From a5b8e31fcae82e2a016f6a9728d0520ed5dcdf8e Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Fri, 7 Jun 2024 10:53:28 -0500 Subject: [PATCH] ci: 3687 update ci workflows for best practices and standards (#3688) * Updated dependabot and publish files. Started other workflows Signed-off-by: Roger Barker * Updated main.yml Signed-off-by: Roger Barker * updated the workflows Signed-off-by: Roger Barker * Added setup-yarn action Signed-off-by: Roger Barker * Updated yarn install process Signed-off-by: Roger Barker * Updated Borales/setup-yarn command to include cmd: install Signed-off-by: Roger Barker --------- Signed-off-by: Roger Barker --- .github/dependabot.yml | 5 + .../workflows/add-documentation-to-repo.yaml | 32 ++++++- .github/workflows/api-manual.yml | 33 +++++-- .github/workflows/api.yml | 33 +++++-- .github/workflows/main.yml | 29 +++++- .github/workflows/publish.yml | 94 ++++++++++--------- 6 files changed, 161 insertions(+), 65 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4d9378657e..245ec0a42c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,5 +1,10 @@ version: 2 updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + open-pull-requests-limit: 10 - package-ecosystem: npm directory: "/" schedule: diff --git a/.github/workflows/add-documentation-to-repo.yaml b/.github/workflows/add-documentation-to-repo.yaml index 3abe789b77..1ebf6b0b79 100644 --- a/.github/workflows/add-documentation-to-repo.yaml +++ b/.github/workflows/add-documentation-to-repo.yaml 
@@ -9,31 +9,51 @@ on: jobs: runService: - runs-on: ubuntu-latest + name: Run Service + runs-on: [self-hosted, Linux, medium, ephemeral] strategy: matrix: node-version: [ 20.x ] mongodb-version: [ 7.0.5 ] steps: - - uses: actions/checkout@v1 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Checkout Code + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 #v4.0.2 with: node-version: ${{ matrix.node-version }} + + - name: Setup Yarn + uses: Borales/actions-yarn@3766bb1335b98fb13c60eaf358fe20811b730a88 # v5.0.0 + with: + cmd: install + + - name: Install dependencies + run: yarn install + - name: Start NatsMQ - uses: onichandame/nats-action@master + uses: onichandame/nats-action@a8144f9009c5f67c39edd6a50f9de659c44bd135 # v0.0.0 with: port: "4222" + - name: Config Repo run: | git config --global user.name "envision-ci-agent" git config --global user.email "envision-ci-agent@users.noreply.github.com" git remote set-url origin https://x-access-token:${{ secrets.DOC_UPDATE_API_KEY }}@github.com/$GITHUB_REPOSITORY git checkout "${GITHUB_REF:11}" + - name: Start MongoDB - uses: supercharge/mongodb-github-action@1.7.0 + uses: supercharge/mongodb-github-action@5a87bd81f88e2a8b195f8b7b656f5cda1350815a # v1.11.0 with: mongodb-version: ${{ matrix.mongodb-version }} + - name: Build run: | yarn @@ -51,6 +71,7 @@ jobs: popd env: CI: true + - name: Run service run: | pushd api-gateway @@ -60,6 +81,7 @@ jobs: yarn start & popd sleep 30 + - name: Download file run: | rm -fv swagger.yaml diff --git a/.github/workflows/api-manual.yml b/.github/workflows/api-manual.yml index 3357892219..1b0d764613 100644 --- a/.github/workflows/api-manual.yml +++ b/.github/workflows/api-manual.yml 
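Review bot: The new `Checkout Code` step in add-documentation-to-repo.yaml moves from `actions/checkout@v1` to v4.1.6 without a `with:` block, and v4 by default leaves the job token in the local git config, while the unchanged `Config Repo` step below rewrites `origin` to use `secrets.DOC_UPDATE_API_KEY`. With both credentials present, later git operations may authenticate with the persisted job token rather than the intended key, so I would add `with:` / `persist-credentials: false` to the checkout and confirm the documentation update still goes through. The checkouts added in api-manual.yml, api.yml and main.yml show no git push in their hunks, so the same setting there would simply keep the token away from `yarn install` scripts and the third-party actions that follow. The steps after `Download file` are outside this patch, so the effect on them is inferred.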
@@ -5,7 +5,8 @@ on: jobs: buildAndTest: - runs-on: ubuntu-latest + name: Build and Test (Manual) + runs-on: [self-hosted, Linux, medium, ephemeral] services: ipfs-node: image: ipfs/kubo:latest @@ -21,13 +22,27 @@ jobs: node-version: [ 20.x ] mongodb-version: [ 7.0.5 ] steps: - - uses: actions/checkout@v1 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Checkout Code + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 #v4.0.2 with: node-version: ${{ matrix.node-version }} + + - name: Setup Yarn + uses: Borales/actions-yarn@3766bb1335b98fb13c60eaf358fe20811b730a88 # v5.0.0 + with: + cmd: install + - name: Install dependencies - run: yarn + run: yarn install + - name: Build packages run: | pushd interfaces @@ -57,14 +72,17 @@ jobs: pushd api-gateway yarn run build popd + - name: Start NatsMQ - uses: onichandame/nats-action@master + uses: onichandame/nats-action@a8144f9009c5f67c39edd6a50f9de659c44bd135 # v0.0.0 with: port: "4222" + - name: Start MongoDB - uses: supercharge/mongodb-github-action@1.7.0 + uses: supercharge/mongodb-github-action@5a87bd81f88e2a8b195f8b7b656f5cda1350815a # v1.11.0 with: mongodb-version: ${{ matrix.mongodb-version }} + - name: Run Guardian run: | pushd notification-service @@ -110,8 +128,9 @@ jobs: npm install --force npx cypress run --env "portApi=3002,operatorId=${{ secrets.CI_HEDERA_ACCOUNT }},operatorKey=${{ secrets.CI_HEDERA_PRIV_KEY }}" --spec cypress/e2e/api-tests/**/*.cy.js popd + - name: Publish API Test Results - uses: EnricoMi/publish-unit-test-result-action@v1 + uses: EnricoMi/publish-unit-test-result-action@30eadd5010312f995f0d3b3cff7fe2984f69409e # v2.16.1 if: always() with: files: e2e-tests/cypress/test_results/**/*.xml 
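Review bot: The `ipfs-node` service in the context lines of the first api-manual.yml hunk still pulls `ipfs/kubo:latest`, so the job keeps one floating dependency even though this commit pins every action to a commit SHA. Pinning the image by digest, `image: ipfs/kubo@sha256:<digest of the release you tested>`, would make the service container as reproducible as the actions. api.yml carries the same `image:` line. The rest of the `services:` block lies outside the hunk.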
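Review bot: The `npx cypress run` line just above `Publish API Test Results` interpolates `secrets.CI_HEDERA_PRIV_KEY` into the command line, so the key ends up in the process arguments on what this commit turns into a self-hosted runner. Log masking does not cover the process table; passing the values through the step environment keeps them out of argv, e.g. an `env:` entry `CYPRESS_operatorKey: ${{ secrets.CI_HEDERA_PRIV_KEY }}` (likewise for `operatorId`) with the flag reduced to `--env "portApi=3002"`. main.yml already hands the same secrets to its test step through `env:`. The identical line appears in the last api.yml hunk, and the step itself starts outside this hunk.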
diff --git a/.github/workflows/api.yml b/.github/workflows/api.yml index 770db84e2a..d1d55c6ee5 100644 --- a/.github/workflows/api.yml +++ b/.github/workflows/api.yml @@ -5,7 +5,8 @@ on: jobs: buildAndTest: - runs-on: ubuntu-latest + name: Build and Test + runs-on: [self-hosted, Linux, medium, ephemeral] services: ipfs-node: image: ipfs/kubo:latest @@ -21,15 +22,29 @@ jobs: node-version: [ 20.x ] mongodb-version: [ 7.0.5 ] steps: - - uses: actions/checkout@v1 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Checkout Code + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: 'develop' + - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 #v4.0.2 with: node-version: ${{ matrix.node-version }} + + - name: Setup Yarn + uses: Borales/actions-yarn@3766bb1335b98fb13c60eaf358fe20811b730a88 # v5.0.0 + with: + cmd: install + - name: Install dependencies - run: yarn + run: yarn install + - name: Build packages run: | pushd interfaces @@ -59,14 +74,17 @@ jobs: pushd api-gateway yarn run build popd + - name: Start NatsMQ - uses: onichandame/nats-action@master + uses: onichandame/nats-action@a8144f9009c5f67c39edd6a50f9de659c44bd135 # v0.0.0 with: port: "4222" + - name: Start MongoDB - uses: supercharge/mongodb-github-action@1.7.0 + uses: supercharge/mongodb-github-action@5a87bd81f88e2a8b195f8b7b656f5cda1350815a # v1.11.0 with: mongodb-version: ${{ matrix.mongodb-version }} + - name: Run Guardian run: | pushd notification-service 
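Review bot: The new `Setup Yarn` step in api.yml already runs an install through `cmd: install`, and the `Install dependencies` step right after it runs `yarn install` again, so dependencies are resolved twice per job. I would keep one of the two and make it lockfile-strict so CI cannot drift from the committed lockfile: `run: yarn install --frozen-lockfile` on Yarn 1, or `--immutable` on Yarn 2 and later. The same pair of steps is added in add-documentation-to-repo.yaml, api-manual.yml and main.yml. In add-documentation-to-repo.yaml and main.yml the following `Build` step then starts with a third bare `yarn`.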
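Review bot: The pin comment on the `onichandame/nats-action` line reads `# v0.0.0`, which does not look like a release tag, presumably because the step previously tracked `@master`. A comment that says what the SHA actually is, for example `# pinned from master; confirm whether a release tag exists`, would give the next reviewer something to check the hash against. The same comment is used in add-documentation-to-repo.yaml and api-manual.yml. The `setup-node` pin comment in these three files is also written `#v4.0.2`, without the space used on every other pin.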
@@ -112,8 +130,9 @@ jobs: npm install --force npx cypress run --env "portApi=3002,operatorId=${{ secrets.CI_HEDERA_ACCOUNT }},operatorKey=${{ secrets.CI_HEDERA_PRIV_KEY }}" --spec cypress/e2e/api-tests/**/*.cy.js popd + - name: Publish API Test Results - uses: EnricoMi/publish-unit-test-result-action@v1 + uses: EnricoMi/publish-unit-test-result-action@30eadd5010312f995f0d3b3cff7fe2984f69409e # v2.16.1 if: always() with: files: e2e-tests/cypress/test_results/**/*.xml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ebb3c36de1..736e5d3a4c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -7,16 +7,33 @@ on: - 'dependabot/**' jobs: buildAndTest: - runs-on: ubuntu-latest + name: Build and Test (Manual - Main) + runs-on: [self-hosted, Linux, medium, ephemeral] strategy: matrix: node-version: [ 20.10.0 ] steps: - - uses: actions/checkout@v1 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Checkout Code + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: ${{ matrix.node-version }} + + - name: Setup Yarn + uses: Borales/actions-yarn@3766bb1335b98fb13c60eaf358fe20811b730a88 # v5.0.0 + with: + cmd: install + + - name: Install dependencies + run: yarn install + - name: Build run: | yarn @@ -56,12 +73,14 @@ jobs: env: CI: true NODE_OPTIONS: --openssl-legacy-provider + - name: Detect secrets run: | yarn run detect-secrets env: CI: true NODE_OPTIONS: --openssl-legacy-provider + - name: Lint run: | pushd interfaces @@ -94,6 +113,7 @@ jobs: env: CI: true NODE_OPTIONS: --openssl-legacy-provider + - name: Test run: | pushd common 
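Review bot: No `permissions:` block is added for the `buildAndTest` job in main.yml, whereas the same commit gives publish.yml a top-level `permissions:` with `contents: read`. Without one the job token keeps the repository default scopes while the job runs `yarn install`, third-party actions and tests that receive `CI_HEDERA_PRIV_KEY`, now on a self-hosted runner. I would add the same top-level `permissions:` / `contents: read` and grant the job only what the `Publish Unit Test Results` step needs, `checks: write` and `pull-requests: write`. The first six lines of main.yml are outside the hunk, so a block may already exist there. The visible hunks for add-documentation-to-repo.yaml, api-manual.yml and api.yml show none either.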
@@ -110,8 +130,9 @@ jobs: NODE_OPTIONS: --openssl-legacy-provider OPERATOR_ID: ${{ secrets.CI_HEDERA_ACCOUNT }} OPERATOR_KEY: ${{ secrets.CI_HEDERA_PRIV_KEY }} + - name: Publish Unit Test Results - uses: EnricoMi/publish-unit-test-result-action@v1 + uses: EnricoMi/publish-unit-test-result-action@30eadd5010312f995f0d3b3cff7fe2984f69409e # v2.16.1 if: always() with: files: test_results/**/*.xml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 720b945a6d..52133280a5 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,14 +5,24 @@ on: release: types: [published] +permissions: + contents: read + jobs: docker: - runs-on: ubuntu-latest + name: Publish to Docker + runs-on: [self-hosted, Linux, medium, ephemeral] permissions: id-token: write contents: read steps: - - uses: haya14busa/action-cond@v1 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Conditional values for Github Action + uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1 id: latestTag with: cond: ${{ github.event.release.target_commitish == 'main' }} 
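Review bot: The `Harden Runner` step added to the `docker` job in publish.yml uses `egress-policy: audit`, which records outbound connections but does not stop them, in the job that holds `id-token: write` and pushes the release images. Once a few runs have produced a baseline, `egress-policy: block` with an `allowed-endpoints:` list would turn the step into an actual control. The same audit-only step is added in add-documentation-to-repo.yaml, api-manual.yml, api.yml and main.yml, whose jobs handle `DOC_UPDATE_API_KEY` and `CI_HEDERA_PRIV_KEY`. It is also worth confirming that the step takes effect on the `self-hosted` runners selected here, since that may depend on how the runner image is prepared.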
@@ -20,27 +30,27 @@ jobs: if_false: "hotfix" - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: get-npm-version - id: package-version - uses: martinbeentjes/npm-get-version-action@main + uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1 with: path: guardian-service - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - - id: 'auth' - name: 'Authenticate to Google Cloud' - uses: 'google-github-actions/auth@v0' + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 with: workload_identity_provider: 'projects/101730247931/locations/global/workloadIdentityPools/hedera-registry-pool/providers/hedera-registry-gh-actions' service_account: 'guardian-publisher@hedera-registry.iam.gserviceaccount.com' token_format: 'access_token' - - uses: 'docker/login-action@v1' + - name: Docker Login + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 with: registry: 'gcr.io' # or REGION-docker.pkg.dev username: 'oauth2accesstoken' @@ -48,7 +58,7 @@ jobs: - name: application-events-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./application-events/Dockerfile @@ -57,7 +67,7 @@ jobs: - name: application-events if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./application-events/Dockerfile 
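Review bot: The `get-npm-version` step loses its `id: package-version` line in this hunk, so any later expression that reads `steps.package-version.outputs` would evaluate to an empty string. The `tags:` inputs of the build-push steps are outside every hunk of this patch, so I cannot see whether they use that output. If they do, images would be pushed with an empty version tag, or the push would fail. Unless the removal is deliberate, restore `id: package-version` above the pinned `uses:` line.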
@@ -66,7 +76,7 @@ jobs: - name: ai-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./ai-service/Dockerfile @@ -75,7 +85,7 @@ jobs: - name: ai-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./ai-service/Dockerfile @@ -84,7 +94,7 @@ jobs: - name: logger-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./logger-service/Dockerfile @@ -93,7 +103,7 @@ jobs: - name: logger-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./logger-service/Dockerfile @@ -102,7 +112,7 @@ jobs: - name: notification-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./notification-service/Dockerfile @@ -111,7 +121,7 @@ jobs: - name: notification-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./notification-service/Dockerfile @@ -120,7 +130,7 @@ jobs: - name: auth-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./auth-service/Dockerfile 
@@ -129,7 +139,7 @@ jobs: - name: auth-service-demo-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./auth-service/Dockerfile.demo @@ -138,7 +148,7 @@ jobs: - name: auth-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./auth-service/Dockerfile @@ -147,7 +157,7 @@ jobs: - name: auth-service-demo if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./auth-service/Dockerfile.demo @@ -156,7 +166,7 @@ jobs: - name: api-gateway-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./api-gateway/Dockerfile @@ -165,7 +175,7 @@ jobs: - name: api-gateway-demo-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./api-gateway/Dockerfile.demo @@ -174,7 +184,7 @@ jobs: - name: api-gateway if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./api-gateway/Dockerfile @@ -183,7 +193,7 @@ jobs: - name: api-gateway-demo if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./api-gateway/Dockerfile.demo 
@@ -192,7 +202,7 @@ jobs: - name: policy-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./policy-service/Dockerfile @@ -201,7 +211,7 @@ jobs: - name: policy-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./policy-service/Dockerfile @@ -210,7 +220,7 @@ jobs: - name: guardian-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./guardian-service/Dockerfile @@ -219,7 +229,7 @@ jobs: - name: guardian-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./guardian-service/Dockerfile @@ -228,7 +238,7 @@ jobs: - name: worker-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./worker-service/Dockerfile @@ -237,7 +247,7 @@ jobs: - name: worker-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./worker-service/Dockerfile @@ -246,7 +256,7 @@ jobs: - name: topic-viewer-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./topic-viewer/Dockerfile 
@@ -255,7 +265,7 @@ jobs: - name: topic-viewer if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./topic-viewer/Dockerfile @@ -264,7 +274,7 @@ jobs: - name: mrv-sender-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./mrv-sender/Dockerfile @@ -273,7 +283,7 @@ jobs: - name: mrv-sender if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./mrv-sender/Dockerfile @@ -282,7 +292,7 @@ jobs: - name: analytics-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./analytics-service/Dockerfile @@ -291,7 +301,7 @@ jobs: - name: analytics-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./analytics-service/Dockerfile @@ -300,7 +310,7 @@ jobs: - name: web-proxy-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./web-proxy/Dockerfile.ci @@ -309,7 +319,7 @@ jobs: - name: web-proxy if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./web-proxy/Dockerfile.ci 
@@ -318,7 +328,7 @@ jobs: - name: web-proxy-demo-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./web-proxy/Dockerfile.demo @@ -327,7 +337,7 @@ jobs: - name: web-proxy-demo if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: . file: ./web-proxy/Dockerfile.demo