diff --git a/.github/actions/cloudsmith-login/action.yml b/.github/actions/cloudsmith-login/action.yml
index 71adc29..994abe1 100644
--- a/.github/actions/cloudsmith-login/action.yml
+++ b/.github/actions/cloudsmith-login/action.yml
@@ -19,7 +19,7 @@ runs:
 steps:
 - name: Get Cloudsmith token
 id: get-token
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 env:
 CLOUDSMITH_ORG: ${{ inputs.org }}
 CLOUDSMITH_SERVICE_SLUG: ${{ inputs.service-slug }}
@@ -59,7 +59,7 @@ runs:
 }
 - name: Login to Cloudsmith
- uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ inputs.registry }}
 username: ${{ steps.get-token.outputs.cloudsmith_user }}
diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml
index ec92ba9..436e512 100644
--- a/.github/workflows/build-docker.yaml
+++ b/.github/workflows/build-docker.yaml
@@ -46,7 +46,7 @@ jobs:
 runner: ubuntu-24.04-arm
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 submodules: recursive
@@ -57,11 +57,11 @@ jobs:
 run: echo "short_hash=${SHA::8}" >> "$GITHUB_OUTPUT"
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Build image
 id: build
- uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
+ uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
 with:
 source: .
 files: docker-bake.hcl
@@ -89,7 +89,7 @@ jobs:
 - name: Upload Trivy scan results
 if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: trivy-${{ matrix.image }}-${{ matrix.arch }}
 path: trivy-results.sarif
@@ -125,7 +125,7 @@ jobs:
 - name: Upload digest
 if: ${{ github.event_name == 'push' }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: digest-${{ matrix.image }}-${{ matrix.arch }}
 path: /tmp/digests/${{ matrix.image }}/*
@@ -148,12 +148,12 @@ jobs:
 - arc-consensus
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 sparse-checkout: .github/actions
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Login to Cloudsmith
 uses: ./.github/actions/cloudsmith-login
@@ -161,7 +161,7 @@ jobs:
 registry: ${{ env.REGISTRY }}
 - name: Download digests
- uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 pattern: digest-${{ matrix.image }}-*
 merge-multiple: true
@@ -196,7 +196,7 @@ jobs:
 - name: Generate SBOM
 continue-on-error: true
- uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
+ uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
 with:
 image: ${{ steps.manifest.outputs.image-with-digest }}
 artifact-name: sbom-${{ matrix.image }}.spdx.json
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 31928da..b655f8f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,7 +24,7 @@ jobs:
 name: Rust Formatting
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install Rust toolchain
 uses: actions-rust-lang/setup-rust-toolchain@v1
@@ -38,7 +38,7 @@ jobs:
 name: Rust Dependencies
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install Rust toolchain
 uses: actions-rust-lang/setup-rust-toolchain@v1
@@ -53,7 +53,7 @@ jobs:
 name: Rust Lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install system dependencies
 run: sudo apt-get update && sudo apt-get install -y --no-install-recommends libclang-dev zlib1g-dev
@@ -72,7 +72,7 @@ jobs:
 needs: rust-lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install system dependencies
 run: sudo apt-get update && sudo apt-get install -y --no-install-recommends libclang-dev zlib1g-dev
@@ -95,7 +95,7 @@ jobs:
 needs: rust-test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Init public submodules
 run: git submodule update --init contracts/lib/forge-std contracts/lib/openzeppelin-contracts contracts/lib/openzeppelin-contracts-upgradeable
@@ -107,7 +107,7 @@ jobs:
 uses: actions-rust-lang/setup-rust-toolchain@v1
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 22
 cache: npm
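Review bot: `actions-rust-lang/setup-rust-toolchain@v1` is still referenced by a mutable tag in the context lines of the ci.yml hunks at -24, -38 and -107, right next to the checkout steps that are now pinned to a commit SHA. If that `v1` tag is moved or retagged, unreviewed code would run in the same jobs, so the pinning is only partial for them. I would pin it the same way, `uses: actions-rust-lang/setup-rust-toolchain@<full-commit-sha> # v1.x.y` (placeholder; take the SHA from the upstream release), so the dependency bot can keep the version comment in sync. The rest of each job lies outside these hunks, so other tag-based references may remain there as well.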
@@ -149,10 +149,10 @@ jobs:
 contents: read
 pull-requests: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Buf lint, format, and breaking change detection
- uses: bufbuild/buf-action@v1
+ uses: bufbuild/buf-action@fd21066df7214747548607aaa45548ba2b9bc1ff # v1.4.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 push: false
@@ -166,13 +166,13 @@ jobs:
 name: Contracts Lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Init public submodules
 run: git submodule update --init contracts/lib/forge-std contracts/lib/openzeppelin-contracts contracts/lib/openzeppelin-contracts-upgradeable
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 22
 cache: npm
@@ -205,7 +205,7 @@ jobs:
 needs: contracts-lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Init public submodules
 run: git submodule update --init contracts/lib/forge-std contracts/lib/openzeppelin-contracts contracts/lib/openzeppelin-contracts-upgradeable
@@ -227,7 +227,7 @@ jobs:
 needs: contracts-build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Init public submodules
 run: git submodule update --init contracts/lib/forge-std contracts/lib/openzeppelin-contracts contracts/lib/openzeppelin-contracts-upgradeable
@@ -261,17 +261,17 @@ jobs:
 - target: consensus
 dockerfile: deployments/Dockerfile.consensus
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Get short SHA
 id: short-sha
 run: echo "sha=$(echo ${{ github.sha }} | cut -c1-8)" >> $GITHUB_OUTPUT
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Build ${{ matrix.target }} image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 file: ${{ matrix.dockerfile }}
diff --git a/.github/workflows/release-binaries.yaml b/.github/workflows/release-binaries.yaml
index 15ad43e..80128ed 100644
--- a/.github/workflows/release-binaries.yaml
+++ b/.github/workflows/release-binaries.yaml
@@ -62,7 +62,7 @@ jobs:
 echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
 submodules: recursive
@@ -98,7 +98,7 @@ jobs:
 tool: sccache
 - name: Configure sccache
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 script: |
 core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
@@ -121,7 +121,7 @@ jobs:
 run: ./scripts/release-package.sh "$TAG" "$TARGET"
 - name: Upload build artifacts
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: release-${{ matrix.target }}
 path: release-assets/
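Review bot: Nothing visible in release-binaries.yaml fails the job if the downloaded artifact set comes back empty or laid out differently, and this change crosses several majors of both artifact actions at once: `actions/upload-artifact` v4.6.2 to v7.0.1 in the hunk at -121, and `actions/download-artifact` v4.3.0 to v8.0.1 in the later hunks at -137 and -197. The signing job consumes whatever `pattern: release-*` with `merge-multiple: true` produces, and I cannot confirm from the diff that the new majors keep that layout identical. A guard before the signing loop, for example `test -n "$(ls -A release-assets/)"`, would turn a silently empty release into a failed job. The steps between download and upload lie outside these hunks, so an equivalent check may already exist there.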
@@ -137,7 +137,7 @@ jobs:
 HAS_RELEASE_GPG_KEY: ${{ secrets.RELEASE_GPG_PRIVATE_KEY != '' }}
 steps:
 - name: Download build artifacts
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 pattern: release-*
 merge-multiple: true
@@ -145,7 +145,7 @@ jobs:
 - name: Import GPG key
 if: env.HAS_RELEASE_GPG_KEY == 'true'
- uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+ uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
 with:
 gpg_private_key: ${{ secrets.RELEASE_GPG_PRIVATE_KEY }}
@@ -157,7 +157,7 @@ jobs:
 done
 - name: Upload release assets
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: release-assets
 path: release-assets/
@@ -197,7 +197,7 @@ jobs:
 fi
 - name: Download build artifacts
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: release-assets
 path: release-assets/
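Review bot: The `Import GPG key` step (hunk at -145) hands `secrets.RELEASE_GPG_PRIVATE_KEY` to a third-party action whose pin moves across a major, `crazy-max/ghaction-import-gpg` v6.3.0 to v7.0.0, and the only evidence that the new SHA is that release is the trailing `# v7.0.0` comment, which nothing checks. Before merging I would confirm in the upstream repository that `2dc316deee8e90f13e1a351ab510b4d5bc0c82cd` is the commit the `v7.0.0` tag points to, and read the changes between the two pinned commits, because this step sees the release signing key. The same SHA-to-tag check applies to the other pins in this change, but this is the one where a wrong commit costs the most. The rest of the signing job is outside the hunk.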