diff --git a/.github/workflows/create-github-release.yml b/.github/workflows/create-github-release.yml index 29c74208..240f55bb 100644 --- a/.github/workflows/create-github-release.yml +++ b/.github/workflows/create-github-release.yml @@ -9,10 +9,12 @@ on: jobs: create-github-release: runs-on: ubuntu-24.04 + permissions: + contents: write # needed to create releases and upload assets steps: - name: Create a GitHub release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 with: generate_release_notes: true draft: false diff --git a/.github/workflows/find-vulnerabilities.yml b/.github/workflows/find-vulnerabilities.yml index 0eebcf60..81ce7879 100644 --- a/.github/workflows/find-vulnerabilities.yml +++ b/.github/workflows/find-vulnerabilities.yml @@ -10,16 +10,20 @@ on: jobs: scan-codebase: runs-on: ubuntu-24.04 + permissions: + contents: read + name: Inspect packages with ScanCode.io steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: path: scancode-inputs sparse-checkout: pyproject.toml sparse-checkout-cone-mode: false + persist-credentials: false # do not keep the token around - name: Fail on known vulnerabilities - uses: aboutcode-org/scancode-action@main + uses: aboutcode-org/scancode-action@8adbf888f487c3cdf6c15386035769cd03a94c66 with: pipelines: "inspect_packages:StaticResolver,find_vulnerabilities" check-compliance: true diff --git a/.github/workflows/pr-quality.yml b/.github/workflows/pr-quality.yml index 0eaa5b04..8001a43a 100644 --- a/.github/workflows/pr-quality.yml +++ b/.github/workflows/pr-quality.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-24.04 name: Detects and automatically closes low-quality and AI slop PRs steps: - - uses: peakoss/anti-slop@v0 + - uses: peakoss/anti-slop@e158eeefe5c43e1d3ba8533b84e0e35d9d6761de with: # Number of check failures needed before failure actions are triggered max-failures: 3 
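Review bot: With `draft: false` and `generate_release_notes: true` the release body is assembled from merged PR titles and authors — text that outside contributors control — and is published the moment the workflow runs, under the new `contents: write` scope. If that is acceptable it deserves a line saying so; otherwise `draft: true` lets a maintainer read the generated notes before they go public. The trigger that starts this job is outside the hunk, so I cannot tell who can cause a release to be cut. The `with:` block for this step also continues past the hunk.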
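Review bot: The `aboutcode-org/scancode-action` pin is a bare commit SHA with no trailing `# <tag>` comment, unlike every other pin in this commit (`# v6.0.2`, `# v2.5.0`), so a reader cannot tell whether it corresponds to a release or is simply a commit on the `main` branch it previously tracked, and Dependabot/Renovate have nothing to map it to. Add the tag if one exists, or record the branch and date you took it from: `uses: aboutcode-org/scancode-action@8adbf888f487c3cdf6c15386035769cd03a94c66 # <tag, or "main as of YYYY-MM-DD">`. The `persist-credentials: false` on the sparse checkout is a good addition since the job only needs `pyproject.toml`.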
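Review bot: This is the only job in the commit that still has no job-level `permissions:` block, yet its name says it closes PRs, which requires `pull-requests: write`; as written it runs with whatever the repository's default token scope is. Declare exactly what the action needs, e.g. `permissions:` / `  pull-requests: write` / `  contents: read`, so the scope is visible and minimal. The trigger is outside this hunk; if it is `pull_request_target`, a write-scoped token is being handed to a third-party action that evaluates untrusted PR content, which makes the SHA pin essential and is also why the pin should carry a version comment (`# v0.x`) like the other actions so it can be kept current.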
diff --git a/.github/workflows/publish-docker-image.yml b/.github/workflows/publish-docker-image.yml index e84a53be..4495f728 100644 --- a/.github/workflows/publish-docker-image.yml +++ b/.github/workflows/publish-docker-image.yml @@ -22,15 +22,19 @@ jobs: permissions: contents: read packages: write + attestations: write + id-token: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # do not keep the token around # Uses the `docker/login-action` action to log in to the Container registry using # the account and password that will publish the packages. - name: Log in to the Container registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -42,7 +46,7 @@ jobs: # The `images` value provides the base name for the tags and labels. - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -53,7 +57,8 @@ jobs: # It uses the `tags` and `labels` parameters to tag and label the image with # the output from the "meta" step. - name: Build and push Docker image - uses: docker/build-push-action@v5 + id: push + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: . push: true 
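Review bot: `attestations: write` and `id-token: write` are added without a comment explaining why; `id-token: write` in particular lets every step in this job — including the third-party Docker actions — mint an OIDC token that any external system configured to trust this repository will accept, so the next maintainer needs to know it exists for the attestation step and nothing else. Suggested inline comments: `id-token: write  # OIDC identity for Sigstore signing in the attestation step` and `attestations: write  # store provenance via actions/attest-build-provenance`. The `password:` line of the login step is outside the hunk; if it is `secrets.GITHUB_TOKEN`, the existing `packages: write` already covers the push and no extra credential is needed.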
@@ -61,3 +66,13 @@ jobs: ${{ steps.meta.outputs.tags }} ${{ env.REGISTRY }}/aboutcode-org/dejacode:latest labels: ${{ steps.meta.outputs.labels }} + + # This step generates an artifact attestation for the image, which is an + # unforgeable statement about where and how it was built. + # It increases supply chain security for people who consume the image. + - name: Generate artifact attestation + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true diff --git a/.github/workflows/run-unit-tests-docker.yml b/.github/workflows/run-unit-tests-docker.yml index 4029e809..53de574b 100644 --- a/.github/workflows/run-unit-tests-docker.yml +++ b/.github/workflows/run-unit-tests-docker.yml @@ -10,10 +10,14 @@ on: jobs: run-unit-tests: runs-on: ubuntu-24.04 + permissions: + contents: read steps: - - name: Checkout code - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # do not keep the token around - name: Generate the .env file and the SECRET_KEY run: make envfile diff --git a/.github/workflows/run-unit-tests.yml b/.github/workflows/run-unit-tests.yml index f75e102f..06ecbf4b 100644 --- a/.github/workflows/run-unit-tests.yml +++ b/.github/workflows/run-unit-tests.yml @@ -16,10 +16,12 @@ env: jobs: run-unit-tests: runs-on: ubuntu-24.04 + permissions: + contents: read services: postgres: - image: postgres:16 + image: postgres:16.13 env: POSTGRES_DB: ${{ env.DATABASE_NAME }} POSTGRES_USER: ${{ env.DATABASE_USER }} 
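Review bot: `${{ env.IMAGE_NAME}}` in `subject-name` is missing the space before `}}` that every other expression in this file uses (`${{ env.IMAGE_NAME }}`); it still evaluates, but it reads as a typo and trips linters that match on `${{ … }}`. More substantively, the attestation is registered only under `env.IMAGE_NAME`, while the line above also pushes the image as `${{ env.REGISTRY }}/aboutcode-org/dejacode:latest`; if those two names do not resolve to the same repository, anyone verifying the `:latest` name finds no attestation, so a comment confirming they are the same would help. The comment block should also tell consumers how to actually check the provenance, e.g. `# Verify with: gh attestation verify oci://<registry>/<image>@<digest> --owner aboutcode-org`.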
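Review bot: `postgres:16.13` pins a patch tag, but registry tags are mutable, so unlike the SHA-pinned actions elsewhere in this commit the service image can still be re-pushed with different content. For the same guarantee pin by digest while keeping the tag for readability: `image: postgres:16.13@sha256:<digest>`, taking the digest from `docker buildx imagetools inspect postgres:16.13`. The database credentials come from `env.DATABASE_*`, which are defined outside this hunk.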
@@ -35,10 +37,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # do not keep the token around - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14" @@ -59,7 +63,7 @@ jobs: run: make check - name: Start Redis - uses: supercharge/redis-github-action@1.8.1 + uses: supercharge/redis-github-action@bc274cb7238cd63a45029db04ee48c07a72609fd # v1.8.1 - name: Build the documentation run: make docs
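Review bot: Pinning `supercharge/redis-github-action` to a SHA does not pin the Redis that actually runs: the action starts a `redis` container whose version comes from its `redis-version` input, which is not set here and, as far as I recall, defaults to `latest`. Pass it explicitly so the test environment is reproducible and matches what DejaCode deploys against, e.g. `with:` / `  redis-version: "7"` (quoted, so YAML does not read it as a float). The `make check` and `make docs` steps around it are unchanged.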