diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml
index 46e5e7eb..6af33a05 100644
--- a/.github/workflows/ci-test.yml
+++ b/.github/workflows/ci-test.yml
@@ -28,20 +28,20 @@ jobs:
 name: lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version-file: './go.mod'
 check-latest: true
 - name: golangci-lint
- uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+ uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
 with:
 version: v1.59
 yamllint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Python
 uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
 with:
@@ -58,9 +58,9 @@ jobs:
 actionlint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Check workflow files
- uses: reviewdog/action-actionlint@4f8f9963ca57a41e5fd5b538dd79dbfbd3e0b38a # v1.54.0
+ uses: reviewdog/action-actionlint@7eeec1dd160c2301eb28e1568721837d084558ad # v1.57.0
 # TODO(asraa): Re-enable shellcheck from actionlint
 with:
 actionlint_flags: -color -shellcheck=
@@ -68,8 +68,8 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version-file: './go.mod'
 check-latest: true
@@ -84,8 +84,8 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version-file: './go.mod'
 check-latest: true
@@ -103,7 +103,7 @@ jobs:
 name: Shellcheck
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Run ShellCheck
 uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
 env:
diff --git a/.github/workflows/cosign-test.yml b/.github/workflows/cosign-test.yml
index fe792b58..4e9f1b73 100644
--- a/.github/workflows/cosign-test.yml
+++ b/.github/workflows/cosign-test.yml
@@ -29,13 +29,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Install cosign
- - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+ - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 # Set up a repository server with python
 - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
 with:
 python-version: '3.x'
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 2
 - run: |
diff --git a/.github/workflows/create-signing-events.yml b/.github/workflows/create-signing-events.yml
index 6dfce059..b1239f1d 100644
--- a/.github/workflows/create-signing-events.yml
+++ b/.github/workflows/create-signing-events.yml
@@ -16,7 +16,7 @@ jobs:
 actions: 'write' # for dispatching signing event workflow
 steps:
 - name: Create signing events for offline version bumps
- uses: theupdateframework/tuf-on-ci/actions/create-signing-events@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/create-signing-events@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
@@ -28,7 +28,7 @@ jobs:
 issues: 'write' # for modifying Issues
 steps:
 - name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/custom-test.yml b/.github/workflows/custom-test.yml
index 29cb91af..47be2de1 100644
--- a/.github/workflows/custom-test.yml
+++ b/.github/workflows/custom-test.yml
@@ -42,7 +42,7 @@ jobs:
 python -m sigstore verify github --cert-identity $IDENTITY --bundle artifact.sigstore.json artifact
 - name: Upload the bundle for other clients to verify
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: bundle
 path: artifact.sigstore.json
@@ -51,7 +51,7 @@ jobs:
 cosign:
 runs-on: ubuntu-latest
 steps:
- - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+ - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 - name: Download initial root
 run: curl -o root.json ${METADATA_URL}/1.root.json
@@ -79,7 +79,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [sigstore-python]
 steps:
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version: '1.22'
 check-latest: true
@@ -111,7 +111,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [sigstore-python]
 steps:
- - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+ - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 - name: Install sigstore-js
 run: npm install -g @sigstore/cli
@@ -141,7 +141,7 @@ jobs:
 needs: [sigstore-python]
 steps:
 - name: Set up JDK
- uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # v4.2.2
+ uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
 with:
 java-version: 17
 distribution: 'temurin'
@@ -149,7 +149,7 @@ jobs:
 - name: Setup Gradle
 uses: gradle/actions/setup-gradle@v4
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: "sigstore/sigstore-java"
 fetch-tags: true
diff --git a/.github/workflows/delegation-pop-verify.yml b/.github/workflows/delegation-pop-verify.yml
index 50a43bb4..8e89f014 100644
--- a/.github/workflows/delegation-pop-verify.yml
+++ b/.github/workflows/delegation-pop-verify.yml
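Review bot: `uses: gradle/actions/setup-gradle@v4` in the context of the `@@ -149,7` hunk of custom-test.yml still references a mutable tag, while every action this commit touches is pinned to a full commit SHA with the release in a trailing comment. The same applies to `- uses: actions/setup-python@v5` in the first hunk of tuf_client_tests.yml. A tag can be repointed to different code after review, so both would be worth pinning in the same pass, in the form `uses: gradle/actions/setup-gradle@<full-commit-sha> # v4.x.y` (placeholder; take the SHA from the release you intend to run). If the update tooling skips tag-style references, that may be why these two were left behind.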
@@ -34,12 +34,12 @@ jobs:
 PR_NUMBER: ${{ github.event.pull_request.number }}
 steps:
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Setup go
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version-file: './go.mod'
 check-latest: true
diff --git a/.github/workflows/deploy-to-gcs.yml b/.github/workflows/deploy-to-gcs.yml
index e9596b60..0f912e69 100644
--- a/.github/workflows/deploy-to-gcs.yml
+++ b/.github/workflows/deploy-to-gcs.yml
@@ -23,13 +23,13 @@ jobs:
 tar --directory repository -xvf artifact.tar
 # NOTE: This gcloud project/account is NOT the tuf-on-ci online signing account
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
 with:
 token_format: access_token
 workload_identity_provider: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
 service_account: tuf-gha@project-rekor.iam.gserviceaccount.com
- - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
+ - uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
 with:
 project_id: project-rekor
diff --git a/.github/workflows/initialize.yml b/.github/workflows/initialize.yml
index 2280d1a6..56f939a6 100644
--- a/.github/workflows/initialize.yml
+++ b/.github/workflows/initialize.yml
@@ -44,7 +44,7 @@ jobs:
 check_branch:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Check if remote branch exists
@@ -64,7 +64,7 @@ jobs:
 permissions:
 id-token: 'write'
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 # TODO(https://github.com/sigstore/root-signing/issues/98): Use a common configuration checked into source control
@@ -77,19 +77,19 @@ jobs:
 echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV
 # Note: we set LOCAL=1 because we manually push the changes in the next job.
 echo "LOCAL=1" >> $GITHUB_ENV
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version-file: './go.mod'
 check-latest: true
 # Setup OIDC->SA auth for signing with KMS
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
 id: auth
 with:
 token_format: 'access_token'
 workload_identity_provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
 service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com'
 create_credentials_file: true
- - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
+ - uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
 with:
 project_id: sigstore-root-signing
 - name: Login
@@ -108,7 +108,7 @@ jobs:
 run: |
 ./scripts/step-1.5.sh ${{ inputs.revoke_key }}
 - name: Upload new repository
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: ${{ inputs.repo }}
 path: ${{ inputs.repo }}
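Review bot: The script context in the `@@ -77,19` hunk of initialize.yml expands `${{ inputs.branch }}` directly into shell text (`echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV`), and the `@@ -108,7` hunk does the same with `${{ inputs.revoke_key }}`; the `@@ -86,19` hunk of reuseable-snapshot-timestamp.yml repeats the first pattern. The expression is substituted before the shell parses the line, so the input value becomes part of the script, in a step list that goes on to run `google-github-actions/auth`. How these inputs are supplied is not visible in the hunks, so exposure may be limited to maintainers, but passing the value through the step environment removes the question: an `env:` entry `BRANCH_INPUT: ${{ inputs.branch }}` and then `echo "BRANCH=${BRANCH_INPUT}" >> "$GITHUB_ENV"`. A value containing a newline would still add extra entries to `$GITHUB_ENV`, so rejecting such values before the write is worth adding too. The steps start outside these hunks.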
@@ -121,7 +121,7 @@ jobs:
 pull-requests: 'write'
 contents: 'write'
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 ref: ${{ inputs.branch }}
 fetch-depth: 0
diff --git a/.github/workflows/online-sign.yml b/.github/workflows/online-sign.yml
index 92d1c1f2..7a82b36e 100644
--- a/.github/workflows/online-sign.yml
+++ b/.github/workflows/online-sign.yml
@@ -20,7 +20,7 @@ jobs:
 actions: 'write' # for dispatching publish workflow
 steps:
 - id: online-sign
- uses: theupdateframework/tuf-on-ci/actions/online-sign@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/online-sign@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 gcp_workload_identity_provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
@@ -35,7 +35,7 @@ jobs:
 issues: 'write' # for modifying Issues
 steps:
 - name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f46eeded..1d8ff9f4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - id: build-and-upload-repository
- uses: theupdateframework/tuf-on-ci/actions/upload-repository@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/upload-repository@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 gh_pages: true
 ref: ${{ inputs.ref }}
@@ -67,7 +67,7 @@ jobs:
 issues: 'write' # for modifying Issues
 steps:
 - name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 834d1b17..d3c4bad1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,15 +31,15 @@ jobs:
 outputs:
 hashes: ${{ steps.hash.outputs.hashes }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version-file: './go.mod'
 check-latest: true
- - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- - uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1
+ - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+ - uses: anchore/sbom-action/download-syft@251a468eed47e5082b105c3ba6ee500c0e65a764 # v0.17.6
 - uses: imjasonh/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
 - name: Set LDFLAGS
diff --git a/.github/workflows/reuseable-snapshot-timestamp.yml b/.github/workflows/reuseable-snapshot-timestamp.yml
index c0a9f1e3..dcef0a56 100644
--- a/.github/workflows/reuseable-snapshot-timestamp.yml
+++ b/.github/workflows/reuseable-snapshot-timestamp.yml
@@ -73,7 +73,7 @@ jobs:
 permissions:
 id-token: 'write'
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 ref: ${{ inputs.branch }}
@@ -86,19 +86,19 @@ jobs:
 echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV
 # Note: we set LOCAL=1 because we manually push the changes in the next job.
 echo "LOCAL=1" >> $GITHUB_ENV
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version-file: './go.mod'
 check-latest: true
 # Setup OIDC->SA auth
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
 id: auth
 with:
 token_format: 'access_token'
 workload_identity_provider: ${{ inputs.provider }}
 service_account: ${{ inputs.service_account }}
 create_credentials_file: true
- - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
+ - uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
 with:
 # Note: This needs to be parameterized if the KMS keys are in a different project
 project_id: sigstore-root-signing
@@ -141,7 +141,7 @@ jobs:
 git format-patch HEAD^ -o snapshot-timestamp
 - name: Upload snapshot and timestamp
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: snapshot-timestamp
 path: snapshot-timestamp
@@ -178,7 +178,7 @@ jobs:
 pull-requests: 'write'
 contents: 'write'
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 ref: ${{ inputs.branch }}
diff --git a/.github/workflows/review-snapshot-timestamp.yml b/.github/workflows/review-snapshot-timestamp.yml
index f5491882..984a1f2f 100644
--- a/.github/workflows/review-snapshot-timestamp.yml
+++ b/.github/workflows/review-snapshot-timestamp.yml
@@ -33,7 +33,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - run: |
 set -euo pipefail
 ./.github/workflows/scripts/review-pull-request.sh
diff --git a/.github/workflows/signing-event.yml b/.github/workflows/signing-event.yml
index b5d9615c..b451408e 100644
--- a/.github/workflows/signing-event.yml
+++ b/.github/workflows/signing-event.yml
@@ -19,6 +19,6 @@ jobs:
 steps:
 - name: Signing event
- uses: theupdateframework/tuf-on-ci/actions/signing-event@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/signing-event@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/stable-snapshot-timestamp.yml b/.github/workflows/stable-snapshot-timestamp.yml
index 4f765680..653face2 100644
--- a/.github/workflows/stable-snapshot-timestamp.yml
+++ b/.github/workflows/stable-snapshot-timestamp.yml
@@ -50,7 +50,7 @@ jobs:
 env:
 FORCE_SNAPSHOT: ${{ inputs.force_snapshot }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Determine whether to run a snapshot/timestamp
diff --git a/.github/workflows/stable-timestamp.yml b/.github/workflows/stable-timestamp.yml
index fd5f643c..f770c11a 100644
--- a/.github/workflows/stable-timestamp.yml
+++ b/.github/workflows/stable-timestamp.yml
@@ -44,7 +44,7 @@ jobs:
 env:
 FORCE_TIMESTAMP: ${{ inputs.force_timestamp }}
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Determine whether to create a timestamp
diff --git a/.github/workflows/sync-ceremony-to-main.yml b/.github/workflows/sync-ceremony-to-main.yml
index b239d860..612ce677 100644
--- a/.github/workflows/sync-ceremony-to-main.yml
+++ b/.github/workflows/sync-ceremony-to-main.yml
@@ -44,7 +44,7 @@ jobs:
 contents: 'write'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 ref: ${{ github.event.repository.default_branch }}
diff --git a/.github/workflows/sync-main-to-preprod-and-prod.yml b/.github/workflows/sync-main-to-preprod-and-prod.yml
index 5b4c680c..7fcecc80 100644
--- a/.github/workflows/sync-main-to-preprod-and-prod.yml
+++ b/.github/workflows/sync-main-to-preprod-and-prod.yml
@@ -42,22 +42,22 @@ jobs:
 permissions:
 id-token: 'write'
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version-file: './go.mod'
 check-latest: true
 # Setup OIDC->SA auth
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
 id: auth
 with:
 token_format: 'access_token'
 workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
 service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com'
 create_credentials_file: true
- - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
+ - uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
 with:
 project_id: project-rekor
 - name: Login
diff --git a/.github/workflows/sync-main-to-preprod.yml b/.github/workflows/sync-main-to-preprod.yml
index 4c3be18e..fb036428 100644
--- a/.github/workflows/sync-main-to-preprod.yml
+++ b/.github/workflows/sync-main-to-preprod.yml
@@ -36,22 +36,22 @@ jobs:
 id-token: 'write'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version-file: './go.mod'
 check-latest: true
 # Setup OIDC->SA auth
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
 id: auth
 with:
 token_format: 'access_token'
 workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
 service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com'
 create_credentials_file: true
- - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
+ - uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
 with:
 project_id: project-rekor
 - name: Login
diff --git a/.github/workflows/sync-preprod-to-prod.yml b/.github/workflows/sync-preprod-to-prod.yml
index 5cfe94a0..f33b291f 100644
--- a/.github/workflows/sync-preprod-to-prod.yml
+++ b/.github/workflows/sync-preprod-to-prod.yml
@@ -26,14 +26,14 @@ jobs:
 id-token: 'write'
 steps:
 # Setup OIDC->SA auth
- - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+ - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
 id: auth
 with:
 token_format: 'access_token'
 workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
 service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com'
 create_credentials_file: true
- - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
+ - uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
 with:
 project_id: project-rekor
 - name: login
diff --git a/.github/workflows/test-gcs.yml b/.github/workflows/test-gcs.yml
index 4c1d7a08..709a4463 100644
--- a/.github/workflows/test-gcs.yml
+++ b/.github/workflows/test-gcs.yml
@@ -13,13 +13,13 @@ jobs:
 smoke-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set initial root for the smoke test
 run: cp metadata/root_history/5.root.json ./root.json
 - name: Smoke test Sigstore TUF repository with a TUF client
- uses: theupdateframework/tuf-on-ci/actions/test-repository@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/test-repository@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 metadata_url: https://tuf-repo-cdn.sigstore.dev/
 valid_days: 3
@@ -41,7 +41,7 @@ jobs:
 issues: 'write' # for modifying Issues
 steps:
 - name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 950da4ff..9de20e54 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,13 +13,13 @@ jobs:
 smoke-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set initial root for the smoke test
 run: cp metadata/root_history/5.root.json ./root.json
 - name: Smoke test TUF-on-CI repository with a TUF client
- uses: theupdateframework/tuf-on-ci/actions/test-repository@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/test-repository@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 metadata_url: https://sigstore.github.io/root-signing/
 update_base_url: https://tuf-repo-cdn.sigstore.dev/
@@ -42,7 +42,7 @@ jobs:
 issues: 'write' # for modifying Issues
 steps:
 - name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
 with:
 token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
 success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/tuf_client_tests.yml b/.github/workflows/tuf_client_tests.yml
index 88f1fc95..10303947 100644
--- a/.github/workflows/tuf_client_tests.yml
+++ b/.github/workflows/tuf_client_tests.yml
@@ -30,7 +30,7 @@ jobs:
 - uses: actions/setup-python@v5
 with:
 python-version: '3.x'
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 2
 - run: |
@@ -38,7 +38,7 @@ jobs:
 python -m http.server 8001 &
 echo "REPO=http://localhost:8001" >> $GITHUB_ENV
 # Test with go-tuf client
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version-file: './go.mod'
 check-latest: true
@@ -55,7 +55,7 @@ jobs:
 go run ./tests/client-tests list http://localhost:8001
 # Test with rust client
 - name: Configure cargo cache
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
+ uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a
 with:
 path: |
 /tmp/tuftool-target
@@ -82,9 +82,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Setup node
- uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 with:
 node-version: 20
 - name: Install tufjs/cli
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index e05144db..86173512 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
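Review bot: The bumped `uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a` line in the `@@ -55,7` hunk of tuf_client_tests.yml has no trailing release comment, unlike every other pinned action in this commit. Without it a reviewer cannot tell from the diff which release the new SHA is meant to be, or check it against the upstream tag. I would add the tag the SHA was taken from, as in `uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v<release>` (placeholder; the release is not stated on this page).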
@@ -26,14 +26,14 @@ jobs:
 validate:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 2
 - run: |
 echo "REPO=$(pwd)/repository" >> $GITHUB_ENV
 echo "CDN_REPO=https://tuf-repo-cdn.sigstore.dev" >> $GITHUB_ENV
 echo "CDN_PREPROD_REPO=https://tuf-preprod-repo-cdn.sigstore.dev" >> $GITHUB_ENV
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
 with:
 go-version-file: './go.mod'
 check-latest: true