
Commit 302386f

Copilotbeevelop
andcommitted
Pin all GitHub Actions to SHA hashes & fix deprecated Trivy SARIF template
Co-authored-by: beevelop <6891349+beevelop@users.noreply.github.com> Agent-Logs-Url: https://github.com/beevelop/docker-java/sessions/be8812a6-b645-4ed8-8bd3-7bad66963436
1 parent 7c041cd commit 302386f


1 file changed

+13
-13
lines changed


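--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -16,7 +16,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Check out the repo
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set imageName based on the repository name
 id: step_one
 run: |
@@ -25,28 +25,28 @@ jobs:
 echo "imageName=$imageName" >> $GITHUB_ENV
 - name: Docker meta
 id: docker_meta
-uses: crazy-max/ghaction-docker-meta@v6
+uses: crazy-max/ghaction-docker-meta@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
 with:
 images: ${{ env.imageName }}
 - name: Set up QEMU
-uses: docker/setup-qemu-action@v4
+uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Login to Docker Hub
-uses: docker/login-action@v4
+uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Buildx cache
-uses: actions/cache@v5
+uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
 with:
 path: ${{ github.workspace }}/cache
 key: ${{ runner.os }}-docker-${{ hashfiles('cache/**') }}
 restore-keys: |
 ${{ runner.os }}-docker
 - name: Build and push
 id: docker_build
-uses: docker/build-push-action@v7
+uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
 with:
 platforms: ${{ env.platforms }}
 push: ${{ github.event_name != 'pull_request' }}
@@ -55,13 +55,13 @@ jobs:
 cache-from: type=local,src=${{ github.workspace }}/cache
 cache-to: type=local,dest=${{ github.workspace }}/cache
 - name: Run Trivy vulnerability scanner
-uses: aquasecurity/trivy-action@0.35.0
+uses: aquasecurity/trivy-action@57a97c7e41536f44adcf59faf14cd94554d91eb0 # v0.35.0
 with:
 image-ref: ${{ env.imageName }}:${{ steps.docker_meta.outputs.version }}
-format: "template"
-template: "@/contrib/sarif.tpl"
-output: "trivy-results.sarif"
+format: 'sarif'
+output: 'trivy-results.sarif'
+severity: 'CRITICAL,HIGH'
 - name: Upload Trivy scan results to GitHub Security tab
-uses: github/codeql-action/upload-sarif@v4
+uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
 with:
-sarif_file: "trivy-results.sarif"
+sarif_file: 'trivy-results.sarif'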
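Review bot: Two of the new pins carry only a major-version comment, `uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5` in the second hunk and `uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4` in the third, while every other pin in the commit records the exact release it was taken from (`# v6.0.2`, `# v4.0.0`). That trailing comment is what Dependabot and Renovate read to map a SHA back to a release and to propose bumps, so these two should name the full tag the SHA resolves to, e.g. `# v5.<exact release looked up from the tag>` (placeholder, not a real version). Separately, the rewritten Trivy step now filters to `severity: 'CRITICAL,HIGH'` but sets no `exit-code`, so the scan still never fails the job and the Security-tab upload remains the only outcome; if the intent is to gate on findings, `exit-code: '1'` (optionally with `ignore-unfixed: true`) is needed, and the upload step should then carry `if: always()` so the SARIF is still uploaded when the scan step fails. The job's `permissions` block is outside the hunks, so I cannot confirm `security-events: write` is granted for the upload step.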
