chore: Updated GH Actions (#33)

Signed-off-by: Steve Hipwell <[email protected]>

Signed-off-by: Steve Hipwell <[email protected]>

.github/workflows/commit.yaml

@@ -20,14 +20,14 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
 
       - name: Run Hadolint
         id: hadolint
-        uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1
+        uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1 # v3.0.0
         continue-on-error: true
         with:
           dockerfile: ./${{ matrix.os }}.dockerfile
@@ -36,14 +36,14 @@ jobs:
           no-fail: false
 
       - name: Upload Hadolint SARIF report
-        uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb
+        uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35
         with:
-          category: hadolint
+          category: hadolint-${{ matrix.os }}
           sarif_file: hadolint.sarif
 
       - name: Generate OCI image metadata
         id: metadata
-        uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea
+        uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # v4.1.1
         with:
           flavor: |
             latest=false
@@ -58,14 +58,14 @@ jobs:
             org.opencontainers.image.authors=Fluentd developers <[email protected]>
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325
+        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
 
       - name: Build OCI image
         id: build
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
+        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
         with:
           file: ./${{ matrix.os }}.dockerfile
           context: .
@@ -77,29 +77,29 @@ jobs:
           load: true
           push: false
 
-      - name: Generate OCI image SBOM
-        uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d
+      - name: Generate OCI image Syft SBOM
+        uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0.13.1
         with:
-          image: "ghcr.io/${{ github.repository }}:${{ matrix.os }}-main"
+          image: "ghcr.io/${{ github.repository }}:${{ steps.metadata.outputs.version }}"
           dependency-snapshot: true
           format: spdx-json
-          artifact-name: ${{ github.event.repository.name }}-sbom.spdx.json
-          output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+          artifact-name: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom
+          output-file: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json
 
-      - name: Scan OCI image SBOM with Grype
+      - name: Scan OCI image Syft SBOM with Grype
         id: scan
-        uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1
+        uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1 # v3.3.2
         continue-on-error: true
         with:
-          sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+          sbom: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json
           severity-cutoff: medium
           output-format: sarif
           fail-build: true
 
       - name: Upload Grype SARIF report
-        uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb
+        uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35
         with:
-          category: grype
+          category: grype-${{ matrix.os }}
           sarif_file: ${{ steps.scan.outputs.sarif }}
 
       - name: Fail workflow
@@ -110,21 +110,21 @@ jobs:
           exit 1
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to DockerHub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build & push OCI image
         id: build_push
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
+        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
         with:
           file: ./${{ matrix.os }}.dockerfile
           context: .
@@ -139,7 +139,4 @@ jobs:
       - name: Sign OCI image
         env:
           COSIGN_EXPERIMENTAL: true
-        run: |
-          set -euo pipefail
-          cosign sign --yes --recursive ghcr.io/${{ github.repository }}:main@${{ steps.build_push.outputs.digest }}
-          cosign sign --yes --recursive docker.io/${{ secrets.DOCKERHUB_REPO }}:main@${{ steps.build_push.outputs.digest }}
+        run: echo "${{ steps.metadata.outputs.tags }}" | xargs -I {} cosign sign --yes --recursive {}@${{ steps.build_push.outputs.digest }}

.github/workflows/pull-request.yaml

@@ -19,25 +19,25 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
 
       - name: Run Hadolint
-        uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1
+        uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1 # v3.0.0
         with:
           dockerfile: ./${{ matrix.os }}.dockerfile
           format: sarif
           output-file: hadolint.sarif
           no-fail: true
 
       - name: Upload Hadolint SARIF report
-        uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb
+        uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35
         with:
-          category: hadolint
+          category: hadolint-${{ matrix.os }}
           sarif_file: hadolint.sarif
 
       - name: Generate OCI image metadata
         id: metadata
-        uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea
+        uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # v4.1.1
         with:
           flavor: |
             latest=false
@@ -50,11 +50,11 @@ jobs:
             org.opencontainers.image.authors=Fluentd developers <[email protected]>
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325
+        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
 
       - name: Build OCI image
         id: build
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
+        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
         with:
           file: ./${{ matrix.os }}.dockerfile
           context: .
@@ -66,26 +66,26 @@ jobs:
           load: true
           push: false
 
-      - name: Generate OCI image SBOM
-        uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d
+      - name: Generate OCI image Syft SBOM
+        uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0.13.1
         with:
-          image: "${{ github.repository }}:${{ matrix.os }}-local"
+          image: "${{ github.repository }}:${{ steps.metadata.outputs.version }}"
           dependency-snapshot: true
           format: spdx-json
-          artifact-name: ${{ github.event.repository.name }}-sbom.spdx.json
-          output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+          artifact-name: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom
+          output-file: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json
 
-      - name: Scan OCI image SBOM with Grype
+      - name: Scan OCI image Syft SBOM with Grype
         id: scan
-        uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1
+        uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1 # v3.3.2
         with:
-          sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+          sbom: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json
           severity-cutoff: medium
           output-format: sarif
           fail-build: false
 
       - name: Upload Grype SARIF report
-        uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb
+        uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35
         with:
-          category: grype
+          category: grype-${{ matrix.os }}
           sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/release.yaml

@@ -19,13 +19,13 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
 
       - name: Run Hadolint
-        uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1
+        uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1 # v3.0.0
         continue-on-error: true
         with:
           dockerfile: ./${{ matrix.os }}.dockerfile
@@ -34,14 +34,14 @@ jobs:
           no-fail: false
 
       - name: Upload Hadolint SARIF report
-        uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb
+        uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35
         with:
-          category: hadolint
+          category: hadolint-${{ matrix.os }}
           sarif_file: hadolint.sarif
 
       - name: Generate OCI image metadata
         id: metadata
-        uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea
+        uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # v4.1.1
         with:
           flavor: |
             latest=false
@@ -62,14 +62,14 @@ jobs:
             org.opencontainers.image.authors=Fluentd developers <[email protected]>
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325
+        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
 
       - name: Build OCI image
         id: build
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
+        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
         with:
           file: ./${{ matrix.os }}.dockerfile
           context: .
@@ -81,29 +81,29 @@ jobs:
           load: true
           push: false
 
-      - name: Generate OCI image SBOM
-        uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d
+      - name: Generate OCI image Syft SBOM
+        uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0.13.1
         with:
           image: "ghcr.io/${{ github.repository }}:${{ steps.metadata.outputs.version }}"
           dependency-snapshot: true
           format: spdx-json
-          artifact-name: ${{ github.event.repository.name }}-sbom.spdx.json
-          output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+          artifact-name: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom
+          output-file: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json
 
-      - name: Scan OCI image SBOM with Grype
+      - name: Scan OCI image Syft SBOM with Grype
         id: scan
-        uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1
+        uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1 # v3.3.2
         continue-on-error: true
         with:
-          sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+          sbom: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json
           severity-cutoff: medium
           output-format: sarif
           fail-build: true
 
       - name: Upload Grype SARIF report
-        uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb
+        uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35
         with:
-          category: grype
+          category: grype-${{ matrix.os }}
           sarif_file: ${{ steps.scan.outputs.sarif }}
 
       - name: Fail workflow
@@ -114,21 +114,21 @@ jobs:
           exit 1
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to DockerHub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build & push OCI image
         id: build_push
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
+        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
         with:
           file: ./${{ matrix.os }}.dockerfile
           context: .
@@ -143,27 +143,34 @@ jobs:
       - name: Sign OCI image
         env:
           COSIGN_EXPERIMENTAL: true
-        run: |
-          set -euo pipefail
-          cosign sign --yes --recursive ghcr.io/${{ github.repository }}:${{ steps.metadata.outputs.version }}@${{ steps.build_push.outputs.digest }}
-          cosign sign --yes --recursive docker.io/${{ secrets.DOCKERHUB_REPO }}:${{ steps.metadata.outputs.version }}@${{ steps.build_push.outputs.digest }}
+        run: echo "${{ steps.metadata.outputs.tags }}" | xargs -I {} cosign sign --yes --recursive {}@${{ steps.build_push.outputs.digest }}
+
+  publish:
+    name: Publish Release
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
 
       - name: Update Docker repository description
-        uses: peter-evans/dockerhub-description@93b93397c27ed52b4055b8c6b2f8d92456ab3c56
+        uses: peter-evans/dockerhub-description@93b93397c27ed52b4055b8c6b2f8d92456ab3c56 # v3.1.2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
           repository: ${{ secrets.DOCKERHUB_REPO }}
 
       - name: Get changelog entry
         id: changelog_reader
-        uses: mindsers/changelog-reader-action@b97ce03a10d9bdbb07beb491c76a5a01d78cd3ef
+        uses: mindsers/changelog-reader-action@b97ce03a10d9bdbb07beb491c76a5a01d78cd3ef # v2.2.2
         with:
           path: ./CHANGELOG.md
           version: ${{ github.ref_name }}
 
       - name: Create release
-        uses: ncipollo/release-action@4c75f0f2e4ae5f3c807cf0904605408e319dcaac
+        uses: ncipollo/release-action@18eadf9c9b0f226f47f164f5373c6a44f0aae169 # v1.11.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           allowUpdates: true