diff --git a/.github/workflows/build-images-base.yaml b/.github/workflows/build-images-base.yaml
index 580d028b922c1..73d3484cc3cc3 100644
--- a/.github/workflows/build-images-base.yaml
+++ b/.github/workflows/build-images-base.yaml
@@ -45,7 +45,7 @@ jobs:
 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 - name: Install Cosign
- uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+ uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
 # Warning: since this is a privileged workflow, subsequent workflow job
 # steps must take care not to execute untrusted code.
@@ -85,7 +85,7 @@ jobs:
 - name: Release build cilium-runtime
 if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 id: docker_build_release_runtime
 with:
 provenance: false
@@ -105,7 +105,7 @@ jobs:
 shell: bash
 env:
 # renovate: datasource=github-releases depName=kubernetes-sigs/bom
- BOM_VERSION: v0.5.1
+ BOM_VERSION: v0.6.0
 run: |
 curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
 sudo mv ./bom /usr/local/bin/bom
@@ -182,7 +182,7 @@ jobs:
 - name: Release build cilium-builder
 if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 id: docker_build_release_builder
 with:
 provenance: false
diff --git a/.github/workflows/build-images-beta.yaml b/.github/workflows/build-images-beta.yaml
index c5f7942bec28e..af960096afc04 100644
--- a/.github/workflows/build-images-beta.yaml
+++ b/.github/workflows/build-images-beta.yaml
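Review bot: In the `@@ -105,7 +105,7 @@` hunk of build-images-base.yaml, the `run:` block fetches `bom-amd64-linux` with `curl -L` and moves it into `/usr/local/bin` via `sudo` with no digest or signature check, so the bump to `BOM_VERSION: v0.6.0` swaps the executed binary with nothing pinning its content. Every `uses:` line in this commit is pinned to a commit SHA, but this release asset is addressed only by tag, and a comment earlier in the same file marks the workflow as privileged. The step should verify the download before installing it, e.g. `echo "${BOM_SHA256}  bom" | sha256sum -c -` with `BOM_SHA256` as a placeholder for a digest recorded next to `BOM_VERSION`, and use `curl -fL` so an HTTP error body is never installed. The same unverified download appears in the `BOM_VERSION` hunks of build-images-beta.yaml, build-images-ci.yaml, build-images-hotfixes.yaml and build-images-releases.yaml; the step may continue past the end of each hunk.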
@@ -95,7 +95,7 @@ jobs:
 persist-credentials: false
 - name: Release Build ${{ matrix.name }}
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 id: docker_build_release
 with:
 provenance: false
@@ -110,7 +110,7 @@ jobs:
 OPERATOR_VARIANT=${{ matrix.name }}
 - name: Install Cosign
- uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+ uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
 - name: Sign Container Image
 run: |
@@ -120,7 +120,7 @@ jobs:
 shell: bash
 env:
 # renovate: datasource=github-releases depName=kubernetes-sigs/bom
- BOM_VERSION: v0.5.1
+ BOM_VERSION: v0.6.0
 run: |
 curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
 sudo mv ./bom /usr/local/bin/bom
diff --git a/.github/workflows/build-images-ci.yaml b/.github/workflows/build-images-ci.yaml
index b872c4fb41914..d5f6571dcf1a5 100644
--- a/.github/workflows/build-images-ci.yaml
+++ b/.github/workflows/build-images-ci.yaml
@@ -94,13 +94,13 @@ jobs:
 ref: ${{ steps.tag.outputs.tag }}
 - name: Install Cosign
- uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+ uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
 - name: Install Bom
 shell: bash
 env:
 # renovate: datasource=github-releases depName=kubernetes-sigs/bom
- BOM_VERSION: v0.5.1
+ BOM_VERSION: v0.6.0
 run: |
 curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
 sudo mv ./bom /usr/local/bin/bom
@@ -109,7 +109,7 @@ jobs:
 # v1.14 branch pushes
 - name: CI Build ${{ matrix.name }}
 if: ${{ github.event_name != 'pull_request_target' }}
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 id: docker_build_ci_v1_14
 with:
 provenance: false
@@ -129,7 +129,7 @@ jobs:
 - name: CI race detection Build ${{ matrix.name }}
 if: ${{ github.event_name != 'pull_request_target' }}
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 id: docker_build_ci_v1_14_detect_race_condition
 with:
 provenance: false
@@ -152,7 +152,7 @@ jobs:
 - name: CI Unstripped Binaries Build ${{ matrix.name }}
 if: ${{ github.event_name != 'pull_request_target' }}
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 id: docker_build_ci_v1_14_unstripped
 with:
 provenance: false
@@ -231,7 +231,7 @@ jobs:
 # PR updates
 - name: CI Build ${{ matrix.name }}
 if: ${{ github.event_name == 'pull_request_target' }}
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 id: docker_build_ci_pr
 with:
 provenance: false
@@ -247,7 +247,7 @@ jobs:
 - name: CI race detection Build ${{ matrix.name }}
 if: ${{ github.event_name == 'pull_request_target' }}
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 id: docker_build_ci_pr_detect_race_condition
 with:
 provenance: false
@@ -266,7 +266,7 @@ jobs:
 - name: CI Unstripped Binaries Build ${{ matrix.name }}
 if: ${{ github.event_name == 'pull_request_target' }}
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 id: docker_build_ci_pr_unstripped
 with:
 provenance: false
diff --git a/.github/workflows/build-images-hotfixes.yaml b/.github/workflows/build-images-hotfixes.yaml
index 54f9182e2fff5..72eaeef900736 100644
--- a/.github/workflows/build-images-hotfixes.yaml
+++ b/.github/workflows/build-images-hotfixes.yaml
@@ -89,7 +89,7 @@ jobs:
 persist-credentials: false
 - name: Release Build ${{ matrix.name }}
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 id: docker_build_release
 with:
 provenance: false
@@ -105,7 +105,7 @@ jobs:
 OPERATOR_VARIANT=${{ matrix.name }}
 - name: Install Cosign
- uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+ uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
 - name: Sign Container Image
 run: |
@@ -116,7 +116,7 @@ jobs:
 shell: bash
 env:
 # renovate: datasource=github-releases depName=kubernetes-sigs/bom
- BOM_VERSION: v0.5.1
+ BOM_VERSION: v0.6.0
 run: |
 curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
 sudo mv ./bom /usr/local/bin/bom
diff --git a/.github/workflows/build-images-releases.yaml b/.github/workflows/build-images-releases.yaml
index 60423d2d7e639..c15c4d3d716ec 100644
--- a/.github/workflows/build-images-releases.yaml
+++ b/.github/workflows/build-images-releases.yaml
@@ -87,7 +87,7 @@ jobs:
 persist-credentials: false
 - name: Release Build ${{ matrix.name }}
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 id: docker_build_release
 with:
 provenance: false
@@ -105,7 +105,7 @@ jobs:
 OPERATOR_VARIANT=${{ matrix.name }}
 - name: Install Cosign
- uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+ uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
 - name: Sign Container Image
 run: |
@@ -116,7 +116,7 @@ jobs:
 shell: bash
 env:
 # renovate: datasource=github-releases depName=kubernetes-sigs/bom
- BOM_VERSION: v0.5.1
+ BOM_VERSION: v0.6.0
 run: |
 curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
 sudo mv ./bom /usr/local/bin/bom
diff --git a/.github/workflows/conformance-aks.yaml b/.github/workflows/conformance-aks.yaml
index 72c64b6561926..0792c52d89c7a 100644
--- a/.github/workflows/conformance-aks.yaml
+++ b/.github/workflows/conformance-aks.yaml
@@ -179,7 +179,7 @@ jobs:
 ci-version: ${{ env.cilium_cli_ci_version }}
 - name: Login to Azure
- uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+ uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
 with:
 creds: ${{ secrets.AZURE_PR_SP_CREDS }}
diff --git a/.github/workflows/conformance-aws-cni.yaml b/.github/workflows/conformance-aws-cni.yaml
index 9ecb7169e3afd..41069e9bcf9b4 100644
--- a/.github/workflows/conformance-aws-cni.yaml
+++ b/.github/workflows/conformance-aws-cni.yaml
@@ -59,7 +59,7 @@ env:
 check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
 eksctl_version: v0.143.0
 # renovate: datasource=github-releases depName=kubernetes/kubernetes
- kubectl_version: v1.28.3
+ kubectl_version: v1.29.1
 jobs:
 commit-status-start:
diff --git a/.github/workflows/conformance-eks.yaml b/.github/workflows/conformance-eks.yaml
index a2d8fe3934d75..21ea49ba7b622 100644
--- a/.github/workflows/conformance-eks.yaml
+++ b/.github/workflows/conformance-eks.yaml
@@ -59,7 +59,7 @@ env:
 check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
 eksctl_version: v0.143.0
 # renovate: datasource=github-releases depName=kubernetes/kubernetes
- kubectl_version: v1.28.3
+ kubectl_version: v1.29.1
 jobs:
 commit-status-start:
diff --git a/.github/workflows/conformance-externalworkloads.yaml b/.github/workflows/conformance-externalworkloads.yaml
index a5fe37ce6a78a..7d865dac3fd1f 100644
--- a/.github/workflows/conformance-externalworkloads.yaml
+++ b/.github/workflows/conformance-externalworkloads.yaml
@@ -188,7 +188,7 @@ jobs:
 - name: Set up gcloud credentials
 id: 'auth'
- uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
+ uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 # v1.3.0
 with:
 credentials_json: '${{ secrets.GCP_PR_SA_KEY }}'
diff --git a/.github/workflows/conformance-gke.yaml b/.github/workflows/conformance-gke.yaml
index 8dd01c17d7eb7..9db72e0c4681d 100644
--- a/.github/workflows/conformance-gke.yaml
+++ b/.github/workflows/conformance-gke.yaml
@@ -190,7 +190,7 @@ jobs:
 - name: Set up gcloud credentials
 id: 'auth'
- uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
+ uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 # v1.3.0
 with:
 credentials_json: '${{ secrets.GCP_PR_SA_KEY }}'
diff --git a/.github/workflows/conformance-ipsec-e2e.yaml b/.github/workflows/conformance-ipsec-e2e.yaml
index a4c4b29432cb1..fdf3324be2e74 100644
--- a/.github/workflows/conformance-ipsec-e2e.yaml
+++ b/.github/workflows/conformance-ipsec-e2e.yaml
@@ -287,7 +287,7 @@ jobs:
 - name: Rotate IPsec Key & Test (${{ join(matrix.*, ', ') }})
 # renovate: branchName=v1.14
- uses: cilium/cilium/.github/actions/conn-disrupt-test@d42be92482e5568f5899626b95df369b39d03276
+ uses: cilium/cilium/.github/actions/conn-disrupt-test@5a0698cb4e751474af8ed43879e4dcf7c41d1445
 with:
 job-name: conformance-ipsec-e2e-key-rotation-${{ matrix.name }}
 operation-cmd: |
diff --git a/.github/workflows/container-scan.yaml b/.github/workflows/container-scan.yaml
index eb287edeca406..346a6003be4a9 100644
--- a/.github/workflows/container-scan.yaml
+++ b/.github/workflows/container-scan.yaml
@@ -31,7 +31,7 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 - name: Build local container
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
 with:
 context: .
 tags: ${{ matrix.image.name }}:${{ matrix.branch }}
@@ -41,7 +41,7 @@ jobs:
 build-args: |
 OPERATOR_VARIANT=${{ matrix.image.name }}
 - name: Scan image
- uses: anchore/scan-action@24fd7c9060f3c96848dd1929fac8d796fb5ae4b4 # v3.3.6
+ uses: anchore/scan-action@0550541809b9c6abbf7cbc43d12400db47056507 # v3.6.0
 with:
 image: ${{ matrix.image.name }}:${{ matrix.branch }}
 output-format: table
diff --git a/.github/workflows/lint-codeql.yaml b/.github/workflows/lint-codeql.yaml
index 113fcd9c3774e..c8c9767c06562 100644
--- a/.github/workflows/lint-codeql.yaml
+++ b/.github/workflows/lint-codeql.yaml
@@ -47,9 +47,9 @@ jobs:
 persist-credentials: false
 fetch-depth: 1
 - name: Initialize CodeQL
- uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+ uses: github/codeql-action/init@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1
 with:
 languages: go
 debug: true
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+ uses: github/codeql-action/analyze@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1
diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml
index 83488adb7f518..d9afc90446cc1 100644
--- a/.github/workflows/lint-workflows.yaml
+++ b/.github/workflows/lint-workflows.yaml
@@ -142,7 +142,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+ uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0
 with:
 python-version: '3.10'
 - name: Install yamela
@@ -167,7 +167,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+ uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0
 with:
 python-version: '3.10'
 - name: Install yamela
diff --git a/.github/workflows/tests-ipsec-upgrade.yaml b/.github/workflows/tests-ipsec-upgrade.yaml
index b7ac30c25b1df..7fdebdfd52f87 100644
--- a/.github/workflows/tests-ipsec-upgrade.yaml
+++ b/.github/workflows/tests-ipsec-upgrade.yaml
@@ -260,7 +260,7 @@ jobs:
 - name: Upgrade Cilium & Test (${{ matrix.name }})
 # renovate: branchName=v1.14
- uses: cilium/cilium/.github/actions/conn-disrupt-test@d42be92482e5568f5899626b95df369b39d03276
+ uses: cilium/cilium/.github/actions/conn-disrupt-test@5a0698cb4e751474af8ed43879e4dcf7c41d1445
 with:
 job-name: ipsec-upgrade-${{ matrix.name }}
 # Disable no-missed-tail-calls due to https://github.com/cilium/cilium/issues/26739
@@ -278,7 +278,7 @@ jobs:
 - name: Downgrade Cilium to ${{ env.cilium_stable_version }} & Test (${{ matrix.name }})
 # renovate: branchName=v1.14
- uses: cilium/cilium/.github/actions/conn-disrupt-test@d42be92482e5568f5899626b95df369b39d03276
+ uses: cilium/cilium/.github/actions/conn-disrupt-test@5a0698cb4e751474af8ed43879e4dcf7c41d1445
 with:
 job-name: ipsec-downgrade-${{ matrix.name }}
 # Disable no-missed-tail-calls due to https://github.com/cilium/cilium/issues/26739