From bcf7dd33d3ef8974b63881dd6aa4765d7ae75a0a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 17 Oct 2024 12:52:33 +0000 Subject: [PATCH] chore(deps): pin dependencies --- .github/workflows/add-to-task-list.yml | 4 +- .github/workflows/dependency_review.yml | 4 +- .github/workflows/fail-notify.yml | 6 +- .github/workflows/fix-fail-notify.yml | 6 +- .github/workflows/format-json-yml.yml | 6 +- .github/workflows/gcr-cleaner.yml | 4 +- .../github-actions-cache-cleaner.yml | 4 +- .github/workflows/release.yml | 114 +++++++++--------- .../workflows/remove_app_engine_versions.yml | 8 +- .github/workflows/resource-update.yml | 12 +- .github/workflows/super-linter.yml | 6 +- .github/workflows/update-gitleaks.yml | 6 +- frontend/Dockerfile | 4 +- gcp/datastore/Dockerfile | 2 +- server/Dockerfile | 2 +- 15 files changed, 94 insertions(+), 94 deletions(-) diff --git a/.github/workflows/add-to-task-list.yml b/.github/workflows/add-to-task-list.yml index 946a764fe..4035ff311 100644 --- a/.github/workflows/add-to-task-list.yml +++ b/.github/workflows/add-to-task-list.yml @@ -15,11 +15,11 @@ jobs: steps: - name: Generate a token id: generate_token - uses: actions/create-github-app-token@v1.11.0 + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 with: app-id: ${{ secrets.PROJECT_AUTOMATION_APP_ID }} private-key: ${{ secrets.PROJECT_AUTOMATION_PRIVATE_KEY }} - - uses: dev-hato/actions-add-to-projects@v0.0.83 + - uses: dev-hato/actions-add-to-projects@fd5b783f40eca48aaee26b62b3df0c1606e845dc # v0.0.83 with: github-token: ${{steps.generate_token.outputs.token}} project-url: https://github.com/orgs/dev-hato/projects/1 diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml index c258bf7ff..f72037533 100644 --- a/.github/workflows/dependency_review.yml +++ b/.github/workflows/dependency_review.yml 
@@ -7,8 +7,8 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/dependency-review-action@v4.3.4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 with: base-ref: ${{ github.base_ref || github.event.merge_group.base_ref }} head-ref: ${{ github.head_ref || github.event.merge_group.head_ref }} diff --git a/.github/workflows/fail-notify.yml b/.github/workflows/fail-notify.yml index 4fe0c228c..5a485889a 100644 --- a/.github/workflows/fail-notify.yml +++ b/.github/workflows/fail-notify.yml @@ -22,17 +22,17 @@ jobs: runs-on: ubuntu-latest if: github.event.workflow_run.conclusion == 'failure' steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Get slack payload id: get_slack_payload - uses: actions/github-script@v7.0.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{secrets.GITHUB_TOKEN}} result-encoding: string script: | const script = require(`${process.env.GITHUB_WORKSPACE}/scripts/fail_notify/fail_notify/get_slack_payload.js`) return script({context}) - - uses: slackapi/slack-github-action@v1.27.0 + - uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 with: channel-id: ${{secrets.SLACK_CHANNEL_ID}} payload: ${{steps.get_slack_payload.outputs.result}} diff --git a/.github/workflows/fix-fail-notify.yml b/.github/workflows/fix-fail-notify.yml index ce51f28bc..3f5959690 100644 --- a/.github/workflows/fix-fail-notify.yml +++ b/.github/workflows/fix-fail-notify.yml 
@@ -10,17 +10,17 @@ jobs: steps: - name: Generate a token id: generate_token - uses: actions/create-github-app-token@v1.11.0 + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 with: app-id: ${{ secrets.PROJECT_AUTOMATION_APP_ID }} private-key: ${{ secrets.PROJECT_AUTOMATION_PRIVATE_KEY }} - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha }} token: ${{steps.generate_token.outputs.token}} - run: bash "${GITHUB_WORKSPACE}/scripts/fix_fail_notify/fix_fail_notify/fix_fail_notify.sh" - - uses: dev-hato/actions-diff-pr-management@v1.2.0 + - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0 with: github-token: ${{steps.generate_token.outputs.token}} branch-name-prefix: fix-fail-notify diff --git a/.github/workflows/format-json-yml.yml b/.github/workflows/format-json-yml.yml index 459a71a83..854767b05 100644 --- a/.github/workflows/format-json-yml.yml +++ b/.github/workflows/format-json-yml.yml 
@@ -17,17 +17,17 @@ jobs: steps: - name: Generate a token id: generate_token - uses: actions/create-github-app-token@v1.11.0 + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 with: app-id: ${{ secrets.PROJECT_AUTOMATION_APP_ID }} private-key: ${{ secrets.PROJECT_AUTOMATION_PRIVATE_KEY }} - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha }} token: ${{steps.generate_token.outputs.token}} - - uses: dev-hato/actions-format-json-yml@v0.0.74 + - uses: dev-hato/actions-format-json-yml@fb4529a3bce610d82460527c56ff354ed545d1a1 # v0.0.74 with: github-token: ${{steps.generate_token.outputs.token}} concurrency: diff --git a/.github/workflows/gcr-cleaner.yml b/.github/workflows/gcr-cleaner.yml index 2dfe9c959..02bf3940e 100644 --- a/.github/workflows/gcr-cleaner.yml +++ b/.github/workflows/gcr-cleaner.yml @@ -14,10 +14,10 @@ jobs: gcr-cleaner: runs-on: "ubuntu-latest" steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - id: "auth" name: "Authenticate to GCP" - uses: google-github-actions/auth@v2.1.6 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: ${{env.GCP_WORKLOAD_IDENTITY_PROVIDER}} service_account: ${{env.GCP_SERVICE_ACCOUNT}} diff --git a/.github/workflows/github-actions-cache-cleaner.yml b/.github/workflows/github-actions-cache-cleaner.yml index 3e47de96a..73a316c55 100644 --- a/.github/workflows/github-actions-cache-cleaner.yml +++ b/.github/workflows/github-actions-cache-cleaner.yml 
@@ -13,8 +13,8 @@ jobs: github-actions-cache-cleaner: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 - - uses: dev-hato/github-actions-cache-cleaner@v0.0.54 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: dev-hato/github-actions-cache-cleaner@8885351fba02a9d237a5115d7dff95f2b8fa8078 # v0.0.54 with: github-token: ${{secrets.GITHUB_TOKEN}} concurrency: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1cf97ff35..990da8406 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,8 +22,8 @@ jobs: deploy-files: ${{ steps.changes.outputs.deploy-files }} if: github.event_name != 'pull_request' || github.event.action != 'closed' steps: - - uses: actions/checkout@v4.2.1 - - uses: dorny/paths-filter@v3.0.2 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: changes with: filters: | @@ -45,8 +45,8 @@ jobs: run: working-directory: frontend steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/setup-node@v4.0.4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: frontend/.node-version cache: npm 
@@ -68,25 +68,25 @@ jobs: packages: write if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed' && github.repository == github.event.pull_request.head.repo.full_name) || github.event_name == 'merge_group' steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Login to GitHub Container Registry - uses: docker/login-action@v3.3.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3.2.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3.7.1 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - run: cat .env >>"$GITHUB_ENV" - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: HEAD_REF: ${{github.head_ref || github.event.merge_group.head_ref}} if: github.event_name == 'pull_request' || github.event_name == 'merge_group' - name: Build and push - uses: docker/bake-action@v5.10.0 + uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0 env: DOCKER_CONTENT_TRUST: 1 with: 
@@ -104,32 +104,32 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Login to GitHub Container Registry - uses: docker/login-action@v3.3.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3.2.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3.7.1 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - run: cat .env >>"$GITHUB_ENV" - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: HEAD_REF: ${{github.head_ref || github.event.merge_group.head_ref}} if: github.event_name == 'pull_request' || github.event_name == 'merge_group' - name: Build and push (dev) - uses: docker/bake-action@v5.10.0 + uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0 env: DOCKER_CONTENT_TRUST: 1 with: push: true files: compose.yml,dev.base.compose.yml - name: Build and push (staging) - uses: docker/bake-action@v5.10.0 + uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0 env: DOCKER_CONTENT_TRUST: 1 with: @@ -146,7 +146,7 @@ jobs: DOCKER_CONTENT_TRUST: 1 REPOSITORY: ${{github.repository}} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 
@@ -162,14 +162,14 @@ jobs: if: github.event_name != 'pull_request' || github.event.action != 'closed' run: bash "${GITHUB_WORKSPACE}/scripts/get_go_version.sh" - name: Set up Go - uses: actions/setup-go@v5.0.2 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: go-version: ${{steps.get_go_version.outputs.go_version}} - name: Install goimports if: github.event_name != 'pull_request' || github.event.action != 'closed' run: bash "${GITHUB_WORKSPACE}/scripts/release/format_go/run_goimports.sh" - - uses: dev-hato/actions-diff-pr-management@v1.2.0 + - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0 with: github-token: ${{secrets.GITHUB_TOKEN}} branch-name-prefix: fix-format @@ -185,7 +185,7 @@ jobs: env: DOCKER_CMD: "node --version && npm --version" steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 @@ -211,7 +211,7 @@ jobs: NODE_VERSION: ${{steps.get_node_version.outputs.node_version}} NPM_VERSION: ${{steps.get_node_version.outputs.npm_version}} run: bash "${GITHUB_WORKSPACE}/scripts/release/update_package/update_versions.sh" - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: node-version-file: .node-version @@ -219,7 +219,7 @@ jobs: - name: Update packages (.) if: github.event_name != 'pull_request' || github.event.action != 'closed' run: npm install - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: node-version-file: frontend/.node-version 
@@ -229,7 +229,7 @@ jobs: if: github.event_name != 'pull_request' || github.event.action != 'closed' run: npm install working-directory: frontend - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: node-version-file: test/e2e/.node-version @@ -239,7 +239,7 @@ jobs: if: github.event_name != 'pull_request' || github.event.action != 'closed' run: npm install working-directory: test/e2e - - uses: dev-hato/actions-diff-pr-management@v1.2.0 + - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0 with: github-token: ${{secrets.GITHUB_TOKEN}} branch-name-prefix: fix-version @@ -247,12 +247,12 @@ jobs: update-dockle: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha }} - - uses: dev-hato/actions-update-dockle@v0.0.100 + - uses: dev-hato/actions-update-dockle@7d767818acf33e5f6f7a4887566aa5f8f36bdf53 # v0.0.100 with: github-token: ${{secrets.GITHUB_TOKEN}} check-nginx-config: @@ -260,7 +260,7 @@ jobs: needs: - docker-compose-build steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - run: cat .env >>"$GITHUB_ENV" - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: @@ -285,7 +285,7 @@ jobs: DOCKER_CONTENT_TRUST: 1 REPOSITORY: ${{github.repository}} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: HEAD_REF: ${{github.head_ref || github.event.merge_group.head_ref}} 
@@ -303,8 +303,8 @@ jobs: run: working-directory: frontend steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/setup-node@v4.0.4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: frontend/.node-version cache: npm @@ -325,19 +325,19 @@ jobs: DOCKER_CONTENT_TRUST: 1 REPOSITORY: ${{github.repository}} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - run: cat .env >>"$GITHUB_ENV" - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: HEAD_REF: ${{github.head_ref || github.event.merge_group.head_ref}} if: github.event_name == 'pull_request' || github.event_name == 'merge_group' - run: bash "${GITHUB_WORKSPACE}/scripts/release/run_docker_compose.sh" - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: test/e2e/.node-version cache: npm cache-dependency-path: test/e2e/package-lock.json - - uses: browser-actions/setup-firefox@v1.5.2 + - uses: browser-actions/setup-firefox@955a5d42b5f068a8917c6a4ff1656a2235c66dfb # v1.5.2 if: matrix.browser_name == 'firefox' with: firefox-version: ${{ matrix.browser_version }} 
@@ -359,19 +359,19 @@ jobs: DOCKER_CONTENT_TRUST: 1 REPOSITORY: ${{github.repository}} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - run: cat .env >>"$GITHUB_ENV" - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: HEAD_REF: ${{github.head_ref || github.event.merge_group.head_ref}} if: github.event_name == 'pull_request' || github.event_name == 'merge_group' - run: bash "${GITHUB_WORKSPACE}/scripts/release/run_docker_compose.sh" - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: test/e2e/.node-version cache: npm cache-dependency-path: test/e2e/package-lock.json - - uses: browser-actions/setup-firefox@v1.5.2 + - uses: browser-actions/setup-firefox@955a5d42b5f068a8917c6a4ff1656a2235c66dfb # v1.5.2 if: matrix.browser_name == 'firefox' with: firefox-version: ${{ matrix.browser_version }} @@ -390,7 +390,7 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/download-artifact@v4.1.8 with: name: frontend @@ -401,12 +401,12 @@ jobs: if: ${{ github.event_name == 'push' }} - id: "auth" name: "Authenticate to GCP" - uses: google-github-actions/auth@v2.1.6 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: ${{env.GCP_WORKLOAD_IDENTITY_PROVIDER}} service_account: ${{env.GCP_SERVICE_ACCOUNT}} - name: Deploy to App Engine - uses: google-github-actions/deploy-appengine@v2.1.3 + uses: google-github-actions/deploy-appengine@3c758836610e6ad98d8719bf3e2bdf94c3082728 # v2.1.3 with: deliverables: app.yaml project_id: hato-atama 
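Review bot: The pin is incomplete in the `@@ -390` hunk: `- uses: actions/download-artifact@v4.1.8`, the step immediately after the newly pinned checkout, is left on a mutable tag while every other action in that job is now referenced by commit SHA, and a tag can be moved to different content at any time. Pin it the same way, `- uses: actions/download-artifact@<sha-of-v4.1.8> # v4.1.8`, and if the matching `upload-artifact` step elsewhere in this workflow is also on a tag, pin that too. This matters more than usual here because the job carries `id-token: write` and goes on to exchange that token for GCP credentials via `google-github-actions/auth`, so an unpinned third-party step runs in the same job as a privileged credential exchange.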
@@ -423,8 +423,8 @@ jobs: pull-requests: write if: github.event_name == 'pull_request' steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/github-script@v7.0.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: SHA: ${{github.event.pull_request.head.sha}} with: @@ -442,9 +442,9 @@ jobs: ARTIFACT_PATH: ${{ github.workspace }}/tmp/artifacts URLS: https://v${{ github.run_number }}-dot-hato-atama.an.r.appspot.com steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - run: mkdir -p "${ARTIFACT_PATH}" - - uses: foo-software/lighthouse-check-action@v12.0.1 + - uses: foo-software/lighthouse-check-action@a80267da2e0244b8a2e457a8575fc47590615852 # v12.0.1 with: gitHubAccessToken: ${{ secrets.GITHUB_TOKEN }} urls: ${{ env.URLS }} @@ -465,13 +465,13 @@ jobs: browser_name: ["chrome", "electron", "edge"] include: ${{fromJson(needs.make-browserslist.outputs.browserslist)}} steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/setup-node@v4.0.4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: test/e2e/.node-version cache: npm cache-dependency-path: test/e2e/package-lock.json - - uses: browser-actions/setup-firefox@v1.5.2 + - uses: browser-actions/setup-firefox@955a5d42b5f068a8917c6a4ff1656a2235c66dfb # v1.5.2 if: matrix.browser_name == 'firefox' with: firefox-version: ${{ matrix.browser_version }} 
@@ -493,13 +493,13 @@ jobs: include: ${{fromJson(needs.make-browserslist.outputs.browserslist)}} if: ${{ github.event_name == 'push' }} steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/setup-node@v4.0.4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: test/e2e/.node-version cache: npm cache-dependency-path: test/e2e/package-lock.json - - uses: browser-actions/setup-firefox@v1.5.2 + - uses: browser-actions/setup-firefox@955a5d42b5f068a8917c6a4ff1656a2235c66dfb # v1.5.2 if: matrix.browser_name == 'firefox' with: firefox-version: ${{ matrix.browser_version }} @@ -517,14 +517,14 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - id: "auth" name: "Authenticate to GCP" - uses: google-github-actions/auth@v2.1.6 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: ${{env.GCP_WORKLOAD_IDENTITY_PROVIDER}} service_account: ${{env.GCP_SERVICE_ACCOUNT}} - - uses: google-github-actions/setup-gcloud@v2.1.1 + - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - run: bash "${GITHUB_WORKSPACE}/scripts/release/migrating_traffic/set_traffic.sh" remove-app-engine-past-versions: runs-on: ubuntu-latest @@ -535,9 +535,9 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Get run numbers - uses: actions/github-script@v7.0.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: get_run_numbers env: HEAD_REF: master 
@@ -551,11 +551,11 @@ jobs: - id: "auth" if: ${{ steps.get_run_numbers.outputs.result != '' }} name: "Authenticate to GCP" - uses: google-github-actions/auth@v2.1.6 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: ${{env.GCP_WORKLOAD_IDENTITY_PROVIDER}} service_account: ${{env.GCP_SERVICE_ACCOUNT}} - - uses: google-github-actions/setup-gcloud@v2.1.1 + - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 if: ${{ steps.get_run_numbers.outputs.result != '' }} - name: Remove app engine versions if: ${{ steps.get_run_numbers.outputs.result != '' }} @@ -605,7 +605,7 @@ jobs: if: (github.event_name == 'pull_request' && github.event.action != 'closed') || github.event_name == 'merge_group' runs-on: ubuntu-latest steps: - - uses: Kesin11/actions-timeline@v2 + - uses: Kesin11/actions-timeline@3046833d9aacfd7745c5264b7f3af851c3e2a619 # v2 # pushをトリガーとした場合に完了しているべきjobが完了したか release-complete: runs-on: ubuntu-latest @@ -624,7 +624,7 @@ jobs: if: github.event_name == 'push' runs-on: ubuntu-latest steps: - - uses: Kesin11/actions-timeline@v2 + - uses: Kesin11/actions-timeline@3046833d9aacfd7745c5264b7f3af851c3e2a619 # v2 concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/remove_app_engine_versions.yml b/.github/workflows/remove_app_engine_versions.yml index e6a92559f..db0274c17 100644 --- a/.github/workflows/remove_app_engine_versions.yml +++ b/.github/workflows/remove_app_engine_versions.yml 
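Review bot: The trailing comment on both `Kesin11/actions-timeline` lines is `# v2`, a floating major tag, so unlike the other pins in this commit it does not record which release the SHA `3046833…` actually corresponds to, and a reader or auditor cannot tell from the file what is pinned. Replace it with the exact release tag that resolves to that commit, in the same `# vX.Y.Z` form used on every other line of this patch. As far as I know Renovate reads the pinned version from this comment, so with `# v2` the digest will be advanced whenever the major tag moves rather than tracked against a specific release.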
@@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest if: github.repository == github.event.pull_request.head.repo.full_name && github.repository == 'dev-hato/hato-atama' steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Get run numbers - uses: actions/github-script@v7.0.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: get_run_numbers env: HEAD_REF: ${{github.event.pull_request.head.ref}} @@ -27,11 +27,11 @@ jobs: - id: "auth" if: ${{ steps.get_run_numbers.outputs.result != '' }} name: "Authenticate to GCP" - uses: google-github-actions/auth@v2.1.6 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: "projects/765091727073/locations/global/workloadIdentityPools/hato-atama-workload-identity/providers/github" service_account: "actions-deploy@hato-atama.iam.gserviceaccount.com" - - uses: google-github-actions/setup-gcloud@v2.1.1 + - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 if: ${{ steps.get_run_numbers.outputs.result != '' }} - if: ${{ steps.get_run_numbers.outputs.result != '' }} run: gcloud app versions delete --service=default ${{steps.get_run_numbers.outputs.result}} diff --git a/.github/workflows/resource-update.yml b/.github/workflows/resource-update.yml index 215d4ac18..b92f16e52 100644 --- a/.github/workflows/resource-update.yml +++ b/.github/workflows/resource-update.yml 
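Review bot: The last line of the `@@ -27` hunk, `run: gcloud app versions delete --service=default ${{steps.get_run_numbers.outputs.result}}`, interpolates a step output directly into the shell command; the expression is substituted before bash parses the line, so any shell metacharacters in that output become commands. The value presumably comes from the `get_run_numbers` script, which reads `HEAD_REF` from the PR head ref, and is probably a list of numeric run numbers, but the `run:` line should not rely on that. Route it through the environment instead: `env: VERSIONS: ${{ steps.get_run_numbers.outputs.result }}` on the step and `run: gcloud app versions delete --service=default $VERSIONS` (left unquoted to keep the existing word-splitting of a space-separated list). This is pre-existing context rather than something the pin commit introduced, but it runs right after the job has authenticated to GCP as the deploy service account.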
@@ -13,12 +13,12 @@ jobs: run: working-directory: ${{ matrix.path }} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: node-version-file: ${{ matrix.path }}/.node-version @@ -27,7 +27,7 @@ jobs: - name: ncu install if: github.event_name != 'pull_request' || github.event.action != 'closed' run: bash "${GITHUB_WORKSPACE}/scripts/resource_update/update.sh" - - uses: dev-hato/actions-diff-pr-management@v1.2.0 + - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0 with: github-token: ${{secrets.GITHUB_TOKEN}} branch-name-prefix: update-${{ matrix.path }} @@ -37,7 +37,7 @@ jobs: env: REPOSITORY: ${{github.repository}} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 
@@ -48,13 +48,13 @@ jobs: run: bash "${GITHUB_WORKSPACE}/scripts/get_go_version.sh" - name: Set up Go if: github.event_name != 'pull_request' || github.event.action != 'closed' - uses: actions/setup-go@v5.0.2 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{steps.get_go_version.outputs.go_version}} - name: go mod update if: github.event_name != 'pull_request' || github.event.action != 'closed' run: bash "${GITHUB_WORKSPACE}/scripts/resource_update/update_go/run_go_mod_tidy.sh" - - uses: dev-hato/actions-diff-pr-management@v1.2.0 + - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0 with: github-token: ${{secrets.GITHUB_TOKEN}} branch-name-prefix: update-go diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index c5b50bc44..4ceb0d6af 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml @@ -14,10 +14,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: .node-version cache: npm @@ -26,7 +26,7 @@ jobs: working-directory: test/e2e - run: bash "${GITHUB_WORKSPACE}/scripts/super_linter/super_linter/set_path.sh" - name: Super-Linter - uses: super-linter/super-linter/slim@v7.1.0 + uses: super-linter/super-linter/slim@b92721f792f381cedc002ecdbb9847a15ece5bb8 # v7.1.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} LINTER_RULES_PATH: . diff --git a/.github/workflows/update-gitleaks.yml b/.github/workflows/update-gitleaks.yml index e39c4ac2c..d398243b5 100644 --- a/.github/workflows/update-gitleaks.yml +++ b/.github/workflows/update-gitleaks.yml 
@@ -15,12 +15,12 @@ jobs: update-gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha }} - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: node-version-file: .node-version @@ -28,7 +28,7 @@ jobs: - name: Install packages if: github.event_name != 'pull_request' || github.event.action != 'closed' run: npm ci - - uses: dev-hato/actions-update-gitleaks@v0.0.79 + - uses: dev-hato/actions-update-gitleaks@0e9a2d1c25c0acc3108157714109d94ebecbf7cf # v0.0.79 with: github-token: ${{secrets.GITHUB_TOKEN}} concurrency: diff --git a/frontend/Dockerfile b/frontend/Dockerfile index ef836eda9..494d14a6e 100644 --- a/frontend/Dockerfile +++ b/frontend/Dockerfile @@ -1,4 +1,4 @@ -FROM node:22.9.0-bullseye-slim AS base +FROM node:22.9.0-bullseye-slim@sha256:315746bb8e0efcc2609af061784ebe6ccee9e6639019b26908a3b61ae1f5a4a0 AS base SHELL ["/bin/bash", "-o", "pipefail", "-c"] ARG TARGETPLATFORM @@ -50,7 +50,7 @@ COPY frontend/healthcheck.sh . HEALTHCHECK --interval=5s --retries=20 CMD ["./healthcheck.sh"] CMD ["npm", "run", "dev"] -FROM nginx:1.27.2 +FROM nginx:1.27.2@sha256:ff466795a4535e1d47cf2b901ce15b0ad2ba7f6e0140f12f7d62cb1c9160067a RUN find / -type f -perm /u+s -ignore_readdir_race -exec chmod u-s {} \; \ && find / -type f -perm /g+s -ignore_readdir_race -exec chmod g-s {} \; \ diff --git a/gcp/datastore/Dockerfile b/gcp/datastore/Dockerfile index ec926c690..3ec5f3a27 100644 --- a/gcp/datastore/Dockerfile +++ b/gcp/datastore/Dockerfile 
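Review bot: The digests on the two `FROM` lines in frontend/Dockerfile need to be multi-arch index digests rather than a single platform's manifest digest: this Dockerfile takes `ARG TARGETPLATFORM` and the release workflow sets up QEMU for cross-platform `docker/bake-action` builds, so a digest that resolves to only one architecture would not resolve for the others. Renovate normally pins the manifest-list digest, but it is worth confirming once before merging with `docker buildx imagetools inspect node:22.9.0-bullseye-slim@sha256:315746bb…` (and likewise for the nginx line). Note also that with a digest pin the tag becomes informational only — `nginx:1.27.2` will no longer pick up rebuilds of that tag until Renovate bumps the digest, which is the intended trade-off but should be understood by whoever triages image CVEs.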
@@ -1,5 +1,5 @@ #checkov:skip=CKV_DOCKER_3 -FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:496.0.0-emulators +FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:496.0.0-emulators@sha256:98634552ada78aac1fea3a19aa2e3f245f764b71a9af11c7d6202a89d1e72212 RUN find / -type f -perm /u+s -ignore_readdir_race -exec chmod u-s {} \; \ && find / -type f -perm /g+s -ignore_readdir_race -exec chmod g-s {} \; diff --git a/server/Dockerfile b/server/Dockerfile index 8d0f9d970..b2cfc0054 100644 --- a/server/Dockerfile +++ b/server/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.23.2-bullseye AS base +FROM golang:1.23.2-bullseye@sha256:64f1ec5d077ec2e47a96f4c0752edd1a18b2a5b30aa8cad1b1dd798ce89571a5 AS base WORKDIR /go/app