From bfd8f279d0b42c82e01fa56c259d19889d401930 Mon Sep 17 00:00:00 2001
From: Bjoern Kottner <1780890+BjoernKarma@users.noreply.github.com>
Date: Wed, 25 Mar 2026 08:51:16 +0100
Subject: [PATCH 1/2] chore: Update github actions and pin digest
---
.github/workflows/codeql.yml | 6 +--
.github/workflows/release.yaml | 22 +++++-----
.github/workflows/reusable-go-ci.yaml | 63 +++++++++++++--------------
.github/workflows/scorecard.yml | 2 +-
4 files changed, 46 insertions(+), 47 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 760ec26..38629f4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -55,7 +55,7 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Add any setup steps before running the `github/codeql-action/init` action. # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -65,7 +65,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # pinv4.30.8 + uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.31.1 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }}
@@ -93,6 +93,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # pinv4.30.8 + uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.31.1 with: category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b415b5e..f7ed855 100644
--- a/.github/workflows/release.yaml
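Review bot: Each `uses:` line in these hunks and the ones that follow now carries a commit SHA with a trailing `# vX.Y.Z` comment, but nothing in the diff verifies that the SHA actually resolves to the tag named in the comment, so a mistyped or stale digest would silently pin a different release than the reviewer reads. Since `38697555549f1db7851b81482ff19f1fa5c4fedc # v4.31.1` is reused in scorecard.yml and the same checkout, setup-go and cache digests recur across the other three files, one verification pass before merge (resolving each tag against the action repository with `git ls-remote` or the GitHub API) covers the whole series. If the repository does not yet have a `dependabot.yml` entry with `package-ecosystem: "github-actions"`, adding one keeps digest and version comment moving together on future updates instead of drifting apart the way the old `# pin@v6.0.2` / `# pinv4.30.8` forms this commit cleans up had.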
+++ b/.github/workflows/release.yaml
@@ -15,34 +15,34 @@ jobs: steps: - name: 'Generate token' id: generate_token - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 with: - app_id: ${{ secrets.BOT_APP_ID }} - private_key: ${{ secrets.BOT_PRIVATE_KEY }} + app-id: ${{ secrets.BOT_APP_ID }} + private-key: ${{ secrets.BOT_PRIVATE_KEY }} - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 token: ${{ steps.generate_token.outputs.token }} - name: Set up Go - uses: actions/setup-go@v6.3.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: stable - - uses: actions/cache@v5 + - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.cache/go-build ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - - uses: sigstore/cosign-installer@v4.0.0 - - uses: anchore/sbom-action/download-syft@v0.23.1 + - uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 + - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 - name: Install GoReleaser - uses: goreleaser/goreleaser-action@v7 + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: install-only: true - name: Run Semantic Release id: semantic_release - uses: cycjimmy/semantic-release-action@v6 + uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0 with: extra_plugins: | @semantic-release/changelog
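Review bot: The checkout step now pinned as `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` still passes the App token via `token: ${{ steps.generate_token.outputs.token }}` with `persist-credentials` left at its default, so that token is written into the checkout's `.git/config` and is readable by every later step in the job, including the third-party actions pinned just below it (cosign-installer, sbom-action, goreleaser-action, semantic-release-action). The semantic-release step already receives the same token through its `GITHUB_TOKEN` env (visible in the next hunk), so if neither it nor GoReleaser relies on the persisted git credential — worth confirming before changing — add `persist-credentials: false` to that `with:` block, as the govulncheck job in reusable-go-ci.yaml already does. Pinning by digest narrows which code runs but does not reduce what that code can read from the workspace.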
@@ -52,7 +52,7 @@ jobs: GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} - name: Run GoReleaser if: steps.semantic_release.outputs.new_release_published == 'true' - uses: goreleaser/goreleaser-action@v7 + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: args: release --release-notes /tmp/release-notes.md --clean env:
diff --git a/.github/workflows/reusable-go-ci.yaml b/.github/workflows/reusable-go-ci.yaml
index 3005df7..79eba07 100644
--- a/.github/workflows/reusable-go-ci.yaml
+++ b/.github/workflows/reusable-go-ci.yaml
@@ -79,18 +79,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: ${{ inputs.run_code_analysis && 0 || 1 }} - name: Setup Go - uses: actions/setup-go@27fdb267c15a8835f1ead03dfa07f89be2bb741a # pin@6.1.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "${{ inputs.module }}/go.mod" cache: false # Using a separate cache step - name: Restore Go Cache - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.cache/go-build
@@ -101,9 +101,9 @@ jobs: - name: Run golangci-lint if: ${{ inputs.run_lint }} - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 #pin@9.2.0 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 with: - version: v2.1 + version: v2.11 working-directory: ${{ inputs.module }} args: --timeout 5m --issues-exit-code=0 --config .golangci.yml
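Review bot: `+ version: v2.11` in the `@@ -101,9` hunk upgrades the golangci-lint binary itself (from v2.1), which is a toolchain change rather than the digest pinning the commit subject describes, and the subject gives no hint of it. Because the step already runs with `--issues-exit-code=0`, any checks newly enabled in v2.11 will be reported but never fail the job, so the bump is unlikely to break CI; it is still worth confirming on the first run that the existing `.golangci.yml` is accepted unchanged by v2.11. A one-line mention in the commit message, or a separate commit, would make the intent reviewable; the change on `golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20` itself is comment-only and fine.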
@@ -115,18 +115,18 @@ jobs: test_reports_artifact_id: ${{ steps.upload_test_reports_artifact_step.outputs.artifact-id }} steps: - name: Checkout Code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: ${{ inputs.run_code_analysis && 0 || 1 }} - name: Setup Go - uses: actions/setup-go@27fdb267c15a8835f1ead03dfa07f89be2bb741a # pin@6.1.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "${{ inputs.module }}/go.mod" cache: false # Using a separate cache step - name: Restore Go Cache - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.cache/go-build
@@ -136,7 +136,7 @@ jobs: ${{ runner.os }}-go-${{ inputs.module }}- - name: Set up gotestfmt - uses: gotesttools/gotestfmt-action@v2 + uses: gotesttools/gotestfmt-action@8b4478c7019be847373babde9300210e7de34bfb # v2.2.0 with: token: ${{ secrets.GITHUB_TOKEN }}
@@ -167,7 +167,7 @@ jobs: - name: Upload go test log if: ${{ always() }} # Upload even if previous steps fail - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # pin@v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ${{ inputs.name }}-gotest.log path: ${{ inputs.module }}/gotest.log
@@ -176,7 +176,7 @@ jobs: - name: Upload test reports artifact id: upload_test_reports_artifact_step if: ${{ always() }} # Upload even if previous steps fail - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # pin@v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ${{ inputs.name }}-test-report path: |
@@ -187,7 +187,7 @@ jobs: - name: Publish test report as Check if: ${{ always() && (github.event_name == 'pull_request') }} - uses: mikepenz/action-junit-report@v6 + uses: mikepenz/action-junit-report@49b2ca06f62aa7ef83ae6769a2179271e160d8e4 # v6.3.1 with: report_paths: "${{ inputs.module }}/junit.xml" check_name: "Test Report (${{ inputs.name }})"
@@ -197,7 +197,7 @@ jobs: - name: Prepare coverage comment id: prepare_coverage_comment_step if: ${{ always() && (github.event_name == 'pull_request') }} - uses: irongut/CodeCoverageSummary@v1.3.0 + uses: irongut/CodeCoverageSummary@51cc3a756ddcd398d447c044c02cb6aa83fdae95 # v1.3.0 with: filename: ${{ inputs.module }}/cobertura.xml badge: true
@@ -209,7 +209,7 @@ jobs: - name: Add Coverage PR Comment if: ${{ always() && (github.event_name == 'pull_request') }} - uses: marocchino/sticky-pull-request-comment@v2 + uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 # v3.0.2 with: header: module-coverage-${{ inputs.name }} message: |
@@ -223,19 +223,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: ${{ inputs.run_code_analysis && 0 || 1 }} persist-credentials: false - name: Setup Go - uses: actions/setup-go@27fdb267c15a8835f1ead03dfa07f89be2bb741a # pin@6.1.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "${{ inputs.module }}/go.mod" cache: false - name: Restore Go Cache - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.cache/go-build
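Review bot: `+ uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 # v3.0.2` in the `@@ -209,7` hunk crosses a major version (the old reference was `@v2`), unlike the other pins in this file, which stay within each action's existing major. The `header:` and `message:` inputs are visible in context but the `with:` block continues outside the hunk, so confirm against the action's v3 release notes that none of the inputs used here were renamed or removed, and state the major jump in the commit message (or give it its own commit) so a broken coverage comment can be bisected to it. The `mikepenz/action-junit-report` and `irongut/CodeCoverageSummary` pins in the preceding hunks remain on their existing majors and need no such check.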
@@ -245,7 +245,7 @@ jobs: ${{ runner.os }}-go-${{ inputs.module }}- - name: Run govulncheck - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # pin@1.0.4 + uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 with: go-package: ./... work-dir: ${{ inputs.module }}
@@ -256,18 +256,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # CodeQL requires full history - name: Setup Go - uses: actions/setup-go@27fdb267c15a8835f1ead03dfa07f89be2bb741a # pin@6.1.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "${{ inputs.module }}/go.mod" cache: false - name: Restore Go Cache - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.cache/go-build
@@ -277,7 +277,7 @@ jobs: ${{ runner.os }}-go-${{ inputs.module }}- - name: Initialize CodeQL - uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # pinv4.30.8 + uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 with: languages: go build-mode: manual # Set to manual as we provide a build step
@@ -298,7 +298,7 @@ jobs: fi - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # pinv4.30.8 + uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 with: category: "/language:go/${{ inputs.name }}"
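Review bot: `+ uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5` in the `@@ -277,7` hunk, and the matching `analyze` line in `@@ -298,7`, replace a digest whose old comment labelled it `pinv4.30.8` with one labelled v3.30.5 — a downgrade across a major version — while codeql.yml and scorecard.yml in the same commit move to `38697555549f1db7851b81482ff19f1fa5c4fedc # v4.31.1`. Nothing in the diff or the subject ("Update github actions and pin digest") explains why the reusable workflow should run an older CodeQL action major than the repository's own CodeQL workflow, so this looks like a digest copied from a different source rather than an intentional pin. Unless there is a reason tied to the manual Go build mode, use the same `38697555549f1db7851b81482ff19f1fa5c4fedc # v4.31.1` digest for both `init` and `analyze` here so every SARIF upload in the repository comes from one action version; if the downgrade is deliberate, a comment on the init step saying why would spare the next reader the same investigation.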
@@ -311,18 +311,18 @@ jobs: image_digest: ${{ steps.build_image_ko_step.outputs.digest }} steps: - name: Checkout Code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: ${{ inputs.run_code_analysis && 0 || 1 }} - name: Setup Go - uses: actions/setup-go@27fdb267c15a8835f1ead03dfa07f89be2bb741a # pin@6.1.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "${{ inputs.module }}/go.mod" cache: false - name: Restore Go Cache - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.cache/go-build
@@ -332,10 +332,10 @@ jobs: ${{ runner.os }}-go-${{ inputs.module }}- - name: Setup Ko - uses: ko-build/setup-ko@v0.9 + uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 - name: Inject slug vars - uses: rlespinasse/github-slug-action@v5 + uses: rlespinasse/github-slug-action@9e7def61550737ba68c62d34a32dd31792e3f429 # v5.5.0 - name: Build and Push Image with Ko id: build_image_ko_step
@@ -361,7 +361,6 @@ jobs: fi echo "Building with tags: $effective_tags" - echo "Using KO_DOCKER_REPO: ${KO_DOCKER_REPO}" export VERSION=$(git describe --tags --always --dirty || echo 'develop') export BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
@@ -385,9 +384,9 @@ jobs: echo "repo=${REPO_LOWER}" >> $GITHUB_OUTPUT - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.34.2 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: - image-ref: ${{ inputs.container_registry }}/${{ steps.repo_lower.outputs.repo }}@${{ needs.build.outputs.image_digest }} + image-ref: ${{ inputs.container_registry }}/${{ inputs.github_repository }}/${{ inputs.name }}@${{ needs.build.outputs.image_digest }} exit-code: "1" vuln-type: "os,library" - severity: "CRITICAL,HIGH" + severity: "CRITICAL,HIGH"
\ No newline at end of file
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index cba7d38..7f82abd 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.31.1 with: sarif_file: results.sarif
\ No newline at end of file
From 2d10f7cc84d799074c744d16368623fc90a81e70 Mon Sep 17 00:00:00 2001
From: Bjoern Kottner <1780890+BjoernKarma@users.noreply.github.com>
Date: Wed, 25 Mar 2026 09:00:02 +0100
Subject: [PATCH 2/2] fix: revert unwanted changes for image_scan
---
.github/workflows/reusable-go-ci.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/reusable-go-ci.yaml b/.github/workflows/reusable-go-ci.yaml
index 79eba07..f9e06f7 100644
--- a/.github/workflows/reusable-go-ci.yaml
+++ b/.github/workflows/reusable-go-ci.yaml
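Review bot: The `- severity: "CRITICAL,HIGH"` / `+ severity: "CRITICAL,HIGH"` pair at the end of the `@@ -385,9` hunk changes nothing but the file's trailing newline (the `\ No newline at end of file` marker appears only on the new side), so this commit strips the final newline from reusable-go-ci.yaml, which yamllint's `new-line-at-end-of-file` rule reports and which turns every later edit of the last line into a two-line diff like this one; restore it so the last line reads `severity: "CRITICAL,HIGH"` followed by a line break. The same missing newline is still present in the `@@ -386,7` hunk of PATCH 2/2, where that line appears as context. scorecard.yml's `sarif_file: results.sarif` line lacks the trailing newline on both sides, so that one predates this change and could be fixed in the same pass.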
@@ -361,6 +361,7 @@ jobs: fi echo "Building with tags: $effective_tags" + echo "Using KO_DOCKER_REPO: ${KO_DOCKER_REPO}" export VERSION=$(git describe --tags --always --dirty || echo 'develop') export BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
@@ -386,7 +387,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: - image-ref: ${{ inputs.container_registry }}/${{ inputs.github_repository }}/${{ inputs.name }}@${{ needs.build.outputs.image_digest }} + image-ref: ${{ inputs.container_registry }}/${{ steps.repo_lower.outputs.repo }}@${{ needs.build.outputs.image_digest }} exit-code: "1" vuln-type: "os,library" severity: "CRITICAL,HIGH"
\ No newline at end of file
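Review bot: Both hunks here undo lines that PATCH 1/2 (bfd8f279d0b42c82e01fa56c259d19889d401930) introduced in the same file minutes earlier — the removed `echo "Using KO_DOCKER_REPO: ${KO_DOCKER_REPO}"` and the `image-ref:` rewrite — so as a series the two commits leave an intermediate state in which, if `github_repository` is not a declared input of this reusable workflow, the Trivy step scans an empty or wrong image reference. Squashing the revert into the first commit (or amending it) keeps that state out of history and out of any later bisect. The restored `image-ref: ${{ inputs.container_registry }}/${{ steps.repo_lower.outputs.repo }}@${{ needs.build.outputs.image_digest }}` line itself is the right one, presumably fed by the step that writes `repo=${REPO_LOWER}` to `$GITHUB_OUTPUT` in the context of the previous patch. The `run:` script touched by the first hunk starts and ends outside the hunk.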