chore: pin and update all workflow dependencies; add permission scopes (#2138)

---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Christopher Angelo Phillips 2023-09-15 14:18:42 -04:00 committed by GitHub
parent 2eb2d55551
commit 094b41b301
26 changed files with 114 additions and 84 deletions


@ -1,4 +1,5 @@
name: "Bootstrap" name: "Bootstrap"
description: "Bootstrap all tools and dependencies" description: "Bootstrap all tools and dependencies"
inputs: inputs:
go-version: go-version:
@ -24,13 +25,13 @@ inputs:
runs: runs:
using: "composite" using: "composite"
steps: steps:
- uses: actions/setup-go@v4 - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
with: with:
go-version: ${{ inputs.go-version }} go-version: ${{ inputs.go-version }}
- name: Restore tool cache - name: Restore tool cache
id: tool-cache id: tool-cache
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: ${{ github.workspace }}/.tmp path: ${{ github.workspace }}/.tmp
key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('Makefile') }} key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
@ -40,7 +41,7 @@ runs:
- name: Restore go module cache - name: Restore go module cache
id: go-mod-cache id: go-mod-cache
if: inputs.use-go-cache == 'true' if: inputs.use-go-cache == 'true'
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: | path: |
~/go/pkg/mod ~/go/pkg/mod
@ -56,7 +57,7 @@ runs:
- name: Restore go build cache - name: Restore go build cache
id: go-cache id: go-cache
if: inputs.use-go-cache == 'true' if: inputs.use-go-cache == 'true'
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: | path: |
~/.cache/go-build ~/.cache/go-build


@ -1,10 +1,12 @@
version: 2 version: 2
updates: updates:
- package-ecosystem: gomod
directory: "/"
schedule:
interval: "daily"
open-pull-requests-limit: 10
- package-ecosystem: "github-actions" - package-ecosystem: "github-actions"
directory: "/" directory: "/"
schedule: schedule:
interval: daily interval: "daily"
- package-ecosystem: "gomod" open-pull-requests-limit: 10
directory: "/"
schedule:
interval: daily
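Review bot: The `github-actions` entry with `directory: "/"` was, as documented at the time, limited to `.github/workflows`, so the SHA pins this commit introduces in `.github/actions/bootstrap/action.yaml` would get no update PRs and silently age; please verify against current Dependabot behaviour. If that still holds, add a second entry for the composite action: `- package-ecosystem: "github-actions"` / `directory: "/.github/actions/bootstrap"` / `schedule: { interval: "daily" }`. Dependabot keeps the trailing `#vX.Y.Z` comments in sync when it bumps a SHA, which is why retaining them next to each pin is worthwhile.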


@ -4,6 +4,9 @@ on:
workflow_dispatch: workflow_dispatch:
pull_request: pull_request:
permissions:
contents: read
jobs: jobs:
Benchmark-Test: Benchmark-Test:
@ -13,13 +16,14 @@ jobs:
# we also want to run on push such that merges to main are recorded to the cache. For this reason we don't filter # we also want to run on push such that merges to main are recorded to the cache. For this reason we don't filter
# the job by event. # the job by event.
steps: steps:
- uses: actions/checkout@v4 - name: Checkout code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
- name: Restore base benchmark result - name: Restore base benchmark result
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: test/results/benchmark-main.txt path: test/results/benchmark-main.txt
# use base sha for PR or new commit hash for main push in benchmark result key # use base sha for PR or new commit hash for main push in benchmark result key
@ -35,13 +39,13 @@ jobs:
OUTPUT="${OUTPUT//$'\r'/'%0D'}" # URL encode all '\r' characters OUTPUT="${OUTPUT//$'\r'/'%0D'}" # URL encode all '\r' characters
echo "result=$OUTPUT" >> $GITHUB_OUTPUT echo "result=$OUTPUT" >> $GITHUB_OUTPUT
- uses: actions/upload-artifact@v3 - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: benchmark-test-results name: benchmark-test-results
path: test/results/**/* path: test/results/**/*
- name: Update PR benchmark results comment - name: Update PR benchmark results comment
uses: marocchino/sticky-pull-request-comment@v2 uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd #v2.8.0
continue-on-error: true continue-on-error: true
with: with:
header: benchmark header: benchmark
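Review bot: The workflow-level `permissions: contents: read` added above `jobs:` sets every other scope, including `pull-requests`, to `none`, so the `marocchino/sticky-pull-request-comment` step can no longer create or update the benchmark comment on same-repo PRs; because that step carries `continue-on-error: true`, the resulting 403 will be swallowed rather than surfaced. Grant the job what it actually needs, e.g. under `Benchmark-Test:` add `permissions:` / `contents: read` / `pull-requests: write`. PRs from forks already receive a read-only token, so the comment never worked for them regardless; the job header is above this hunk.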


@ -14,11 +14,17 @@ on:
schedule: schedule:
- cron: '0 0 * * 3' - cron: '0 0 * * 3'
permissions:
contents: read
jobs: jobs:
analyze: analyze:
name: Analyze name: Analyze
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
security-events: write
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@ -30,16 +36,16 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
- name: Install Go - name: Install Go
uses: actions/setup-go@v4 uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
with: with:
go-version-file: go.mod go-version-file: go.mod
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v2 uses: github/codeql-action/init@04daf014b50eaf774287bf3f0f1869d4b4c4b913 #v2.21.7
with: with:
languages: ${{ matrix.language }} languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file. # If you wish to specify custom queries, you can do so here or in a config file.
@ -50,7 +56,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below) # If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@v2 uses: github/codeql-action/autobuild@04daf014b50eaf774287bf3f0f1869d4b4c4b913 #v2.21.7
# Command-line programs to run using the OS shell. # Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl # 📚 https://git.io/JvXDl
@ -64,4 +70,4 @@ jobs:
# make release # make release
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2 uses: github/codeql-action/analyze@04daf014b50eaf774287bf3f0f1869d4b4c4b913 #v2.21.7
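Review bot: A job-level `permissions` block replaces the workflow-level one rather than merging with it, so `analyze` now runs with only `security-events: write` and `contents: none`. Checkout still succeeds on a public repository without a token, but the same file in a private fork or mirror would fail at the checkout step, and CodeQL's starter template grants the job `actions: read`, `contents: read` and `security-events: write` together. Restate the read scopes in the job block: add `actions: read` and `contents: read` alongside the existing `security-events: write`.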


@ -1,5 +1,8 @@
name: Add to OSS board name: Add to OSS board
permissions:
contents: read
on: on:
issues: issues:
types: types:
@ -9,7 +12,6 @@ on:
- labeled - labeled
jobs: jobs:
run: run:
uses: "anchore/workflows/.github/workflows/oss-project-board-add.yaml@main" uses: "anchore/workflows/.github/workflows/oss-project-board-add.yaml@main"
secrets: secrets:
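Review bot: The reusable workflow is still referenced as `anchore/workflows/.github/workflows/oss-project-board-add.yaml@main`, a mutable branch, while the rest of this commit pins third-party code to commit SHAs; since it is handed `secrets:`, a compromised or careless push to that branch exposes them on the next issue event. Pin it the same way, `uses: "anchore/workflows/.github/workflows/oss-project-board-add.yaml@<sha> # main"`, and let Dependabot track it. Note that the new `contents: read` also bounds the `GITHUB_TOKEN` the called workflow inherits, so any project-board write it performs presumably has to come from the forwarded secrets; the `secrets:` mapping continues outside the hunk.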


@ -1,4 +1,8 @@
name: "Release" name: "Release"
permissions:
contents: read
on: on:
workflow_dispatch: workflow_dispatch:
inputs: inputs:
@ -14,7 +18,7 @@ jobs:
environment: release environment: release
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
- name: Check if tag already exists - name: Check if tag already exists
# note: this will fail if the tag already exists # note: this will fail if the tag already exists
@ -23,7 +27,7 @@ jobs:
git tag ${{ github.event.inputs.version }} git tag ${{ github.event.inputs.version }}
- name: Check static analysis results - name: Check static analysis results
uses: fountainhead/action-wait-for-check@v1.1.0 uses: fountainhead/action-wait-for-check@297be350cf8393728ea4d4b39435c7d7ae167c93 # v1.1.0
id: static-analysis id: static-analysis
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
@ -32,7 +36,7 @@ jobs:
ref: ${{ github.event.pull_request.head.sha || github.sha }} ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Check unit test results - name: Check unit test results
uses: fountainhead/action-wait-for-check@v1.1.0 uses: fountainhead/action-wait-for-check@297be350cf8393728ea4d4b39435c7d7ae167c93 # v1.1.0
id: unit id: unit
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
@ -41,7 +45,7 @@ jobs:
ref: ${{ github.event.pull_request.head.sha || github.sha }} ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Check integration test results - name: Check integration test results
uses: fountainhead/action-wait-for-check@v1.1.0 uses: fountainhead/action-wait-for-check@297be350cf8393728ea4d4b39435c7d7ae167c93 # v1.1.0
id: integration id: integration
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
@ -50,7 +54,7 @@ jobs:
ref: ${{ github.event.pull_request.head.sha || github.sha }} ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Check acceptance test results (linux) - name: Check acceptance test results (linux)
uses: fountainhead/action-wait-for-check@v1.1.0 uses: fountainhead/action-wait-for-check@297be350cf8393728ea4d4b39435c7d7ae167c93 # v1.1.0
id: acceptance-linux id: acceptance-linux
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
@ -59,7 +63,7 @@ jobs:
ref: ${{ github.event.pull_request.head.sha || github.sha }} ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Check acceptance test results (mac) - name: Check acceptance test results (mac)
uses: fountainhead/action-wait-for-check@v1.1.0 uses: fountainhead/action-wait-for-check@297be350cf8393728ea4d4b39435c7d7ae167c93 # v1.1.0
id: acceptance-mac id: acceptance-mac
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
@ -68,7 +72,7 @@ jobs:
ref: ${{ github.event.pull_request.head.sha || github.sha }} ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Check cli test results (linux) - name: Check cli test results (linux)
uses: fountainhead/action-wait-for-check@v1.1.0 uses: fountainhead/action-wait-for-check@297be350cf8393728ea4d4b39435c7d7ae167c93 # v1.1.0
id: cli-linux id: cli-linux
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
@ -94,7 +98,7 @@ jobs:
contents: write contents: write
packages: write packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
@ -105,13 +109,13 @@ jobs:
build-cache-key-prefix: "snapshot" build-cache-key-prefix: "snapshot"
- name: Login to Docker Hub - name: Login to Docker Hub
uses: docker/login-action@v3 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d #v3.0.0
with: with:
username: ${{ secrets.TOOLBOX_DOCKER_USER }} username: ${{ secrets.TOOLBOX_DOCKER_USER }}
password: ${{ secrets.TOOLBOX_DOCKER_PASS }} password: ${{ secrets.TOOLBOX_DOCKER_PASS }}
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v3 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d #v3.0.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
@ -141,12 +145,12 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }} AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
- uses: anchore/sbom-action@v0 - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 #v0.14.3
continue-on-error: true continue-on-error: true
with: with:
artifact-name: sbom.spdx.json artifact-name: sbom.spdx.json
- uses: 8398a7/action-slack@v3 - uses: 8398a7/action-slack@49aa08e51e8782f49c601d79ec72d07fd39a4612 #v3.15.1
continue-on-error: true continue-on-error: true
with: with:
status: ${{ job.status }} status: ${{ job.status }}
@ -156,7 +160,7 @@ jobs:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }} SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
if: ${{ success() }} if: ${{ success() }}
- uses: actions/upload-artifact@v3 - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 #v3.1.3
with: with:
name: artifacts name: artifacts
path: dist/**/* path: dist/**/*
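Review bot: The `fountainhead/action-wait-for-check` steps authenticate with `${{ secrets.GITHUB_TOKEN }}`, and the new workflow-level `permissions: contents: read` sets every other scope, including `checks`, to `none` for the first job; if the checks API rejects a token that lacks `checks: read`, every pre-release gate will fail at its first poll. Add `checks: read` to that job's own `permissions` block (its header is above this hunk); the build job already declares `contents: write` and `packages: write` and is unaffected. Separately, `anchore/sbom-action` with `continue-on-error: true` means a release can ship without its SBOM and nobody is told; consider whether that should really be non-fatal for a release.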


@ -9,14 +9,17 @@ env:
GO_VERSION: "1.21.x" GO_VERSION: "1.21.x"
GO_STABLE_VERSION: true GO_STABLE_VERSION: true
permissions:
contents: read
jobs: jobs:
update-bootstrap-tools: update-bootstrap-tools:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'anchore/syft' # only run for main repo if: github.repository == 'anchore/syft' # only run for main repo
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
- uses: actions/setup-go@v4 - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
with: with:
go-version: ${{ env.GO_VERSION }} go-version: ${{ env.GO_VERSION }}
stable: ${{ env.GO_STABLE_VERSION }} stable: ${{ env.GO_STABLE_VERSION }}
@ -55,13 +58,13 @@ jobs:
echo "GLOW=GLOW_LATEST_VERSION" >> $GITHUB_OUTPUT echo "GLOW=GLOW_LATEST_VERSION" >> $GITHUB_OUTPUT
id: latest-versions id: latest-versions
- uses: tibdex/github-app-token@v2 - uses: tibdex/github-app-token@0914d50df753bbc42180d982a6550f195390069f #v2.0.0
id: generate-token id: generate-token
with: with:
app_id: ${{ secrets.TOKEN_APP_ID }} app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }} private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
- uses: peter-evans/create-pull-request@v5 - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 #v5.0.2
with: with:
signoff: true signoff: true
delete-branch: true delete-branch: true
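Review bot: The token minted by `tibdex/github-app-token` carries every permission the installed app has, but all this job does with it is push a branch and open a PR; as far as I can tell this version accepts `permissions` and `repositories` inputs that narrow the token, e.g. `permissions: '{"contents": "write", "pull_requests": "write"}'` and `repositories: '["syft"]'`. Scoping it keeps a leaked token from reaching other repositories or scopes the app is installed for. The same applies to the update-cpe-dictionary-index and update-stereoscope workflows touched by this commit.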


@ -5,6 +5,9 @@ on:
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
env: env:
GO_VERSION: "1.21.x" GO_VERSION: "1.21.x"
GO_STABLE_VERSION: true GO_STABLE_VERSION: true
@ -16,7 +19,7 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: actions/setup-go@v4 - uses: actions/setup-go@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
with: with:
go-version: ${{ env.GO_VERSION }} go-version: ${{ env.GO_VERSION }}
stable: ${{ env.GO_STABLE_VERSION }} stable: ${{ env.GO_STABLE_VERSION }}
@ -24,13 +27,13 @@ jobs:
- run: | - run: |
make generate-cpe-dictionary-index make generate-cpe-dictionary-index
- uses: tibdex/github-app-token@v2 - uses: tibdex/github-app-token@0914d50df753bbc42180d982a6550f195390069f #v2.0.0
id: generate-token id: generate-token
with: with:
app_id: ${{ secrets.TOKEN_APP_ID }} app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }} private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
- uses: peter-evans/create-pull-request@v5 - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 #v5.0.2
with: with:
signoff: true signoff: true
delete-branch: true delete-branch: true
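Review bot: Two pins in this hunk are wrong: `actions/checkout@v4` is left on the mutable tag, and `actions/setup-go@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0` uses the SHA this same commit assigns to `actions/checkout` v4.0.0 in every other workflow, not a setup-go commit, so the step will fail to resolve the action. Mirror the other workflows: `- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0` and `- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0`. A one-off check that each pinned SHA is reachable from the tag named in its comment would have caught this.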


@ -9,14 +9,17 @@ env:
GO_VERSION: "1.21.x" GO_VERSION: "1.21.x"
GO_STABLE_VERSION: true GO_STABLE_VERSION: true
permissions:
contents: read
jobs: jobs:
upgrade-stereoscope: upgrade-stereoscope:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'anchore/syft' # only run for main repo if: github.repository == 'anchore/syft' # only run for main repo
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
- uses: actions/setup-go@v4 - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
with: with:
go-version: ${{ env.GO_VERSION }} go-version: ${{ env.GO_VERSION }}
stable: ${{ env.GO_STABLE_VERSION }} stable: ${{ env.GO_STABLE_VERSION }}
@ -32,13 +35,13 @@ jobs:
echo "LATEST_VERSION=$LATEST_VERSION" >> $GITHUB_OUTPUT echo "LATEST_VERSION=$LATEST_VERSION" >> $GITHUB_OUTPUT
id: latest-version id: latest-version
- uses: tibdex/github-app-token@v2 - uses: tibdex/github-app-token@0914d50df753bbc42180d982a6550f195390069f #v2.0.0
id: generate-token id: generate-token
with: with:
app_id: ${{ secrets.TOKEN_APP_ID }} app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }} private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
- uses: peter-evans/create-pull-request@v5 - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 #v5.0.2
with: with:
signoff: true signoff: true
delete-branch: true delete-branch: true


@ -7,14 +7,16 @@ on:
branches: branches:
- main - main
jobs: permissions:
contents: read
jobs:
Static-Analysis: Static-Analysis:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
name: "Static analysis" name: "Static analysis"
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -28,37 +30,37 @@ jobs:
name: "Unit tests" name: "Unit tests"
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
- name: Restore Java test-fixture cache - name: Restore Java test-fixture cache
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: syft/pkg/cataloger/java/test-fixtures/java-builds/packages path: syft/pkg/cataloger/java/test-fixtures/java-builds/packages
key: ${{ runner.os }}-unit-java-cache-${{ hashFiles( 'syft/pkg/cataloger/java/test-fixtures/java-builds/cache.fingerprint' ) }} key: ${{ runner.os }}-unit-java-cache-${{ hashFiles( 'syft/pkg/cataloger/java/test-fixtures/java-builds/cache.fingerprint' ) }}
- name: Restore RPM test-fixture cache - name: Restore RPM test-fixture cache
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: syft/pkg/cataloger/rpm/test-fixtures/rpms path: syft/pkg/cataloger/rpm/test-fixtures/rpms
key: ${{ runner.os }}-unit-rpm-cache-${{ hashFiles( 'syft/pkg/cataloger/rpm/test-fixtures/rpms.fingerprint' ) }} key: ${{ runner.os }}-unit-rpm-cache-${{ hashFiles( 'syft/pkg/cataloger/rpm/test-fixtures/rpms.fingerprint' ) }}
- name: Restore go binary test-fixture cache - name: Restore go binary test-fixture cache
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: syft/pkg/cataloger/golang/test-fixtures/archs/binaries path: syft/pkg/cataloger/golang/test-fixtures/archs/binaries
key: ${{ runner.os }}-unit-go-binaries-cache-${{ hashFiles( 'syft/pkg/cataloger/golang/test-fixtures/archs/binaries.fingerprint' ) }} key: ${{ runner.os }}-unit-go-binaries-cache-${{ hashFiles( 'syft/pkg/cataloger/golang/test-fixtures/archs/binaries.fingerprint' ) }}
- name: Restore binary cataloger test-fixture cache - name: Restore binary cataloger test-fixture cache
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: syft/pkg/cataloger/binary/test-fixtures/classifiers/dynamic path: syft/pkg/cataloger/binary/test-fixtures/classifiers/dynamic
key: ${{ runner.os }}-unit-binary-cataloger-cache-${{ hashFiles( 'syft/pkg/cataloger/binary/test-fixtures/cache.fingerprint' ) }} key: ${{ runner.os }}-unit-binary-cataloger-cache-${{ hashFiles( 'syft/pkg/cataloger/binary/test-fixtures/cache.fingerprint' ) }}
- name: Restore Kernel test-fixture cache - name: Restore Kernel test-fixture cache
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: syft/pkg/cataloger/kernel/test-fixtures/cache path: syft/pkg/cataloger/kernel/test-fixtures/cache
key: ${{ runner.os }}-unit-kernel-cache-${{ hashFiles( 'syft/pkg/cataloger/kernel/test-fixtures/cache.fingerprint' ) }} key: ${{ runner.os }}-unit-kernel-cache-${{ hashFiles( 'syft/pkg/cataloger/kernel/test-fixtures/cache.fingerprint' ) }}
@ -72,7 +74,7 @@ jobs:
name: "Integration tests" name: "Integration tests"
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -81,7 +83,7 @@ jobs:
run: make validate-cyclonedx-schema run: make validate-cyclonedx-schema
- name: Restore integration test cache - name: Restore integration test cache
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: ${{ github.workspace }}/test/integration/test-fixtures/cache path: ${{ github.workspace }}/test/integration/test-fixtures/cache
key: ${{ runner.os }}-integration-test-cache-${{ hashFiles('test/integration/test-fixtures/cache.fingerprint') }} key: ${{ runner.os }}-integration-test-cache-${{ hashFiles('test/integration/test-fixtures/cache.fingerprint') }}
@ -94,7 +96,7 @@ jobs:
name: "Build snapshot artifacts" name: "Build snapshot artifacts"
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -113,7 +115,7 @@ jobs:
# why not use actions/upload-artifact? It is very slow (3 minutes to upload ~600MB of data, vs 10 seconds with this approach). # why not use actions/upload-artifact? It is very slow (3 minutes to upload ~600MB of data, vs 10 seconds with this approach).
# see https://github.com/actions/upload-artifact/issues/199 for more info # see https://github.com/actions/upload-artifact/issues/199 for more info
- name: Upload snapshot artifacts - name: Upload snapshot artifacts
uses: actions/cache/save@v3 uses: actions/cache/save@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: snapshot path: snapshot
key: snapshot-build-${{ github.run_id }} key: snapshot-build-${{ github.run_id }}
@ -125,10 +127,10 @@ jobs:
needs: [Build-Snapshot-Artifacts] needs: [Build-Snapshot-Artifacts]
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
- name: Download snapshot build - name: Download snapshot build
uses: actions/cache/restore@v3 uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: snapshot path: snapshot
key: snapshot-build-${{ github.run_id }} key: snapshot-build-${{ github.run_id }}
@ -138,7 +140,7 @@ jobs:
- name: Restore install.sh test image cache - name: Restore install.sh test image cache
id: install-test-image-cache id: install-test-image-cache
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: ${{ github.workspace }}/test/install/cache path: ${{ github.workspace }}/test/install/cache
key: ${{ runner.os }}-install-test-image-cache-${{ hashFiles('test/install/cache.fingerprint') }} key: ${{ runner.os }}-install-test-image-cache-${{ hashFiles('test/install/cache.fingerprint') }}
@ -161,17 +163,17 @@ jobs:
needs: [Build-Snapshot-Artifacts] needs: [Build-Snapshot-Artifacts]
runs-on: macos-latest runs-on: macos-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
- name: Download snapshot build - name: Download snapshot build
uses: actions/cache/restore@v3 uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: snapshot path: snapshot
key: snapshot-build-${{ github.run_id }} key: snapshot-build-${{ github.run_id }}
- name: Restore docker image cache for compare testing - name: Restore docker image cache for compare testing
id: mac-compare-testing-cache id: mac-compare-testing-cache
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: image.tar path: image.tar
key: ${{ runner.os }}-${{ hashFiles('test/compare/mac.sh') }} key: ${{ runner.os }}-${{ hashFiles('test/compare/mac.sh') }}
@ -189,19 +191,19 @@ jobs:
needs: [Build-Snapshot-Artifacts] needs: [Build-Snapshot-Artifacts]
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
- name: Restore CLI test-fixture cache - name: Restore CLI test-fixture cache
uses: actions/cache@v3 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: ${{ github.workspace }}/test/cli/test-fixtures/cache path: ${{ github.workspace }}/test/cli/test-fixtures/cache
key: ${{ runner.os }}-cli-test-cache-${{ hashFiles('test/cli/test-fixtures/cache.fingerprint') }} key: ${{ runner.os }}-cli-test-cache-${{ hashFiles('test/cli/test-fixtures/cache.fingerprint') }}
- name: Download snapshot build - name: Download snapshot build
uses: actions/cache/restore@v3 uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
with: with:
path: snapshot path: snapshot
key: snapshot-build-${{ github.run_id }} key: snapshot-build-${{ github.run_id }}
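Review bot: The `actions/cache/restore` steps that feed the snapshot into the downstream jobs (`key: snapshot-build-${{ github.run_id }}`) treat a cache miss as success, so an evicted or never-saved entry leaves `snapshot/` empty and the acceptance and CLI tests run against nothing instead of failing loudly; caches are not artifacts and can be evicted at any time. `actions/cache/restore` at v3.3.x accepts `fail-on-cache-miss: true`; add it to each of those three restore steps. The jobs that consume the snapshot start above their respective hunks.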


@ -1,4 +1,4 @@
FROM gcr.io/distroless/static-debian11:debug AS build FROM gcr.io/distroless/static-debian11:debug@sha256:a0a404776dec98be120089ae42bbdfbe48c177921d856937d124d48eb8c0b951 AS build
FROM scratch FROM scratch
# needed for version check HTTPS request # needed for version check HTTPS request


@ -1,4 +1,4 @@
FROM gcr.io/distroless/static-debian11:debug FROM gcr.io/distroless/static-debian11:debug@sha256:a0a404776dec98be120089ae42bbdfbe48c177921d856937d124d48eb8c0b951
# create the /tmp dir, which is needed for image content cache # create the /tmp dir, which is needed for image content cache
WORKDIR /tmp WORKDIR /tmp


@ -1,4 +1,4 @@
FROM alpine:3.17.1 as tools FROM alpine:3.17.1@sha256:93d5a28ff72d288d69b5997b8ba47396d2cbb62a72b5d87cd3351094b5d578a0 as tools
FROM scratch FROM scratch
COPY --from=tools /bin /bin COPY --from=tools /bin /bin
COPY --from=tools /lib /lib COPY --from=tools /lib /lib


@ -1 +1 @@
FROM busybox:1.35 FROM busybox:1.35@sha256:7ae8447f3a7f5bccaa765926f25fc038e425cf1b2be6748727bbea9a13102094


@ -1,2 +1,2 @@
FROM alpine:3.6 FROM alpine:3.6@sha256:66790a2b79e1ea3e1dabac43990c54aca5d1ddf268d9a5a0285e4167c8b24475
RUN apk update && apk add python3 wget unzip make ca-certificates RUN apk update && apk add python3 wget unzip make ca-certificates


@ -1,2 +1,2 @@
FROM ubuntu:20.04 FROM ubuntu:20.04@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba
RUN apt update -y && apt install make python3 curl unzip -y RUN apt update -y && apt install make python3 curl unzip -y


@ -1,3 +1,3 @@
FROM busybox:1.31.1 FROM busybox:1.31.1@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209


@ -1,4 +1,4 @@
FROM golang:latest as builder FROM golang:1.21.1@sha256:cffaba795c36f07e372c7191b35ceaae114d74c31c3763d442982e3a4df3b39e as builder
WORKDIR /app WORKDIR /app
COPY go.sum go.mod app.go ./ COPY go.sum go.mod app.go ./


@ -1,4 +1,4 @@
FROM jenkins/jenkins:2.346.3-slim-jdk17 FROM jenkins/jenkins:2.346.3-slim-jdk17@sha256:028fbbd9112c60ed086f5197fcba71992317864d27644e5949cf9c52ff4b65f0
USER root USER root


@ -1,4 +1,4 @@
FROM alpine:latest FROM alpine:3.18.3@sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a
RUN wget https://repo1.maven.org/maven2/org/jvnet/hudson/main/hudson-war/2.2.1/hudson-war-2.2.1.war RUN wget https://repo1.maven.org/maven2/org/jvnet/hudson/main/hudson-war/2.2.1/hudson-war-2.2.1.war
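Review bot: Pinning the base image by digest still leaves this fixture non-reproducible, because `hudson-war-2.2.1.war` is fetched over the network with no integrity check, so the bytes syft catalogs in this test can change (or be substituted) without the build noticing. Record the artifact's SHA-256 once and verify it after the download, e.g. `RUN wget … && echo "<sha256>  hudson-war-2.2.1.war" | sha256sum -c -`. The rest of this Dockerfile is outside the hunk.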


@ -1,4 +1,4 @@
FROM alpine:latest FROM alpine:3.18.3@sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a
# syft should not longer show the binary package for this image: # syft should not longer show the binary package for this image:
# https://github.com/anchore/syft/issues/931 # https://github.com/anchore/syft/issues/931


@ -1,3 +1,3 @@
FROM ubuntu:20.04 FROM ubuntu:20.04@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba
# this covers rpm-python # this covers rpm-python
RUN apt-get update && apt-get install -y python-pil=6.2.1-3 RUN apt-get update && apt-get install -y python-pil=6.2.1-3


@ -1 +1 @@
FROM photon:5.0-20230729 FROM photon:5.0-20230729@sha256:4cf2a1ce0a3f4625f13a0becb6b9bccfdb014c565be6e9a2ec4c4aad1ff8a5d9


@ -1,2 +1,2 @@
# An image containing the example hello-auditable binary from https://github.com/Shnatsel/rust-audit/tree/master/hello-auditable # An image containing the example hello-auditable binary from https://github.com/Shnatsel/rust-audit/tree/master/hello-auditable
FROM docker.io/tofay/hello-rust-auditable:latest FROM docker.io/tofay/hello-rust-auditable@sha256:1d35d1e007180b3f7500aae5e27560697909132ca9a6d480c4c825534c1c47a9
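Review bot: Dropping the tag when adding the digest (`hello-rust-auditable@sha256:…`) loses the only human-readable hint of what was pinned and is inconsistent with the `name:tag@digest` form this commit uses elsewhere (e.g. `golang:1.21.1@sha256:…`). Keep both, `FROM docker.io/tofay/hello-rust-auditable:latest@sha256:1d35d1e007180b3f7500aae5e27560697909132ca9a6d480c4c825534c1c47a9`; the digest still decides what is pulled, and update bots can report when the tag has moved.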


@ -1,2 +1,2 @@
FROM registry.suse.com/suse/sle15:15.3.17.20.20 FROM registry.suse.com/suse/sle15:15.3.17.20.20@sha256:fd657ecbab5ca564d6933e887f6ae8542a9398e6a4b399f352ce10c3a24afc64
RUN zypper in -y wget RUN zypper in -y wget


@ -1,4 +1,4 @@
FROM centos:7.9.2009 FROM centos:7.9.2009@sha256:be65f488b7764ad3638f236b7b515b3678369a5124c47b8d32916d6487418ea4
# modifying the RPM DB multiple times will result in duplicate packages when using all-layers (if there was no de-dup logic) # modifying the RPM DB multiple times will result in duplicate packages when using all-layers (if there was no de-dup logic)
# curl is tricky, it already exists in the image and is being upgraded # curl is tricky, it already exists in the image and is being upgraded
RUN yum install -y wget-1.14-18.el7_6.1 curl-7.29.0-59.el7_9.1 RUN yum install -y wget-1.14-18.el7_6.1 curl-7.29.0-59.el7_9.1