diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index fd8fab55ca..4f09e38a1e 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.26.0 AS confetty +FROM golang:1.26.0@sha256:9edf71320ef8a791c4c33ec79f90496d641f306a91fb112d3d060d5c1cee4e20 AS confetty # Set the working directory WORKDIR /app @@ -6,7 +6,7 @@ WORKDIR /app # Install the confetty application RUN go install github.com/maaslalani/confetty@latest -FROM mcr.microsoft.com/vscode/devcontainers/base:debian +FROM mcr.microsoft.com/vscode/devcontainers/base:debian@sha256:a30da48cdf5f9144ff7f2156622e701e752fc258d77ca7bb00120624f1a95938 # Copy the binary from the builder stage COPY --from=confetty /go/bin/confetty /usr/local/bin/confetty diff --git a/.github/actions/go-version-check/action.yml b/.github/actions/go-version-check/action.yml index 0faae6a221..1ac26a54ab 100644 --- a/.github/actions/go-version-check/action.yml +++ b/.github/actions/go-version-check/action.yml @@ -72,7 +72,7 @@ runs: - name: Comment on PR if: steps.compare.outputs.changed == 'true' - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 with: github-token: ${{ inputs.token }} script: | diff --git a/.github/actions/pr-sizer/action.yml b/.github/actions/pr-sizer/action.yml index 95a6200c8c..0ae1b62901 100644 --- a/.github/actions/pr-sizer/action.yml +++ b/.github/actions/pr-sizer/action.yml @@ -69,7 +69,7 @@ runs: using: 'composite' steps: - name: Label PR based on size - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: github-token: ${{ github.token }} script: | diff --git a/.github/actions/remove-dependabot-semver-labels/action.yml b/.github/actions/remove-dependabot-semver-labels/action.yml index aab221a1b6..a485e75172 100644 --- a/.github/actions/remove-dependabot-semver-labels/action.yml 
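Review bot: The builder stage in the second Dockerfile hunk still installs the tool with `RUN go install github.com/maaslalani/confetty@latest`, so the binary that `COPY --from=confetty` places in the devcontainer is resolved from whatever the module proxy serves on build day, which undoes the reproducibility the two digest-pinned `FROM` lines around it now provide. Pin the module to a tagged release, `RUN go install github.com/maaslalani/confetty@<release-tag>`, and add a one-line comment above it noting that the version is deliberate so nobody "fixes" it back to `@latest`. A comment on the `FROM mcr.microsoft.com/vscode/devcontainers/base:debian@sha256:…` line such as `# tag is informational; the digest is the pin` would also make clear which part of that reference is trusted.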
+++ b/.github/actions/remove-dependabot-semver-labels/action.yml @@ -15,7 +15,7 @@ runs: using: 'composite' steps: - name: Remove auto-added semver labels - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: github-token: ${{ github.token }} script: | diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 75cac6e980..754591a5e7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -57,3 +57,58 @@ updates: ignore: - dependency-name: "*" update-types: ["version-update:semver-major"] + +- package-ecosystem: docker + directory: /.devcontainer + schedule: + interval: daily + +- package-ecosystem: docker + directory: / + schedule: + interval: daily + +- package-ecosystem: docker + directory: /demo/screenshots + schedule: + interval: daily + +- package-ecosystem: docker + directory: /examples/devcontainer-build + schedule: + interval: daily + +- package-ecosystem: docker + directory: /examples/quick-start-advanced + schedule: + interval: daily + +- package-ecosystem: gomod + directory: /tools/gomodcheck + schedule: + interval: daily + +- package-ecosystem: gomod + directory: /tools/lintroller + schedule: + interval: daily + +- package-ecosystem: npm + directory: /website/plugins/custom-loaders + schedule: + interval: daily + +- package-ecosystem: npm + directory: /website/plugins/docusaurus-plugin-llms-txt + schedule: + interval: daily + +- package-ecosystem: npm + directory: /website/plugins/fetch-latest-release + schedule: + interval: daily + +- package-ecosystem: npm + directory: /website/plugins/glossary-tooltips + schedule: + interval: daily diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index 76bafa58f2..2c987bd01c 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml 
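Review bot: Nothing in the added `updates` entries covers `github-actions`; unless such an entry already exists above line 57 of dependabot.yml (outside this hunk), the commit-SHA pins this change adds across `.github/workflows` and `.github/actions` will never be refreshed and their `# vX.Y.Z` comments will silently go stale. If it is missing, add `- package-ecosystem: github-actions`, `directory: /`, `schedule: interval: daily` alongside the others so the SHA and its version comment are bumped together. Also, the `ignore` block for `version-update:semver-major` shown in the hunk context belongs only to the entry above it, so each new `docker`, `gomod` and `npm` entry accepts major bumps; if that is intended, a short comment saying so would stop the next reader from copying the ignore rule reflexively.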
@@ -20,7 +20,7 @@ jobs: actions: write timeout-minutes: 15 steps: - - uses: runs-on/action@v2 + - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # v2.0.3 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 789ea780a3..2a224808e8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -29,7 +29,7 @@ jobs: needs: release environment: release steps: - - uses: mislav/bump-homebrew-formula-action@v3 + - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6 with: # A PR will be sent to github.com/Homebrew/homebrew-core to update this formula: formula-name: atmos @@ -44,11 +44,11 @@ jobs: if: ${{ github.event.release.prerelease == false }} steps: - name: "Checkout source code at current commit" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Docker Build" id: build - uses: cloudposse/github-action-docker-build-push@main + uses: cloudposse/github-action-docker-build-push@1d99c3977df15019f21658e2e7d4a2a8818eeb0a # main with: registry: ghcr.io organization: "${{ github.event.repository.owner.login }}" diff --git a/.github/workflows/changelog-check.yml b/.github/workflows/changelog-check.yml index 7762977b91..c9ff96a2bf 100644 --- a/.github/workflows/changelog-check.yml +++ b/.github/workflows/changelog-check.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 12d3025be6..9b2bb5a091 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml 
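Review bot: In the build.yml `docker` job the checkout step, now pinned at `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`, has no `with:` block, so the default `persist-credentials: true` leaves the job's `GITHUB_TOKEN` in `.git/config` for the following `cloudposse/github-action-docker-build-push` step and anything the image build executes; the autofix.yml hunk at the start of this line already sets `persist-credentials: false`, and this job should match unless the build needs to push back to the repository. Add `with:` / `persist-credentials: false` under that checkout step. The `cloudposse/github-action-docker-build-push@1d99c3977df15019f21658e2e7d4a2a8818eeb0a # main` pin is immutable, but `# main` tells a reader nothing about which release it corresponds to; if the action has a tagged release containing that commit, record the tag in the comment so future bumps can be reviewed as releases rather than arbitrary branch commits.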
@@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check modified CLAUDE.md size uses: ./.github/actions/check-claude-md-size @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check modified agent files uses: ./.github/actions/check-claude-md-size diff --git a/.github/workflows/clear-cache.yml b/.github/workflows/clear-cache.yml index a4a4c7f2e4..1d394a9820 100644 --- a/.github/workflows/clear-cache.yml +++ b/.github/workflows/clear-cache.yml @@ -6,6 +6,9 @@ on: types: - closed +permissions: + contents: read + jobs: cleanup: runs-on: ubuntu-latest diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ab6ad4d76d..41271b98ed 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -11,6 +11,9 @@ on: # runs on 19:17 every Tuesday - cron: "27 19 * * 2" +permissions: + contents: read + jobs: analyze: name: Analyze @@ -28,11 +31,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
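Review bot: The new top-level `permissions: contents: read` in clear-cache.yml lowers the default token for the `cleanup` job, but deleting Actions caches requires `actions: write`; the hunk shows only `cleanup: runs-on: ubuntu-latest` and no job-level `permissions:`, so if the job does not declare one (its body is outside this hunk) the deletion calls will start failing with 403 once this merges. Confirm the job carries its own `permissions:` / `actions: write` / `contents: read`, which is the least-privilege shape: a read-only workflow default with write scoped to the one job that needs it. The top-level block added to codeql.yml on this same line warrants the same check for its `analyze` job, whose `permissions:` are not visible here.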
@@ -45,7 +48,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -58,7 +61,7 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 with: category: "/language:${{matrix.language}}" @@ -83,7 +86,7 @@ jobs: security-events: write steps: - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 @@ -91,7 +94,7 @@ jobs: # Without this step, the action may fail intermittently with # "could not load export data" errors due to cache corruption - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version-file: go.mod cache: true @@ -152,7 +155,7 @@ jobs: # - t.Setenv in defer blocks (should use os.Setenv) # will appear in the SARIF output and GitHub Security tab. - name: Run golangci-lint with lintroller plugin - uses: golangci/golangci-lint-action@v8.0.0 + uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 with: version: 101ccaca0df22b2e36dd917ed5d0be423baa6298 install-mode: none @@ -163,7 +166,7 @@ jobs: - name: Upload filtered SARIF results if: always() - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 with: sarif_file: golangci-lint.sarif 
@@ -176,7 +179,7 @@ jobs: issues: write steps: # Checkout is required for local composite actions - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' # Remove Dependabot's auto-added semver labels @@ -188,7 +191,7 @@ jobs: # Check for required semver labels # Every PR must have exactly one: major, minor, patch, or no-release - - uses: mheap/github-action-required-labels@v5 + - uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5.1 with: mode: exactly count: 1 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 3acc0eedba..c2fcd86b31 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -19,15 +19,15 @@ jobs: - private=false steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version-file: go.mod - name: Dependency Review - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.8.3 with: # Disable OpenSSF scorecard to reduce summary size (prevents 1024k limit errors) show-openssf-scorecard: false diff --git a/.github/workflows/go-version-check.yml b/.github/workflows/go-version-check.yml index e7b52366a8..34977f4566 100644 --- a/.github/workflows/go-version-check.yml +++ b/.github/workflows/go-version-check.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout PR branch - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 
diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml index 23fc8b10f1..13d0cc8cff 100644 --- a/.github/workflows/link-check.yml +++ b/.github/workflows/link-check.yml @@ -22,10 +22,10 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check links with lychee - uses: lycheeverse/lychee-action@v2 + uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0 with: args: --config lychee.toml --root-dir ${{ github.workspace }} '**/*.md' fail: true diff --git a/.github/workflows/pr-size-labeler.yml b/.github/workflows/pr-size-labeler.yml index 0cb3d8fd98..b408b86ad5 100644 --- a/.github/workflows/pr-size-labeler.yml +++ b/.github/workflows/pr-size-labeler.yml @@ -7,6 +7,9 @@ on: pull_request_target: types: [opened, synchronize, reopened] +permissions: + contents: read + jobs: label: runs-on: ubuntu-latest @@ -16,7 +19,7 @@ jobs: issues: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: # Checkout the base branch (not the PR head) for security. # We only need the action definition from .github/actions/pr-sizer/ diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 6979752032..f391aca2b4 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -26,13 +26,13 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: # Fetch full history for proper diff checking fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version-file: go.mod cache: true 
@@ -54,12 +54,12 @@ jobs: go mod download - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ env.PYTHON_VERSION }} - name: Run CloudPosse pre-commit action - uses: cloudposse/github-action-pre-commit@v4.0.0 + uses: cloudposse/github-action-pre-commit@828247764461bc41b2bd267e24d76e91a279b093 # v4.0.0 with: # Run against files changed in the PR only # This prevents formatting/checking unrelated files diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 0000000000..ab913742da --- /dev/null +++ b/.github/workflows/scorecards.yml 
@@ -0,0 +1,81 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: ["main"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + contents: read + actions: read + # To allow GraphQL ListCommits to work + issues: read + pull-requests: read + # To detect SAST tools + checks: read + + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 + with: + egress-policy: audit + + - name: "Checkout code" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3.32.4 + with: + sarif_file: results.sarif diff --git a/.github/workflows/screengrabs.yaml b/.github/workflows/screengrabs.yaml index 0a09af8caf..8cd11c4254 100644 --- a/.github/workflows/screengrabs.yaml +++ b/.github/workflows/screengrabs.yaml @@ -21,7 +21,7 @@ jobs: prepare: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Get Atmos version id: get-version @@ -56,10 +56,10 @@ jobs: git config --global core.eol lf - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install Atmos - uses: jaxxstorm/action-install-gh-release@v2.1.0 + uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0 with: repo: cloudposse/atmos tag: ${{ needs.prepare.outputs.version }} 
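Review bot: The SARIF upload at the end of scorecards.yml is pinned to `github/codeql-action/upload-sarif@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3.32.4`, while every other `github/codeql-action/*` reference in this change uses `89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4`; aligning it to the v4 pin keeps the repository on one major of that action so a single Dependabot bump moves all of them and the upload path matches the CodeQL analysis it sits beside. `egress-policy: audit` on the harden-runner step only logs outbound calls; once a few runs have populated the audit list, switch to `egress-policy: block` with an `allowed-endpoints:` list so a compromised action cannot send the `id-token` or results to an arbitrary host. Leaving `repo_token: ${{ secrets.SCORECARD_TOKEN }}` commented out is right for a public repository, but a one-line note that the Branch-Protection check reports as unknown without it would save the next maintainer a trip to the docs.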
@@ -69,7 +69,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 with: terraform_wrapper: false @@ -81,14 +81,14 @@ jobs: env: ATMOS_PAGER: "false" - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0 id: github-app with: app-id: ${{ vars.BOT_GITHUB_APP_ID }} private-key: ${{ secrets.BOT_GITHUB_APP_PRIVATE_KEY }} - name: Create or update PR - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: token: ${{ steps.github-app.outputs.token }} branch: "chore/update-build-screengrabs-for-${{ needs.prepare.outputs.version }}" diff --git a/.github/workflows/setup-go-cache-warmup.yml b/.github/workflows/setup-go-cache-warmup.yml index cf87cd9c80..940b2b973d 100644 --- a/.github/workflows/setup-go-cache-warmup.yml +++ b/.github/workflows/setup-go-cache-warmup.yml @@ -9,6 +9,9 @@ on: # • Eastern Time (ET): 7:35 PM (previous day) - cron: "35 0 * * *" +permissions: + contents: read + jobs: cache-warmup: name: Cache warmup (${{ matrix.target }}) @@ -28,10 +31,10 @@ jobs: run: echo "C:\Program Files\Git\usr\bin" >> $Env:GITHUB_PATH - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version-file: "go.mod" id: go diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1d00b21e0e..a4b41af304 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -41,7 +41,7 @@ jobs: target: macos runs-on: ${{ matrix.os }} steps: - - uses: runs-on/action@v1 + - uses: runs-on/action@030c186b28504cf0b4cfea1fa9853467795889d2 # v1 if: matrix.target == 'linux' - name: Build @@ -54,11 +54,11 @@ jobs: - name: Check out code into the Go module directory if: ${{ ! ( matrix.target == 'windows' && github.event.pull_request.draft ) }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go if: ${{ ! ( matrix.target == 'windows' && github.event.pull_request.draft ) }} - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version-file: "go.mod" id: go @@ -79,7 +79,7 @@ jobs: make version-${{ matrix.target }} - name: Upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ ! ( matrix.target == 'windows' && github.event.pull_request.draft ) }} with: name: build-artifacts-${{ matrix.target }} 
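Review bot: `runs-on/action@030c186b28504cf0b4cfea1fa9853467795889d2 # v1` in the test.yml build job records only a major in its comment, whereas the same action is pinned as `# v2.0.3` in autofix.yml earlier in this change; the SHA is immutable either way, but a major-only comment hides which release is in use and whether the two workflows are intentionally on different majors. Put the exact tag the SHA resolves to in the comment, `# v1.x.y`, or move this job to the same v2 pin autofix.yml uses, and say in a comment if the v1 line is kept on purpose.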
@@ -100,19 +100,19 @@ jobs: timeout-minutes: 45 runs-on: ${{ matrix.flavor.os }} steps: - - uses: runs-on/action@v1 + - uses: runs-on/action@030c186b28504cf0b4cfea1fa9853467795889d2 # v1 if: matrix.flavor.target == 'linux' - name: Check out code into the Go module directory if: ${{ ! ( matrix.flavor.target == 'windows' && github.event.pull_request.draft ) }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Add GNU tar to PATH (significantly faster than windows tar) if: matrix.flavor.target == 'windows' && ! github.event.pull_request.draft run: echo "C:\Program Files\Git\usr\bin" >> $Env:GITHUB_PATH - name: Download build artifacts for ${{ matrix.flavor.target }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 if: ${{ ! ( matrix.flavor.target == 'windows' && github.event.pull_request.draft ) }} with: name: build-artifacts-${{ matrix.flavor.target }} @@ -135,14 +135,14 @@ jobs: echo "${{ github.workspace }}" >> $Env:GITHUB_PATH - name: Install Terraform - uses: hashicorp/setup-terraform@v3 + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 if: ${{ ! ( matrix.flavor.target == 'windows' && github.event.pull_request.draft ) }} with: terraform_version: ${{ env.TERRAFORM_VERSION }} terraform_wrapper: false - name: Install OpenTofu - uses: opentofu/setup-opentofu@v1 + uses: opentofu/setup-opentofu@9d84900f3238fab8cd84ce47d658d25dd008be2f # v1.0.8 if: ${{ ! ( matrix.flavor.target == 'windows' && github.event.pull_request.draft ) }} with: tofu_version: ${{ env.OPEN_TOFU_VERSION }} 
@@ -150,14 +150,14 @@ jobs: # https://github.com/hashicorp/setup-packer - name: Install Packer - uses: hashicorp/setup-packer@main + uses: hashicorp/setup-packer@54678572a9eae3130016b4548482317e9f83f9f3 # main if: ${{ ! ( matrix.flavor.target == 'windows' && github.event.pull_request.draft ) }} with: version: ${{ env.PACKER_VERSION }} # https://github.com/helmfile/helmfile-action - name: Install Helmfile - uses: helmfile/helmfile-action@v2.0.5 + uses: helmfile/helmfile-action@6f21d94fa797f5dfbc92b9db62c6832ac6639a88 # v2.0.5 if: ${{ ! ( matrix.flavor.target == 'windows' && github.event.pull_request.draft ) }} with: helm-version: ${{ env.HELM_VERSION }} @@ -181,7 +181,7 @@ jobs: atmos version - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 if: ${{ ! ( matrix.flavor.target == 'windows' && github.event.pull_request.draft ) }} with: go-version-file: "go.mod" @@ -195,7 +195,7 @@ jobs: # Enable this after merging test-cases # Only seems to work with remote schema files #- name: Validate YAML Schema for Test Cases - # uses: InoUno/yaml-ls-check@v1.4.0 + # uses: InoUno/yaml-ls-check@2c229b85b877b2853b40bd0fbdcfccff5ff735c7 # v1.4.0 # with: # root: "tests/test-cases" # schemaMapping: | @@ -218,7 +218,7 @@ jobs: - name: Upload coverage report to Codecov if: matrix.flavor.target == 'linux' && (success() || failure()) - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 with: token: ${{ secrets.CODECOV_TOKEN }} slug: ${{ github.repository }} @@ -233,9 +233,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - uses: hadolint/hadolint-action@v3.1.0 + - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 id: hadolint with: dockerfile: Dockerfile 
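Review bot: `hashicorp/setup-packer@54678572a9eae3130016b4548482317e9f83f9f3 # main` in the test job pins a commit taken from a moving branch rather than a release, and the same pin is repeated in the two later test.yml jobs in this change; the SHA is immutable, but `# main` gives reviewers no release to compare against and version updaters nothing to track. If a tagged release of setup-packer contains that commit, pin to it and put the tag in the comment; otherwise add a comment beside it explaining why a branch commit is required. The `hadolint/hadolint-action` step at the end of this line lints only `dockerfile: Dockerfile`, while this same change digest-pins `.devcontainer/Dockerfile` and adds Dependabot entries for several other Dockerfile directories; extending the lint to those files would enforce the pinning rules everywhere Dependabot now tracks.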
@@ -247,7 +247,7 @@ jobs: ignore: DL3008 - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 if: always() with: # Path to SARIF file relative to the root of the repository @@ -289,7 +289,7 @@ jobs: steps: - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: build-artifacts-linux path: /usr/local/bin @@ -298,23 +298,23 @@ jobs: run: chmod +x /usr/local/bin/atmos - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install Terraform - uses: hashicorp/setup-terraform@v3 + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 with: terraform_version: ${{ env.TERRAFORM_VERSION }} terraform_wrapper: false - name: Install OpenTofu - uses: opentofu/setup-opentofu@v1 + uses: opentofu/setup-opentofu@9d84900f3238fab8cd84ce47d658d25dd008be2f # v1.0.8 with: tofu_version: ${{ env.OPEN_TOFU_VERSION }} tofu_wrapper: false # https://github.com/hashicorp/setup-packer - name: Install Packer - uses: hashicorp/setup-packer@main + uses: hashicorp/setup-packer@54678572a9eae3130016b4548482317e9f83f9f3 # main with: version: ${{ env.PACKER_VERSION }} @@ -339,7 +339,7 @@ jobs: timeout-minutes: 20 steps: - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Start Docker Compose working-directory: examples/${{ matrix.demo-folder }} @@ -355,7 +355,7 @@ jobs: kubectl get pods --all-namespaces - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: build-artifacts-linux path: /usr/local/bin 
@@ -370,7 +370,7 @@ jobs: run: sudo apt-get -y install kubectl helmfile - name: Install Helm - uses: azure/setup-helm@v4 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 with: version: ${{ env.HELM_VERSION }} @@ -425,7 +425,7 @@ jobs: steps: - name: Check out code into the Go module directory if: ${{ ! ( matrix.flavor.target == 'windows' && github.event.pull_request.draft ) }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Add GNU tar to flavor.target (significantly faster than windows tar) if: matrix.flavor.target == 'windows' && ! github.event.pull_request.draft @@ -433,7 +433,7 @@ jobs: - name: Download build artifacts for ${{ matrix.flavor.target }} if: ${{ ! ( matrix.flavor.target == 'windows' && github.event.pull_request.draft ) }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: build-artifacts-${{ matrix.flavor.target }} path: ${{ github.workspace }} @@ -452,21 +452,21 @@ jobs: - name: Install Terraform if: ${{ ! ( matrix.flavor.target == 'windows' && github.event.pull_request.draft ) }} - uses: hashicorp/setup-terraform@v3 + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 with: terraform_version: ${{ env.TERRAFORM_VERSION }} terraform_wrapper: false - name: Install OpenTofu if: ${{ ! ( matrix.flavor.target == 'windows' && github.event.pull_request.draft ) }} - uses: opentofu/setup-opentofu@v1 + uses: opentofu/setup-opentofu@9d84900f3238fab8cd84ce47d658d25dd008be2f # v1.0.8 with: tofu_version: ${{ env.OPEN_TOFU_VERSION }} tofu_wrapper: false # https://github.com/hashicorp/setup-packer - name: Install Packer - uses: hashicorp/setup-packer@main + uses: hashicorp/setup-packer@54678572a9eae3130016b4548482317e9f83f9f3 # main with: version: ${{ env.PACKER_VERSION }} 
@@ -529,28 +529,28 @@ jobs: timeout-minutes: 20 steps: - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install Terraform - uses: hashicorp/setup-terraform@v3 + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 with: terraform_version: ${{ env.TERRAFORM_VERSION }} terraform_wrapper: false - name: Install OpenTofu - uses: opentofu/setup-opentofu@v1 + uses: opentofu/setup-opentofu@9d84900f3238fab8cd84ce47d658d25dd008be2f # v1.0.8 with: tofu_version: ${{ env.OPEN_TOFU_VERSION }} tofu_wrapper: false # https://github.com/hashicorp/setup-packer - name: Install Packer - uses: hashicorp/setup-packer@main + uses: hashicorp/setup-packer@54678572a9eae3130016b4548482317e9f83f9f3 # main with: version: ${{ env.PACKER_VERSION }} - name: Lint examples/${{ matrix.demo-folder }}/components/terraform - uses: reviewdog/action-tflint@v1 + uses: reviewdog/action-tflint@54a5e5aed57dcfbb4662ec548de876df33d6288d # v1.25.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} working_directory: examples/${{ matrix.demo-folder }}/components/terraform @@ -581,10 +581,10 @@ jobs: timeout-minutes: 20 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Validate YAML Schema for Stacks - uses: InoUno/yaml-ls-check@v1.4.0 + uses: InoUno/yaml-ls-check@2c229b85b877b2853b40bd0fbdcfccff5ff735c7 # v1.4.0 with: root: "examples/${{ matrix.demo-folder }}/stacks" schemaMapping: | diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml index 4c364ab294..52fbe74004 100644 --- a/.github/workflows/validate-codeowners.yml +++ b/.github/workflows/validate-codeowners.yml 
@@ -9,18 +9,18 @@ jobs: runs-on: ubuntu-latest steps: - name: "Checkout source code at current commit" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 # Required for tj-actions/changed-files - name: Check if CODEOWNERS changed id: changed-files - uses: tj-actions/changed-files@v45 + uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45.0.2 with: files: .github/CODEOWNERS # Leave pinned at 0.7.1 until https://github.com/mszostok/codeowners-validator/issues/173 is resolved - - uses: mszostok/codeowners-validator@v0.7.4 + - uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f # v0.7.4 # This condition verifies that the PR repo equals the Github Repo and it's NOT dependabot # Also runs on workflow_dispatch (manual trigger) or when CODEOWNERS file is changed if: ${{ github.event_name == 'workflow_dispatch' || (steps.changed-files.outputs.any_changed == 'true' && (github.event.pull_request.head.repo.full_name == github.repository) && (github.actor != 'dependabot[bot]')) }} @@ -34,7 +34,7 @@ jobs: # GitHub access token is required only if the `owners` check is enabled github_access_token: "${{ secrets.REPO_ACCESS_TOKEN }}" - - uses: mszostok/codeowners-validator@v0.7.4 + - uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f # v0.7.4 # This condition verifies that the PR repo does NOT equal the Github Repo (fork PR) # Only runs when CODEOWNERS file is changed if: ${{ steps.changed-files.outputs.any_changed == 'true' && github.event.pull_request.head.repo.full_name != github.repository }} diff --git a/.github/workflows/vhs.yaml b/.github/workflows/vhs.yaml index 3e6450df1e..42b54c8035 100644 --- a/.github/workflows/vhs.yaml +++ b/.github/workflows/vhs.yaml 
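Review bot: The comment `# Leave pinned at 0.7.1 until https://github.com/mszostok/codeowners-validator/issues/173 is resolved` sits directly above a step pinned to `mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f # v0.7.4` on both sides of this hunk, so either the comment is stale and should be dropped, or the move past 0.7.1 reintroduced the issue the comment warns about and should be reverted; as written, a reader cannot tell which. For `tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45.0.2`, the commit-SHA pin is the right control for this action in particular, since its release tags have been re-pointed to unrelated commits in the past; a comment such as `# pin by SHA, not tag: this action's tags have been rewritten before` would stop a future cleanup from reverting to `@v45`.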
@@ -17,7 +17,7 @@ jobs: cancel-in-progress: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check for vhs label id: labeled @@ -69,23 +69,23 @@ jobs: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.file }} cancel-in-progress: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install atmos - uses: jaxxstorm/action-install-gh-release@v1.14.0 + uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0 with: # Grab the latest version repo: cloudposse/atmos chmod: 0755 extension-matching: disable rename-to: atmos - - uses: charmbracelet/vhs-action@v1 + - uses: charmbracelet/vhs-action@5bc47255c016b6af28ad6b633ee9a07b79468804 # v1.2.3 with: token: ${{ secrets.GITHUB_TOKEN }} path: ${{ matrix.file }} install-fonts: true - - uses: stefanzweifel/git-auto-commit-action@v4 + - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4.16.0 id: auto-commit env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/website-deploy-prod.yml b/.github/workflows/website-deploy-prod.yml index 91b155ceb9..c8f95b2c13 100644 --- a/.github/workflows/website-deploy-prod.yml +++ b/.github/workflows/website-deploy-prod.yml 
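Review bot: The `jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0` step in the second vhs.yaml hunk still has no `tag:` (the comment `# Grab the latest version` says as much), so each run downloads whichever `cloudposse/atmos` release is newest and the output is committed back by `stefanzweifel/git-auto-commit-action` with `GITHUB_TOKEN`; the action pin is now fixed but the artifact that actually lands in the repository is not. screengrabs.yaml in this same change pins a newer `# v2.1.0` of this action and passes an explicit `tag: ${{ needs.prepare.outputs.version }}`; mirror that here by resolving the version in a prior step and passing `tag:`, or if tracking latest is deliberate, say why in the comment. The two workflows being on different majors of the same action is also worth reconciling so Dependabot bumps them together.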
@@ -34,24 +34,24 @@ jobs:
 steps:
 # https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 aws-region: ${{ env.AWS_REGION }}
 role-to-assume: ${{ env.IAM_ROLE_ARN }}
 role-session-name: ${{ env.IAM_ROLE_SESSION_NAME }}
 - name: Checkout Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version-file: "website/.nvmrc"
 - name: Setup pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 with:
 version: 9
@@ -72,7 +72,7 @@ jobs:
 aws s3 ls s3://${{ env.S3_BUCKET_NAME }} --recursive --human-readable --summarize
 - name: Trigger Algolia Crawler
- uses: algolia/algoliasearch-crawler-github-actions@v1
+ uses: algolia/algoliasearch-crawler-github-actions@79db67cd7284bf4623324cd69e3cba49c7a85c4c # v1.1.0
 with:
 crawler-user-id: ${{ secrets.ALGOLIA_CRAWLER_USER_ID }}
 crawler-api-key: ${{ secrets.ALGOLIA_CRAWLER_API_KEY }}
diff --git a/.github/workflows/website-preview-build.yml b/.github/workflows/website-preview-build.yml
index eadee7ded6..cbc70509ca 100644
--- a/.github/workflows/website-preview-build.yml
+++ b/.github/workflows/website-preview-build.yml
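Review bot: `version: 9` under `pnpm/action-setup` still resolves to the newest pnpm 9.x at run time, so after this change the production deploy job (which has already assumed the IAM role from `role-to-assume`) runs an unpinned package manager while every action around it is frozen by SHA. Pin an exact release (`version: 9.x.y`) or, if the action supports it, set `packageManager` in `website/package.json` and omit `version:` so both this job and the preview build resolve the same pnpm; the same floating `version: 9` appears in the preview-build workflow and should move together with this one.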
@@ -25,17 +25,17 @@ jobs:
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version-file: "website/.nvmrc"
 - name: Setup pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 with:
 version: 9
@@ -50,7 +50,7 @@ jobs:
 DEPLOYMENT_HOST: ${{ github.event.pull_request.number && format('pr-{0}.atmos-docs.ue2.dev.plat.cloudposse.org', github.event.pull_request.number) || '' }}
 - name: Upload artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: website
 path: website/build
diff --git a/.github/workflows/website-preview-deploy.yml b/.github/workflows/website-preview-deploy.yml
index 8959d30d3e..2f468708a8 100644
--- a/.github/workflows/website-preview-deploy.yml
+++ b/.github/workflows/website-preview-deploy.yml
@@ -41,26 +41,26 @@ jobs:
 ref: ${{ github.event.workflow_run.pull_requests[0].head.ref }}
 - name: Checkout Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 # https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 aws-region: ${{ env.AWS_REGION }}
 role-to-assume: ${{ env.IAM_ROLE_ARN }}
 role-session-name: ${{ env.IAM_ROLE_SESSION_NAME }}
- - uses: actions/create-github-app-token@v1
+ - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
 id: github-app
 with:
 app-id: ${{ vars.BOT_GITHUB_APP_ID }}
 private-key: ${{ secrets.BOT_GITHUB_APP_PRIVATE_KEY }}
 - name: Download artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: website
 path: website/build
diff --git a/.github/workflows/website-preview-destroy.yml b/.github/workflows/website-preview-destroy.yml
index 1cc07721d5..4ed05f2e5e 100644
--- a/.github/workflows/website-preview-destroy.yml
+++ b/.github/workflows/website-preview-destroy.yml
@@ -29,7 +29,7 @@ jobs:
 steps:
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 aws-region: ${{ env.AWS_REGION }}
 role-to-assume: ${{ env.IAM_ROLE_ARN }}
@@ -49,7 +49,7 @@ jobs:
 run: echo "branch=$(echo ${PR_HEAD#refs/heads/} | tr / -)" >> $GITHUB_OUTPUT
 - name: Seek deployment
- uses: cloudposse/github-action-seek-deployment@0.1.1
+ uses: cloudposse/github-action-seek-deployment@9c18326d279eaf1683777086a61ca3c744aeb246 # 0.1.1
 id: deployment
 with:
 environment: preview
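Review bot: `Download artifacts` shows only `name: website` and `path: website/build`, but this job runs from a `workflow_run` event (it reads `github.event.workflow_run.pull_requests[0].head.ref`), and `actions/download-artifact@v4` only looks in the current run unless `run-id: ${{ github.event.workflow_run.id }}` and a `github-token:` are also supplied — if those inputs sit past the end of the hunk this is fine, otherwise the preview artifact will not be found. Because the same job assumes an AWS role and mints a GitHub App token from `BOT_GITHUB_APP_PRIVATE_KEY`, the artifact it downloads was built from an untrusted PR and must be handled as data only: copied to the bucket, never executed, sourced or fed to a build step here. Scope the App token (its `repositories` and `permission-*` inputs, where available) and the IAM role to the preview deployment alone so a crafted artifact or branch name cannot reach anything else.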
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1541c6b49f..5c4a1ed13c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -71,3 +71,12 @@ repos:
 - id: check-added-large-files
 args: [--maxkb=500]
 exclude: ^(docs/demo.gif|website/)
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+ - repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: RuboCop
+ - id: shellcheck
diff --git a/Dockerfile b/Dockerfile
index 18d621cf6a..7fc12f47e6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Use a base image with platform specification
-FROM --platform=$BUILDPLATFORM debian:bookworm-slim
+FROM --platform=$BUILDPLATFORM debian:bookworm-slim@sha256:74d56e3931e0d5a1dd51f8c8a2466d21de84a271cd3b5a733b803aa91abf4421
 # Define the arguments for Atmos version and platforms
 ARG TARGETPLATFORM
diff --git a/demo/screenshots/Dockerfile b/demo/screenshots/Dockerfile
index 95a3a26062..b1f7f5ce70 100644
--- a/demo/screenshots/Dockerfile
+++ b/demo/screenshots/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/charmbracelet/vhs:latest
+FROM ghcr.io/charmbracelet/vhs:latest@sha256:e88ed3faa06183a197fd44ded83e706098d9e4038b72da94bcdb9cb9b67e3527
 ARG ARCH=arm64
 RUN apt-get update && apt-get install -y apt-utils curl aha
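Review bot: The new hooks are pinned by tag (`rev: v8.16.3`, `rev: 3.0.0`), which is mutable, while the rest of this commit moves every action and base image to an immutable SHA or digest; pre-commit's `rev` accepts a full commit SHA, so `rev: <sha>  # v8.16.3` would keep the same policy here. `gitleaks` `v8.16.3` also looks like a 2023-era release, and nothing in this commit updates pre-commit hooks automatically (Dependabot has no pre-commit ecosystem), so either refresh the pin now and add a `pre-commit autoupdate` job or pre-commit.ci, or note why the older secret-scanner release is wanted.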
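Review bot: `FROM ghcr.io/charmbracelet/vhs:latest@sha256:e88ed3fa…` keeps `latest` as the tag; when a digest is present the tag is ignored for resolution and is only a label, so this line now reads "latest" while actually freezing one specific build, and any digest bump will arrive with no version to review it against. Replace the tag with the release that digest corresponds to, e.g. `FROM ghcr.io/charmbracelet/vhs:<release>@sha256:e88ed3fa…`, so the tag documents what was pinned. Unrelated to this change, the `RUN apt-get update && apt-get install -y apt-utils curl aha` line on the new side lacks `--no-install-recommends` and an apt-list cleanup, but that is pre-existing.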