From cb7837999f1c540a2be8099a7667b1ef04a77129 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Jun 2024 02:24:34 +0000 Subject: [PATCH] Bump the ci group across 1 directory with 10 updates Bumps the ci group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3.0.0` | `3.3.0` | | [docker/login-action](https://github.com/docker/login-action) | `1` | `3` | | [docker/metadata-action](https://github.com/docker/metadata-action) | `5.4.0` | `5.5.1` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `5.1.0` | `6.1.0` | | [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.3.0` | `3.5.0` | | [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) | `1.9.0` | `2.0.0` | | [actions/setup-go](https://github.com/actions/setup-go) | `5.0.0` | `5.0.1` | | [anchore/sbom-action](https://github.com/anchore/sbom-action) | `0.15.1` | `0.16.0` | | [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | `5.0.0` | `6.0.0` | | [docker/scout-action](https://github.com/docker/scout-action) | `1.2.2` | `1.10.0` | Updates `docker/setup-buildx-action` from 3.0.0 to 3.3.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/f95db51fddba0c2d1ec667646a06c2ce06100226...d70bba72b1f3fd22344832f00baa16ece964efeb) Updates `docker/login-action` from 1 to 3 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v1...v3) Updates `docker/metadata-action` from 5.4.0 to 5.5.1 - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](https://github.com/docker/metadata-action/compare/9dc751fe249ad99385a2583ee0d084c400eee04e...8e5442c4ef9f78752691e2d8f8d19755c6f78e81) Updates `docker/build-push-action` from 
5.1.0 to 6.1.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/4a13e500e55cf31b7a5d59a38ab2040ab0f42f56...31159d49c0d4756269a0940a750801a1ea5d7003) Updates `sigstore/cosign-installer` from 3.3.0 to 3.5.0 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/9614fae9e5c5eddabb09f90a270fcb487c9f7149...59acb6260d9c0ba8f4a2f9d9b48431a222b68e20) Updates `slsa-framework/slsa-github-generator` from 1.9.0 to 2.0.0 - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v2.0.0) Updates `actions/setup-go` from 5.0.0 to 5.0.1 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/0c52d547c9bc32b1aa3301fd7a9cb496313a4491...cdcb36043654635271a94b9a6d1392de5bb323a7) Updates `anchore/sbom-action` from 0.15.1 to 0.16.0 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Commits](https://github.com/anchore/sbom-action/compare/5ecf649a417b8ae17dc8383dc32d46c03f2312df...e8d2a6937ecead383dfe75190d104edd1f9c5751) Updates `goreleaser/goreleaser-action` from 5.0.0 to 6.0.0 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8...286f3b13b1b49da4ac219696163fb8c1c93e1200) Updates `docker/scout-action` from 1.2.2 to 1.10.0 - [Release notes](https://github.com/docker/scout-action/releases) - [Commits](https://github.com/docker/scout-action/compare/b7413c99043c2a9131c0fa39cedaece80f285788...fc749439af4870e8f6feb592250ab728600d10a6) --- updated-dependencies: - dependency-name: docker/setup-buildx-action 
dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: docker/metadata-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: docker/scout-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci ... Signed-off-by: dependabot[bot]
--- .github/workflows/controller_release.yaml | 10 +++---- .github/workflows/release_v21.yaml | 36 +++++++++++------------ .github/workflows/release_v22.yaml | 36 +++++++++++------------ .github/workflows/scan.yaml | 16 +++++----- 4 files changed, 49 insertions(+), 49 deletions(-)
diff --git a/.github/workflows/controller_release.yaml b/.github/workflows/controller_release.yaml
index 7101a13..4a6c3d8 100644
--- a/.github/workflows/controller_release.yaml
+++ b/.github/workflows/controller_release.yaml
@@ -45,9 +45,9 @@ jobs:
 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 - name: Setup Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v1
+ uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: weave-ghcr-bot
@@ -76,7 +76,7 @@ jobs:
 echo "base_version=${BASE_VERSION}" >> $GITHUB_OUTPUT
 - name: Generate images meta
 id: meta
- uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e # v5.4.0
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
 with:
 images: |
 ghcr.io/weaveworks/${{ inputs.controller }}
@@ -84,7 +84,7 @@ jobs:
 type=raw,value=${{ steps.patch.outputs.version }}
 - name: Publish images
 id: build-push
- uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+ uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
 with:
 sbom: true
 provenance: true
@@ -94,7 +94,7 @@ jobs:
 platforms: linux/amd64,linux/arm/v7,linux/arm64
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
- - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
+ - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 - name: Sign images
 env:
 COSIGN_EXPERIMENTAL: 1
diff --git a/.github/workflows/release_v21.yaml b/.github/workflows/release_v21.yaml
index affa3f7..6dba54c 100644
--- a/.github/workflows/release_v21.yaml
+++ b/.github/workflows/release_v21.yaml
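Review bot: The GHCR login step is the one action in this hunk still referenced by a mutable tag — `uses: docker/login-action@v3` — while the setup-buildx-action line directly above it is pinned to a commit SHA with a version comment, and the login step is the one that receives the registry credential (`username: weave-ghcr-bot` is visible; the password line lies outside the hunk). A moving `v3` tag means whatever that tag resolves to on release day runs with the bot's token. This same patch already pins the action by SHA in release_v21.yaml, so the line can simply become `uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0`, which also lets Dependabot's SHA-bump flow cover this step like the others.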
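Review bot: docker/build-push-action crosses a major version here (v5.1.0 to v6.1.0) with no change to the step's inputs, and only `sbom: true` / `provenance: true` of the `with:` block are visible — the rest of the step is outside the hunk. As far as I recall, the v6 line introduced a job-summary feature that also uploads the build record as a workflow artifact by default; for a release job that builds and pushes signed multi-arch images it is worth confirming from the release notes the commit links whether that default is wanted, and if not, disabling it explicitly at the job level via the documented `DOCKER_BUILD_RECORD_UPLOAD` environment variable. A one-line comment above the `uses:` noting that the v6 defaults were reviewed would save the next bump the same question.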
@@ -113,7 +113,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-source-controller.outputs.image_url }}
 digest: ${{ needs.release-source-controller.outputs.image_digest }}
@@ -129,7 +129,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-kustomize-controller.outputs.image_url }}
 digest: ${{ needs.release-kustomize-controller.outputs.image_digest }}
@@ -145,7 +145,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-helm-controller.outputs.image_url }}
 digest: ${{ needs.release-helm-controller.outputs.image_digest }}
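Review bot: The provenance generator is moved across a major version here (`generator_container_slsa3.yml@v1.9.0` to `@v2.0.0`) with no accompanying change to the caller's inputs or its `permissions:` block, and a reusable workflow that mints signed provenance under `id-token: write` and `packages: write` is exactly where a silent input or permission change would hurt. The changelog the commit links should be read before the next tag is cut, and I would push one pre-release tag through this job and verify the resulting attestation with the slsa-verifier version consumers are expected to use, rather than discover a format mismatch on a real release. Referencing the generator by tag rather than SHA is, as far as I know, what its own documentation asks for, so the tag form itself is not the concern. The same bump is repeated for every controller below and in release_v22.yaml.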
@@ -161,7 +161,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-image-reflector-controller.outputs.image_url }}
 digest: ${{ needs.release-image-reflector-controller.outputs.image_digest }}
@@ -177,7 +177,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-image-automation-controller.outputs.image_url }}
 digest: ${{ needs.release-image-automation-controller.outputs.image_digest }}
@@ -193,7 +193,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-notification-controller.outputs.image_url }}
 digest: ${{ needs.release-notification-controller.outputs.image_digest }}
@@ -225,7 +225,7 @@ jobs:
 git config --global user.name "Soule BA"
 git config --global user.email "soule@weave.works"
 - name: Setup Go
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
 go-version: 1.20.x
 cache: false
@@ -233,13 +233,13 @@ jobs:
 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 - name: Setup Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 - name: Setup Syft
- uses: anchore/sbom-action/download-syft@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0.15.1
+ uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
 - name: Setup Cosign
- uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
+ uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v1
+ uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: weave-ghcr-bot
@@ -318,7 +318,7 @@ jobs:
 - name: Run GoReleaser
 id: run-goreleaser
 if: startsWith(github.ref, 'refs/tags/v')
- uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+ uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
 with:
 version: latest
 args: release --clean --skip=validate
@@ -383,7 +383,7 @@ jobs:
 - name: Setup Flux CLI
 uses: ./flux2/action/
 - name: Login to GHCR
- uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
 with:
 registry: ghcr.io
 username: weave-ghcr-bot
@@ -409,7 +409,7 @@ jobs:
 --path="./flux-system" \
 --source=${{ github.repositoryUrl }} \
 --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
- - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
+ - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 - name: Sign manifests
 env:
 COSIGN_EXPERIMENTAL: 1
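Review bot: After this patch the two GHCR login steps in this file are pinned differently: the one in this hunk becomes `uses: docker/login-action@v3`, a mutable major tag, while the `@@ -383` hunk on the same page pins the same action to `0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0`. Both steps pass the `weave-ghcr-bot` credential to the action, so the floating one is the weaker link and every other `uses:` in this hunk (buildx, syft, cosign) already carries a SHA with a version comment. Make this one match: `uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0`.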
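Review bot: The goreleaser-action bump is SHA-pinned, but the GoReleaser binary the action installs is still selected by `version: latest`, so the release build runs whatever GoReleaser happens to be newest on the day a tag is pushed — unpinned release tooling in the job that produces the signed artifacts. As I understand it, v6 of this action tracks GoReleaser v2, whose configuration semantics changed, and with `latest` that jump happens regardless of the action version; `.goreleaser.yaml` is not in this diff and should be checked for the v2 migration. I would pin `version:` to an explicit GoReleaser release, or at minimum a major constraint such as `version: '~> v2'`, and leave `args: release --clean --skip=validate` as is.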
@@ -462,7 +462,7 @@ jobs:
 unlink patches-flux
 echo "version=${VERSION}" >> $GITHUB_OUTPUT
 - name: Login to GHCR
- uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
 with:
 registry: ghcr.io
 username: weave-ghcr-bot
@@ -480,7 +480,7 @@ jobs: echo "FLUX_CLI_IMAGE_DIGEST=${{ needs.release-flux-cli.outputs.image_digest }}" >> ./ghcr.io/flux-system/image_digests oras push -u weave-ghcr-bot -p ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }} ghcr.io/weaveworks/flux-images-digests:${{ steps.patch.outputs.version }} ./ghcr.io/flux-system/image_digests - - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 + - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - name: Sign manifests env: COSIGN_EXPERIMENTAL: 1
@@ -497,7 +497,7 @@ jobs:
 actions: read # for detecting the Github Actions environment.
 id-token: write # for creating OIDC tokens for signing.
 contents: write # for uploading attestations to GitHub releases.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
 with:
 provenance-name: "provenance.intoto.jsonl"
 base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
@@ -510,7 +510,7 @@ jobs:
 actions: read # for detecting the Github Actions environment.
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
 digest: ${{ needs.release-flux-cli.outputs.image_digest }}
diff --git a/.github/workflows/release_v22.yaml b/.github/workflows/release_v22.yaml
index 8cf696b..29b643f 100644
--- a/.github/workflows/release_v22.yaml
+++ b/.github/workflows/release_v22.yaml
@@ -113,7 +113,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-source-controller.outputs.image_url }}
 digest: ${{ needs.release-source-controller.outputs.image_digest }}
@@ -129,7 +129,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-kustomize-controller.outputs.image_url }}
 digest: ${{ needs.release-kustomize-controller.outputs.image_digest }}
@@ -145,7 +145,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-helm-controller.outputs.image_url }}
 digest: ${{ needs.release-helm-controller.outputs.image_digest }}
@@ -161,7 +161,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-image-reflector-controller.outputs.image_url }}
 digest: ${{ needs.release-image-reflector-controller.outputs.image_digest }}
@@ -177,7 +177,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-image-automation-controller.outputs.image_url }}
 digest: ${{ needs.release-image-automation-controller.outputs.image_digest }}
@@ -193,7 +193,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/v')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-notification-controller.outputs.image_url }}
 digest: ${{ needs.release-notification-controller.outputs.image_digest }}
@@ -225,7 +225,7 @@ jobs:
 git config --global user.name "Soule BA"
 git config --global user.email "soule@weave.works"
 - name: Setup Go
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
 go-version: 1.20.x
 cache: false
@@ -233,13 +233,13 @@ jobs:
 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 - name: Setup Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 - name: Setup Syft
- uses: anchore/sbom-action/download-syft@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0.15.1
+ uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
 - name: Setup Cosign
- uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
+ uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v1
+ uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: weave-ghcr-bot
@@ -318,7 +318,7 @@ jobs:
 - name: Run GoReleaser
 id: run-goreleaser
 if: startsWith(github.ref, 'refs/tags/v')
- uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+ uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
 with:
 version: latest
 args: release --clean --skip=validate
@@ -383,7 +383,7 @@ jobs:
 - name: Setup Flux CLI
 uses: ./flux2/action/
 - name: Login to GHCR
- uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
 with:
 registry: ghcr.io
 username: weave-ghcr-bot
@@ -409,7 +409,7 @@ jobs:
 --path="./flux-system" \
 --source=${{ github.repositoryUrl }} \
 --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
- - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
+ - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 - name: Sign manifests
 env:
 COSIGN_EXPERIMENTAL: 1
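Review bot: Same inconsistency as in release_v21.yaml: `uses: docker/login-action@v3` in this hunk is a mutable major tag, while the `@@ -383` hunk of this same file pins docker/login-action to `0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0`, and the buildx, syft and cosign steps beside it are all SHA-pinned with a version comment. This is the step that is handed the `weave-ghcr-bot` credential, so it should be pinned the same way: `uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0`.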
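Review bot: As in release_v21.yaml, the goreleaser-action SHA bump to v6.0.0 leaves `version: latest` in place, so the GoReleaser binary that builds the release artifacts is not pinned at all and the action pin buys little. Since v6 of the action, to my understanding, moves to the GoReleaser v2 line whose config format changed, `.goreleaser.yaml` (not in this diff) should be checked for the v2 migration and `version:` pinned to an explicit release or at least `version: '~> v2'`.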
@@ -462,7 +462,7 @@ jobs:
 unlink patches-flux
 echo "version=${VERSION}" >> $GITHUB_OUTPUT
 - name: Login to GHCR
- uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
 with:
 registry: ghcr.io
 username: weave-ghcr-bot
@@ -480,7 +480,7 @@ jobs: echo "FLUX_CLI_IMAGE_DIGEST=${{ needs.release-flux-cli.outputs.image_digest }}" >> ./ghcr.io/flux-system/image_digests oras push -u weave-ghcr-bot -p ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }} ghcr.io/weaveworks/flux-images-digests:${{ steps.patch.outputs.version }} ./ghcr.io/flux-system/image_digests - - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 + - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - name: Sign manifests env: COSIGN_EXPERIMENTAL: 1
@@ -497,7 +497,7 @@ jobs:
 actions: read # for detecting the Github Actions environment.
 id-token: write # for creating OIDC tokens for signing.
 contents: write # for uploading attestations to GitHub releases.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
 with:
 provenance-name: "provenance.intoto.jsonl"
 base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
@@ -510,7 +510,7 @@ jobs:
 actions: read # for detecting the Github Actions environment.
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
 image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
 digest: ${{ needs.release-flux-cli.outputs.image_digest }}
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index ad27136..b1a923b 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -119,55 +119,55 @@ jobs:
 needs: get-image-version
 steps:
 - name: Log into registry ${{ env.REGISTRY }}
- uses: docker/login-action@v2.1.0
+ uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ secrets.DOCKER_USER }}
 password: ${{ secrets.DOCKER_PASSWORD }}
 - name: Scan source-controller image
- uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
+ uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
 with:
 command: cves
 image: 'ghcr.io/weaveworks/source-controller@${{ needs.get-image-version.outputs.sc }}'
 only-severities: critical,high
 exit-code: true
 - name: Scan kustomize-controller image
- uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
+ uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
 with:
 command: cves
 image: 'ghcr.io/weaveworks/kustomize-controller@${{ needs.get-image-version.outputs.kc }}'
 only-severities: critical,high
 exit-code: true
 - name: Scan helm-controller image
- uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
+ uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
 with:
 command: cves
 image: 'ghcr.io/weaveworks/helm-controller@${{ needs.get-image-version.outputs.hc }}'
 only-severities: critical,high
 exit-code: true
 - name: Scan notification-controller image
- uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
+ uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
 with:
 command: cves
 image: 'ghcr.io/weaveworks/notification-controller@${{ needs.get-image-version.outputs.nc }}'
 only-severities: critical,high
 exit-code: true
 - name: Scan image-reflector-controller image
- uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
+ uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
 with:
 command: cves
 image: 'ghcr.io/weaveworks/image-reflector-controller@${{ 
needs.get-image-version.outputs.irc }}'
 only-severities: critical,high
 exit-code: true
 - name: Scan image-automation-controller image
- uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
+ uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
 with:
 command: cves
 image: 'ghcr.io/weaveworks/image-automation-controller@${{ needs.get-image-version.outputs.iac }}'
 only-severities: critical,high
 exit-code: true
 - name: Scan flux2 image
- uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
+ uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
 with:
 command: cves
 image: 'ghcr.io/weaveworks/flux-cli@${{ needs.get-image-version.outputs.flux2 }}'
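Review bot: This bump loosens the pin rather than tightening it: `docker/login-action@v2.1.0` was an exact release tag and `docker/login-action@v3` is a moving major tag, on the step that receives `${{ secrets.DOCKER_USER }}` and `${{ secrets.DOCKER_PASSWORD }}`. Every scout-action step in the same hunk is pinned to a commit SHA with a `# vX.Y.Z` comment, so the login step should follow suit, e.g. `uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0`, the SHA this same patch uses for the action in the release workflows. `${{ env.REGISTRY }}` is defined outside the hunk, so whether the login target matches the `ghcr.io/...` images being scanned cannot be checked from here.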