diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index 9a7d27d46..1588c7566 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -41,7 +41,7 @@ jobs:
 # We need extglob for REFERENCE_BRANCH substitution
 shell: bash -l -O extglob {0}
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 token: ${{ github.token }}
 persist-credentials: false
@@ -91,7 +91,7 @@ jobs:
 # Also build the diracx metapackage
 python -m build --outdir $PWD/dist .
 - name: 'Upload Artifact'
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: diracx-whl
 path: dist/diracx*.whl
@@ -100,7 +100,7 @@ jobs:
 # https://docs.pypi.org/trusted-publishers/
 - name: Publish package on PyPI
 if: steps.check-tag.outputs.create-release == 'true'
- uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
 with:
 # Generate and upload PEP 740 attestations (build provenance) for the wheels.
 attestations: true
@@ -116,15 +116,15 @@ jobs:
 attestations: write # write build-provenance attestations
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 - name: Set up QEMU
- uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+ uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Login to GitHub container registry
- uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -132,7 +132,7 @@ jobs:
 - name: Build and push services (release)
 id: build-services-release
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 if: ${{ needs.deploy-pypi.outputs.create-release == 'true' }}
 with:
 context: .
@@ -150,7 +150,7 @@ jobs:
 push-to-registry: true
 - name: Build and push tasks (release)
 id: build-tasks-release
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 if: ${{ needs.deploy-pypi.outputs.create-release == 'true' }}
 with:
 context: .
@@ -168,7 +168,7 @@ jobs:
 push-to-registry: true
 - name: Build and push client (release)
 id: build-client-release
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 if: ${{ needs.deploy-pypi.outputs.create-release == 'true' }}
 with:
 context: .
@@ -186,7 +186,7 @@ jobs:
 push-to-registry: true
 - name: Build and push services (dev)
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 file: containers/Dockerfile
@@ -195,7 +195,7 @@ jobs:
 tags: ghcr.io/diracgrid/diracx/services:dev
 platforms: linux/amd64,linux/arm64
 - name: Build and push tasks (dev)
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 file: containers/Dockerfile
@@ -204,7 +204,7 @@ jobs:
 tags: ghcr.io/diracgrid/diracx/tasks:dev
 platforms: linux/amd64,linux/arm64
 - name: Build and push client (dev)
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 file: containers/Dockerfile
@@ -222,12 +222,12 @@ jobs:
 if: ${{ needs.deploy-pypi.outputs.create-release == 'true' }}
 steps:
 - name: Checkout diracx
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 path: diracx
 persist-credentials: false
 - name: Checkout diracx-charts
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 repository: DIRACGrid/diracx-charts
 token: ${{ secrets.CHARTS_UPDATE_TOKEN }}
@@ -262,7 +262,7 @@ jobs:
 echo "current_chart_version=$CURRENT_CHART_VERSION" >> $GITHUB_OUTPUT
 echo "new_chart_version=$NEW_CHART_VERSION" >> $GITHUB_OUTPUT
 echo "diracx_version=$VERSION" >> $GITHUB_OUTPUT
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 working-directory: ./diracx-charts
 - name: Run pre-commit to update README
diff --git a/.github/workflows/draft-on-changes-requested.yml b/.github/workflows/draft-on-changes-requested.yml
index 957b07246..4cd71dd98 100644
--- a/.github/workflows/draft-on-changes-requested.yml
+++ b/.github/workflows/draft-on-changes-requested.yml
@@ -26,7 +26,7 @@ jobs:
 draft:
 needs: get-pr
- uses: DIRACGrid/.github/.github/workflows/draft-on-changes-requested.yml@eab297d50d33cf7eabf0b388ac57d1f91e36d14c # main
+ uses: DIRACGrid/.github/.github/workflows/draft-on-changes-requested.yml@a599200da5df9e3ea9104a6b9b99eb5bf83754a3 # main
 with:
 pr_number: ${{ fromJSON(needs.get-pr.outputs.pr_number) }}
 secrets:
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 332292cca..c04a8acde 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -33,7 +33,7 @@ jobs:
 dirac-branch:
 - integration
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -95,7 +95,7 @@ jobs:
 echo "::group::DIRAC server logs"
 cd /tmp/DIRACRepo && ./integration_tests.py logs --no-follow --lines 1000 2>&1 | tee /tmp/service-logs/dirac.log || true
 echo "::endgroup::"
- - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: ${{ failure() }}
 with:
 name: service-logs-${{ github.job }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 2ff5737cf..f78ac669b 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -30,14 +30,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 run-install: false
 post-cleanup: false
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 cache: false
 environments: shellcheck
@@ -67,10 +67,10 @@ jobs:
 - gubbins-cli
 steps:
 - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 run-install: false
 post-cleanup: false
@@ -81,7 +81,7 @@ jobs:
 rm pixi.toml.bak
 # Show any changes
 git diff
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 cache: false
 environments: ${{ matrix.package }}
@@ -120,10 +120,10 @@ jobs:
 echo "After cleanup:"
 df -h
 - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 run-install: false
 post-cleanup: false
@@ -134,14 +134,14 @@ jobs:
 rm pixi.toml.bak
 # Show any changes
 git diff
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 cache: false
 environments: ${{ matrix.extension == 'diracx' && 'default' || 'default-gubbins' }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Build services image
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 file: containers/Dockerfile
@@ -150,7 +150,7 @@ jobs:
 tags: ghcr.io/${{ matrix.extension == 'diracx' && 'diracgrid/diracx' || 'gubbins' }}/services:dev
 outputs: type=docker,dest=/tmp/services_image.tar
 - name: Build tasks image
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 file: containers/Dockerfile
@@ -159,7 +159,7 @@ jobs:
 tags: ghcr.io/${{ matrix.extension == 'diracx' && 'diracgrid/diracx' || 'gubbins' }}/tasks:dev
 outputs: type=docker,dest=/tmp/tasks_image.tar
 - name: Build client image
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 file: containers/Dockerfile
@@ -244,14 +244,14 @@ jobs:
 package: [diracx, gubbins]
 steps:
 - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 run-install: false
 post-cleanup: false
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 cache: false
 locked: false
@@ -267,14 +267,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 run-install: false
 post-cleanup: false
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 cache: false
 environments: pre-commit
diff --git a/.github/workflows/record-changes-requested.yml b/.github/workflows/record-changes-requested.yml
index 7e472c553..f04478ec7 100644
--- a/.github/workflows/record-changes-requested.yml
+++ b/.github/workflows/record-changes-requested.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - run: echo "${{ github.event.pull_request.number }}" > pr_number.txt
- - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: pr-info
 path: pr_number.txt
diff --git a/.github/workflows/update_security_txt_expiry.yml b/.github/workflows/update_security_txt_expiry.yml
index 17e45fb4b..81e717d5e 100644
--- a/.github/workflows/update_security_txt_expiry.yml
+++ b/.github/workflows/update_security_txt_expiry.yml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
@@ -76,7 +76,7 @@ jobs:
 - name: Create Pull Request
 if: steps.update_script.outputs.changes_made == 'true'
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 commit-message: "chore(security): Update security.txt expiry date"
diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml
index 758be4060..284a1fb25 100644
--- a/.github/workflows/vulnerabilities.yml
+++ b/.github/workflows/vulnerabilities.yml
@@ -16,26 +16,26 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
 tags: true
 persist-credentials: false
 - name: Run Trivy (client:dev)
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
 with:
 image-ref: "ghcr.io/diracgrid/diracx/client:dev"
 format: "sarif"
 output: "client-dev-vulnerability-report.sarif"
 - name: Upload SARIF to GitHub Security (client:dev)
- uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 sarif_file: "client-dev-vulnerability-report.sarif"
 category: "client-dev"
 - name: Run Trivy (services:dev)
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
 with:
 image-ref: "ghcr.io/diracgrid/diracx/services:dev"
 format: "sarif"
@@ -43,7 +43,7 @@ jobs:
 skip-setup-trivy: true
 - name: Upload SARIF to GitHub Security (services:dev)
- uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 sarif_file: "services-dev-vulnerability-report.sarif"
 category: "services-dev"
@@ -61,7 +61,7 @@ jobs:
 - name: Run Trivy (client:release)
 if: ${{ steps.get-latest-tag.outputs.latest_tag != '' }}
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
 with:
 image-ref: "ghcr.io/diracgrid/diracx/client:${{ steps.get-latest-tag.outputs.latest_tag }}"
 format: "sarif"
@@ -70,14 +70,14 @@ jobs:
 - name: Upload SARIF to GitHub Security (client:rel)
 if: ${{ steps.get-latest-tag.outputs.latest_tag != '' }}
- uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 sarif_file: "client-rel-vulnerability-report.sarif"
 category: "client-rel"
 - name: Run Trivy (services:release)
 if: ${{ steps.get-latest-tag.outputs.latest_tag != '' }}
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
 with:
 image-ref: "ghcr.io/diracgrid/diracx/services:${{ steps.get-latest-tag.outputs.latest_tag }}"
 format: "sarif"
@@ -86,7 +86,7 @@ jobs:
 - name: Upload SARIF to GitHub Security (services:rel)
 if: ${{ steps.get-latest-tag.outputs.latest_tag != '' }}
- uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 sarif_file: "services-rel-vulnerability-report.sarif"
 category: "services-rel"
diff --git a/extensions/gubbins/.github/workflows/main.yml b/extensions/gubbins/.github/workflows/main.yml
index 4d5598d57..b12b19a27 100644
--- a/extensions/gubbins/.github/workflows/main.yml
+++ b/extensions/gubbins/.github/workflows/main.yml
@@ -27,11 +27,11 @@ jobs:
 - gubbins-cli
 steps:
 - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 run-install: false
 post-cleanup: false
@@ -42,7 +42,7 @@ jobs:
 rm pixi.toml.bak
 # Show any changes
 git diff
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 environments: ${{ matrix.package }}
 - name: Run pytest
@@ -54,15 +54,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 run-install: false
 post-cleanup: false
- - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+ - uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
 with:
 environments: generate-client
 - name: Run autorest