4141 # Produces SBOM and CVE report
4242 # Helps understand vulnerabilities / license compliance across third party dependencies
4343 - id : sca-project
44- uses : Kong/public-shared-actions/security-actions/sca@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
44+ uses : Kong/public-shared-actions/security-actions/sca@a18abf762d6e2444bcbfd20de70451ea1e3bc1b1 # v4.1.1
4545 with :
4646 dir : .
4747 upload-sbom-release-assets : true
9999 outputs : type=docker,dest=${{ env.DOCKER_OCI_ARCHIVE }}.tar,oci-mediatypes=true
100100
101101 - name : Upload Docker OCI layout TAR Artifact
102- uses : actions/upload-artifact@v3
102+ uses : actions/upload-artifact@v4
103103 with :
104104 name : ${{ env.DOCKER_OCI_ARCHIVE }}
105105 path : ${{ env.DOCKER_OCI_ARCHIVE }}.tar
@@ -118,7 +118,7 @@ jobs:
118118steps :
119119
120120 - name : Download OCI docker TAR artifact
121- uses : actions/download-artifact@v3
121+ uses : actions/download-artifact@v4
122122 with :
123123 name : ${{ env.DOCKER_OCI_ARCHIVE }}
124124 path : ${{ github.workspace }}
@@ -129,7 +129,7 @@ jobs:
129129
130130name : Scan the docker OCI Tar ball
131131 id : sbom_action_amd64
132- uses : Kong/public-shared-actions/security-actions/scan-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
132+ uses : Kong/public-shared-actions/security-actions/scan-docker-image@a18abf762d6e2444bcbfd20de70451ea1e3bc1b1 # v4.1.3
133133 with :
134134 asset_prefix : image-${{ env.IMAGE_NAME }}-amd64
135135 image : ${{ env.DOCKER_OCI_ARCHIVE }}.tar
@@ -155,7 +155,7 @@ jobs:
155155 steps :
156156
157157 - name : Download OCI docker TAR artifact
158- uses : actions/download-artifact@v3
158+ uses : actions/download-artifact@v4
159159 with :
160160 name : ${{ env.DOCKER_OCI_ARCHIVE }}
161161 path : ${{ github.workspace }}
@@ -183,7 +183,7 @@ jobs:
183183
184184# Setup regctl to parse platform specific image digest from image manifest
185185 - name : Install regctl
186- uses : regclient/actions/regctl-installer@main
186+ uses : regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
187187
188188 # The image manifest digest/sha is generated only after the image is published to registry
189189 - name : Parse architecture specific digest from image manifest
@@ -197,7 +197,7 @@ jobs:
197197 - name : Sign images
198198 id : sign_images
199199 if : ${{ steps.image_manifest_metadata.outputs.sha != '' }}
200- uses : Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
200+ uses : Kong/public-shared-actions/security-actions/sign-docker-image@a18abf762d6e2444bcbfd20de70451ea1e3bc1b1 # v4.1.1
201201 with :
202202 image_digest : ${{ steps.image_manifest_metadata.outputs.sha }}
203203 tags : ${{ env.IMAGE_TAGS }}
@@ -213,7 +213,7 @@ jobs:
213213 release-images-provenance :
214214 needs : ["check", "build-images", "scan-images", "release-images"]
215215 if : ${{ github.ref_type == 'tag' || (github.event_name == 'push' && github.ref_name == 'master') }}
216- uses :
slsa-framework/slsa-github-generator/.github/workflows/[email protected] 216+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
217217 permissions :
218218 contents : write
219219 id-token : write # For using token to sign images
0 commit comments