cloudposse · step-security-bot · Mar 1, 2026 · Mar 31, 2026 · Apr 6, 2026 · Apr 7, 2026
@@ -1,12 +1,12 @@
-FROM golang:1.26.0 AS confetty
+FROM golang:1.26.0@sha256:9edf71320ef8a791c4c33ec79f90496d641f306a91fb112d3d060d5c1cee4e20 AS confetty
 
 # Set the working directory
 WORKDIR /app
 
 # Install the confetty application
 RUN go install github.com/maaslalani/confetty@latest
 
-FROM mcr.microsoft.com/vscode/devcontainers/base:debian
+FROM mcr.microsoft.com/vscode/devcontainers/base:debian@sha256:a30da48cdf5f9144ff7f2156622e701e752fc258d77ca7bb00120624f1a95938
 
 # Copy the binary from the builder stage
 COPY --from=confetty /go/bin/confetty /usr/local/bin/confetty

@@ -72,7 +72,7 @@ runs:
 
     - name: Comment on PR
       if: steps.compare.outputs.changed == 'true'
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
       with:
         github-token: ${{ inputs.token }}
         script: |

@@ -69,7 +69,7 @@ runs:
   using: 'composite'
   steps:
     - name: Label PR based on size
-      uses: actions/github-script@v8
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       with:
         github-token: ${{ github.token }}
         script: |

@@ -15,7 +15,7 @@ runs:
   using: 'composite'
   steps:
     - name: Remove auto-added semver labels
-      uses: actions/github-script@v8
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       with:
         github-token: ${{ github.token }}
         script: |

@@ -57,3 +57,58 @@ updates:
   ignore:
     - dependency-name: "*"
       update-types: ["version-update:semver-major"]
+
+- package-ecosystem: docker
+  directory: /.devcontainer
+  schedule:
+    interval: daily
+
+- package-ecosystem: docker
+  directory: /
+  schedule:
+    interval: daily
+
+- package-ecosystem: docker
+  directory: /demo/screenshots
+  schedule:
+    interval: daily
+
+- package-ecosystem: docker
+  directory: /examples/devcontainer-build
+  schedule:
+    interval: daily
+
+- package-ecosystem: docker
+  directory: /examples/quick-start-advanced
+  schedule:
+    interval: daily
+
+- package-ecosystem: gomod
+  directory: /tools/gomodcheck
+  schedule:
+    interval: daily
+
+- package-ecosystem: gomod
+  directory: /tools/lintroller
+  schedule:
+    interval: daily
+
+- package-ecosystem: npm
+  directory: /website/plugins/custom-loaders
+  schedule:
+    interval: daily
+
+- package-ecosystem: npm
+  directory: /website/plugins/docusaurus-plugin-llms-txt
+  schedule:
+    interval: daily
+
+- package-ecosystem: npm
+  directory: /website/plugins/fetch-latest-release
+  schedule:
+    interval: daily
+
+- package-ecosystem: npm
+  directory: /website/plugins/glossary-tooltips
+  schedule:
+    interval: daily
@@ -20,7 +20,7 @@ jobs:
       actions: write
     timeout-minutes: 15
     steps:
-      - uses: runs-on/action@v2
+      - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # v2.0.3
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false

@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: release
     steps:
-      - uses: mislav/bump-homebrew-formula-action@v3
+      - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6
         with:
           # A PR will be sent to github.com/Homebrew/homebrew-core to update this formula:
           formula-name: atmos
@@ -43,11 +43,11 @@ jobs:
     if: ${{ github.event.release.prerelease == false }}
     steps:
       - name: "Checkout source code at current commit"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: "Docker Build"
         id: build
-        uses: cloudposse/github-action-docker-build-push@main
+        uses: cloudposse/github-action-docker-build-push@1d99c3977df15019f21658e2e7d4a2a8818eeb0a # main
         with:
           registry: ghcr.io
           organization: "${{ github.event.repository.owner.login }}"

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
 

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Check modified CLAUDE.md size
         uses: ./.github/actions/check-claude-md-size
@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Check modified agent files
         uses: ./.github/actions/check-claude-md-size

@@ -6,6 +6,9 @@ on:
     types:
       - closed
 
+permissions:
+  contents: read
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest

@@ -11,6 +11,9 @@ on:
     # runs on 19:17 every Tuesday
     - cron: "27 19 * * 2"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -28,11 +31,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -45,7 +48,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -58,7 +61,7 @@ jobs:
       #     ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           category: "/language:${{matrix.language}}"
 
@@ -83,15 +86,15 @@ jobs:
       security-events: write
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
 
       # golangci-lint-action@v4.0.0+ requires explicit Go setup
       # Without this step, the action may fail intermittently with
       # "could not load export data" errors due to cache corruption
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
         with:
           go-version-file: go.mod
           cache: true
@@ -152,7 +155,7 @@ jobs:
       # - t.Setenv in defer blocks (should use os.Setenv)
       # will appear in the SARIF output and GitHub Security tab.
       - name: Run golangci-lint with lintroller plugin
-        uses: golangci/golangci-lint-action@v8.0.0
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: 101ccaca0df22b2e36dd917ed5d0be423baa6298
           install-mode: none
@@ -163,7 +166,7 @@ jobs:
 
       - name: Upload filtered SARIF results
         if: always()
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           sarif_file: golangci-lint.sarif
 
@@ -176,7 +179,7 @@ jobs:
       issues: write
     steps:
       # Checkout is required for local composite actions
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]'
 
       # Remove Dependabot's auto-added semver labels
@@ -188,7 +191,7 @@ jobs:
 
       # Check for required semver labels
       # Every PR must have exactly one: major, minor, patch, or no-release
-      - uses: mheap/github-action-required-labels@v5
+      - uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5.1
         with:
           mode: exactly
           count: 1

@@ -19,15 +19,15 @@ jobs:
       - private=false
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
         with:
           go-version-file: go.mod
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.8.3
         with:
           # Disable OpenSSF scorecard to reduce summary size (prevents 1024k limit errors)
           show-openssf-scorecard: false

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout PR branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
 

@@ -22,10 +22,10 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Check links with lychee
-        uses: lycheeverse/lychee-action@v2
+        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
         with:
           args: --config lychee.toml --root-dir ${{ github.workspace }} '**/*.md'
           fail: true

@@ -7,6 +7,9 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   label:
     runs-on: ubuntu-latest
@@ -16,7 +19,7 @@ jobs:
       issues: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           # Checkout the base branch (not the PR head) for security.
           # We only need the action definition from .github/actions/pr-sizer/

@@ -26,13 +26,13 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           # Fetch full history for proper diff checking
           fetch-depth: 0
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
         with:
           go-version-file: go.mod
           cache: true
@@ -54,12 +54,12 @@ jobs:
           go mod download
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Run CloudPosse pre-commit action
-        uses: cloudposse/github-action-pre-commit@v4.0.0
+        uses: cloudposse/github-action-pre-commit@828247764461bc41b2bd267e24d76e91a279b093 # v4.0.0
         with:
           # Run against files changed in the PR only
           # This prevents formatting/checking unrelated files