diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 0e7523bc..02364f52 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -56,7 +56,7 @@ jobs: needs: build-push-test if: ${{ !cancelled() }} steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo: true egress-policy: audit diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml index 859b3255..bf958c03 100644 --- a/.github/workflows/image-cleanup.yml +++ b/.github/workflows/image-cleanup.yml @@ -15,7 +15,7 @@ jobs: permissions: packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete untagged and orphaned images steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo: true allowed-endpoints: > diff --git a/.github/workflows/issue-cleanup.yml b/.github/workflows/issue-cleanup.yml index 132fa01c..f858db20 100644 --- a/.github/workflows/issue-cleanup.yml +++ b/.github/workflows/issue-cleanup.yml @@ -15,7 +15,7 @@ jobs: issues: write # is needed by actions/stale to close/comment on issues pull-requests: write # is needed by actions/stale to close/comment on PRs steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/issue-creation-tool-versions.yml b/.github/workflows/issue-creation-tool-versions.yml index 5d680d83..a167613a 100644 --- a/.github/workflows/issue-creation-tool-versions.yml +++ b/.github/workflows/issue-creation-tool-versions.yml @@ -15,7 +15,7 @@ jobs: permissions: issues: write # is needed by gh cli to create/close/pin/unpin issues steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml index 2041b8f6..014a4746 100644 --- a/.github/workflows/linting-formatting.yml +++ b/.github/workflows/linting-formatting.yml @@ -26,7 +26,7 @@ jobs: pull-requests: write # is needed by oxsecurity/megalinter and reviewdog/action-suggester to post PR comments security-events: write # is needed by oxsecurity/megalinter for uploading sarif files steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo: true egress-policy: audit diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 12898432..6ed63de0 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -20,7 +20,7 @@ jobs: security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files id-token: write # is needed by ossf/scorecard-action to authenticate with OIDC steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo: true egress-policy: audit diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml index f3b3e03f..dde68df4 100644 --- a/.github/workflows/pr-conventional-title.yml +++ b/.github/workflows/pr-conventional-title.yml @@ -17,7 +17,7 @@ jobs: permissions: pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments on PRs steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo-and-containers: true allowed-endpoints: > diff --git a/.github/workflows/pr-image-cleanup.yml b/.github/workflows/pr-image-cleanup.yml index 8651ae0f..a751813f 100644 --- a/.github/workflows/pr-image-cleanup.yml +++ b/.github/workflows/pr-image-cleanup.yml @@ -14,7 +14,7 @@ jobs: permissions: packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete images steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo: true egress-policy: audit @@ -28,7 +28,7 @@ jobs: permissions: actions: write # is needed to delete workflow run caches steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/pr-report.yml b/.github/workflows/pr-report.yml index 4842d66c..122d4cbb 100644 --- a/.github/workflows/pr-report.yml +++ b/.github/workflows/pr-report.yml @@ -18,7 +18,7 @@ jobs: actions: read # is needed by philips-software/pull-request-report-action to fetch workflow run information runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 4614d0c3..9ed9faec 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -48,7 +48,7 @@ jobs: # currently provide a more fine-grained permission for release modification. contents: write # is needed to modify a release steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo-and-containers: true egress-policy: audit @@ -82,7 +82,7 @@ jobs: REF_NAME: ${{ github.ref_name }} REGISTRY: ghcr.io steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index a487d4e0..dcb5afb4 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -18,7 +18,7 @@ jobs: permissions: contents: read steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml index c277859e..f12e5412 100644 --- a/.github/workflows/release-published.yml +++ b/.github/workflows/release-published.yml @@ -14,7 +14,7 @@ jobs: permissions: pull-requests: write # is needed by rdlf0/comment-released-prs-action to post comments on PRs steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index e257028a..a202a03d 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -22,7 +22,7 @@ jobs: contents: write # is needed by peter-evans/create-pull-request to create branches and push commits pull-requests: write # is needed by peter-evans/create-pull-request to create a PR steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -56,7 +56,7 @@ jobs: contents: write # is needed by peter-evans/create-pull-request to create branches and push commits pull-requests: write # is needed by peter-evans/create-pull-request to create a PR steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index d3d7b6b2..2c0002bf 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -18,7 +18,7 @@ jobs: permissions: security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - uses: crazy-max/ghaction-container-scan@4d8e0acba576e46016cbd65b9ecfc604e85e3990 # v3.2.0 diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml index 9eb68acd..f3b1fa4a 100644 --- a/.github/workflows/wc-acceptance-test.yml +++ b/.github/workflows/wc-acceptance-test.yml @@ -35,7 +35,7 @@ jobs: name: Acceptance Test runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo: false # Playwright requires root privileges to install browsers egress-policy: audit diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml index 27cd535f..5b8fb33a 100644 --- a/.github/workflows/wc-build-push.yml +++ b/.github/workflows/wc-build-push.yml @@ -67,7 +67,7 @@ jobs: contents: read packages: write # is needed by docker/build-push-action to push images when using GitHub Container Registry steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo: true egress-policy: audit @@ -82,7 +82,7 @@ jobs: registry: ${{ inputs.registry }} username: ${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }} password: ${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }} - - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 env: DOCKER_METADATA_SET_OUTPUT_ENV: false id: metadata @@ -151,7 +151,7 @@ jobs: outputs: digest: ${{ steps.inspect-manifest.outputs.digest }} steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo: true egress-policy: audit @@ -168,7 +168,7 @@ jobs: registry: ${{ inputs.registry }} username: ${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }} password: ${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }} - - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 id: metadata env: DOCKER_METADATA_ANNOTATIONS_LEVELS: index diff --git a/.github/workflows/wc-dependency-review.yml b/.github/workflows/wc-dependency-review.yml index 03bc2d3c..a806c139 100644 --- a/.github/workflows/wc-dependency-review.yml +++ b/.github/workflows/wc-dependency-review.yml @@ -26,7 +26,7 @@ jobs: contents: read pull-requests: write # is needed by actions/dependency-review-action to write PR summaries steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/wc-document-generation.yml b/.github/workflows/wc-document-generation.yml index 24afeb86..4d31051a 100644 --- a/.github/workflows/wc-document-generation.yml +++ b/.github/workflows/wc-document-generation.yml @@ -13,7 +13,7 @@ jobs: permissions: contents: read steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml index 462f0228..22e46707 100644 --- a/.github/workflows/wc-integration-test.yml +++ b/.github/workflows/wc-integration-test.yml @@ -45,7 +45,7 @@ jobs: permissions: contents: read steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo: true egress-policy: audit diff --git a/.github/workflows/wc-sanitize-image-name.yml b/.github/workflows/wc-sanitize-image-name.yml index 878d37a2..18665c89 100644 --- a/.github/workflows/wc-sanitize-image-name.yml +++ b/.github/workflows/wc-sanitize-image-name.yml @@ -35,7 +35,7 @@ jobs: image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }} fully-qualified-image-name: ${{ inputs.registry }}/${{ steps.sanitize-image-name.outputs.sanitized-image-name }} steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: disable-sudo-and-containers: true allowed-endpoints: >