Merge branch 'advanced-security:main' into main

Author: CalinL

.github/workflows/codeql-dynamic.yml

@@ -1,14 +1,20 @@
 name: "CodeQL Analysis"
 
 on:
+  # Makes the workflow reusable / callable from other workflows
   workflow_call:
+  workflow_dispatch:
 
 jobs:
   create-matrix:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       matrix: ${{ steps.set-matrix.outputs.languages }}
     steps:
+      # This step gets the languages for the repository and creates a supported
+      # CodeQL language list that gets passed into the analyze step
       - name: Get languages from repo
         id: set-matrix
         uses: advanced-security/set-codeql-language-matrix@v1
@@ -18,6 +24,7 @@ jobs:
 
   analyze:
     needs: create-matrix
+    # Check if there are no CodeQL supported languages
     if: ${{ needs.create-matrix.outputs.matrix != '[]' }}
     name: Analyze
     runs-on: ubuntu-latest
@@ -28,24 +35,25 @@ jobs:
 
     strategy:
       fail-fast: false
-      matrix: 
+      matrix:
+        # Create a matrix build for all supported languages
         language: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v4
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/codeql-iac.yml

@@ -14,13 +14,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Initialize and Analyze IaC
         id: codeql_iac
         uses: advanced-security/codeql-extractor-iac@main
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: ${{ steps.codeql_iac.outputs.sarif }}

.github/workflows/codeql-packs.yml

@@ -17,10 +17,12 @@ jobs:
     steps:
       - name: "Set Matrix"
         id: set-matrix
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
+        env:
+          INPUTS_PACKS: ${{ inputs.packs }}
         with:
           script: |
-            const packs = '${{ inputs.packs }}'.split(',');
+            const packs = process.env.INPUTS_PACKS.split(',');
             packs.forEach((pack, index) => {
               if (pack.endsWith('qlpack.yml')) {
                 packs[index] = pack.slice(0, -10);
@@ -42,24 +44,24 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: "Build and Publish CodeQL Packs"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PACKS: ${{ matrix.packs }}
+          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
         run: |
-          PACK_PATH="${{ matrix.packs }}/qlpack.yml"
+          PACK_PATH="${PACKS}/qlpack.yml"
           CURRENT_VERSION=$(grep version $PACK_PATH | awk '{print $2}')
           PACK_FULLNAME=$(cat $PACK_PATH | grep "name:" | awk '{print $2}')
           PACK_NAME=$(echo $PACK_FULLNAME | awk -F '/' '{print $2}')
 
-          PUBLISHED_VERSION=$(gh api /orgs/${{ github.repository_owner }}/packages/container/$PACK_NAME/versions --jq '.[0].metadata.container.tags[0]')
+          PUBLISHED_VERSION=$(gh api /orgs/"$GITHUB_REPOSITORY_OWNER"/packages/container/"$PACK_NAME"/versions --jq '.[0].metadata.container.tags[0]')
           echo "Packs :: ${CURRENT_VERSION} -> ${PUBLISHED_VERSION}"
 
           if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
             gh extension install github/gh-codeql
-            gh codeql pack install "${{ matrix.packs }}"
-            gh codeql pack publish "${{ matrix.packs }}"
+            gh codeql pack install "$PACKS"
+            gh codeql pack publish "$PACKS"
           fi
-
-      

.github/workflows/codeql-ql.yml

@@ -18,16 +18,16 @@ jobs:
 
     steps:
       - name: "Checkout repository"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: "Set up Rust"
-        uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0   # v1.85.1
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561   # v1.85.1
         with:
           toolchain: stable
 
       - name: "Restore cached Cargo"
         id: cache-restore
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@v5
         with:
           path: |
             ~/.cargo/bin/
@@ -111,15 +111,15 @@ jobs:
           mv updated_sarif.sarif ${{ steps.run_ql.outputs.sarif }}
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: ${{ steps.run_ql.outputs.sarif }}
           category: "/codeql:ql"
 
       - name: Save Cargo / Rust Cache 
         id: cache-save
         if: ${{ github.event_name == 'push' }}
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@v5
         with:
           path: |
             ~/.cargo/bin/

.github/workflows/container-publish.yml

@@ -45,20 +45,20 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Log in to the Container registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set Container Metadata
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
         id: meta
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -72,7 +72,7 @@ jobs:
             type=semver,pattern=v{{major}}.{{minor}},value=${{ inputs.version }}
     
       - name: Build & Publish Container ${{ env.IMAGE_NAME }}
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         id: build
         with:
           file: "${{ inputs.container-file }}"
@@ -85,20 +85,20 @@ jobs:
 
       # Upload Software Bill of Materials (SBOM) to GitHub
       - name: Upload SBOM
-        uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746  # v0.1.1
+        uses: advanced-security/spdx-dependency-submission-action@f957edbb35161c1f9e33f61026fc86a671c58cae  # v0.1.2
         with:
           filePath: '.'
           filePattern: '*.spdx.json'
 
       # Build provenance attestations
       - name: Attest Container Image
-        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2  # v2.2.3
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f  # v3.2.0
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.build.outputs.digest }}
           push-to-registry: true
 
       # - name: Attest Container SBOM
-      #   uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2  # v2.2.3
+      #   uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f  # v3.2.0
       #   with:
       #     subject-path:: '*.spdx.json'

.github/workflows/container-security.yml

@@ -40,13 +40,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build Initial Container
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         id: build
         with:
           file: "${{ inputs.container-file }}"
@@ -57,20 +57,20 @@ jobs:
 
       # Scan the image for vulnerabilities
       - name: Run the Anchore / Grype scan action
-        uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6.1.0
+        uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # v7.3.1
         id: scan
         with:
           image: localbuild/testimage:latest
           only-fixed: true
           fail-build: ${{ inputs.scanning-block }}
 
       - name: Upload SARIF artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: sarif
           path: ${{ steps.scan.outputs.sarif }}
 
       - name: Upload vulnerability report
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/container.yml

@@ -63,7 +63,7 @@ jobs:
 
     steps:
       - name: "Checkout"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: "Get and Set version"
         id: set-version
         env:

.github/workflows/dependency-review.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       # [optional] This setup isn't required but if your repository have a configuration,
       # we use that versus the centralised config. 

.github/workflows/labeler.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     # Check if the .github/labeler.yml file exists
     - name: Check for labeler configuration
@@ -46,7 +46,7 @@ jobs:
 
         fi
 
-    - uses: "actions/labeler@v5"
+    - uses: "actions/labeler@v6"
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
         configuration-path: "${{ steps.labeler-config.outputs.config }}"

.github/workflows/language-detection-and-assignment.yml

@@ -1,22 +1,23 @@
 name: Language Detection and Assignment
 
 on:
-  pull_request:
-    branches: [main]
-
+  workflow_call:
+permissions: 
+  pull-requests: write
 env:
-  GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}
+  GH_TOKEN: ${{ github.token }}
+  GITHUB_EVENT_NUMBER: ${{ github.event.number }}
 jobs:
   detect-and-assign:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Detect languages
         id: detect-languages
         run: |
-          FILES=$(gh pr diff --name-only ${{ github.event.number }} | sed 's/.*\.//')  
+          FILES=$(gh pr diff --name-only "$GITHUB_EVENT_NUMBER" | sed 's/.*\.//')  
           echo "java=$(echo $FILES | grep -q "java" && echo true || echo false)" >> $GITHUB_OUTPUT
           echo "kotlin=$(echo $FILES | grep -q "kt" && echo true || echo false)" >> $GITHUB_OUTPUT
           echo "javascript=$(echo $FILES | grep -E "(js|jsx)" && echo true || echo false)" >> $GITHUB_OUTPUT
@@ -30,19 +31,19 @@ jobs:
       - name: Assign for Java, Kotlin, JavaScript, TypeScript, Go
         if: steps.detect-languages.outputs.java == 'true' || steps.detect-languages.outputs.kotlin == 'true' || steps.detect-languages.outputs.javascript == 'true' || steps.detect-languages.outputs.typescript == 'true' || steps.detect-languages.outputs.go == 'true'
         run: |
-          gh pr edit ${{ github.event.number }} --add-reviewer adrienpessu
+          gh pr edit "$GITHUB_EVENT_NUMBER" --add-reviewer adrienpessu
 
       - name: Assign for Python, Go, CodeQL, Rust
         if: steps.detect-languages.outputs.python == 'true' || steps.detect-languages.outputs.go == 'true' || steps.detect-languages.outputs.codeql == 'true' || steps.detect-languages.outputs.rust == 'true'
         run: |
-          gh pr edit ${{ github.event.number }} --add-reviewer Geekmasher
+          gh pr edit "$GITHUB_EVENT_NUMBER" --add-reviewer felickz
 
       - name: Assign for Python, JavaScript, TypeScript, CodeQL
         if: steps.detect-languages.outputs.python == 'true' || steps.detect-languages.outputs.javascript == 'true' || steps.detect-languages.outputs.typescript == 'true' || steps.detect-languages.outputs.codeql == 'true'
         run: |
-          gh pr edit ${{ github.event.number }} --add-reviewer felickz
+          gh pr edit "$GITHUB_EVENT_NUMBER" --add-reviewer felickz
 
       - name: Assign default
         if: steps.detect-languages.outputs.java != 'true' && steps.detect-languages.outputs.kotlin != 'true' && steps.detect-languages.outputs.javascript != 'true' && steps.detect-languages.outputs.typescript != 'true' && steps.detect-languages.outputs.go != 'true'  && steps.detect-languages.outputs.codeql != 'true' && steps.detect-languages.outputs.python != 'true'  
         run: |
-          gh pr edit ${{ github.event.number }} --add-reviewer felickz --add-reviewer Geekmasher --add-reviewer adrienpessu
+          gh pr edit "$GITHUB_EVENT_NUMBER" --add-reviewer felickz --add-reviewer adrienpessu --repo "$GITHUB_REPOSITORY"