diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0c5d6b3..802d969 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,7 +25,7 @@ jobs: scripts: ${{ steps.filter.outputs.scripts }} steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Check for file changes uses: dorny/paths-filter@v3 @@ -48,10 +48,10 @@ jobs: if: needs.changes.outputs.go == 'true' steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Set up Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 with: go-version: ${{ env.GO_VERSION }} cache: true @@ -72,7 +72,7 @@ jobs: - name: Run golangci-lint if: steps.filter.outputs.go == 'true' - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 with: version: ${{ env.GOLANGCI_LINT_VERSION }} @@ -92,10 +92,10 @@ jobs: if: needs.changes.outputs.go == 'true' steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Set up Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 with: go-version: "1.24" cache: true 
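Review bot: The version comment on the new checkout pin in the `@@ -25,7 +25,7 @@` hunk of ci.yml is stale. The same SHA `de0fac2e4500dabe0009e67214ff5f5447ce83dd` is annotated `# v6.0.2` in codeql.yml in this commit, so `# v4` hides a major-version jump from anyone who reviews pins by their comment. The same mismatch is on the other `actions/checkout ... # v4` lines, on `actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5` (labelled `# v6.3.0` in codeql.yml) and on `github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3` in security.yml (labelled `# v4.32.6` in codeql.yml). I would write the exact release on each line, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`, after confirming the tag-to-SHA mapping upstream. The job these steps belong to starts outside the hunk.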
@@ -111,14 +111,14 @@ jobs: gotestsum --junitfile junit.xml --format testname -- -v -cover -coverprofile=coverage.out ./internal/... - name: Upload test results - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: always() with: name: test-results path: junit.xml - name: Upload coverage reports - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5 if: matrix.go-version == env.GO_VERSION with: token: ${{ secrets.CODECOV_TOKEN }} @@ -136,10 +136,10 @@ jobs: if: needs.changes.outputs.go == 'true' steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Set up Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 with: go-version: ${{ env.GO_VERSION }} cache: true @@ -166,7 +166,7 @@ jobs: go test -v -timeout 30m -cover -coverprofile=acceptance-coverage.out ./internal/... -tags=acc - name: Upload acceptance test coverage - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5 with: token: ${{ secrets.CODECOV_TOKEN }} slug: Trozz/terraform-provider-pocketid @@ -191,10 +191,10 @@ jobs: if: needs.changes.outputs.go == 'true' steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Set up Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 with: go-version: ${{ env.GO_VERSION }} cache: true 
@@ -214,7 +214,7 @@ jobs: cp terraform-provider-pocketid "$PROVIDER_DIR/" - name: Upload provider artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: provider-binary path: artifact/ @@ -231,15 +231,15 @@ jobs: terraform-version: ["1.5.7", "1.6.6", "1.7.5", "1.8.5", "1.9.8"] steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Setup Terraform ${{ matrix.terraform-version }} - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3 + uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0 with: terraform_version: ${{ matrix.terraform-version }} - name: Download provider artifact - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: provider-binary path: artifact/ @@ -310,7 +310,7 @@ jobs: if: always() steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Check CI Status id: check_status @@ -324,7 +324,7 @@ jobs: - name: Find Comment if: always() && github.event_name == 'pull_request' - uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 + uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0 id: fc with: issue-number: ${{ github.event.pull_request.number }} 
@@ -354,7 +354,7 @@ jobs: - name: Create or Update PR Comment if: always() && steps.generate_comment.outputs.should_comment == 'true' - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} diff --git a/.github/workflows/cleanup-prereleases.yml b/.github/workflows/cleanup-prereleases.yml index 64bfdc1..9a7ba8e 100644 --- a/.github/workflows/cleanup-prereleases.yml +++ b/.github/workflows/cleanup-prereleases.yml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Cleanup pre-releases - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v7 with: script: | const { owner, repo } = context.repo; diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4d8dd6e..fc37c13 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -24,16 +24,16 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 with: languages: ${{ matrix.language }} queries: security-extended,security-and-quality - name: Setup Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: 'go.mod' cache: true 
@@ -42,6 +42,6 @@ jobs: run: go build -v ./... - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/contributors.yml b/.github/workflows/contributors.yml index 333e390..d345a50 100644 --- a/.github/workflows/contributors.yml +++ b/.github/workflows/contributors.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 with: fetch-depth: 0 diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml index d982a27..9615a76 100644 --- a/.github/workflows/conventional-commits.yml +++ b/.github/workflows/conventional-commits.yml @@ -13,7 +13,7 @@ jobs: name: Conventional Commits steps: - name: Validate PR title follows Conventional Commits - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5 + uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -33,7 +33,7 @@ jobs: - name: Add PR Comment on Failure if: failure() - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml index f02b080..17badbb 100644 --- a/.github/workflows/pre-release.yml +++ b/.github/workflows/pre-release.yml 
@@ -20,7 +20,7 @@ jobs: if: github.actor != 'dependabot[bot]' steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 with: fetch-depth: 0 @@ -49,7 +49,7 @@ jobs: - name: Set up Go if: steps.go_changes.outputs.changed == 'true' - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 with: go-version: ${{ env.GO_VERSION }} cache: true @@ -57,7 +57,7 @@ jobs: - name: Import GPG key if: steps.go_changes.outputs.changed == 'true' id: import_gpg - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6 + uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} @@ -88,7 +88,7 @@ jobs: - name: Run GoReleaser (snapshot) if: steps.go_changes.outputs.changed == 'true' - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6 + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v6 with: version: latest args: release --snapshot --skip=sign --clean --skip=validate @@ -97,7 +97,7 @@ jobs: - name: Generate pre-release attestations if: steps.go_changes.outputs.changed == 'true' - uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2 + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: | dist/*.zip 
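Review bot: The `Import GPG key` step in the `@@ -57,7 +57,7 @@` hunk of pre-release.yml passes `secrets.GPG_PRIVATE_KEY` to a third-party action that this commit moves across a major version (v6 to v7.0.0). The GoReleaser step further down the same file runs with `--skip=sign`, so the visible lines do not show that this job needs the private key at all. If nothing between the two steps signs with it, dropping the import here reduces where the signing key is exposed; those steps are outside the hunks, so this needs checking against the full file. Separately, this file reads `secrets.GPG_PASSPHRASE` while release.yml reads `secrets.PASSPHRASE`. If that is not deliberate, a single shared name would avoid an unset secret silently expanding to an empty string.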
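Review bot: Pinning `goreleaser/goreleaser-action` to a commit in the `@@ -88,7 +88,7 @@` hunk does not pin the tool that builds the artifacts, because the step keeps `version: latest`. It therefore takes whatever GoReleaser release is current at run time. The same applies to the `Run GoReleaser` step in release.yml, which runs after the GPG key import. I would fix the tool version the same way the action is fixed, e.g. `version: "<pinned GoReleaser version>"`, so that a tool upgrade arrives as a reviewed diff rather than as a side effect of the next run.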
@@ -105,14 +105,14 @@ jobs: - name: Upload artifacts if: steps.go_changes.outputs.changed == 'true' - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: pre-release-artifacts path: dist/* - name: Create GitHub pre-release if: steps.go_changes.outputs.changed == 'true' - uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2 + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 with: name: "Development Build v${{ steps.version.outputs.version }}" tag_name: "v${{ steps.version.outputs.version }}" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1cb7e2c..1ee14e0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,25 +15,25 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 with: go-version-file: "go.mod" cache: true - name: Import GPG key id: import_gpg - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6 + uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.PASSPHRASE }} - name: Run GoReleaser - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6 + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v6 with: version: latest args: release --clean 
@@ -43,7 +43,7 @@ jobs: PASSPHRASE: ${{ secrets.PASSPHRASE }} - name: Generate release attestations - uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2 + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: | dist/*.zip diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 6a5509c..e10247f 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -14,13 +14,13 @@ jobs: continue-on-error: true steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 with: fetch-depth: 0 # Required for TruffleHog to scan git history # Secret scanning - name: TruffleHog Secret Scan - uses: trufflesecurity/trufflehog@907ac64fd42b18dab2ceba2fda39834d3f8ba7e3 # v3.90.1 + uses: trufflesecurity/trufflehog@c3e599b7163e8198a55467f3133db0e7b2a492cb # v3.93.7 with: path: ./ base: ${{ github.event.repository.default_branch }} @@ -29,7 +29,7 @@ jobs: # Vulnerability scanning - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@77137e9dc3ab1b329b7c8a38c2eb7475850a14e8 # master + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master with: scan-type: "fs" scan-ref: "." @@ -39,7 +39,7 @@ jobs: exit-code: "0" # Don't fail the build - name: Upload Trivy scan results - uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3 + uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3 if: always() with: sarif_file: "trivy-results.sarif" 
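Review bot: The new `aquasecurity/trivy-action` pin in the `@@ -29,7 +29,7 @@` hunk of security.yml is annotated `# master`. That only says the SHA is some commit on the default branch, not a released version, and gives a reviewer nothing to compare it against. The `securego/gosec` pin in the `@@ -47,18 +47,18 @@` hunk carries the same annotation. Both scanners appear to run in the job marked `continue-on-error: true`, so an unexpected or broken scanner build would not surface as a failed check. I would pin each to the commit of a tagged release and record the tag in the comment, e.g. `uses: aquasecurity/trivy-action@<release commit SHA> # <release tag>`.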
@@ -47,18 +47,18 @@ jobs: # Go security scanning - name: Set up Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 with: go-version: "1.24" cache: true - name: Run gosec security scanner - uses: securego/gosec@59ae7e9e275d7dce03bb9c37432b7b3575dbe5fc # master + uses: securego/gosec@c709ed8be30a01d52ef51a099f5da6fc23dd3e31 # master with: args: "-fmt sarif -out gosec-results.sarif ./..." - name: Upload gosec results - uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3 + uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3 if: always() with: sarif_file: "gosec-results.sarif" diff --git a/.github/workflows/validation.yml b/.github/workflows/validation.yml index bcadbf7..a028016 100644 --- a/.github/workflows/validation.yml +++ b/.github/workflows/validation.yml @@ -19,7 +19,7 @@ jobs: terraform: ${{ steps.filter.outputs.terraform }} steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Check for file changes uses: dorny/paths-filter@v3 @@ -50,7 +50,7 @@ jobs: if: always() steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Check trailing whitespace run: ./scripts/validation/check-trailing-whitespace.sh 
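Review bot: `dorny/paths-filter@v3` in the `@@ -19,7 +19,7 @@` hunk of validation.yml is still referenced by a movable tag, while every action this commit touches is pinned to a commit SHA. The first ci.yml hunk has the same line. A tag can be re-pointed upstream, and this step's outputs decide which downstream jobs run (the `needs.changes.outputs.*` conditions). I would pin it like the others, `uses: dorny/paths-filter@<commit SHA of the v3 release> # <exact v3 tag>`, and check why the dependency update skipped it.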
@@ -86,10 +86,10 @@ jobs: if: needs.changes.outputs.markdown == 'true' steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Run markdownlint - uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e # v19 + uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 # v19 with: fix: false globs: '**/*.md' @@ -101,10 +101,10 @@ jobs: if: needs.changes.outputs.terraform == 'true' steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Setup Terraform - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3 + uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0 - name: Terraform Format Check id: fmt @@ -112,7 +112,7 @@ jobs: continue-on-error: true - name: Comment PR on failure - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v7 if: github.event_name == 'pull_request' && steps.fmt.outcome == 'failure' with: github-token: ${{ secrets.GITHUB_TOKEN }}