diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..1dec56b6
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,25 @@
+version: 2
+updates:
+ - package-ecosystem: gomod
+ directories:
+ - ./build/*
+ - ./plugins/*
+ - ./shared/go/*/*
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 10
+ groups:
+ gomod:
+ update-types:
+ - "patch"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 10
+ groups:
+ actions:
+ update-types:
+ - "minor"
+ - "patch"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 14dd374d..ea8cd9f9 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -43,15 +43,15 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: go-version: 1.21 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 with: languages: go # If you wish to specify custom queries, you can do so here or in a config file.
@@ -62,7 +62,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl
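Review bot: The two ecosystem entries in the new dependabot.yml use different scalar styles — `package-ecosystem: gomod` is plain while `package-ecosystem: "github-actions"` and every `interval`/`update-types` value is quoted; pick one, e.g. `package-ecosystem: "gomod"`. The gomod group collects only `"patch"` updates, so every minor or major Go module bump opens its own PR and counts against `open-pull-requests-limit: 10`; if that is intended, a comment such as `# minor/major gomod bumps stay ungrouped so they are reviewed individually` would record it. The `directories` globs (`./build/*`, `./plugins/*`, `./shared/go/*/*`) match go.mod files only at exactly those depths, so a module nested deeper is presumably not covered — worth confirming against the tree.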
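Review bot: In the codeql-analysis.yml hunk the Setup Go step is now pinned to `f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0`, but the `go-version: 1.21` it is given on the next line is still an unquoted plain scalar that YAML reads as a float; it happens to survive for 1.21 but silently breaks for versions such as 1.20 or 1.30, so while touching this step write `go-version: "1.21"`. The `@SHA # vX.Y.Z` form used for every pin is the one Dependabot's github-actions updater rewrites in lockstep, which fits the new dependabot.yml; keep the trailing version comment on every pin so the comment and the SHA never drift apart. The autobuild and analyze pins in the following hunks carry the same codeql-action SHA and comment, which is consistent.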
@@ -76,4 +76,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3
diff --git a/.github/workflows/create-comment.yaml b/.github/workflows/create-comment.yaml
index 1a9e8dcb..cc68a48c 100644
--- a/.github/workflows/create-comment.yaml
+++ b/.github/workflows/create-comment.yaml
@@ -15,7 +15,7 @@ jobs: if: github.event.workflow_run.event == 'pull_request' steps: - name: 'Download artifact' - uses: actions/github-script@v6.4.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -39,7 +39,7 @@ jobs: run: unzip pr.zip - name: 'Comment on PR' - uses: actions/github-script@v6.4.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: |
diff --git a/.github/workflows/dummy_c-ci.yaml b/.github/workflows/dummy_c-ci.yaml
index eb031a35..24be8463 100644
--- a/.github/workflows/dummy_c-ci.yaml
+++ b/.github/workflows/dummy_c-ci.yaml
@@ -31,7 +31,7 @@ jobs: sudo apt install -y --no-install-recommends build-essential - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 with: languages: cpp
@@ -41,7 +41,7 @@ jobs: make libdummy_c.so - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 formatting-check: runs-on: ubuntu-22.04
diff --git a/.github/workflows/k8smeta-ci.yaml b/.github/workflows/k8smeta-ci.yaml
index d6f40913..e1eef8f2 100644
--- a/.github/workflows/k8smeta-ci.yaml
+++ b/.github/workflows/k8smeta-ci.yaml
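Review bot: Both github-script steps in create-comment.yaml move from v6.4.1 to the `60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1` pin, which is a major bump — v7 runs on the Node 20 runtime with a newer bundled octokit — so the inline `script:` bodies (which continue outside both hunks) should be exercised once to confirm `github.rest.actions.listWorkflowRunArtifacts` and the comment call behave unchanged. Visible in the second hunk, though not introduced by it, `run: unzip pr.zip` extracts an artifact produced by a `pull_request`-triggered run, so its contents are authored by the PR submitter; a comment above the 'Comment on PR' step such as `# pr.zip was produced by the PR's own run — treat its contents as untrusted input when building the comment body` would make that trust boundary explicit. The workflow_run trigger and the permissions block are outside the hunks.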
@@ -37,7 +37,7 @@ jobs: sudo apt install -y --no-install-recommends cmake build-essential autoconf libtool pkg-config - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 with: languages: cpp
@@ -49,7 +49,7 @@ jobs: make k8smeta -j6 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 - name: Build and run tests 🏎ī¸ run: |
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 07b24851..05618f42 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -20,7 +20,7 @@ jobs: get-changed-plugins: uses: ./.github/workflows/reusable_get_changed_plugins.yaml - + build-rules-tool: needs: [get-changed-plugins] if: needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != ''
@@ -28,7 +28,7 @@ jobs: with: output: rules-checker repository: falcosecurity/rules - + validate-plugins: needs: [build-plugins-dev, get-changed-plugins, build-rules-tool] if: needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != ''
@@ -44,7 +44,7 @@ jobs: plugins-artifact: plugins-x86_64-dev.tar.gz rules-checker: ./rules-checker arch: x86_64 - + publish-plugins-dev: needs: [build-plugins-dev, validate-plugins] uses: falcosecurity/plugins/.github/workflows/reusable_publish_packages.yaml@main
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 468dd297..adc4bfa6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,10 +16,10 @@ jobs: runs-on: ubuntu-latest outputs: package: ${{ steps.regex-match.outputs.group1 }} - + steps: - name: Validate tag ℹī¸ - uses: actions-ecosystem/action-regex-match@v2 + uses: actions-ecosystem/action-regex-match@9e6c4fb3d5e898f505be7a1fb6e7b0a278f6665b # v2.0.2 id: regex-match with: text: ${{ github.ref_name }}
diff --git a/.github/workflows/reusable-publish-oci-artifacts.yaml b/.github/workflows/reusable-publish-oci-artifacts.yaml
index c1d89d4a..7c2d3078 100644
--- a/.github/workflows/reusable-publish-oci-artifacts.yaml
+++ b/.github/workflows/reusable-publish-oci-artifacts.yaml
@@ -23,24 +23,24 @@ jobs: steps: - name: Download x86_64 plugins - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: plugins-x86_64-${{ inputs.suffix }}.tar.gz path: /tmp/plugins-x86_64 - name: Download aarch64 plugins - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: plugins-aarch64-${{ inputs.suffix }}.tar.gz path: /tmp/plugins-aarch64 - name: Checkout Plugins - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Setup Golang - uses: actions/setup-go@v3 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: go-version: "^1.21"
@@ -88,7 +88,7 @@ jobs: - run: cosign version - name: Log into ghcr.io - uses: docker/login-action@master + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.repository_owner }}
diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml
index e7aa70a2..dff144b7 100644
--- a/.github/workflows/reusable_build_packages.yaml
+++ b/.github/workflows/reusable_build_packages.yaml
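Review bot: The `actions/checkout` pin is inconsistent across this commit: reusable-publish-oci-artifacts.yaml (this hunk), reusable_build_rules_tool.yaml, reusable_get_changed_plugins.yaml, reusable_suggest_rules_version.yaml and reusable_validate_plugins.yaml get `b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, while codeql-analysis.yml and reusable_build_packages.yaml get `11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. Dependabot will eventually converge them, but using one pin everywhere — `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` — means reviewers verify a single SHA and the first grouped update does not rewrite all seven workflows at once. The setup-go bump in the same hunk crosses two majors (v3 → v5); as far as I recall setup-go enables module caching by default from v4 on, which is harmless here because the checkout runs first, but the order matters in the other files. The `@@ -88` hunk moving docker/login-action off the mutable `master` ref onto a SHA is the most valuable pin in this file.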
@@ -36,7 +36,7 @@ jobs: rm -rf /tmp/cmake-3.22.5-linux-$(uname -m) - name: Checkout Plugins â¤ĩī¸ - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0
@@ -47,7 +47,7 @@ jobs: run: ${{ inputs.makecommand }} - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: plugins-${{ matrix.arch }}-${{ inputs.suffix }}.tar.gz path: output/*.tar.gz
diff --git a/.github/workflows/reusable_build_rules_tool.yaml b/.github/workflows/reusable_build_rules_tool.yaml
index 6999bc6d..bee660cc 100644
--- a/.github/workflows/reusable_build_rules_tool.yaml
+++ b/.github/workflows/reusable_build_rules_tool.yaml
@@ -18,12 +18,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Setup Golang - uses: actions/setup-go@v3 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: go-version: "1.19.0" - name: Checkout rules - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: ${{ inputs.repository }}
@@ -36,7 +36,7 @@ jobs: run: go test ./... -cover - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: rules-tool.tar.gz path: build/checker/${{ inputs.output }}
diff --git a/.github/workflows/reusable_get_changed_plugins.yaml b/.github/workflows/reusable_get_changed_plugins.yaml
index 593d317b..d29486c5 100644
--- a/.github/workflows/reusable_get_changed_plugins.yaml
+++ b/.github/workflows/reusable_get_changed_plugins.yaml
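Review bot: In reusable_build_rules_tool.yaml the Setup Golang step is bumped from setup-go v3 to the v5.3.0 pin while it still runs before the 'Checkout rules' step; setup-go v4 and later turn `cache: true` on by default and look for go.sum at that moment, so with an empty workspace the cache-restore will presumably warn or fail, whereas v3 did not cache unless asked. Either move the checkout step above setup-go, or add `cache: false` under `with:` next to `go-version: "1.19.0"` if caching is not wanted for a build of an external `inputs.repository`. The remainder of the job, where the checked-out repository is built and tested, is outside this hunk.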
@@ -13,12 +13,12 @@ jobs: changed-plugins: ${{ steps.set-changed-plugins.outputs.changed-plugins }} steps: - name: Checkout rules - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Get changed files id: changed-plugins if: github.event_name == 'pull_request' - uses: Ana06/get-changed-files@v2.2.0 + uses: Ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0 with: format: space-delimited token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/reusable_publish_packages.yaml b/.github/workflows/reusable_publish_packages.yaml
index 59acca67..85514ae1 100644
--- a/.github/workflows/reusable_publish_packages.yaml
+++ b/.github/workflows/reusable_publish_packages.yaml
@@ -21,19 +21,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Download x86_64 plugins - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: plugins-x86_64-${{ inputs.suffix }}.tar.gz path: /tmp/plugins-x86_64 - name: Download aarch64 plugins - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: plugins-aarch64-${{ inputs.suffix }}.tar.gz path: /tmp/plugins-aarch64 - name: Configure AWS credentials 🔧⚙ī¸ - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: "arn:aws:iam::292999226676:role/github_actions-plugins-s3" aws-region: ${{ env.AWS_S3_REGION }}
diff --git a/.github/workflows/reusable_suggest_rules_version.yaml b/.github/workflows/reusable_suggest_rules_version.yaml
index 12a558ac..df2eb1c9 100644
--- a/.github/workflows/reusable_suggest_rules_version.yaml
+++ b/.github/workflows/reusable_suggest_rules_version.yaml
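Review bot: In reusable_publish_packages.yaml the configure-aws-credentials step jumps two majors (v2 → the `e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2` pin) with its inputs untouched; the v3/v4 releases changed some defaults of this action (the assumed-role session duration and account-id masking, as far as I recall), so the OIDC `role-to-assume` path should be exercised once in a non-release run before this lands on the publish path. The account ID is already literal in `role-to-assume`, so masking is moot here, but a comment above the step such as `# caller must grant id-token: write for the OIDC role assumption below` would document what the permissions block (outside the hunk) has to provide. The two download-artifact pins in the same hunk match the SHA used in the other files.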
@@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0
@@ -52,7 +52,7 @@ jobs: run: ./.github/get-latest-plugin-version.sh ${{ inputs.plugin }} - name: Download rules tool - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: rules-tool.tar.gz
@@ -63,7 +63,7 @@ jobs: # the two rulesets depend on plugins with different majors. # todo(jasondellaluce): fix this corner case in the future - name: Download plugins - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ inputs.plugins-artifact }} path: /tmp/plugins-${{ inputs.arch }}
@@ -114,7 +114,7 @@ jobs: cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ inputs.job-index }} - name: Upload PR info as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 if: steps.compare.outputs.comment_file != '' with: name: pr-${{ inputs.job-index }}
diff --git a/.github/workflows/reusable_upload_pr_info.yaml b/.github/workflows/reusable_upload_pr_info.yaml
index 743ae47c..b7efaa05 100644
--- a/.github/workflows/reusable_upload_pr_info.yaml
+++ b/.github/workflows/reusable_upload_pr_info.yaml
@@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Download PR infos - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: path: tmp-artifacts
@@ -30,7 +30,7 @@ jobs: echo "" - name: Upload PR info as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: pr path: pr/
diff --git a/.github/workflows/reusable_validate_plugins.yaml b/.github/workflows/reusable_validate_plugins.yaml
index 130b48bc..80d050f2 100644
--- a/.github/workflows/reusable_validate_plugins.yaml
+++ b/.github/workflows/reusable_validate_plugins.yaml
@@ -37,7 +37,7 @@ jobs: GOFLAGS: "-buildvcs=false" steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install system dependencies run: wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && chmod +x /usr/bin/yq
@@ -47,12 +47,12 @@ jobs: run: ./.github/setup-plugin-config-rules.sh ${{ inputs.plugin }} - name: Download rules tool - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: rules-tool.tar.gz - name: Download plugins - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ inputs.plugins-artifact }} path: /tmp/plugins-${{ inputs.arch }}
@@ -119,7 +119,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install system dependencies run: sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq
@@ -129,13 +129,13 @@ jobs: run: ./.github/setup-plugin-config-rules.sh ${{ inputs.plugin }} - name: Download plugins - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ inputs.plugins-artifact }} path: /tmp/plugins-${{ inputs.arch }} - name: Download rules tool - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: rules-tool.tar.gz
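Review bot: Since this commit exists to pin every external dependency by commit SHA, the `Install system dependencies` step right after the newly pinned checkout in reusable_validate_plugins.yaml (`@@ -37`, and again with `sudo` at `@@ -119`) still fetches `yq` from `releases/latest/download/` with neither a version nor a checksum, which is the same mutable-upstream exposure the action pins remove — and the binary lands at `/usr/bin/yq`, presumably consumed by `setup-plugin-config-rules.sh` in the following step. Pin it to a release tag and verify the download, e.g. `run: wget https://github.com/mikefarah/yq/releases/download/<PINNED_YQ_VERSION>/yq_linux_amd64 -O /usr/bin/yq && echo "<EXPECTED_SHA256>  /usr/bin/yq" | sha256sum -c && chmod +x /usr/bin/yq` (placeholders to be filled from the yq release's checksum file). Dependabot cannot track a plain `wget`, so a comment naming the pinned version next to it helps future bumps.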
@@ -195,7 +195,7 @@ jobs: plugin_ver=$(echo $dep | tr -d '"' | cut -d ':' -f 2) plugin_ver_major=$(echo $plugin_ver | cut -d '.' -f 1) plugin_ver_minor=$(expr $(echo $plugin_ver | cut -d '.' -f 2) + $ver_diff) - plugin_ver_patch=0 + plugin_ver_patch=0 plugin_ver="${plugin_ver_major}.${plugin_ver_minor}.${plugin_ver_patch}" set +e pipefail