From f5e7c107e0991a899f2ffc493b503f5d92ff022e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 17 Oct 2024 22:38:44 +0000 Subject: [PATCH 1/3] chore(deps): pin dependencies --- .github/workflows/add-to-task-list.yml | 2 +- .github/workflows/dependency_review.yml | 4 +- .github/workflows/fail-notify.yml | 6 +- .github/workflows/fix-fail-notify.yml | 6 +- .github/workflows/format-json-yml.yml | 6 +- .github/workflows/gcr-cleaner.yml | 4 +- .../github-actions-cache-cleaner.yml | 2 +- .github/workflows/release.yml | 112 +++++++++--------- .../workflows/remove_app_engine_versions.yml | 8 +- .github/workflows/resource-update.yml | 12 +- .github/workflows/super-linter.yml | 6 +- .github/workflows/update-gitleaks.yml | 4 +- elm/Dockerfile | 2 +- frontend/Dockerfile | 4 +- server/Dockerfile | 2 +- 15 files changed, 90 insertions(+), 90 deletions(-) diff --git a/.github/workflows/add-to-task-list.yml b/.github/workflows/add-to-task-list.yml index 13b54ebaf..f70ceb1e6 100644 --- a/.github/workflows/add-to-task-list.yml +++ b/.github/workflows/add-to-task-list.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Generate a token id: generate_token - uses: actions/create-github-app-token@v1.11.0 + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 with: app-id: ${{ secrets.PROJECT_AUTOMATION_APP_ID }} private-key: ${{ secrets.PROJECT_AUTOMATION_PRIVATE_KEY }} diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml index c258bf7ff..f72037533 100644 --- a/.github/workflows/dependency_review.yml +++ b/.github/workflows/dependency_review.yml 
@@ -7,8 +7,8 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/dependency-review-action@v4.3.4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 with: base-ref: ${{ github.base_ref || github.event.merge_group.base_ref }} head-ref: ${{ github.head_ref || github.event.merge_group.head_ref }} diff --git a/.github/workflows/fail-notify.yml b/.github/workflows/fail-notify.yml index 4fe0c228c..5a485889a 100644 --- a/.github/workflows/fail-notify.yml +++ b/.github/workflows/fail-notify.yml @@ -22,17 +22,17 @@ jobs: runs-on: ubuntu-latest if: github.event.workflow_run.conclusion == 'failure' steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Get slack payload id: get_slack_payload - uses: actions/github-script@v7.0.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{secrets.GITHUB_TOKEN}} result-encoding: string script: | const script = require(`${process.env.GITHUB_WORKSPACE}/scripts/fail_notify/fail_notify/get_slack_payload.js`) return script({context}) - - uses: slackapi/slack-github-action@v1.27.0 + - uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 with: channel-id: ${{secrets.SLACK_CHANNEL_ID}} payload: ${{steps.get_slack_payload.outputs.result}} diff --git a/.github/workflows/fix-fail-notify.yml b/.github/workflows/fix-fail-notify.yml index ce51f28bc..3f5959690 100644 --- a/.github/workflows/fix-fail-notify.yml +++ b/.github/workflows/fix-fail-notify.yml 
@@ -10,17 +10,17 @@ jobs: steps: - name: Generate a token id: generate_token - uses: actions/create-github-app-token@v1.11.0 + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 with: app-id: ${{ secrets.PROJECT_AUTOMATION_APP_ID }} private-key: ${{ secrets.PROJECT_AUTOMATION_PRIVATE_KEY }} - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha }} token: ${{steps.generate_token.outputs.token}} - run: bash "${GITHUB_WORKSPACE}/scripts/fix_fail_notify/fix_fail_notify/fix_fail_notify.sh" - - uses: dev-hato/actions-diff-pr-management@v1.2.0 + - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0 with: github-token: ${{steps.generate_token.outputs.token}} branch-name-prefix: fix-fail-notify diff --git a/.github/workflows/format-json-yml.yml b/.github/workflows/format-json-yml.yml index 0a6e6b823..7a25995bb 100644 --- a/.github/workflows/format-json-yml.yml +++ b/.github/workflows/format-json-yml.yml 
@@ -17,17 +17,17 @@ jobs: steps: - name: Generate a token id: generate_token - uses: actions/create-github-app-token@v1.11.0 + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 with: app-id: ${{ secrets.PROJECT_AUTOMATION_APP_ID }} private-key: ${{ secrets.PROJECT_AUTOMATION_PRIVATE_KEY }} - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha }} token: ${{steps.generate_token.outputs.token}} - - uses: dev-hato/actions-format-json-yml@v0.0.76 + - uses: dev-hato/actions-format-json-yml@c049d2dbbb97a565135fa12fb0502ac1efbcbd35 # v0.0.76 with: github-token: ${{steps.generate_token.outputs.token}} concurrency: diff --git a/.github/workflows/gcr-cleaner.yml b/.github/workflows/gcr-cleaner.yml index 2dfe9c959..02bf3940e 100644 --- a/.github/workflows/gcr-cleaner.yml +++ b/.github/workflows/gcr-cleaner.yml @@ -14,10 +14,10 @@ jobs: gcr-cleaner: runs-on: "ubuntu-latest" steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - id: "auth" name: "Authenticate to GCP" - uses: google-github-actions/auth@v2.1.6 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: ${{env.GCP_WORKLOAD_IDENTITY_PROVIDER}} service_account: ${{env.GCP_SERVICE_ACCOUNT}} diff --git a/.github/workflows/github-actions-cache-cleaner.yml b/.github/workflows/github-actions-cache-cleaner.yml index 746ad19fb..ea347a3ee 100644 --- a/.github/workflows/github-actions-cache-cleaner.yml +++ b/.github/workflows/github-actions-cache-cleaner.yml 
@@ -13,7 +13,7 @@ jobs: github-actions-cache-cleaner: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: dev-hato/github-actions-cache-cleaner@0a731b19b53bac2c5e7f2b9cb9f9a17d91c50604 # v0.0.56 with: github-token: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 78a5d9ff7..7ce957949 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,8 +22,8 @@ jobs: deploy-files: ${{ steps.changes.outputs.deploy-files }} if: github.event_name != 'pull_request' || github.event.action != 'closed' steps: - - uses: actions/checkout@v4.2.1 - - uses: dorny/paths-filter@v3.0.2 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: changes with: filters: | @@ -45,8 +45,8 @@ jobs: run: working-directory: frontend steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/setup-node@v4.0.4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: frontend/.node-version cache: npm 
@@ -68,25 +68,25 @@ jobs: packages: write if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed' && github.repository == github.event.pull_request.head.repo.full_name) || github.event_name == 'merge_group' steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Login to GitHub Container Registry - uses: docker/login-action@v3.3.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3.2.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3.7.1 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - run: cat .env >>"$GITHUB_ENV" - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: HEAD_REF: ${{github.head_ref || github.event.merge_group.head_ref}} if: github.event_name == 'pull_request' || github.event_name == 'merge_group' - name: Build and push - uses: docker/bake-action@v5.10.0 + uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0 env: DOCKER_CONTENT_TRUST: 1 with: 
@@ -104,32 +104,32 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Login to GitHub Container Registry - uses: docker/login-action@v3.3.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3.2.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3.7.1 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - run: cat .env >>"$GITHUB_ENV" - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: HEAD_REF: ${{github.head_ref || github.event.merge_group.head_ref}} if: github.event_name == 'pull_request' || github.event_name == 'merge_group' - name: Build and push (dev) - uses: docker/bake-action@v5.10.0 + uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0 env: DOCKER_CONTENT_TRUST: 1 with: push: true files: compose.yml,dev.base.compose.yml - name: Build and push (staging) - uses: docker/bake-action@v5.10.0 + uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0 env: DOCKER_CONTENT_TRUST: 1 with: @@ -146,7 +146,7 @@ jobs: DOCKER_CONTENT_TRUST: 1 REPOSITORY: ${{github.repository}} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 
@@ -162,14 +162,14 @@ jobs: if: github.event_name != 'pull_request' || github.event.action != 'closed' run: bash "${GITHUB_WORKSPACE}/scripts/get_go_version.sh" - name: Set up Go - uses: actions/setup-go@v5.0.2 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: go-version: ${{steps.get_go_version.outputs.go_version}} - name: Install goimports if: github.event_name != 'pull_request' || github.event.action != 'closed' run: bash "${GITHUB_WORKSPACE}/scripts/release/format_go/run_goimports.sh" - - uses: dev-hato/actions-diff-pr-management@v1.2.0 + - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0 with: github-token: ${{secrets.GITHUB_TOKEN}} branch-name-prefix: fix-format @@ -185,7 +185,7 @@ jobs: env: DOCKER_CMD: "node --version && npm --version" steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 @@ -211,7 +211,7 @@ jobs: NODE_VERSION: ${{steps.get_node_version.outputs.node_version}} NPM_VERSION: ${{steps.get_node_version.outputs.npm_version}} run: bash "${GITHUB_WORKSPACE}/scripts/release/update_package/update_versions.sh" - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: node-version-file: .node-version @@ -219,7 +219,7 @@ jobs: - name: Update packages (.) if: github.event_name != 'pull_request' || github.event.action != 'closed' run: npm install - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: node-version-file: frontend/.node-version 
@@ -229,7 +229,7 @@ jobs: if: github.event_name != 'pull_request' || github.event.action != 'closed' run: npm install working-directory: frontend - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: node-version-file: test/e2e/.node-version @@ -239,7 +239,7 @@ jobs: if: github.event_name != 'pull_request' || github.event.action != 'closed' run: npm install working-directory: test/e2e - - uses: dev-hato/actions-diff-pr-management@v1.2.0 + - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0 with: github-token: ${{secrets.GITHUB_TOKEN}} branch-name-prefix: fix-version @@ -247,7 +247,7 @@ jobs: update-dockle: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 @@ -260,7 +260,7 @@ jobs: needs: - docker-compose-build steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - run: cat .env >>"$GITHUB_ENV" - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: @@ -285,7 +285,7 @@ jobs: DOCKER_CONTENT_TRUST: 1 REPOSITORY: ${{github.repository}} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: HEAD_REF: ${{github.head_ref || github.event.merge_group.head_ref}} @@ -303,8 +303,8 @@ jobs: run: working-directory: frontend steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/setup-node@v4.0.4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: frontend/.node-version cache: npm 
@@ -325,19 +325,19 @@ jobs: DOCKER_CONTENT_TRUST: 1 REPOSITORY: ${{github.repository}} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - run: cat .env >>"$GITHUB_ENV" - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: HEAD_REF: ${{github.head_ref || github.event.merge_group.head_ref}} if: github.event_name == 'pull_request' || github.event_name == 'merge_group' - run: bash "${GITHUB_WORKSPACE}/scripts/release/run_docker_compose.sh" - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: test/e2e/.node-version cache: npm cache-dependency-path: test/e2e/package-lock.json - - uses: browser-actions/setup-firefox@v1.5.2 + - uses: browser-actions/setup-firefox@955a5d42b5f068a8917c6a4ff1656a2235c66dfb # v1.5.2 if: matrix.browser_name == 'firefox' with: firefox-version: ${{ matrix.browser_version }} @@ -359,19 +359,19 @@ jobs: DOCKER_CONTENT_TRUST: 1 REPOSITORY: ${{github.repository}} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - run: cat .env >>"$GITHUB_ENV" - run: echo "TAG_NAME=${HEAD_REF//\//-}" >> "$GITHUB_ENV" env: HEAD_REF: ${{github.head_ref || github.event.merge_group.head_ref}} if: github.event_name == 'pull_request' || github.event_name == 'merge_group' - run: bash "${GITHUB_WORKSPACE}/scripts/release/run_docker_compose.sh" - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: test/e2e/.node-version cache: npm cache-dependency-path: test/e2e/package-lock.json - - uses: browser-actions/setup-firefox@v1.5.2 + - uses: browser-actions/setup-firefox@955a5d42b5f068a8917c6a4ff1656a2235c66dfb # v1.5.2 if: matrix.browser_name == 'firefox' with: firefox-version: ${{ matrix.browser_version }} 
@@ -390,7 +390,7 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: frontend @@ -401,12 +401,12 @@ jobs: if: ${{ github.event_name == 'push' }} - id: "auth" name: "Authenticate to GCP" - uses: google-github-actions/auth@v2.1.6 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: ${{env.GCP_WORKLOAD_IDENTITY_PROVIDER}} service_account: ${{env.GCP_SERVICE_ACCOUNT}} - name: Deploy to App Engine - uses: google-github-actions/deploy-appengine@v2.1.3 + uses: google-github-actions/deploy-appengine@3c758836610e6ad98d8719bf3e2bdf94c3082728 # v2.1.3 with: deliverables: app.yaml project_id: hato-atama @@ -423,8 +423,8 @@ jobs: pull-requests: write if: github.event_name == 'pull_request' steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/github-script@v7.0.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: SHA: ${{github.event.pull_request.head.sha}} with: @@ -442,9 +442,9 @@ jobs: ARTIFACT_PATH: ${{ github.workspace }}/tmp/artifacts URLS: https://v${{ github.run_number }}-dot-hato-atama.an.r.appspot.com steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - run: mkdir -p "${ARTIFACT_PATH}" - - uses: foo-software/lighthouse-check-action@v12.0.1 + - uses: foo-software/lighthouse-check-action@a80267da2e0244b8a2e457a8575fc47590615852 # v12.0.1 with: gitHubAccessToken: ${{ secrets.GITHUB_TOKEN }} urls: ${{ env.URLS }} 
@@ -465,13 +465,13 @@ jobs: browser_name: ["chrome", "electron", "edge"] include: ${{fromJson(needs.make-browserslist.outputs.browserslist)}} steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/setup-node@v4.0.4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: test/e2e/.node-version cache: npm cache-dependency-path: test/e2e/package-lock.json - - uses: browser-actions/setup-firefox@v1.5.2 + - uses: browser-actions/setup-firefox@955a5d42b5f068a8917c6a4ff1656a2235c66dfb # v1.5.2 if: matrix.browser_name == 'firefox' with: firefox-version: ${{ matrix.browser_version }} @@ -493,13 +493,13 @@ jobs: include: ${{fromJson(needs.make-browserslist.outputs.browserslist)}} if: ${{ github.event_name == 'push' }} steps: - - uses: actions/checkout@v4.2.1 - - uses: actions/setup-node@v4.0.4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: test/e2e/.node-version cache: npm cache-dependency-path: test/e2e/package-lock.json - - uses: browser-actions/setup-firefox@v1.5.2 + - uses: browser-actions/setup-firefox@955a5d42b5f068a8917c6a4ff1656a2235c66dfb # v1.5.2 if: matrix.browser_name == 'firefox' with: firefox-version: ${{ matrix.browser_version }} 
@@ -517,14 +517,14 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - id: "auth" name: "Authenticate to GCP" - uses: google-github-actions/auth@v2.1.6 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: ${{env.GCP_WORKLOAD_IDENTITY_PROVIDER}} service_account: ${{env.GCP_SERVICE_ACCOUNT}} - - uses: google-github-actions/setup-gcloud@v2.1.1 + - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - run: bash "${GITHUB_WORKSPACE}/scripts/release/migrating_traffic/set_traffic.sh" remove-app-engine-past-versions: runs-on: ubuntu-latest @@ -535,9 +535,9 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Get run numbers - uses: actions/github-script@v7.0.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: get_run_numbers env: HEAD_REF: master @@ -551,11 +551,11 @@ jobs: - id: "auth" if: ${{ steps.get_run_numbers.outputs.result != '' }} name: "Authenticate to GCP" - uses: google-github-actions/auth@v2.1.6 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: ${{env.GCP_WORKLOAD_IDENTITY_PROVIDER}} service_account: ${{env.GCP_SERVICE_ACCOUNT}} - - uses: google-github-actions/setup-gcloud@v2.1.1 + - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 if: ${{ steps.get_run_numbers.outputs.result != '' }} - name: Remove app engine versions if: ${{ steps.get_run_numbers.outputs.result != '' }} 
@@ -605,7 +605,7 @@ jobs: if: (github.event_name == 'pull_request' && github.event.action != 'closed') || github.event_name == 'merge_group' runs-on: ubuntu-latest steps: - - uses: Kesin11/actions-timeline@v2 + - uses: Kesin11/actions-timeline@3046833d9aacfd7745c5264b7f3af851c3e2a619 # v2 # pushをトリガーとした場合に完了しているべきjobが完了したか release-complete: runs-on: ubuntu-latest @@ -624,7 +624,7 @@ jobs: if: github.event_name == 'push' runs-on: ubuntu-latest steps: - - uses: Kesin11/actions-timeline@v2 + - uses: Kesin11/actions-timeline@3046833d9aacfd7745c5264b7f3af851c3e2a619 # v2 concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/remove_app_engine_versions.yml b/.github/workflows/remove_app_engine_versions.yml index e6a92559f..db0274c17 100644 --- a/.github/workflows/remove_app_engine_versions.yml +++ b/.github/workflows/remove_app_engine_versions.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest if: github.repository == github.event.pull_request.head.repo.full_name && github.repository == 'dev-hato/hato-atama' steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Get run numbers - uses: actions/github-script@v7.0.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: get_run_numbers env: HEAD_REF: ${{github.event.pull_request.head.ref}} 
@@ -27,11 +27,11 @@ jobs: - id: "auth" if: ${{ steps.get_run_numbers.outputs.result != '' }} name: "Authenticate to GCP" - uses: google-github-actions/auth@v2.1.6 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: "projects/765091727073/locations/global/workloadIdentityPools/hato-atama-workload-identity/providers/github" service_account: "actions-deploy@hato-atama.iam.gserviceaccount.com" - - uses: google-github-actions/setup-gcloud@v2.1.1 + - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 if: ${{ steps.get_run_numbers.outputs.result != '' }} - if: ${{ steps.get_run_numbers.outputs.result != '' }} run: gcloud app versions delete --service=default ${{steps.get_run_numbers.outputs.result}} diff --git a/.github/workflows/resource-update.yml b/.github/workflows/resource-update.yml index 215d4ac18..b92f16e52 100644 --- a/.github/workflows/resource-update.yml +++ b/.github/workflows/resource-update.yml @@ -13,12 +13,12 @@ jobs: run: working-directory: ${{ matrix.path }} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: node-version-file: ${{ matrix.path }}/.node-version 
@@ -27,7 +27,7 @@ jobs: - name: ncu install if: github.event_name != 'pull_request' || github.event.action != 'closed' run: bash "${GITHUB_WORKSPACE}/scripts/resource_update/update.sh" - - uses: dev-hato/actions-diff-pr-management@v1.2.0 + - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0 with: github-token: ${{secrets.GITHUB_TOKEN}} branch-name-prefix: update-${{ matrix.path }} @@ -37,7 +37,7 @@ jobs: env: REPOSITORY: ${{github.repository}} steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 @@ -48,13 +48,13 @@ jobs: run: bash "${GITHUB_WORKSPACE}/scripts/get_go_version.sh" - name: Set up Go if: github.event_name != 'pull_request' || github.event.action != 'closed' - uses: actions/setup-go@v5.0.2 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{steps.get_go_version.outputs.go_version}} - name: go mod update if: github.event_name != 'pull_request' || github.event.action != 'closed' run: bash "${GITHUB_WORKSPACE}/scripts/resource_update/update_go/run_go_mod_tidy.sh" - - uses: dev-hato/actions-diff-pr-management@v1.2.0 + - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0 with: github-token: ${{secrets.GITHUB_TOKEN}} branch-name-prefix: update-go diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index c5b50bc44..4ceb0d6af 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml 
@@ -14,10 +14,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version-file: .node-version cache: npm @@ -26,7 +26,7 @@ jobs: working-directory: test/e2e - run: bash "${GITHUB_WORKSPACE}/scripts/super_linter/super_linter/set_path.sh" - name: Super-Linter - uses: super-linter/super-linter/slim@v7.1.0 + uses: super-linter/super-linter/slim@b92721f792f381cedc002ecdbb9847a15ece5bb8 # v7.1.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} LINTER_RULES_PATH: . diff --git a/.github/workflows/update-gitleaks.yml b/.github/workflows/update-gitleaks.yml index 52e9221b7..02487f319 100644 --- a/.github/workflows/update-gitleaks.yml +++ b/.github/workflows/update-gitleaks.yml @@ -15,12 +15,12 @@ jobs: update-gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha }} - - uses: actions/setup-node@v4.0.4 + - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 if: github.event_name != 'pull_request' || github.event.action != 'closed' with: node-version-file: .node-version diff --git a/elm/Dockerfile b/elm/Dockerfile index 83bdc532f..fb348eda3 100644 --- a/elm/Dockerfile +++ b/elm/Dockerfile @@ -1,7 +1,7 @@ # https://dev.to/csaltos/elm-for-linux-arm64-32bc # GitHub Actionsでビルドするとうまく行かないため、手元でビルドする前提 #checkov:skip=CKV_DOCKER_2 -FROM debian:bullseye-slim +FROM debian:bullseye-slim@sha256:610b4c7ad241e66f6e2f9791e3abdf0cc107a69238ab21bf9b4695d51fd6366a SHELL ["/bin/bash", "-o", "pipefail", "-c"] 
diff --git a/frontend/Dockerfile b/frontend/Dockerfile index ef836eda9..6db6b8c4f 100644 --- a/frontend/Dockerfile +++ b/frontend/Dockerfile @@ -1,4 +1,4 @@ -FROM node:22.9.0-bullseye-slim AS base +FROM node:22.9.0-bullseye-slim@sha256:b9be40d246bd09f0beb95b6f199b637c59331db2ec31da0bb91ebb3ac4f619ef AS base SHELL ["/bin/bash", "-o", "pipefail", "-c"] ARG TARGETPLATFORM @@ -50,7 +50,7 @@ COPY frontend/healthcheck.sh . HEALTHCHECK --interval=5s --retries=20 CMD ["./healthcheck.sh"] CMD ["npm", "run", "dev"] -FROM nginx:1.27.2 +FROM nginx:1.27.2@sha256:28402db69fec7c17e179ea87882667f1e054391138f77ffaf0c3eb388efc3ffb RUN find / -type f -perm /u+s -ignore_readdir_race -exec chmod u-s {} \; \ && find / -type f -perm /g+s -ignore_readdir_race -exec chmod g-s {} \; \ diff --git a/server/Dockerfile b/server/Dockerfile index 8d0f9d970..5fb1f3dfd 100644 --- a/server/Dockerfile +++ b/server/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.23.2-bullseye AS base +FROM golang:1.23.2-bullseye@sha256:48ac5022f9740543cac0eba41a4e37b721073a0103349e416678e0142a53b49a AS base WORKDIR /go/app From bdf3a7ce87a9119c2831da5fdd9e9d3886d557a3 Mon Sep 17 00:00:00 2001 From: Masaya Suzuki <15100604+massongit@users.noreply.github.com> Date: Fri, 18 Oct 2024 09:04:04 +0900 Subject: [PATCH 2/3] =?UTF-8?q?super-linter=E3=81=AE=E3=83=90=E3=83=BC?= =?UTF-8?q?=E3=82=B8=E3=83=A7=E3=83=B3=E5=8F=96=E5=BE=97=E5=87=A6=E7=90=86?= =?UTF-8?q?=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- scripts/super_linter/super_linter/set_path.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/super_linter/super_linter/set_path.sh b/scripts/super_linter/super_linter/set_path.sh index b683ce11f..9f10df98b 100755 --- a/scripts/super_linter/super_linter/set_path.sh +++ b/scripts/super_linter/super_linter/set_path.sh 
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
-action="$(yq '.jobs.super-linter.steps[-1].uses' .github/workflows/super-linter.yml)"
-PATH="$(docker run --rm --entrypoint '' "ghcr.io/${action//\/slim@/:slim-}" /bin/sh -c 'echo $PATH')"
+tag_name="$(yq '.jobs.build.steps[-1].uses' .github/workflows/super-linter.yml | sed -e 's;/slim@.*;:slim;g')"
+tag_version="$(yq '.jobs.build.steps[-1].uses | line_comment' .github/workflows/super-linter.yml)"
+PATH="$(docker run --rm --entrypoint '' "ghcr.io/${tag_name}-${tag_version}" /bin/sh -c 'echo $PATH')"
 echo "PATH=/github/workspace/node_modules/.bin:/github/workspace/test/e2e/node_modules/.bin:${PATH}" >>"$GITHUB_ENV"

From dcd8d859dc313b41c3c797d42f6cfc7193f143ec Mon Sep 17 00:00:00 2001
From: Masaya Suzuki <15100604+massongit@users.noreply.github.com>
Date: Fri, 18 Oct 2024 09:08:41 +0900
Subject: [PATCH 3/3] =?UTF-8?q?job=E5=90=8D=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/super_linter/super_linter/set_path.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/super_linter/super_linter/set_path.sh b/scripts/super_linter/super_linter/set_path.sh
index 9f10df98b..3b527aeaa 100755
--- a/scripts/super_linter/super_linter/set_path.sh
+++ b/scripts/super_linter/super_linter/set_path.sh
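Review bot: `tag_version` is derived from the `# vX.Y.Z` trailing comment on the `uses:` line, so the image that `docker run` pulls is chosen by a mutable tag that nothing ties to the commit SHA the action itself is pinned to, and when the comment is absent or yq prints nothing the reference degenerates to `ghcr.io/super-linter/super-linter:slim-`. The script has no `set -euo pipefail`, so a failing `yq` or `docker run` leaves `PATH` empty and the last line still writes a truncated `PATH=...:` into `$GITHUB_ENV` instead of failing the job. Add `set -euo pipefail` after the shebang and guard the derived values before the `docker run`, e.g. `[[ -n "$tag_name" && -n "$tag_version" ]] || { echo "could not derive super-linter image tag" >&2; exit 1; }`; pinning the image by digest rather than tag would remove the drift entirely. The PATCH 3/3 hunk below, which only changes the job key, has the same issue.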
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-tag_name="$(yq '.jobs.build.steps[-1].uses' .github/workflows/super-linter.yml | sed -e 's;/slim@.*;:slim;g')"
-tag_version="$(yq '.jobs.build.steps[-1].uses | line_comment' .github/workflows/super-linter.yml)"
+tag_name="$(yq '.jobs.super-linter.steps[-1].uses' .github/workflows/super-linter.yml | sed -e 's;/slim@.*;:slim;g')"
+tag_version="$(yq '.jobs.super-linter.steps[-1].uses | line_comment' .github/workflows/super-linter.yml)"
 PATH="$(docker run --rm --entrypoint '' "ghcr.io/${tag_name}-${tag_version}" /bin/sh -c 'echo $PATH')"
 echo "PATH=/github/workspace/node_modules/.bin:/github/workspace/test/e2e/node_modules/.bin:${PATH}" >>"$GITHUB_ENV"