diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000..48ac80f --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + ignore: + - dependency-name: "*" + update-types: ["version-update:semver-minor", "version-update:semver-patch"] + cooldown: + default-days: 7 diff --git a/.github/workflows/ccm-integration-tests.yml b/.github/workflows/ccm-integration-tests.yml index 95840e6..f5acd7c 100644 --- a/.github/workflows/ccm-integration-tests.yml +++ b/.github/workflows/ccm-integration-tests.yml @@ -27,16 +27,16 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: persist-credentials: false - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version: '${{ env.GO_VERSION }}' - name: Restore cache - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.cache/golangci-lint @@ -50,7 +50,7 @@ jobs: run: make lint - name: Save cache - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.cache/golangci-lint @@ -62,11 +62,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: persist-credentials: false - - uses: actions/setup-go@v5 + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '${{ env.GO_VERSION }}' @@ -78,7 +78,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: persist-credentials: false @@ -94,7 +94,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: persist-credentials: false @@ -111,7 +111,7 @@ jobs: run: 'shasum -a 256 image.tar | tee image.tar.sha256' - name: Store image - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: tested-image path: | @@ -154,19 +154,19 @@ jobs: group: integration-${{ matrix.kubernetes }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: persist-credentials: false - name: Load image - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: tested-image - name: Validate hash run: 'shasum --check image.tar.sha256' - - uses: actions/setup-go@v5 + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '${{ env.GO_VERSION }}' @@ -198,23 +198,19 @@ jobs: name: Validate GitHub Workflows runs-on: ubuntu-latest + # More Information: + # https://github.com/zizmorcore/zizmor-action?tab=readme-ov-file#usage-with-github-advanced-security-recommended + # + # Use `uvx zizmor .github/` for a local preview using the latest zizmor version. + permissions: contents: read + security-events: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 0 persist-credentials: false - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.13' - - - name: Check Workflows - run: | - python -m pip install zizmor --root-user-action=ignore - zizmor .github/workflows/* - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0