chore(deps): update github-actions (#103)

* chore(deps): update github-actions * chore: addressed some checkov concerns --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: chgl <[email protected]>
miracum · Apr 6, 2023 · 9c7fa5c · 9c7fa5c
1 parent ae05502
commit 9c7fa5c
Show file tree

Hide file tree

Showing 17 changed files with 57 additions and 29 deletions.
diff --git a/.checkov.yml b/.checkov.yml
@@ -6,3 +6,31 @@ skip-check:
   # "Ensure Workflow pods are not using the default ServiceAccount."
   #  - Doesn't matter when just running integration tests
   - CKV_ARGO_1
+  # Prefer using secrets as files over secrets as environment variables
+  - CKV_K8S_35
+  # "Image should use digest"
+  - CKV_K8S_43
+  # "Image Pull Policy should be Always"
+  - CKV_K8S_15
+  # "Ensure that Service Account Tokens are only mounted where necessary"
+  - CKV_K8S_38
+  # "CPU limits should be set"
+  - CKV_K8S_11
+  # "CPU requests should be set"
+  - CKV_K8S_10
+  # "Memory requests should be set"
+  - CKV_K8S_12
+  # "Memory limits should be set"
+  - CKV_K8S_13
+  # "Ensure that the seccomp profile is set to docker/default or runtime/default"
+  # all container-level securityContexts are already set to this
+  - CKV_K8S_31
+  # "Containers should run as a high UID to avoid host conflict"
+  # only happens because the postgresql container is ran as uid 1001
+  - CKV_K8S_40
+  # "Use read-only filesystem for containers where possible"
+  # true everywhere except for the postgres image
+  - CKV_K8S_22
+  # "Apply security context to your pods and containers"
+  # security contexts are applied to containers
+  - CKV_K8S_29
diff --git a/.github/workflows/build-docs.yaml b/.github/workflows/build-docs.yaml
@@ -17,7 +17,7 @@ jobs:
       contents: write
       pages: write
     steps:
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
       - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
         with:
           python-version: 3.x

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -33,7 +33,7 @@ jobs:
       digest: ${{ steps.build.outputs.digest }}
       tag: ${{ steps.container_meta.outputs.version }}
     steps:
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2

diff --git a/.github/workflows/chaos-test.yaml b/.github/workflows/chaos-test.yaml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0

diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
@@ -12,7 +12,7 @@ jobs:
   check-links:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 
       - name: Link Checker
         id: lychee

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -53,7 +53,7 @@ jobs:
     env:
       IMAGE_NAME: ghcr.io/${{ github.repository }}/${{ matrix.module }}
     steps:
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 
       - uses: ./.github/actions/test-image
         with:

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -42,18 +42,18 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3
 
       - name: Set up Java
-        uses: actions/setup-java@3f07048e3d294f56e9b90ac5ea2c6f74e9ad0f98 # v3
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3
         with:
           java-version: "17"
           distribution: "adopt"
           cache: gradle
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2
+        uses: github/codeql-action/init@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2
+        uses: github/codeql-action/autobuild@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -79,6 +79,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2
+        uses: github/codeql-action/analyze@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml
@@ -13,14 +13,14 @@ permissions: read-all
 jobs:
   lint:
     runs-on: ubuntu-22.04
-    container: ghcr.io/chgl/kube-powertools:v1.22.16@sha256:1363f7de15d193edecf9eed16ac361496808b4d09d887afd1fed4162b6dd7742
+    container: ghcr.io/chgl/kube-powertools:v1.22.17@sha256:fd0257d7fe744371dcbede5372d21ebd9da94021da2dace179203c10049d0a13
     steps:
       - name: Add workspace as safe directory
         run: |
           git config --global --add safe.directory /__w/recruit/recruit
 
       - name: Checkout
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
@@ -29,7 +29,7 @@ jobs:
     steps:
       # Git Checkout
       - name: Checkout Code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3
         with:
           token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
           fetch-depth: 0
@@ -39,7 +39,7 @@ jobs:
         id: ml
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://oxsecurity.github.io/megalinter/flavors/
-        uses: oxsecurity/megalinter@fa252447a038abeedc60aeb3d9f913315bf5fcf2 # v6.20.1
+        uses: oxsecurity/megalinter@93700f8c21c59ea784a32abe23896e49e54463b8 # v6.22.2
         env:
           # All available variables are described in documentation
           # https://oxsecurity.github.io/megalinter/configuration/

diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
@@ -14,7 +14,7 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      - uses: google-github-actions/release-please-action@e0b9d1885d92e9a93d5ce8656de60e3b806e542c # v3.7.5
+      - uses: google-github-actions/release-please-action@ee9822ec2c397e8a364d634464339ac43a06e042 # v3.7.6
         with:
           token: ${{ secrets.MIRACUM_BOT_SEMANTIC_RELEASE_TOKEN }}
           release-type: simple

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -20,7 +20,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
@@ -66,11 +66,11 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
         with:
           path: recruit
 
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           repository: miracum/charts
@@ -105,7 +105,7 @@ jobs:
       contents: write # to upload artifacts to the release
     steps:
       - name: Checkout
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 
       - name: Download Helm chart
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3

diff --git a/.github/workflows/reset-chart-changelog-annotations.yaml b/.github/workflows/reset-chart-changelog-annotations.yaml
@@ -13,12 +13,12 @@ jobs:
   reset-commit-and-push:
     name: reset changelog annotations, commit, and push
     runs-on: ubuntu-22.04
-    container: ghcr.io/chgl/kube-powertools:v1.22.16@sha256:1363f7de15d193edecf9eed16ac361496808b4d09d887afd1fed4162b6dd7742
+    container: ghcr.io/chgl/kube-powertools:v1.22.17@sha256:fd0257d7fe744371dcbede5372d21ebd9da94021da2dace179203c10049d0a13
     permissions:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 
       # currently defaults to just the one chart, "recruit", needs to be updated if
       # more charts are added in the future. See <https://github.com/chgl/kube-powertools/blob/master/scripts/generate-chart-changelog.sh>

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -32,12 +32,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
+        uses: github/codeql-action/upload-sarif@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2.2.11
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/test-compose-installation.yaml b/.github/workflows/test-compose-installation.yaml
@@ -16,7 +16,7 @@ jobs:
       RECRUIT_IMAGE_BASE_NAME: ghcr.io/${{ github.repository }}
       RECRUIT_IMAGE_TAG: ${{ inputs.image-tag }}
     steps:
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 
       - name: Download all artifacts
         if: ${{ github.event_name == 'pull_request' }}

diff --git a/.github/workflows/test-k8s-installation.yaml b/.github/workflows/test-k8s-installation.yaml
@@ -14,7 +14,7 @@ jobs:
   test:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0

diff --git a/.github/workflows/validate-gradle-wrapper.yaml b/.github/workflows/validate-gradle-wrapper.yaml
@@ -14,5 +14,5 @@ jobs:
     name: "Validation"
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
       - uses: gradle/wrapper-validation-action@8d49e559aae34d3e0eb16cde532684bc9702762b # v1.0.6
diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml
@@ -18,10 +18,10 @@ jobs:
   yamllint:
     runs-on: ubuntu-22.04
     # contains yamllint
-    container: ghcr.io/chgl/kube-powertools:v1.22.16@sha256:1363f7de15d193edecf9eed16ac361496808b4d09d887afd1fed4162b6dd7742
+    container: ghcr.io/chgl/kube-powertools:v1.22.17@sha256:fd0257d7fe744371dcbede5372d21ebd9da94021da2dace179203c10049d0a13
     steps:
       - name: Checkout
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 
       - name: Run yamllint
         run: yamllint -c .yamllint.yaml .