PR_NUMBER: ${{ github.event.pull_request.number }}
 steps:
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
diff --git a/.github/workflows/deploy-to-gcs.yml b/.github/workflows/deploy-to-gcs.yml
index e9596b60..850c1273 100644
--- a/.github/workflows/deploy-to-gcs.yml
+++ b/.github/workflows/deploy-to-gcs.yml
@@ -23,7 +23,7 @@ jobs:
 tar --directory repository -xvf artifact.tar
 # NOTE: This gcloud project/account is NOT the tuf-on-ci online signing account
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
 with:
 token_format: access_token
 workload_identity_provider: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
diff --git a/.github/workflows/initialize.yml b/.github/workflows/initialize.yml
index 2280d1a6..0e867e51 100644
--- a/.github/workflows/initialize.yml
+++ b/.github/workflows/initialize.yml
@@ -44,7 +44,7 @@ jobs:
 check_branch:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: Check if remote branch exists
@@ -64,7 +64,7 @@ jobs:
 permissions:
 id-token: 'write'
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 # TODO(https://github.com/sigstore/root-signing/issues/98): Use a common configuration checked into source control
@@ -82,7 +82,7 @@ jobs:
 go-version-file: './go.mod'
 check-latest: true
 # Setup OIDC->SA auth for signing with KMS
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
 id: auth
 with:
 token_format: 'access_token'
@@ -108,7 +108,7 @@ jobs:
 run: |
 ./scripts/step-1.5.sh ${{ inputs.revoke_key }}
 - name: Upload new repository
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: ${{ inputs.repo }}
 path: ${{ inputs.repo }}
@@ -121,7 +121,7 @@ jobs:
 pull-requests: 'write'
 contents: 'write'
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 ref: ${{ inputs.branch }}
 fetch-depth: 0
diff --git a/.github/workflows/online-sign.yml b/.github/workflows/online-sign.yml
index 92d1c1f2..7a82b36e 100644
--- a/.github/workflows/online-sign.yml
+++ b/.github/workflows/online-sign.yml
@@ -20,7 +20,7 @@ jobs:
 actions: 'write' # for dispatching publish workflow
 steps:
 - id: online-sign
- uses: theupdateframework/tuf-on-ci/actions/online-sign@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/online-sign@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 gcp_workload_identity_provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
@@ -35,7 +35,7 @@ jobs:
 issues: 'write' # for modifying Issues
 steps:
 - name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f46eeded..1d8ff9f4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - id: build-and-upload-repository
- uses: theupdateframework/tuf-on-ci/actions/upload-repository@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/upload-repository@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 gh_pages: true
 ref: ${{ inputs.ref }}
@@ -67,7 +67,7 @@ jobs:
 issues: 'write' # for modifying Issues
 steps:
 - name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 834d1b17..355ba368 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,15 +31,15 @@ jobs:
 outputs:
 hashes: ${{ steps.hash.outputs.hashes }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: './go.mod'
 check-latest: true
- - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- - uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1
+ - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+ - uses: anchore/sbom-action/download-syft@f5e124a5e5e1d497a692818ae907d3c45829d033 # v0.17.3
 - uses: imjasonh/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
 - name: Set LDFLAGS
diff --git a/.github/workflows/reuseable-snapshot-timestamp.yml b/.github/workflows/reuseable-snapshot-timestamp.yml
index c0a9f1e3..3ec1c718 100644
--- a/.github/workflows/reuseable-snapshot-timestamp.yml
+++ b/.github/workflows/reuseable-snapshot-timestamp.yml
@@ -73,7 +73,7 @@ jobs:
 permissions:
 id-token: 'write'
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 ref: ${{ inputs.branch }}
@@ -91,7 +91,7 @@ jobs:
 go-version-file: './go.mod'
 check-latest: true
 # Setup OIDC->SA auth
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
 id: auth
 with:
 token_format: 'access_token'
@@ -141,7 +141,7 @@ jobs:
 git format-patch HEAD^ -o snapshot-timestamp
 - name: Upload snapshot and timestamp
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: snapshot-timestamp
 path: snapshot-timestamp
@@ -178,7 +178,7 @@ jobs:
 pull-requests: 'write'
 contents: 'write'
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 ref: ${{ inputs.branch }}
diff --git a/.github/workflows/review-snapshot-timestamp.yml b/.github/workflows/review-snapshot-timestamp.yml
index f5491882..8f9e926c 100644
--- a/.github/workflows/review-snapshot-timestamp.yml
+++ b/.github/workflows/review-snapshot-timestamp.yml
@@ -33,7 +33,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - run: |
 set -euo pipefail
 ./.github/workflows/scripts/review-pull-request.sh
diff --git a/.github/workflows/signing-event.yml b/.github/workflows/signing-event.yml
index b5d9615c..b451408e 100644
--- a/.github/workflows/signing-event.yml
+++ b/.github/workflows/signing-event.yml
@@ -19,6 +19,6 @@ jobs:
 steps:
 - name: Signing event
- uses: theupdateframework/tuf-on-ci/actions/signing-event@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/signing-event@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/stable-snapshot-timestamp.yml b/.github/workflows/stable-snapshot-timestamp.yml
index 4f765680..5ae59d32 100644
--- a/.github/workflows/stable-snapshot-timestamp.yml
+++ b/.github/workflows/stable-snapshot-timestamp.yml
@@ -50,7 +50,7 @@ jobs:
 env:
 FORCE_SNAPSHOT: ${{ inputs.force_snapshot }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: Determine whether to run a snapshot/timestamp
diff --git a/.github/workflows/stable-timestamp.yml b/.github/workflows/stable-timestamp.yml
index fd5f643c..6fd89fd1 100644
--- a/.github/workflows/stable-timestamp.yml
+++ b/.github/workflows/stable-timestamp.yml
@@ -44,7 +44,7 @@ jobs:
 env:
 FORCE_TIMESTAMP: ${{ inputs.force_timestamp }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: Determine whether to create a timestamp
diff --git a/.github/workflows/sync-ceremony-to-main.yml b/.github/workflows/sync-ceremony-to-main.yml
index b239d860..59cfe94a 100644
--- a/.github/workflows/sync-ceremony-to-main.yml
+++ b/.github/workflows/sync-ceremony-to-main.yml
@@ -44,7 +44,7 @@ jobs:
 contents: 'write'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 ref: ${{ github.event.repository.default_branch }}
diff --git a/.github/workflows/sync-main-to-preprod-and-prod.yml b/.github/workflows/sync-main-to-preprod-and-prod.yml
index 5b4c680c..f83df897 100644
--- a/.github/workflows/sync-main-to-preprod-and-prod.yml
+++ b/.github/workflows/sync-main-to-preprod-and-prod.yml
@@ -42,7 +42,7 @@ jobs:
 permissions:
 id-token: 'write'
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
@@ -50,7 +50,7 @@ jobs:
 go-version-file: './go.mod'
 check-latest: true
 # Setup OIDC->SA auth
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
 id: auth
 with:
 token_format: 'access_token'
diff --git a/.github/workflows/sync-main-to-preprod.yml b/.github/workflows/sync-main-to-preprod.yml
index 4c3be18e..1ce4dedf 100644
--- a/.github/workflows/sync-main-to-preprod.yml
+++ b/.github/workflows/sync-main-to-preprod.yml
@@ -36,7 +36,7 @@ jobs:
 id-token: 'write'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
@@ -44,7 +44,7 @@ jobs:
 go-version-file: './go.mod'
 check-latest: true
 # Setup OIDC->SA auth
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
 id: auth
 with:
 token_format: 'access_token'
diff --git a/.github/workflows/sync-preprod-to-prod.yml b/.github/workflows/sync-preprod-to-prod.yml
index 5cfe94a0..23af47f4 100644
--- a/.github/workflows/sync-preprod-to-prod.yml
+++ b/.github/workflows/sync-preprod-to-prod.yml
@@ -26,7 +26,7 @@ jobs:
 id-token: 'write'
 steps:
 # Setup OIDC->SA auth
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
 id: auth
 with:
 token_format: 'access_token'
diff --git a/.github/workflows/test-gcs.yml b/.github/workflows/test-gcs.yml
index 4c1d7a08..0fa6b3d1 100644
--- a/.github/workflows/test-gcs.yml
+++ b/.github/workflows/test-gcs.yml
@@ -13,13 +13,13 @@ jobs:
 smoke-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - name: Set initial root for the smoke test
 run: cp metadata/root_history/5.root.json ./root.json
 - name: Smoke test Sigstore TUF repository with a TUF client
- uses: theupdateframework/tuf-on-ci/actions/test-repository@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/test-repository@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 metadata_url: https://tuf-repo-cdn.sigstore.dev/
 valid_days: 3
@@ -41,7 +41,7 @@ jobs:
 issues: 'write' # for modifying Issues
 steps:
 - name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 950da4ff..59c0c2d3 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,13 +13,13 @@ jobs:
 smoke-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - name: Set initial root for the smoke test
 run: cp metadata/root_history/5.root.json ./root.json
 - name: Smoke test TUF-on-CI repository with a TUF client
- uses: theupdateframework/tuf-on-ci/actions/test-repository@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/test-repository@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 metadata_url: https://sigstore.github.io/root-signing/
 update_base_url: https://tuf-repo-cdn.sigstore.dev/
@@ -42,7 +42,7 @@ jobs:
 issues: 'write' # for modifying Issues
 steps:
 - name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/tuf_client_tests.yml b/.github/workflows/tuf_client_tests.yml
index 88f1fc95..4b421ee3 100644
--- a/.github/workflows/tuf_client_tests.yml
+++ b/.github/workflows/tuf_client_tests.yml
@@ -30,7 +30,7 @@ jobs:
 - uses: actions/setup-python@v5
 with:
 python-version: '3.x'
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 2
 - run: |
@@ -55,7 +55,7 @@ jobs:
 go run ./tests/client-tests list http://localhost:8001
 # Test with rust client
 - name: Configure cargo cache
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
+ uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8
 with:
 path: |
 /tmp/tuftool-target
@@ -82,9 +82,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - name: Setup node
- uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+ uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
 with:
 node-version: 20
 - name: Install tufjs/cli
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index e05144db..893919eb 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -26,7 +26,7 @@ jobs:
 validate:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 2
 - run: |