diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 2693baa..620193a 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -101,7 +101,7 @@ jobs:
 docker info -f '{{ .DriverStatus }}'
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Download build image
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
diff --git a/.github/workflows/standard-build.yaml b/.github/workflows/standard-build.yaml
index b9e224b..4532854 100644
--- a/.github/workflows/standard-build.yaml
+++ b/.github/workflows/standard-build.yaml
@@ -118,7 +118,7 @@ jobs:
 image-slug: ${{ steps.slugify-image.outputs.slug }}
 steps:
 - name: Harden Runner
-uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs
@@ -141,7 +141,7 @@ jobs:
 docker info -f '{{ .DriverStatus }}'
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 with:
 # zizmor: runtime artifacts potentially vulnerable to a cache poisoning attack
 cache-binary: false
@@ -150,7 +150,7 @@ jobs:
 uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 - name: Login to GitHub Container Registry
-uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.base.repo.full_name == github.event.pull_request.head.repo.full_name) }}
 with:
 registry: ghcr.io
@@ -159,7 +159,7 @@ jobs:
 - name: Container image meta
 id: image_meta
-uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: |
 ${{ inputs.image }}
@@ -169,7 +169,7 @@ jobs:
 - name: Container meta for the test image
 id: tests_image_meta
 if: ${{ inputs.enable-build-test-layer == true }}
-uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: |
 ${{ inputs.image }}-test
@@ -178,7 +178,7 @@ jobs:
 - name: Build unit test image layer
 if: ${{ inputs.enable-build-test-layer == true }}
 id: build_test
-uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: ${{ inputs.build-context }} # zizmor: ignore[template-injection]
 push: false
@@ -209,7 +209,7 @@ jobs:
 - name: Build and push image
 id: build
-uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: ${{ inputs.build-context }} # zizmor: ignore[template-injection]
 # when in a PR, save the image as a tar archive
@@ -349,12 +349,12 @@ jobs:
 packages: write
 steps:
 - name: Harden Runner
-uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs
 - name: Login to GitHub Container Registry
-uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -382,12 +382,12 @@ jobs:
 packages: write
 steps:
 - name: Harden Runner
-uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs
 - name: Login to GitHub Container Registry
-uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -421,7 +421,7 @@ jobs:
 contents: write
 steps:
 - name: Harden Runner
-uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs
@@ -451,7 +451,7 @@ jobs:
 contents: write
 steps:
 - name: Harden Runner
-uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs
diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml
index 4fbac6e..ef2cb56 100644
--- a/.github/workflows/standard-lint.yaml
+++ b/.github/workflows/standard-lint.yaml
@@ -9,7 +9,7 @@ defaults:
 env:
 # renovate: datasource=pypi depName=zizmor
-ZIZMOR_VERSION: 1.24.1
+ZIZMOR_VERSION: 1.25.2
 on:
 workflow_call:
@@ -69,7 +69,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
-uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs
@@ -78,18 +78,35 @@ jobs:
 with:
 persist-credentials: false
+- name: Create standard zizmor rules file
+env:
+ZIZMOR_CONFIG_YAML: |-
+---
+rules:
+undocumented-permissions:
+disable: true
+concurrency-limits:
+disable: true
+superfluous-actions:
+disable: true
+run: |
+echo "${ZIZMOR_CONFIG_YAML}" > ./.zizmor-standard-lint-defaults.yaml
+
 # MegaLinter
 - name: MegaLinter
 id: ml
 # You can override MegaLinter flavor used to have faster performances
 # More info at https://megalinter.io/latest/flavors/
-uses: oxsecurity/megalinter@8fbdead70d1409964ab3d5afa885e18ee85388bb # v9.4.0
+uses: oxsecurity/megalinter@0e3ce9b9c8c10effb9b269509cc47ca17cae31c7 # v9.5.0
 env:
 VALIDATE_ALL_CODEBASE: "true"
 # only try to post PR comments if it's not a fork
 GITHUB_COMMENT_REPORTER: ${{ !github.event.pull_request.head.repo.fork }}
 GITHUB_TOKEN: ${{ secrets.github-token }} # zizmor: ignore[secrets-outside-env]
 SARIF_REPORTER: "true"
+ACTION_ZIZMOR_CONFIG_FILE: ./.zizmor-standard-lint-defaults.yaml
+ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN
+REPOSITORY_OSV_SCANNER_ARGUMENTS: --allow-no-lockfiles
 # Upload MegaLinter artifacts
 - name: Archive production artifacts
@@ -103,7 +120,7 @@ jobs:
 - name: Upload MegaLinter scan results to GitHub Security tab
 if: ${{ always() }}
-uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 sarif_file: "megalinter-reports/megalinter-report.sarif"
@@ -196,7 +213,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
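Review bot: The zizmor config is now written into the checked-out workspace as `./.zizmor-standard-lint-defaults.yaml` immediately before a MegaLinter run with `VALIDATE_ALL_CODEBASE: "true"`, so the generated file is presumably itself picked up by the other linters in that run and would overwrite a same-named file in a calling repository, whereas the deleted job wrote it to `/tmp`. If the descriptor needs a workspace path, exclude it from the scan (e.g. `FILTER_REGEX_EXCLUDE: \.zizmor-standard-lint-defaults\.yaml`) and say in a comment on the step that the file is generated and must not be committed. `ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN` forwards the caller-supplied `secrets.github-token` to the zizmor process, while the deleted job used the workflow's own `GITHUB_TOKEN` under an explicitly minimal `permissions` block, so a comment should state what zizmor needs the token for and what scope callers are expected to grant. Parity with the job removed in the `@@ -222,58 +239,6 @@` hunk is not visible here: it ran with `--pedantic` and uploaded SARIF under `category: zizmor`, so if that strictness is intended it presumably needs the linter's arguments variable (`ACTION_ZIZMOR_ARGUMENTS`, by analogy with `REPOSITORY_OSV_SCANNER_ARGUMENTS`), and the `ZIZMOR_VERSION` env bumped in the `@@ -9,7 +9,7 @@` hunk appears to have lost its only visible consumer. `REPOSITORY_OSV_SCANNER_ARGUMENTS: --allow-no-lockfiles` turns a missing lockfile from a failure into a silent pass, which deserves a one-line comment so repositories without lockfiles are not assumed to have been scanned.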
@@ -209,7 +226,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
-uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -222,58 +239,6 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 category: "/language:${{matrix.language}}"
-
-zizmor:
-name: zizmor scan
-runs-on: ubuntu-24.04
-if: ${{ github.event_name == 'pull_request' }}
-permissions:
-security-events: write
-contents: read
-actions: read
-steps:
-- name: Checkout Code
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with:
-persist-credentials: false
-
-- name: Install the latest version of uv
-uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
-with:
-enable-cache: false
-
-- name: Create standard zizmor rules file
-env:
-ZIZMOR_CONFIG_YAML: |
-rules:
-undocumented-permissions:
-disable: true
-concurrency-limits:
-disable: true
-superfluous-actions:
-disable: true
-run: |
-echo "${ZIZMOR_CONFIG_YAML}" > /tmp/zizmor-standard-lint-defaults.yaml
-
-- name: Run zizmor (sarif)
-run: |
-uvx "zizmor@${ZIZMOR_VERSION}" --pedantic --format sarif . > results.sarif
-env:
-GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-ZIZMOR_CONFIG: /tmp/zizmor-standard-lint-defaults.yaml
-
-- name: Upload SARIF file
-uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
-with:
-sarif_file: results.sarif
-category: zizmor
-
-- name: Run zizmor (fail on findings)
-run: |
-uvx "zizmor@${ZIZMOR_VERSION}" --verbose --pedantic --format plain .
-env:
-GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-ZIZMOR_CONFIG: /tmp/zizmor-standard-lint-defaults.yaml
diff --git a/.github/workflows/standard-release.yaml b/.github/workflows/standard-release.yaml
index e356161..3074bbe 100644
--- a/.github/workflows/standard-release.yaml
+++ b/.github/workflows/standard-release.yaml
@@ -39,17 +39,20 @@ jobs:
 issues: write
 steps:
 - name: Harden Runner
-uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs
-- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 id: app-token
 if: ${{ inputs.use-app-token }}
 with:
-app-id: ${{ secrets.app-token-app-id }} # zizmor: ignore[secrets-outside-env]
+client-id: ${{ secrets.app-token-app-id }} # zizmor: ignore[secrets-outside-env]
 private-key: ${{ secrets.app-token-private-key }} # zizmor: ignore[secrets-outside-env]
-owner: ${{ github.repository_owner }}
+repositories: ${{ github.repository }}
+permission-contents: write
+permission-pull-requests: write
+permission-issues: write
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/Dockerfile b/Dockerfile
index 1ae06c2..6e07254 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/library/python:3.14.4-slim@sha256:2ca02f32b4d9d893863367ce07ec1972819f476dd38d8612f2a9cb6a41cbb727 AS base
+FROM docker.io/library/python:3.14.5-slim@sha256:c845af9399020c7e562969a13689e929074a10fd057acd1b1fad06a2fb068e97 AS base
 WORKDIR /app
 COPY hello_world.py .
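Review bot: `repositories: ${{ github.repository }}` expands to `owner/name`, while the `repositories` input of actions/create-github-app-token takes a comma- or newline-separated list of repository names with `owner` defaulting to the current repository owner; unless the v3.2.0 README states that the full name is accepted, this should be `repositories: ${{ github.event.repository.name }}`, otherwise the token request is likely to fail at runtime rather than at lint time. The new `client-id` input is still fed from a secret named `app-token-app-id`; if callers store a numeric App ID there rather than the app's Client ID the step breaks silently on upgrade, so confirm what the secret holds and document the expected value on the `workflow_call` secret (renaming it would break callers). The added `permission-contents`, `permission-pull-requests` and `permission-issues` lines narrow the installation token to what the release steps need, which is the right direction and worth a comment such as `# scope the installation token to the release steps' needs rather than the installation's full grant`. The enclosing job starts outside the hunk, so whether its `permissions` block matches these three scopes cannot be checked here.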