diff --git a/.github/actions/secure-project-checkout-node/action.yml b/.github/actions/secure-project-checkout-node/action.yml index 5c9726e514..bc3a4d1a7e 100644 --- a/.github/actions/secure-project-checkout-node/action.yml +++ b/.github/actions/secure-project-checkout-node/action.yml @@ -41,6 +41,6 @@ runs: path: ${{ inputs.path }} - name: Set up Node environment - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: ${{ inputs.node-version }} diff --git a/.github/actions/sign-attestations/package-lock.json b/.github/actions/sign-attestations/package-lock.json index 8b732d2cb7..b247d57d16 100644 --- a/.github/actions/sign-attestations/package-lock.json +++ b/.github/actions/sign-attestations/package-lock.json @@ -11,7 +11,7 @@ "dependencies": { "@actions/core": "1.10.1", "@actions/github": "5.1.1", - "@sigstore/rekor-types": "1.0.0", + "@sigstore/rekor-types": "2.0.0", "sigstore": "2.2.2", "tscommon": "file:../tscommon/tscommon-0.0.0.tgz" }, @@ -446,11 +446,12 @@ } }, "node_modules/@sigstore/rekor-types": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@sigstore/rekor-types/-/rekor-types-1.0.0.tgz", - "integrity": "sha512-edxXHjtRDU1pj5uVy4ehDSrFdSkLQYhe22x+OF0n8OIJk7sh5+bLu/I7O/YL9dH0AfpMxMme1J2tb5wVdTc61A==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@sigstore/rekor-types/-/rekor-types-2.0.0.tgz", + "integrity": "sha512-gArf4ZWF5PNjxSlOZnNePwKTJ8uXn10D2jRm1e7CKSOZmRdblW0rHbGhjeVn312M+vuXzyaeii7jm0fcmA1UsQ==", + "license": "Apache-2.0", "engines": { - "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + "node": "^16.14.0 || >=18.0.0" } }, "node_modules/@sigstore/sign": { diff --git a/.github/actions/sign-attestations/package.json b/.github/actions/sign-attestations/package.json index 9bcddcfa89..05e055ad15 100644 --- a/.github/actions/sign-attestations/package.json +++ b/.github/actions/sign-attestations/package.json @@ -30,7 +30,7 @@ "dependencies": { "@actions/core": "1.10.1", "@actions/github": "5.1.1", - "@sigstore/rekor-types": "1.0.0", + "@sigstore/rekor-types": "2.0.0", "sigstore": "2.2.2", "tscommon": "file:../tscommon/tscommon-0.0.0.tgz" } diff --git a/.github/actions/verify-token/package-lock.json b/.github/actions/verify-token/package-lock.json index c3c8523a2a..0e608cd777 100644 --- a/.github/actions/verify-token/package-lock.json +++ b/.github/actions/verify-token/package-lock.json @@ -12,7 +12,7 @@ "@actions/core": "1.10.1", "@actions/github": "5.1.1", "@octokit/webhooks-types": "7.3.1", - "@sigstore/rekor-types": "1.0.0", + "@sigstore/rekor-types": "2.0.0", "sigstore": "2.2.2", "tscommon": "file:../tscommon/tscommon-0.0.0.tgz", "yaml": "2.3.3" @@ -1736,11 +1736,11 @@ } }, "node_modules/@sigstore/rekor-types": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@sigstore/rekor-types/-/rekor-types-1.0.0.tgz", - "integrity": "sha512-edxXHjtRDU1pj5uVy4ehDSrFdSkLQYhe22x+OF0n8OIJk7sh5+bLu/I7O/YL9dH0AfpMxMme1J2tb5wVdTc61A==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@sigstore/rekor-types/-/rekor-types-2.0.0.tgz", + "integrity": "sha512-gArf4ZWF5PNjxSlOZnNePwKTJ8uXn10D2jRm1e7CKSOZmRdblW0rHbGhjeVn312M+vuXzyaeii7jm0fcmA1UsQ==", "engines": { - "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + "node": "^16.14.0 || >=18.0.0" } }, "node_modules/@sigstore/sign": { @@ -9000,9 +9000,9 @@ "integrity": "sha512-zxiQ66JFOjVvP9hbhGj/F/qNdsZfkGb/dVXSanNRNuAzMlr4MC95voPUBX8//ZNnmv3uSYzdfR/JSkrgvZTGxA==" }, "@sigstore/rekor-types": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@sigstore/rekor-types/-/rekor-types-1.0.0.tgz", - "integrity": "sha512-edxXHjtRDU1pj5uVy4ehDSrFdSkLQYhe22x+OF0n8OIJk7sh5+bLu/I7O/YL9dH0AfpMxMme1J2tb5wVdTc61A==" + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@sigstore/rekor-types/-/rekor-types-2.0.0.tgz", + "integrity": "sha512-gArf4ZWF5PNjxSlOZnNePwKTJ8uXn10D2jRm1e7CKSOZmRdblW0rHbGhjeVn312M+vuXzyaeii7jm0fcmA1UsQ==" }, "@sigstore/sign": { "version": "2.2.3", @@ -12838,7 +12838,7 @@ } }, "tscommon": { - "version": "file:..\\tscommon\\tscommon-0.0.0.tgz", + "version": "file:../tscommon/tscommon-0.0.0.tgz", "integrity": "sha512-i1kF4tw4dJ7Lq+5IBXThmImwKDC+LfhipAql9sthe9ktMmAQzyrgdHqnUjoIjLUSnnP7yQloa9WabFQJ9yROPQ==" }, "tsconfig-paths": { diff --git a/.github/actions/verify-token/package.json b/.github/actions/verify-token/package.json index 7c1613e4c0..1f8c7951e3 100644 --- a/.github/actions/verify-token/package.json +++ b/.github/actions/verify-token/package.json @@ -25,7 +25,7 @@ "@actions/core": "1.10.1", "@actions/github": "5.1.1", "@octokit/webhooks-types": "7.3.1", - "@sigstore/rekor-types": "1.0.0", + "@sigstore/rekor-types": "2.0.0", "sigstore": "2.2.2", "tscommon": "file:../tscommon/tscommon-0.0.0.tgz", "yaml": "2.3.3" diff --git a/.github/workflows/builder_container-based_slsa3.yml b/.github/workflows/builder_container-based_slsa3.yml index 9e2cb93bf1..5ebccd0e52 100644 --- a/.github/workflows/builder_container-based_slsa3.yml +++ b/.github/workflows/builder_container-based_slsa3.yml @@ -306,7 +306,7 @@ jobs: - id: auth name: Authenticate to Google Cloud if: inputs.gcp-workload-identity-provider != '' - uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1 + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 with: token_format: "access_token" workload_identity_provider: ${{ inputs.gcp-workload-identity-provider }} @@ -633,13 +633,13 @@ jobs: SLSA_OUTPUTS_NAME: ${{ needs.build.outputs.slsa-outputs-name }} RNG: ${{ needs.rng.outputs.value }} steps: - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 + - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 with: name: "${{ env.BUILD_DEFINITION_NAME }}-${{ env.RNG }}" useGlob: true - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 + - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 with: name: "${{ env.SLSA_OUTPUTS_NAME }}-${{ env.RNG }}" - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 + - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 with: name: "${{ env.BUILDER_BINARY }}-${{ env.RNG }}" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6dc5e5fecc..02ebe42dc5 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -59,7 +59,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 + uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -72,7 +72,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 + uses: github/codeql-action/autobuild@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5 # Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -85,7 +85,7 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 + uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5 # NOTE: Checks that the matrix job above completes successfully. # This is necessary because the matrix strategy generates new jobs with diff --git a/.github/workflows/delegator_generic_slsa3.yml b/.github/workflows/delegator_generic_slsa3.yml index ede70d957d..3935e2ca0b 100644 --- a/.github/workflows/delegator_generic_slsa3.yml +++ b/.github/workflows/delegator_generic_slsa3.yml @@ -294,9 +294,9 @@ jobs: env: RNG: ${{ needs.rng.outputs.value }} steps: - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 + - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 with: name: "${{ env.RNG }}-${{ env.SLSA_PREDICATE_FILE }}" - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 + - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 with: name: "${{ env.RNG }}-${{ env.SLSA_ARTIFACTS_FILE }}" diff --git a/.github/workflows/delegator_lowperms-generic_slsa3.yml b/.github/workflows/delegator_lowperms-generic_slsa3.yml index b3d0a68ad1..bfee2d7e95 100644 --- a/.github/workflows/delegator_lowperms-generic_slsa3.yml +++ b/.github/workflows/delegator_lowperms-generic_slsa3.yml @@ -297,9 +297,9 @@ jobs: env: RNG: ${{ needs.rng.outputs.value }} steps: - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 + - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 with: name: "${{ env.RNG }}-${{ env.SLSA_PREDICATE_FILE }}" - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 + - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 with: name: "${{ env.RNG }}-${{ env.SLSA_ARTIFACTS_FILE }}" diff --git a/.github/workflows/e2e.sign-attestations.schedule.yml b/.github/workflows/e2e.sign-attestations.schedule.yml index bee0082e14..01ba42fe1e 100644 --- a/.github/workflows/e2e.sign-attestations.schedule.yml +++ b/.github/workflows/e2e.sign-attestations.schedule.yml @@ -40,7 +40,7 @@ jobs: attestations: .github/actions/sign-attestations/testdata/attestations output-folder: outputs - name: Setup node - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4 with: node-version: 20 - name: install sigstore-js diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml index bf6ca8a8fe..4d2e325f30 100644 --- a/.github/workflows/generator_container_slsa3.yml +++ b/.github/workflows/generator_container_slsa3.yml @@ -158,7 +158,7 @@ jobs: - id: auth name: Authenticate to Google Cloud if: inputs.gcp-workload-identity-provider != '' - uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1 + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 with: token_format: "access_token" workload_identity_provider: ${{ inputs.gcp-workload-identity-provider }} diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index d25ecdbf64..44560724c4 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -78,7 +78,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set Node.js 18 - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 18 diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml index 8e6530dca5..f6c903e504 100644 --- a/.github/workflows/pre-submit.lint.yml +++ b/.github/workflows/pre-submit.lint.yml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 + - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 20 - run: make markdownlint @@ -41,7 +41,7 @@ jobs: name: markdown-toc runs-on: ubuntu-latest steps: - - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 + - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 20 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -79,8 +79,8 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: shellcheck env: - SHELLCHECK_VERSION: "0.8.0" - SHELLCHECK_CHECKSUM: "ab6ee1b178f014d1b86d1e24da20d1139656c8b0ed34d2867fbb834dad02bf0a" + SHELLCHECK_VERSION: "0.10.0" + SHELLCHECK_CHECKSUM: "6c881ab0698e4e6ea235245f22832860544f17ba386442fe7e9d629f8cbedf87" run: | set -euo pipefail @@ -97,8 +97,8 @@ jobs: - name: actionlint env: - ACTIONLINT_VERSION: "1.6.24" - ACTIONLINT_CHECKSUM: "3c5818744143a5d6754edd3dcc4c2b32c9dfcdd3bb30e0e108fb5e5c505262d4" + ACTIONLINT_VERSION: "1.7.0" + ACTIONLINT_CHECKSUM: "8aae9148f61952d11a97651852fdc7dffd2b762ed3cdd28b3c2232ae5f55d4db" run: | set -euo pipefail @@ -130,7 +130,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 + - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 20 - run: make eslint @@ -139,7 +139,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 + - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 20 - run: make renovate-config-validator diff --git a/.github/workflows/pre-submit.units.yml b/.github/workflows/pre-submit.units.yml index 5e8d6868f1..1ee05c4cd0 100644 --- a/.github/workflows/pre-submit.units.yml +++ b/.github/workflows/pre-submit.units.yml @@ -43,7 +43,7 @@ jobs: go-version-file: "go.mod" - name: Set Node.js 16 - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 16 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index ab72542953..146e51440f 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 + uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5 with: sarif_file: results.sarif diff --git a/.github/workflows/update-actions-dist-post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml new file mode 100644 index 0000000000..4ef58230f2 --- /dev/null +++ b/.github/workflows/update-actions-dist-post-commit.yml @@ -0,0 +1,117 @@ +# Copyright 2023 SLSA Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# A workflow to run against renovate-bot's PRs, +# such as `make package` after it updates the package.json and package-lock.json files. + +# The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact. +# Then a higher-privilege Job applies the diff and pushes the changes to the PR. +# It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes! + +# There have been vulnerabilities with using `git apply` https://github.blog/2023-04-25-git-security-vulnerabilities-announced-4/ +# At this point a compromised git binary cannot modify any of this repo's branches, only the PR fork's branch, +# due to our branch protection rules and CODEOWNERS. +# It aslso cannot submit a new release or modify exsiting releases due to tag protection rules. + +name: Update actions dist post-commit + +permissions: {} + +on: + workflow_dispatch: + inputs: + pr_number: + description: "The pull request number." + required: true + type: number + +jobs: + diff: + permissions: + # This Job executes the PR's untrusted code, so it must how low permissions. + pull-requests: read + outputs: + patch_not_empty: ${{ steps.diff.outputs.patch_not_empty }} + runs-on: ubuntu-latest + steps: + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + repository: ${{ github.repository }} + persist-credentials: false + - name: checkout-pr + env: + GH_TOKEN: ${{ github.token }} + PR_NUMBER: ${{ inputs.pr_number }} + run: gh pr checkout "$PR_NUMBER" + - name: run-command + run: | + find ./ -name "dist" -not -path "*/node_modules/*" -print0 \ + | xargs -0 dirname \ + | xargs -I {} sh -c '( + echo "Updating {}" && \ + cd {} && \ + make clean \ + && make package + )' + + - name: diff + id: diff + run: | + git add . + git status + git diff HEAD > changes.patch + [ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true + echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT" + - name: upload + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: changes.patch + path: changes.patch + + push: + if: needs.diff.outputs.patch_not_empty == 'true' + needs: diff + runs-on: ubuntu-latest + permissions: + # This Job does not run untrusted code, but it does need to push changes to the PR's branch. + pull-requests: read + contents: write + steps: + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: checkout-pr + env: + GH_TOKEN: ${{ github.token }} + PR_NUMBER: ${{ inputs.pr_number }} + run: gh pr checkout "$PR_NUMBER" + - name: download-patch + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + with: + name: changes.patch + - id: apply + run: | + git apply changes.patch + rm changes.patch + # example from + # https://github.com/actions/checkout/blob/cd7d8d697e10461458bc61a30d094dc601a8b017/README.md#push-a-commit-using-the-built-in-token + - name: push + run: | + git config user.name github-actions + git config user.email github-actions@github.com + git add . + git status + git commit -s -m "update actions dist" + git push diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d6ca12340f..b2024b41a1 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -26,6 +26,8 @@ welcome! - [Development Basics](#development-basics) - [Make your changes](#make-your-changes) - [Run tests](#run-tests) + - [Updating Github Actions Dependencies](#updating-github-actions-dependencies) + - [Renovate-Bot PRs](#renovate-bot-prs) - [Submit a PR](#submit-a-pr) - [Preferred Languages](#preferred-languages) - [Testing](#testing) @@ -167,6 +169,26 @@ git merge --signoff main Before you submit your change run the unit tests and linters to ensure your changes are ready to go. See the [Testing](#testing) section for more info. +#### Updating Github Actions Dependencies + +##### Renovate-Bot PRs + +`renovate-bot` will periodically send PRs to update the `package.json` and `package-lock.json` in the Github Actions of this repo. +But, it will not also automatically recompile the packages into `.js` files. + +We use a Workflow [Update actions dist post-commit](../.github/workflows/update-actions-dist-post-commit.yml) to +help maintainers easily recompile the Github Actions against a PR. + +Use the UI to invoke the workflow + +[update-actions-dist-post-commit.yml](https://github.com/slsa-framework/slsa-verifier/actions/workflows/update-actions-dist-post-commit.yml) + +or invoke with + +```shell +gh workflow run update-actions-dist-post-commit.yml -F pr_number= +``` + #### Submit a PR Once your change is ready you can submit a PR via the website. diff --git a/actions/delegator/setup-generic/package-lock.json b/actions/delegator/setup-generic/package-lock.json index afe4985df2..cfb1bc84e5 100644 --- a/actions/delegator/setup-generic/package-lock.json +++ b/actions/delegator/setup-generic/package-lock.json @@ -11,7 +11,7 @@ "dependencies": { "@actions/core": "1.10.1", "@actions/github": "5.1.1", - "@sigstore/rekor-types": "1.0.0", + "@sigstore/rekor-types": "2.0.0", "sigstore": "2.2.2", "tscommon": "file:../../../.github/actions/tscommon/tscommon-0.0.0.tgz" }, @@ -449,11 +449,11 @@ } }, "node_modules/@sigstore/rekor-types": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@sigstore/rekor-types/-/rekor-types-1.0.0.tgz", - "integrity": "sha512-edxXHjtRDU1pj5uVy4ehDSrFdSkLQYhe22x+OF0n8OIJk7sh5+bLu/I7O/YL9dH0AfpMxMme1J2tb5wVdTc61A==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@sigstore/rekor-types/-/rekor-types-2.0.0.tgz", + "integrity": "sha512-gArf4ZWF5PNjxSlOZnNePwKTJ8uXn10D2jRm1e7CKSOZmRdblW0rHbGhjeVn312M+vuXzyaeii7jm0fcmA1UsQ==", "engines": { - "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + "node": "^16.14.0 || >=18.0.0" } }, "node_modules/@sigstore/sign": { @@ -5198,9 +5198,9 @@ "integrity": "sha512-zxiQ66JFOjVvP9hbhGj/F/qNdsZfkGb/dVXSanNRNuAzMlr4MC95voPUBX8//ZNnmv3uSYzdfR/JSkrgvZTGxA==" }, "@sigstore/rekor-types": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@sigstore/rekor-types/-/rekor-types-1.0.0.tgz", - "integrity": "sha512-edxXHjtRDU1pj5uVy4ehDSrFdSkLQYhe22x+OF0n8OIJk7sh5+bLu/I7O/YL9dH0AfpMxMme1J2tb5wVdTc61A==" + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@sigstore/rekor-types/-/rekor-types-2.0.0.tgz", + "integrity": "sha512-gArf4ZWF5PNjxSlOZnNePwKTJ8uXn10D2jRm1e7CKSOZmRdblW0rHbGhjeVn312M+vuXzyaeii7jm0fcmA1UsQ==" }, "@sigstore/sign": { "version": "2.2.3", @@ -8083,7 +8083,7 @@ "requires": {} }, "tscommon": { - "version": "file:..\\..\\..\\.github\\actions\\tscommon\\tscommon-0.0.0.tgz", + "version": "file:../../../.github/actions/tscommon/tscommon-0.0.0.tgz", "integrity": "sha512-i1kF4tw4dJ7Lq+5IBXThmImwKDC+LfhipAql9sthe9ktMmAQzyrgdHqnUjoIjLUSnnP7yQloa9WabFQJ9yROPQ==" }, "tsconfig-paths": { diff --git a/actions/delegator/setup-generic/package.json b/actions/delegator/setup-generic/package.json index 40725ffceb..9b4fdfaed5 100644 --- a/actions/delegator/setup-generic/package.json +++ b/actions/delegator/setup-generic/package.json @@ -22,7 +22,7 @@ "dependencies": { "@actions/core": "1.10.1", "@actions/github": "5.1.1", - "@sigstore/rekor-types": "1.0.0", + "@sigstore/rekor-types": "2.0.0", "sigstore": "2.2.2", "tscommon": "file:../../../.github/actions/tscommon/tscommon-0.0.0.tgz" }, diff --git a/actions/gradle/publish/action.yml b/actions/gradle/publish/action.yml index 5fef2d7b46..e636fcfd11 100644 --- a/actions/gradle/publish/action.yml +++ b/actions/gradle/publish/action.yml @@ -52,7 +52,7 @@ runs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up JDK - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 env: MAVEN_USERNAME: ${{ inputs.maven-username }} MAVEN_PASSWORD: ${{ inputs.maven-password }} diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index e7e24fd0ad..34775f3fb0 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -47,7 +47,7 @@ runs: - name: Checkout the project repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources. - name: Set up Java for publishing to Maven Central Repository - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 env: MAVEN_USERNAME: ${{ inputs.maven-username }} MAVEN_PASSWORD: ${{ inputs.maven-password }} diff --git a/internal/builders/bazel/action.yml b/internal/builders/bazel/action.yml index 191ec0fa8f..d5388162f5 100644 --- a/internal/builders/bazel/action.yml +++ b/internal/builders/bazel/action.yml @@ -49,11 +49,11 @@ runs: - name: Setup Bazelisk id: bazelisk - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 - name: Setup Java id: java - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: distribution: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-distribution }}" java-version: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-version }}" diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml index 7c2d693cee..bb4375825a 100644 --- a/internal/builders/gradle/action.yml +++ b/internal/builders/gradle/action.yml @@ -58,12 +58,12 @@ runs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up JDK - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} - name: Setup Gradle - uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a # v2.9.0 + uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2 - name: Run gradle builder id: run_gradle_builder shell: bash diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 4fd7a113f6..9115f24868 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -58,7 +58,7 @@ runs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v 3.5.2 - name: Set up JDK - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} diff --git a/internal/builders/nodejs/action.yml b/internal/builders/nodejs/action.yml index f605d6207b..a04b78bc76 100644 --- a/internal/builders/nodejs/action.yml +++ b/internal/builders/nodejs/action.yml @@ -65,7 +65,7 @@ runs: # checkout ourselves. - name: Setup Node - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: ${{ fromJson(inputs.slsa-workflow-inputs).node-version }} node-version-file: ${{ fromJson(inputs.slsa-workflow-inputs).node-version-file }}