diff --git a/.github/actions/setup-test-environment/action.yml b/.github/actions/setup-test-environment/action.yml
index 55cab75..f1304ad 100644
--- a/.github/actions/setup-test-environment/action.yml
+++ b/.github/actions/setup-test-environment/action.yml
@@ -17,7 +17,7 @@ runs:
 using: composite
 steps:
 - name: Install uv
- uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 enable-cache: true
diff --git a/.github/workflows/action-security.yml b/.github/workflows/action-security.yml
index 94c5902..e38d7ea 100644
--- a/.github/workflows/action-security.yml
+++ b/.github/workflows/action-security.yml
@@ -6,11 +6,9 @@ on:
 push:
 paths:
 - '**/action.yml'
- - '**/action.yaml'
 pull_request:
 paths:
 - '**/action.yml'
- - '**/action.yaml'
 merge_group:
 concurrency:
diff --git a/.github/workflows/issue-stats.yml b/.github/workflows/issue-stats.yml
index 5778ab4..5fe9579 100644
--- a/.github/workflows/issue-stats.yml
+++ b/.github/workflows/issue-stats.yml
@@ -29,7 +29,7 @@ jobs:
 echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV"
 - name: Run issue-metrics tool
- uses: github/issue-metrics@41a7961f701cc64490f32e143af8ef479b93e87d # v4.1.0
+ uses: github/issue-metrics@6a35322ff89cee3e1a594d282c27eb34bffa9174 # v4.1.1
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 SEARCH_QUERY: 'repo:ivuorinen/actions is:issue created:${{ env.last_month }} -reason:"not planned"'
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index aba9c48..6824cb5 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -8,19 +8,17 @@ on:
 - main
 - master
 paths-ignore:
- - '**.md'
- - 'docs/**'
+ - '**/*.md'
 - '.github/*.md'
- - 'LICENSE'
+ - 'LICENSE.md'
 pull_request:
 branches:
 - main
 - master
 paths-ignore:
- - '**.md'
- - 'docs/**'
+ - '**/*.md'
 - '.github/*.md'
- - 'LICENSE'
+ - 'LICENSE.md'
 merge_group:
 env:
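Review bot: Dropping `- '**/action.yaml'` from both `paths:` filters means a composite action defined as `action.yaml` (a filename GitHub accepts alongside `action.yml`) would no longer trigger this security workflow on push or pull_request. The `.pre-commit-config.yaml` change in this same commit still matches `action\.ya?ml`, so the two filters now disagree on which files count as actions. If no `action.yaml` exists in the repository today the change is harmless, but nothing here stops one being added later; keeping `- '**/action.yaml'` in both lists, or adding a check that rejects the `.yaml` spelling, closes the gap.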
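Review bot: With `- '**/*.md'` in place, the retained `- '.github/*.md'` entry on the following line is redundant and can be dropped from both `paths-ignore` lists. The `'LICENSE'` → `'LICENSE.md'` rename only has an effect if the repository's license file actually carries the `.md` extension; worth confirming, since an ignore entry for a path that does not exist silently does nothing. Removing `- 'docs/**'` also means non-markdown changes under `docs/` now start pr-lint, which may be intended but is not explained anywhere in the diff.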
@@ -72,7 +70,7 @@ jobs:
 - name: Upload SARIF Report
 if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 sarif_file: megalinter-reports/sarif
 category: megalinter
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8a6c356..ef8cd45 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
 contents: write
 steps:
 - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
- - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+ - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
 with:
 generate_release_notes: true
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 31fe836..1c6ebba 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -53,6 +53,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
 - name: 'Upload to code-scanning'
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/security-suite.yml b/.github/workflows/security-suite.yml
index ffa73fd..175524e 100644
--- a/.github/workflows/security-suite.yml
+++ b/.github/workflows/security-suite.yml
@@ -7,16 +7,12 @@ on:
 paths:
 - '**/package.json'
 - '**/package-lock.json'
- - '**/yarn.lock'
- - '**/pnpm-lock.yaml'
- - '**/requirements.txt'
 - '**/Dockerfile'
 - '**/*.py'
 - '**/*.js'
 - '**/*.ts'
 - '**/*.yml'
 - '**/*.yaml'
- - '.github/workflows/**'
 permissions: {}
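Review bot: Removing `- '**/yarn.lock'` and `- '**/requirements.txt'` from the `paths:` filter leaves those dependency manifests matched by none of the remaining globs, so the security suite no longer runs when a yarn or pip dependency set changes, which are exactly the commits most worth scanning for supply-chain drift. `'**/pnpm-lock.yaml'` and `'.github/workflows/**'` remain covered by the `'**/*.yaml'` and `'**/*.yml'` entries, so those two deletions do not change what triggers. If dropping the lockfile triggers is deliberate, a one-line comment above `paths:` saying why would stop the next reader from restoring them; otherwise keep `- '**/yarn.lock'` and `- '**/requirements.txt'` in the list.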
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 070aa0e..b4e5a33 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -8,7 +8,6 @@ on:
 - main
 - master
 paths:
- - '.github/labels.yml'
 - '.github/workflows/sync-labels.yml'
 - 'sync-labels/action.yml'
 - 'sync-labels/labels.yml'
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
index fad28f1..483d3cd 100644
--- a/.github/workflows/test-actions.yml
+++ b/.github/workflows/test-actions.yml
@@ -73,7 +73,7 @@ jobs:
 if: always()
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 if: always() && hashFiles('_tests/reports/test-results.sarif') != ''
 with:
 sarif_file: _tests/reports/test-results.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e3def24..06ed6e3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,7 +14,7 @@ repos:
 types: [markdown, python, yaml]
 files: ^(docs/.*|README\.md|CONTRIBUTING\.md|CHANGELOG\.md|.*\.py|.*\.ya?ml)$
 - repo: https://github.com/astral-sh/uv-pre-commit
- rev: 0.10.9
+ rev: 0.10.11
 hooks:
 - id: uv-lock
 - id: uv-sync
@@ -67,30 +67,36 @@ repos:
 rev: v3.12.0-2
 hooks:
 - id: shfmt
- args: ['--apply-ignore']
+ args: ["--apply-ignore"]
 exclude: '^_tests/.*\.sh$'
 - repo: https://github.com/shellcheck-py/shellcheck-py
 rev: v0.11.0.1
 hooks:
 - id: shellcheck
- args: ['-x']
+ args: ["-x"]
 exclude: '^_tests/.*\.sh$'
 - repo: https://github.com/rhysd/actionlint
 rev: v1.7.11
 hooks:
 - id: actionlint
- args: ['-shellcheck=']
+ args: ["-shellcheck="]
 - repo: https://github.com/bridgecrewio/checkov.git
- rev: '3.2.508'
+ rev: "3.2.510"
 hooks:
 - id: checkov
 args:
- - '--quiet'
+ - "--quiet"
 - repo: https://github.com/gitleaks/gitleaks
 rev: v8.30.1
 hooks:
 - id: gitleaks
+
+ - repo: https://github.com/mpalmer/action-validator
+ rev: v0.8.0
+ hooks:
+ - id: action-validator
+ files: '(^\.github/workflows/.*\.ya?ml$|.*/action\.ya?ml$)'
diff --git a/CLAUDE.md b/CLAUDE.md
index 751a7ca..8efcaeb 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
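Review bot: The new `action-validator` entry pins `rev: v0.8.0`, a movable tag, whereas every `uses:` line elsewhere in this commit is pinned to a full commit SHA with the tag kept in a trailing comment; pre-commit accepts a 40-character SHA in `rev`, so the same immutability is available here. The file already pins its other hooks by tag, so this is consistent with the file rather than wrong, but it is the one place in this commit where a tag move could silently change what runs. Separately, the hunk switches the `args` and `rev` values to double quotes while the `exclude: '^_tests/.*\.sh$'` lines and the new `files:` pattern keep single quotes, so the file now mixes both styles inside the same stanzas; pick one and apply it file-wide.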
@@ -168,3 +168,78 @@ Check: `make check-version-refs` --- All actions modular and externally usable. No exceptions to any rule. + +## context-mode — MANDATORY routing rules + +You have context-mode MCP tools available. These rules are NOT optional — they protect your context window from flooding. A single unrouted command can dump 56 KB into context and waste the entire session. + +### BLOCKED commands — do NOT attempt these + +#### curl / wget — BLOCKED + +Any Bash command containing `curl` or `wget` is intercepted and replaced with an error message. Do NOT retry. +Instead use: + +- `ctx_fetch_and_index(url, source)` to fetch and index web pages +- `ctx_execute(language: "javascript", code: "const r = await fetch(...)")` to run HTTP calls in sandbox + +#### Inline HTTP — BLOCKED + +Any Bash command containing `fetch('http`, `requests.get(`, `requests.post(`, `http.get(`, or `http.request(` is intercepted and replaced with an error message. Do NOT retry with Bash. +Instead use: + +- `ctx_execute(language, code)` to run HTTP calls in sandbox — only stdout enters context + +#### WebFetch — BLOCKED + +WebFetch calls are denied entirely. The URL is extracted and you are told to use `ctx_fetch_and_index` instead. +Instead use: + +- `ctx_fetch_and_index(url, source)` then `ctx_search(queries)` to query the indexed content + +### REDIRECTED tools — use sandbox equivalents + +#### Bash (>20 lines output) + +Bash is ONLY for: `git`, `mkdir`, `rm`, `mv`, `cd`, `ls`, `npm install`, `pip install`, and other short-output commands. +For everything else, use: + +- `ctx_batch_execute(commands, queries)` — run multiple commands + search in ONE call +- `ctx_execute(language: "shell", code: "...")` — run in sandbox, only stdout enters context + +#### Read (for analysis) + +If you are reading a file to **Edit** it → Read is correct (Edit needs content in context). +If you are reading to **analyze, explore, or summarize** → use `ctx_execute_file(path, language, code)` instead. 
Only your printed summary enters context. The raw file content stays in the sandbox. + +#### Grep (large results) + +Grep results can flood context. Use `ctx_execute(language: "shell", code: "grep ...")` to run searches in sandbox. Only your printed summary enters context. + +### Tool selection hierarchy + +1. **GATHER**: `ctx_batch_execute(commands, queries)` — Primary tool. Runs all commands, auto-indexes output, returns search results. ONE call replaces 30+ individual calls. +2. **FOLLOW-UP**: `ctx_search(queries: ["q1", "q2", ...])` — Query indexed content. Pass ALL questions as array in ONE call. +3. **PROCESSING**: `ctx_execute(language, code)` | `ctx_execute_file(path, language, code)` — Sandbox execution. Only stdout enters context. +4. **WEB**: `ctx_fetch_and_index(url, source)` then `ctx_search(queries)` — Fetch, chunk, index, query. Raw HTML never enters context. +5. **INDEX**: `ctx_index(content, source)` — Store content in FTS5 knowledge base for later search. + +### Subagent routing + +When spawning subagents (Agent/Task tool), the routing block is automatically injected into their prompt. +Bash-type subagents are upgraded to general-purpose so they have access to MCP tools. +You do NOT need to manually instruct subagents about context-mode. + +### Output constraints + +- Keep responses under 500 words. +- Write artifacts (code, configs, PRDs) to FILES — never return them as inline text. Return only: file path + 1-line description. +- When indexing content, use descriptive source labels so others can `ctx_search(source: "label")` later. + +### ctx commands + +| Command | Action | +|---------|--------| +| `ctx stats` | Call the `ctx_stats` MCP tool and display the full output verbatim | +| `ctx doctor` | Call the `ctx_doctor` MCP tool, run the returned shell command, display as checklist | +| `ctx upgrade` | Call the `ctx_upgrade` MCP tool, run the returned shell command, display as checklist | 
diff --git a/Makefile b/Makefile
index 28bb121..a79ce8e 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 # Makefile for GitHub Actions repository
 # Provides organized task management with parallel execution capabilities
-.PHONY: help all docs update-catalog lint format check clean install-tools test test-unit test-integration test-coverage generate-tests generate-tests-dry test-generate-tests docker-build docker-push docker-test docker-login docker-all release release-dry release-prep release-tag release-undo update-version-refs bump-major-version check-version-refs
+.PHONY: help all docs update-catalog lint format check clean install-tools test test-unit test-integration test-coverage generate-tests generate-tests-dry test-generate-tests docker-build docker-push docker-test docker-login docker-all release release-dry release-prep release-tag release-undo update-version-refs bump-major-version check-version-refs lint-actions
 .DEFAULT_GOAL := help
 # Colors for output
@@ -98,7 +98,7 @@ update-validators-dry: ## Preview validation rules changes (dry run)
 format: format-markdown format-yaml-json format-python ## Format all files
 @echo "$(GREEN)✅ All files formatted$(RESET)"
-lint: lint-markdown lint-yaml lint-shell lint-python ## Run all linters
+lint: lint-markdown lint-yaml lint-shell lint-python lint-actions ## Run all linters
 @echo "$(GREEN)✅ All linting completed$(RESET)"
 check: check-tools check-syntax check-local-refs ## Quick syntax and tool availability checks
@@ -322,6 +322,20 @@ lint-python: ## Lint Python files with ruff and pyright
 echo "$(GREEN)✅ Python linting and type checking passed$(RESET)"; \
 fi
+lint-actions: ## Validate GitHub Actions workflows and action.yml files
+ @echo "$(BLUE)🔍 Validating GitHub Actions...$(RESET)"
+ @if command -v pre-commit >/dev/null 2>&1; then \
+ if PRE_COMMIT_USE_UV=1 pre-commit run action-validator --all-files; then \
+ echo "$(GREEN)✅ Actions validation passed$(RESET)"; \
+ else \
+ echo "$(RED)❌ Actions validation failed$(RESET)" | tee -a $(LOG_FILE); \
+ exit 1; \
+ fi; \
+ else \
+ echo "$(RED)❌ pre-commit not found. Install it via 'make install-tools' before linting$(RESET)"; \
+ exit 1; \
+ fi
+
 # Check targets
 check-tools: ## Check if required tools are available
 @echo "$(BLUE)🔧 Checking required tools...$(RESET)"
diff --git a/ansible-lint-fix/action.yml b/ansible-lint-fix/action.yml
index e371fb5..17079d1 100644
--- a/ansible-lint-fix/action.yml
+++ b/ansible-lint-fix/action.yml
@@ -83,7 +83,7 @@ runs:
 - name: Install ansible-lint
 id: install-ansible-lint
 if: steps.check-files.outputs.files_found == 'true'
- uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+ uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
 with:
 timeout_minutes: 5
 max_attempts: ${{ inputs.max-retries }}
@@ -130,6 +130,6 @@ runs:
 - name: Upload SARIF Report
 if: steps.check-files.outputs.files_found == 'true'
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 sarif_file: ansible-lint.sarif
diff --git a/biome-lint/action.yml b/biome-lint/action.yml
index 65dde5d..0a8ee63 100644
--- a/biome-lint/action.yml
+++ b/biome-lint/action.yml
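Review bot: In the new `lint-actions` target the validation-failure branch appends its message to the log with `| tee -a $(LOG_FILE)`, but the `pre-commit not found` branch a few lines below echoes to stdout only, so a run that never reached the validator leaves no trace in the log file. Either both failure paths should pipe through `tee -a $(LOG_FILE)` or neither; how the other lint targets treat `LOG_FILE` is outside this hunk, so match whichever convention they use. `$(LOG_FILE)` is also unquoted in that pipeline, which only works if the variable never contains whitespace.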
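Review bot: `nick-fields/retry` moves from v3.0.2 to v4.0.0, a major version, and the same bump is applied in csharp-build, csharp-publish, go-build and php-tests. The only inputs visible in these hunks are `timeout_minutes` and `max_attempts`; whether v4 kept their names and semantics, or changed its runtime requirements, is not shown here and should be confirmed against the action's release notes before merging, since a silently ignored `max_attempts` would turn the retry wrapper into a single attempt. Each affected `with:` block continues past the end of its hunk.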
@@ -212,13 +212,13 @@ runs:
 - name: Setup Bun
 if: steps.detect-pm.outputs.package-manager == 'bun'
- uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
 - name: Cache Node Dependencies
 id: cache
- uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: node_modules
 key: ${{ runner.os }}-biome-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -331,7 +331,7 @@ runs:
 - name: Upload SARIF Report
 if: inputs.mode == 'check' && always()
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 sarif_file: biome-report.sarif
diff --git a/codeql-analysis/action.yml b/codeql-analysis/action.yml
index c5db5d0..e892a91 100644
--- a/codeql-analysis/action.yml
+++ b/codeql-analysis/action.yml
@@ -186,7 +186,7 @@ runs:
 echo "Using build mode: $build_mode"
 - name: Initialize CodeQL
- uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 languages: ${{ inputs.language }}
 queries: ${{ inputs.queries }}
@@ -199,12 +199,12 @@ runs:
 threads: ${{ inputs.threads }}
 - name: Autobuild
- uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}
 - name: Perform CodeQL Analysis
 id: analysis
- uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 category: ${{ steps.set-category.outputs.category }}
 upload: ${{ inputs.upload-results }}
diff --git a/csharp-build/action.yml b/csharp-build/action.yml
index 99cf734..36cb845 100644
--- a/csharp-build/action.yml
+++ b/csharp-build/action.yml
@@ -155,7 +155,7 @@ runs:
 cache-dependency-path: '**/packages.lock.json'
 - name: Restore Dependencies
- uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+ uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
 with:
 timeout_minutes: 10
 max_attempts: ${{ inputs.max-retries }}
diff --git a/csharp-lint-check/action.yml b/csharp-lint-check/action.yml
index 87ef02a..ba99703 100644
--- a/csharp-lint-check/action.yml
+++ b/csharp-lint-check/action.yml
@@ -206,6 +206,6 @@ runs:
 fi
 - name: Upload SARIF Report
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 sarif_file: dotnet-format.sarif
diff --git a/csharp-publish/action.yml b/csharp-publish/action.yml
index 348062c..a4a5ac8 100644
--- a/csharp-publish/action.yml
+++ b/csharp-publish/action.yml
@@ -169,7 +169,7 @@ runs:
 cache-dependency-path: '**/packages.lock.json'
 - name: Restore Dependencies
- uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+ uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
 with:
 timeout_minutes: 10
 max_attempts: ${{ inputs.max-retries }}
diff --git a/docker-build/action.yml b/docker-build/action.yml
index bff91dc..45f5e20 100644
--- a/docker-build/action.yml
+++ b/docker-build/action.yml
@@ -536,7 +536,7 @@ runs:
 - name: Scan Image for Vulnerabilities
 id: scan
 if: inputs.scan-image == 'true' && inputs.dry-run != 'true'
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 with:
 scan-type: 'image'
 image-ref: ${{ steps.image-name.outputs.name }}:${{ inputs.tag }}
diff --git a/eslint-lint/action.yml b/eslint-lint/action.yml
index 7c00a34..fe871ee 100644
--- a/eslint-lint/action.yml
+++ b/eslint-lint/action.yml
@@ -319,13 +319,13 @@ runs:
 - name: Setup Bun
 if: steps.detect-pm.outputs.package-manager == 'bun'
- uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
 - name: Cache Node Dependencies
 id: cache
- uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: node_modules
 key: ${{ runner.os }}-eslint-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -457,7 +457,7 @@ runs:
 - name: Upload SARIF Report
 if: inputs.mode == 'check' && inputs.report-format == 'sarif' && always()
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 sarif_file: ${{ inputs.working-directory }}/eslint-results.sarif
diff --git a/go-build/action.yml b/go-build/action.yml
index a92ba9d..4256fb7 100644
--- a/go-build/action.yml
+++ b/go-build/action.yml
@@ -165,7 +165,7 @@ runs:
 cache: true
 - name: Download Dependencies
- uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+ uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
 with:
 timeout_minutes: 10
 max_attempts: ${{ inputs.max-retries }}
diff --git a/go-lint/action.yml b/go-lint/action.yml
index 02c32d0..5ee3300 100644
--- a/go-lint/action.yml
+++ b/go-lint/action.yml
@@ -218,7 +218,7 @@ runs:
 - name: Cache golangci-lint
 id: cache
 if: inputs.cache == 'true'
- uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: |
 ~/.cache/golangci-lint
@@ -414,7 +414,7 @@ runs:
 - name: Upload Lint Results
 if: always() && inputs.report-format == 'sarif'
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif
 category: golangci-lint
diff --git a/language-version-detect/action.yml b/language-version-detect/action.yml
index b93b166..466a6c5 100644
--- a/language-version-detect/action.yml
+++ b/language-version-detect/action.yml
@@ -5,7 +5,6 @@ name: Language Version Detect
 description: 'DEPRECATED: This action is deprecated. Inline version detection directly in your actions instead. Detects language version from project configuration files with support for PHP, Python, Go, and .NET.'
 author: 'Ismo Vuorinen'
-deprecated: true
 branding:
 icon: code
diff --git a/npm-publish/action.yml b/npm-publish/action.yml
index 4cf36f9..9813bbf 100644
--- a/npm-publish/action.yml
+++ b/npm-publish/action.yml
@@ -152,13 +152,13 @@ runs:
 - name: Setup Bun
 if: steps.detect-pm.outputs.package-manager == 'bun'
- uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
 - name: Cache Node Dependencies
 id: cache
- uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: node_modules
 key: ${{ runner.os }}-npm-publish-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
diff --git a/php-tests/action.yml b/php-tests/action.yml
index 0ddd0e6..ad095b2 100644
--- a/php-tests/action.yml
+++ b/php-tests/action.yml
@@ -319,7 +319,7 @@ runs:
 - name: Setup PHP
 id: setup-php
- uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ steps.detect-php-version.outputs.detected-version }}
 extensions: ${{ inputs.extensions }}
@@ -356,7 +356,7 @@ runs:
 - name: Cache Composer packages
 id: composer-cache
- uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: |
 vendor
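Review bot: Removing `deprecated: true` leaves the `description:` text as the only deprecation signal for this action; `deprecated` is not a key in GitHub's action metadata schema, which is presumably why the newly added action-validator hook rejected it. Consumers rarely read the description, so a first step under `runs:` such as `run: echo '::warning::language-version-detect is deprecated; inline version detection in your own action instead'` (with `shell: bash`, if this is a composite action) would surface the notice in every workflow log that still uses it. The `runs:` block is outside this hunk.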
@@ -376,7 +376,7 @@ runs:
 composer clear-cache
 - name: Install Composer Dependencies
- uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+ uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
 with:
 timeout_minutes: 10
 max_attempts: ${{ inputs.max-retries }}
diff --git a/pr-lint/action.yml b/pr-lint/action.yml
index c1b06d7..d439e98 100644
--- a/pr-lint/action.yml
+++ b/pr-lint/action.yml
@@ -156,14 +156,14 @@ runs:
 - name: Setup Bun
 if: steps.detect-node.outputs.found == 'true' && steps.detect-pm.outputs.package-manager == 'bun'
- uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
 - name: Cache Node Dependencies
 if: steps.detect-node.outputs.found == 'true'
 id: node-cache
- uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: node_modules
 key: ${{ runner.os }}-pr-lint-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -335,7 +335,7 @@ runs:
 - name: Setup PHP
 if: steps.detect-php.outputs.found == 'true'
- uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ steps.php-version.outputs.detected-version }}
 tools: composer
diff --git a/prettier-lint/action.yml b/prettier-lint/action.yml
index 89d04d9..c910a32 100644
--- a/prettier-lint/action.yml
+++ b/prettier-lint/action.yml
@@ -305,13 +305,13 @@ runs:
 - name: Setup Bun
 if: steps.detect-pm.outputs.package-manager == 'bun'
- uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
 - name: Cache Node Dependencies
 id: cache
- uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: node_modules
 key: ${{ runner.os }}-prettier-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
diff --git a/python-lint-fix/action.yml b/python-lint-fix/action.yml
index c100af4..be15d18 100644
--- a/python-lint-fix/action.yml
+++ b/python-lint-fix/action.yml
@@ -370,7 +370,7 @@ runs:
 - name: Upload SARIF Report
 if: steps.check-files.outputs.result == 'found'
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif
 category: 'python-lint'
diff --git a/security-scan/action.yml b/security-scan/action.yml
index eb95de4..58e07d3 100644
--- a/security-scan/action.yml
+++ b/security-scan/action.yml
@@ -118,7 +118,7 @@ runs:
 - name: Run Trivy vulnerability scanner
 if: steps.check-configs.outputs.run_trivy == 'true'
- uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b # master
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 with:
 scan-type: 'fs'
 scanners: ${{ inputs.trivy-scanners }}
@@ -161,14 +161,14 @@ runs:
 - name: Upload Trivy results
 if: steps.verify-sarif.outputs.has_trivy == 'true'
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 sarif_file: 'trivy-results.sarif'
 category: 'trivy'
 - name: Upload Gitleaks results
 if: steps.verify-sarif.outputs.has_gitleaks == 'true'
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 sarif_file: 'gitleaks-report.sarif'
 category: 'gitleaks'
diff --git a/terraform-lint-fix/action.yml b/terraform-lint-fix/action.yml
index a9947e1..a8e5347 100644
--- a/terraform-lint-fix/action.yml
+++ b/terraform-lint-fix/action.yml
@@ -147,7 +147,7 @@ runs:
 - name: Setup TFLint
 if: steps.check-files.outputs.found == 'true'
- uses: terraform-linters/setup-tflint@4cb9feea73331a35b422df102992a03a44a3bb33 # v6.2.1
+ uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2
 with:
 tflint_version: ${{ inputs.tflint-version }}
@@ -256,7 +256,7 @@ runs:
 - name: Upload SARIF Report
 if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif'
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 with:
 sarif_file: ${{ env.VALIDATED_WORKING_DIR }}/reports/tflint.sarif
 category: terraform-lint