diff --git a/.github/workflows/automatus-cs8.yaml b/.github/workflows/automatus-cs8.yaml index 9917af66f22..6ff4fd8a77a 100644 --- a/.github/workflows/automatus-cs8.yaml +++ b/.github/workflows/automatus-cs8.yaml @@ -19,11 +19,11 @@ jobs: - name: Install deps python run: pip install gitpython xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -40,7 +40,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -51,14 +51,14 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product rhel8 --derivatives - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -71,9 +71,9 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Get cached CTF output - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 id: get_ctf_output with: name: output.json @@ -105,32 +105,32 @@ jobs: - name: Get rule ids to be tested if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: rules - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'rules' - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Get bash attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: bash - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'bash' - name: Get ansible attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: ansible - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -151,7 +151,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_bash path: logs_bash/ @@ -167,7 +167,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus-cs9.yaml b/.github/workflows/automatus-cs9.yaml index 8ab289fd82e..45e276e2b50 100644 --- a/.github/workflows/automatus-cs9.yaml +++ b/.github/workflows/automatus-cs9.yaml @@ -19,11 +19,11 @@ jobs: - name: Install deps python run: pip install gitpython xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -40,7 +40,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -51,14 +51,14 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product rhel9 --derivatives - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -71,9 +71,9 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Get cached CTF output - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 id: get_ctf_output with: name: output.json @@ -105,32 +105,32 @@ jobs: - name: Get rule ids to be tested if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: rules - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'rules' - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Get bash attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: bash - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'bash' - name: Get ansible attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: ansible - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -151,7 +151,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_bash path: logs_bash/ @@ -167,7 +167,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus-sanity.yaml b/.github/workflows/automatus-sanity.yaml index 37fe70be619..1b2c9eaec1f 100644 --- a/.github/workflows/automatus-sanity.yaml +++ b/.github/workflows/automatus-sanity.yaml @@ -17,12 +17,12 @@ jobs: - name: Install Deps run: dnf install -y cmake make openscap-utils python3-pyyaml python3-jinja2 git python3-pip - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Build product run: ./build_product fedora --debug - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: ${{ env.DATASTREAM }} path: build/${{ env.DATASTREAM }} @@ -35,7 +35,7 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Generate id_rsa key run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa - name: Build test suite container @@ -49,7 +49,7 @@ jobs: sudo chown root:root /usr/local/bin/oscap-ssh rm -f oscap-ssh - name: Get Datastream - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 with: name: ${{ env.DATASTREAM }} - name: Check One Rule diff --git a/.github/workflows/automatus-sle15.yaml b/.github/workflows/automatus-sle15.yaml index 9933a7fc9d8..26f9cfe2e47 100644 --- a/.github/workflows/automatus-sle15.yaml +++ b/.github/workflows/automatus-sle15.yaml @@ -27,11 +27,11 @@ jobs: - name: Install deps python run: pip install json2html sphinxcontrib.jinjadomain GitPython deepdiff Jinja2 xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -48,7 +48,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -59,14 +59,14 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product sle15 - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -79,9 +79,9 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Get cached CTF output - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 id: get_ctf_output with: name: output.json @@ -113,32 +113,32 @@ jobs: - name: Get rule ids to be tested if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: rules - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'rules' - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Get bash attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: bash - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'bash' - name: Get ansible attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: ansible - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -159,7 +159,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_bash path: logs_bash/ @@ -175,7 +175,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus-ubuntu2204.yaml b/.github/workflows/automatus-ubuntu2204.yaml index e1d93adb260..33f2d5f5f57 100644 --- a/.github/workflows/automatus-ubuntu2204.yaml +++ b/.github/workflows/automatus-ubuntu2204.yaml @@ -17,11 +17,11 @@ jobs: - name: Install deps python run: pip3 install gitpython xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -38,7 +38,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -49,14 +49,14 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product ubuntu2204 - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -69,9 +69,9 @@ jobs: - name: Install Deps run: sudo apt update && sudo apt install -y cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Get cached CTF output - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 id: get_ctf_output with: name: output.json @@ -103,32 +103,32 @@ jobs: - name: Get rule ids to be tested if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: rules - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'rules' - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Get bash attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: bash - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'bash' - name: Get ansible attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: ansible - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -149,7 +149,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_bash path: logs_bash/ @@ -165,7 +165,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus.yaml b/.github/workflows/automatus.yaml index 4a1c76d81c3..d41b7e7e011 100644 --- a/.github/workflows/automatus.yaml +++ b/.github/workflows/automatus.yaml @@ -17,11 +17,11 @@ jobs: - name: Install deps python run: pip install gitpython xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -38,7 +38,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -49,14 +49,14 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product ${{steps.product.outputs.prop}} --datastream-only - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ssg-${{steps.product.outputs.prop}}-ds.xml @@ -69,9 +69,9 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Get cached CTF output - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 id: get_ctf_output with: name: output.json @@ -103,32 +103,32 @@ jobs: - name: Get rule ids to be tested if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: rules - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'rules' - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Get bash attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: bash - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'bash' - name: Get ansible attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: ansible - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ssg-${{steps.product.outputs.prop}}-ds.xml @@ -149,7 +149,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_bash path: logs_bash/ @@ -165,7 +165,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/compare-ds.yaml b/.github/workflows/compare-ds.yaml index 809dc512376..49d777f951f 100644 --- a/.github/workflows/compare-ds.yaml +++ b/.github/workflows/compare-ds.yaml @@ -14,7 +14,7 @@ jobs: - name: Install deps python run: pip install gitpython xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 @@ -27,12 +27,12 @@ jobs: run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT id: fork_point - name: Checkout fork point - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ steps.fork_point.outputs.FORK_POINT }} fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -47,7 +47,7 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' @@ -59,7 +59,7 @@ jobs: run: cp build/ssg-${{steps.product.outputs.prop}}-ds.xml ssg-${{steps.product.outputs.prop}}-ds.xml - name: Checkout if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ github.event.pull_request.head.sha }} clean: false @@ -88,7 +88,7 @@ jobs: echo "${body:0:65000}" >> "$GITHUB_OUTPUT" echo "$EOF" >> "$GITHUB_OUTPUT" - name: Find Comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 id: fc with: issue-number: ${{ github.event.pull_request.number }} @@ -96,7 +96,7 @@ jobs: body-includes: This datastream diff is auto generated by the check - name: Create or update comment if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE != '0' && steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE <= 65000 }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} @@ -113,7 +113,7 @@ jobs: edit-mode: replace - name: Create or update a trimmed comment if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE > 65000 }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} @@ -133,7 +133,7 @@ jobs: edit-mode: replace - name: Delete existing comment in case new commits trigger no changes in Compare DS tool if: ${{ (steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE == '0' || steps.ctf.outputs.CTF_OUTPUT_SIZE == '0') && steps.fc.outputs.comment-id != 0 }} - uses: jungwinter/comment@v1 + uses: jungwinter/comment@fda92dbcb5e7e79cccd55ecb107a8a3d7802a469 # v1 with: type: delete comment_id: ${{ steps.fc.outputs.comment-id }} @@ -148,7 +148,7 @@ jobs: run: echo "SHELL_DIFF_OUTPUT_SIZE=$(stat --printf="%s" diff.log)" >> $GITHUB_OUTPUT id: ansible_shell_diff - name: Find Comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 id: shell_diff with: issue-number: ${{ github.event.pull_request.number }} @@ -156,7 +156,7 @@ jobs: body-includes: Change in Ansible 'shell' module found. - name: Create comment if: ${{ steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE != '0' && steps.shell_diff.outputs.comment-id == 0 }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 with: issue-number: ${{ github.event.pull_request.number }} body: | @@ -165,7 +165,7 @@ jobs: Please consider using more suitable Ansible module than `shell` if possible. - name: Delete existing comment in case new commits trigger no changes in Ansible shell module if: ${{ (steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE == '0' || steps.ctf.outputs.CTF_OUTPUT_SIZE == '0') && steps.shell_diff.outputs.comment-id != 0 }} - uses: jungwinter/comment@v1 + uses: jungwinter/comment@fda92dbcb5e7e79cccd55ecb107a8a3d7802a469 # v1 with: type: delete comment_id: ${{ steps.shell_diff.outputs.comment-id }} diff --git a/.github/workflows/ctf.yaml b/.github/workflows/ctf.yaml index 682baeacb84..235fe654f01 100644 --- a/.github/workflows/ctf.yaml +++ b/.github/workflows/ctf.yaml @@ -10,7 +10,7 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install git python3-jinja2 python3-yaml python3-setuptools python3-deepdiff python3-git python3-github python3-requests xmldiff - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 @@ -23,12 +23,12 @@ jobs: run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT id: fork_point - name: Checkout fork point - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ steps.fork_point.outputs.FORK_POINT }} fetch-depth: 0 - name: Checkout (CTF) - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: repository: ComplianceAsCode/content-test-filtering path: ctf @@ -43,12 +43,12 @@ jobs: - name: Get product attribute if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} id: product - uses: notiz-dev/github-action-json-property@v0.2.0 + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 with: path: 'output.json' prop_path: 'product' - name: Find Comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 id: fc with: issue-number: ${{ github.event.pull_request.number }} @@ -56,7 +56,7 @@ jobs: body-includes: Start a new ephemeral environment with changes proposed in this pull request - name: Create or update comment if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} @@ -75,7 +75,7 @@ jobs: edit-mode: replace - name: Create or update a trimmed comment if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE == '0' }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} diff --git a/.github/workflows/gate-lint-ansible-roles.yaml b/.github/workflows/gate-lint-ansible-roles.yaml index 0d377e02e50..1093584626b 100644 --- a/.github/workflows/gate-lint-ansible-roles.yaml +++ b/.github/workflows/gate-lint-ansible-roles.yaml @@ -15,7 +15,7 @@ jobs: - name: Install Deps run: dnf install -y cmake make ninja-build openscap-utils python3-pyyaml python3-setuptools python3-jinja2 python3-pygithub ansible ansible-lint libxslt git - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Configure run: cmake -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_RHEL7=ON -DSSG_PRODUCT_RHEL8=ON -DSSG_PRODUCT_RHEL9=ON -G Ninja .. working-directory: ./build diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml index 482c477ca01..22b2dfdfd05 100644 --- a/.github/workflows/gate.yaml +++ b/.github/workflows/gate.yaml @@ -19,7 +19,7 @@ jobs: - name: Install Deps run: yum install -y cmake make openscap-utils PyYAML libxslt xml-common python-jinja2 python-setuptools - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Build run: |- ./build_product rhel7 rhel8 rhel9 rhel10 --derivatives @@ -52,7 +52,7 @@ jobs: - name: Install deps python run: pip install pytest pytest-cov - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Build run: ./build_product sle12 sle15 - name: Test @@ -68,7 +68,7 @@ jobs: - name: Install Deps run: zypper install -y git cmake make openscap-utils python3-PyYAML bats python3-pytest python3-pytest-cov python3-Jinja2 python3-setuptools libxslt-tools libxml2-tools ShellCheck - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Build run: ./build_product opensuse env: @@ -88,7 +88,7 @@ jobs: - name: Install Deps run: apt-get install -y ansible-lint bats check cmake libopenscap8 libxml2-utils ninja-build python3-github python3-pip xsltproc libxslt1-dev libxml2-dev zlib1g-dev - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Upgrade pip python run: pip3 install --upgrade pip - name: Install deps python @@ -109,7 +109,7 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install deps python run: pip3 install -r requirements.txt -r test-requirements.txt - name: Build @@ -128,7 +128,7 @@ jobs: - name: Install Deps run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install deps python run: pip3 install -r requirements.txt -r test-requirements.txt - name: Build @@ -151,7 +151,7 @@ jobs: - name: Install Deps run: dnf install -y cmake make openscap-utils bats ansible python3-pip ShellCheck git python3-devel gcc-c++ - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install deps python run: pip install -r requirements-base.txt -r test-requirements.txt - name: Build @@ -196,7 +196,7 @@ jobs: shell: powershell run: "msiexec.exe /norestart /q /i ${{ github.workspace }}\\openscap-win\\OpenSCAP-${env:OPENSCAP_VERSION}-win64.msi" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install Python Deps run: pip install -r requirements.txt -r test-requirements.txt - name: Build diff --git a/.github/workflows/gate_fedora.yml b/.github/workflows/gate_fedora.yml index 452722f3e24..3c7df4a56f5 100644 --- a/.github/workflows/gate_fedora.yml +++ b/.github/workflows/gate_fedora.yml @@ -19,7 +19,7 @@ jobs: - name: Install Deps run: dnf install -y cmake make openscap-utils python3-pyyaml bats ansible python3-pip ShellCheck git gcc gcc-c++ python3-devel - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install deps python run: pip install pcre2 -r requirements.txt -r test-requirements.txt - name: Build @@ -57,7 +57,7 @@ jobs: run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Upload coverage to Code Climate # Requires: git package if: ${{ github.repository == 'ComplianceAsCode/content' }} - uses: paambaati/codeclimate-action@v8.0.0 + uses: paambaati/codeclimate-action@7c100bd1ed15de0bdee476b38ca759d8c94207b5 # v8.0.0 env: CC_TEST_REPORTER_ID: e67e068471d32b63f8e9561dba8f6a3f84dcc76b05ebfd98e44ced1a91cff854 with: diff --git a/.github/workflows/gate_thin_ds.yml b/.github/workflows/gate_thin_ds.yml index 5a709f9d2db..8fc5bb185b4 100644 --- a/.github/workflows/gate_thin_ds.yml +++ b/.github/workflows/gate_thin_ds.yml @@ -19,7 +19,7 @@ jobs: - name: Install Deps run: dnf install -y cmake make openscap-utils python3-pyyaml bats ansible python3-pip ShellCheck git gcc gcc-c++ python3-devel python3-lxml python3-pytest - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install deps python # pytest-xdist is used for parallel execution of thin ds test run: pip install pcre2 pytest-xdist -r requirements.txt -r test-requirements.txt diff --git a/.github/workflows/gh-pages.yaml b/.github/workflows/gh-pages.yaml index e48995a16c2..779b134f2da 100644 --- a/.github/workflows/gh-pages.yaml +++ b/.github/workflows/gh-pages.yaml @@ -23,7 +23,7 @@ jobs: - name: Install deps python run: pip3 install json2html prometheus_client - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Build run: cmake .. -G Ninja -DCMAKE_BUILD_TYPE=Debug working-directory: ./build @@ -50,7 +50,7 @@ jobs: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Deploy if: ${{ github.event_name == 'push' && github.repository == 'ComplianceAsCode/content' && github.ref == 'refs/heads/master' }} - uses: JamesIves/github-pages-deploy-action@v4.6.1 + uses: JamesIves/github-pages-deploy-action@5c6e9e9f3672ce8fd37b9856193d2a537941e66c # v4.6.1 with: branch: main # The branch the action should deploy to. folder: ${{ env.PAGES_DIR }} # The folder the action should deploy. @@ -61,7 +61,7 @@ jobs: git-config-name: openscap-ci git-config-email: openscap-ci@gmail.com - name: Upload artifact if the event is pull request - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ github.event_name == 'pull_request' }} with: name: built-content diff --git a/.github/workflows/k8s-content-pr-test.yaml b/.github/workflows/k8s-content-pr-test.yaml index fe7540ddfe3..662b75b4696 100644 --- a/.github/workflows/k8s-content-pr-test.yaml +++ b/.github/workflows/k8s-content-pr-test.yaml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Copy XCCDF files from existing content image - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3 with: timeout_minutes: 20 max_attempts: 3 @@ -43,7 +43,7 @@ jobs: id: save-go-version run: | echo "go-version=$(cat compliance-operator/go-version)" > compliance-operator/go-version - - uses: actions/setup-go@v5 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version: ${{ steps.save-go-version.outputs.go-version }} - name: Run ginkgo tests and check if each XCCDF file is parsed correctly diff --git a/.github/workflows/k8s-content-pr-trigger.yaml b/.github/workflows/k8s-content-pr-trigger.yaml index b6138235af0..a4669ba9060 100644 --- a/.github/workflows/k8s-content-pr-trigger.yaml +++ b/.github/workflows/k8s-content-pr-trigger.yaml @@ -23,7 +23,7 @@ jobs: run: | mkdir -p ./pr echo $PR_NUMBER > ./pr/pr_number - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: pr_number path: pr/ diff --git a/.github/workflows/k8s-content-pr.yaml b/.github/workflows/k8s-content-pr.yaml index 3e5e713cc26..6c9189e1bf5 100644 --- a/.github/workflows/k8s-content-pr.yaml +++ b/.github/workflows/k8s-content-pr.yaml @@ -14,7 +14,7 @@ jobs: pr-number: ${{ steps.pr_number.outputs.pr_number }} steps: - name: 'Download artifacts' - uses: actions/github-script@v7 + uses: actions/github-script@5c56fde4671bc2d3592fb0f2c5b5bab9ddae03b1 # v7 with: script: | let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ @@ -53,22 +53,22 @@ jobs: image-tags: ${{ steps.container_info.outputs.image-tags }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: refs/pull/${{ needs.get-pr-number.outputs.pr-number }}/head - name: Login to ghcr.io - uses: docker/login-action@v3.2.0 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3 - name: Docker metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5 with: images: ghcr.io/complianceascode/k8scontent flavor: | @@ -84,7 +84,7 @@ jobs: org.opencontainers.image.vendor='Compliance Operator Authors' - name: Build container images and push id: docker_build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@94f8f8c2eec4bc3f1d78c1755580779804cb87b2 # v6 with: context: . file: ./Dockerfiles/ocp4_content @@ -106,7 +106,7 @@ jobs: runs-on: ubuntu-latest name: Upsert comment on the PR steps: - - uses: thollander/actions-comment-pull-request@v2 + - uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2 with: message: | :robot: A k8s content image for this PR is available at: diff --git a/.github/workflows/nightly_build.yml b/.github/workflows/nightly_build.yml index 903d47e7d2d..8d9014f4416 100644 --- a/.github/workflows/nightly_build.yml +++ b/.github/workflows/nightly_build.yml @@ -13,7 +13,7 @@ jobs: - name: Install Dependencies run: dnf install -y cmake ninja-build openscap-utils python3-pip python3-devel gcc-c++ ansible-lint libxslt ansible - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install python deps run: pip install -r requirements-base.txt -r test-requirements.txt - name: Configure @@ -32,7 +32,7 @@ jobs: run: ninja -j2 package_source working-directory: ./build - name: 'Upload Artifact' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: Nightly Build path: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 4d73d8c505d..4963c4e26b1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -12,7 +12,7 @@ jobs: - name: Install Deps run: dnf install -y cmake ninja-build openscap-utils python3-pip python3-devel gcc-c++ ansible ansible-lint libxslt - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install python deps run: pip install -r requirements-base.txt -r test-requirements.txt - name: Configure @@ -39,13 +39,13 @@ jobs: GITHUB_REF: ${{ github.ref }} - name: Build Changelog id: build_changelog - uses: mikepenz/release-changelog-builder-action@v4 + uses: mikepenz/release-changelog-builder-action@32e3c96f29a6532607f638797455e9e98cfc703d # v4 with: configuration: .github/workflows/release-changelog.json env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Release - uses: softprops/action-gh-release@v2.0.6 + uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6 with: draft: True name: Content ${{ steps.set_version.outputs.ver }} diff --git a/.github/workflows/srg-mapping-table.yaml b/.github/workflows/srg-mapping-table.yaml index 7de591b40e2..0e28ecf647f 100644 --- a/.github/workflows/srg-mapping-table.yaml +++ b/.github/workflows/srg-mapping-table.yaml @@ -23,7 +23,7 @@ jobs: - name: Install deps python run: pip3 install pandas openpyxl - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Setup Build run: cmake .. -G Ninja working-directory: ./build @@ -60,33 +60,33 @@ jobs: run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v2r7.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel10.html env: PYTHONPATH: ${{ github.workspace }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-rhel9.xlsx path: ${{ env.PAGES_DIR }}/srg-mapping-rhel9.xlsx - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-rhel9.html path: ${{ env.PAGES_DIR }}/srg-mapping-rhel9.html - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-rhel10.xlsx path: ${{ env.PAGES_DIR }}/srg-mapping-rhel10.xlsx - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-rhel10.html path: ${{ env.PAGES_DIR }}/srg-mapping-rhel10.html - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-ocp4.xlsx path: ${{ env.PAGES_DIR }}/srg-mapping-ocp4.xlsx - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-ocp4.html @@ -99,7 +99,7 @@ jobs: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Deploy if: ${{ github.event_name == 'push' && github.repository == 'ComplianceAsCode/content' }} - uses: JamesIves/github-pages-deploy-action@v4.6.1 + uses: JamesIves/github-pages-deploy-action@5c6e9e9f3672ce8fd37b9856193d2a537941e66c # v4.6.1 with: branch: main # The branch the action should deploy to. folder: ${{ env.PAGES_DIR }} # The folder the action should deploy. diff --git a/.github/workflows/stabilize.yaml b/.github/workflows/stabilize.yaml index 0207f47c6c5..5b11f93bac3 100644 --- a/.github/workflows/stabilize.yaml +++ b/.github/workflows/stabilize.yaml @@ -19,7 +19,7 @@ jobs: - name: Install Deps run: dnf install -y cmake ninja-build openscap-utils python3-pyyaml python3-jinja2 python3-pytest ansible libxslt python3-ansible-lint linkchecker java-1.8.0-openjdk unar wget python-unversioned-command git-core - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Configure run: cmake -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF -DANSIBLE_CHECKS=ON -DENABLE_SCAPVAL13=ON -DSCAPVAL_PATH='/opt/scapval/SCAP-Content-Validation-Tool-1.3.5/scapval-1.3.5.jar' .. working-directory: ./build diff --git a/.github/workflows/update-oscal.yml b/.github/workflows/update-oscal.yml index 1ccc3874fb5..707ff9718ac 100644 --- a/.github/workflows/update-oscal.yml +++ b/.github/workflows/update-oscal.yml @@ -26,9 +26,9 @@ jobs: catalog-name: "nist_rev4_800_53" steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5 with: python-version: '3.9' - name: Install python deps @@ -45,7 +45,7 @@ jobs: trestle href --name "${{ matrix.variables.profile-name }}" -hr "trestle://catalogs/${{ matrix.variables.catalog-name }}/catalog.json" working-directory: ./shared/references/oscal - name: Update content - uses: peter-evans/create-pull-request@v6.1.0 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: base: master branch: "oscal-update-${{ github.run_id }}"