From fdf3974a5b13e1c0358cb2856f9ab14e8cbf4f91 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 2 Feb 2025 16:13:14 +0000
Subject: [PATCH 1/9] chore(deps): bump the ci group with 10 updates

Bumps the ci group with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [mercedesbenzio/detect-action](https://github.com/mercedesbenzio/detect-action) | `1` | `2` |
| [actions/cache](https://github.com/actions/cache) | `3` | `4` |
| [peter-evans/repository-dispatch](https://github.com/peter-evans/repository-dispatch) | `2` | `3` |
| [dcarbone/install-jq-action](https://github.com/dcarbone/install-jq-action) | `2.1.0` | `3.0.1` |
| [8BitJonny/gh-get-current-pr](https://github.com/8bitjonny/gh-get-current-pr) | `2.2.0` | `3.0.0` |
| [thollander/actions-comment-pull-request](https://github.com/thollander/actions-comment-pull-request) | `2.4.3` | `3.0.1` |
| [release-drafter/release-drafter](https://github.com/release-drafter/release-drafter) | `5` | `6` |
| [anchore/sbom-action](https://github.com/anchore/sbom-action) | `0.15.11` | `0.18.0` |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.5.0` | `3.7.0` |
| [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | `5` | `6` |

Updates `mercedesbenzio/detect-action` from 1 to 2
- [Release notes](https://github.com/mercedesbenzio/detect-action/releases)
- [Changelog](https://github.com/tvcsantos/detect-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/mercedesbenzio/detect-action/compare/v1...v2)

Updates `actions/cache` from 3 to 4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3...v4)

Updates `peter-evans/repository-dispatch` from 2 to 3
- [Release notes](https://github.com/peter-evans/repository-dispatch/releases)
- [Commits](https://github.com/peter-evans/repository-dispatch/compare/v2...v3)

Updates `dcarbone/install-jq-action` from 2.1.0 to 3.0.1
- [Release notes](https://github.com/dcarbone/install-jq-action/releases)
- [Commits](https://github.com/dcarbone/install-jq-action/compare/v2.1.0...v3.0.1)

Updates `8BitJonny/gh-get-current-pr` from 2.2.0 to 3.0.0
- [Release notes](https://github.com/8bitjonny/gh-get-current-pr/releases)
- [Commits](https://github.com/8bitjonny/gh-get-current-pr/compare/2.2.0...3.0.0)

Updates `thollander/actions-comment-pull-request` from 2.4.3 to 3.0.1
- [Release notes](https://github.com/thollander/actions-comment-pull-request/releases)
- [Commits](https://github.com/thollander/actions-comment-pull-request/compare/v2.4.3...v3.0.1)

Updates `release-drafter/release-drafter` from 5 to 6
- [Release notes](https://github.com/release-drafter/release-drafter/releases)
- [Commits](https://github.com/release-drafter/release-drafter/compare/v5...v6)

Updates `anchore/sbom-action` from 0.15.11 to 0.18.0
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](https://github.com/anchore/sbom-action/compare/7ccf588e3cf3cc2611714c2eeae48550fbc17552...f325610c9f50a54015d37c8d16cb3b0e2c8f4de0)

Updates `sigstore/cosign-installer` from 3.5.0 to 3.7.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.5.0...v3.7.0)

Updates `goreleaser/goreleaser-action` from 5 to 6
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](https://github.com/goreleaser/goreleaser-action/compare/v5...v6)

---
updated-dependencies:
- dependency-name: mercedesbenzio/detect-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
- dependency-name: peter-evans/repository-dispatch
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
- dependency-name: dcarbone/install-jq-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
- dependency-name: 8BitJonny/gh-get-current-pr
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
- dependency-name: thollander/actions-comment-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
- dependency-name: release-drafter/release-drafter
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ci
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ci
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/blackduck_scan_scheduled.yaml | 2 +-
 .github/workflows/check-manifest-generation-diff.yaml | 2 +-
 .github/workflows/dispatch-e2e.yaml | 2 +-
 .github/workflows/mend_scan.yaml | 6 +++---
 .github/workflows/release-drafter.yaml | 2 +-
 .github/workflows/release.yaml | 8 ++++----
 .github/workflows/tests.yaml | 2 +-
 7 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/blackduck_scan_scheduled.yaml b/.github/workflows/blackduck_scan_scheduled.yaml
index 3af97f7..d86ae5a 100644
--- a/.github/workflows/blackduck_scan_scheduled.yaml
+++ b/.github/workflows/blackduck_scan_scheduled.yaml
@@ -20,7 +20,7 @@ jobs:
 distribution: 'temurin'
 
 - name: Blackduck Full Scan
- uses: mercedesbenzio/detect-action@v1
+ uses: mercedesbenzio/detect-action@v2
 env:
 DETECT_PROJECT_USER_GROUPS: opencomponentmodel
 DETECT_PROJECT_VERSION_DISTRIBUTION: SAAS
diff --git a/.github/workflows/check-manifest-generation-diff.yaml b/.github/workflows/check-manifest-generation-diff.yaml
index 6334a3c..e0d8107 100644
--- a/.github/workflows/check-manifest-generation-diff.yaml
+++ b/.github/workflows/check-manifest-generation-diff.yaml
@@ -20,7 +20,7 @@ jobs:
 with:
 go-version-file: '${{ github.workspace }}/go.mod'
 - name: Restore Go cache
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: /home/runner/work/_temp/_github_home/go/pkg/mod
 key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
diff --git a/.github/workflows/dispatch-e2e.yaml b/.github/workflows/dispatch-e2e.yaml
index 5d21ee7..33c5789 100644
--- a/.github/workflows/dispatch-e2e.yaml
+++ b/.github/workflows/dispatch-e2e.yaml
@@ -16,7 +16,7 @@ jobs:
 app_id: ${{ secrets.OCMBOT_APP_ID }}
 private_key: ${{ secrets.OCMBOT_PRIV_KEY }}
 - name: Dispatch e2e test trigger
- uses: peter-evans/repository-dispatch@v2
+ uses: peter-evans/repository-dispatch@v3
 with:
 token: ${{ steps.generate_token.outputs.token }}
 repository: open-component-model/MPAS
diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml
index 430fdc8..60227e2 100644
--- a/.github/workflows/mend_scan.yaml
+++ b/.github/workflows/mend_scan.yaml
@@ -41,7 +41,7 @@ jobs:
 go-version-file: '${{ github.workspace }}/go.mod'
 
 - name: 'Setup jq'
- uses: dcarbone/install-jq-action@v2.1.0
+ uses: dcarbone/install-jq-action@v3.0.1
 with:
 version: '1.7'
 
@@ -171,7 +171,7 @@ jobs:
 fi
 
 - name: Check if PR exists
- uses: 8BitJonny/gh-get-current-pr@2.2.0
+ uses: 8BitJonny/gh-get-current-pr@3.0.0
 id: pr_exists
 with:
 filterOutClosed: true
@@ -179,7 +179,7 @@ jobs:
 
 - name: Comment Mend Status on PR
 if: ${{ github.event_name != 'schedule' && steps.pr_exists.outputs.pr_found == 'true' }}
- uses: thollander/actions-comment-pull-request@v2.4.3
+ uses: thollander/actions-comment-pull-request@v3.0.1
 with:
 message: |
 ## Mend Scan Summary: :${{ steps.report.outputs.status }}:
diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml
index 250f809..f406594 100644
--- a/.github/workflows/release-drafter.yaml
+++ b/.github/workflows/release-drafter.yaml
@@ -15,6 +15,6 @@ jobs:
 update_release_draft:
 runs-on: ubuntu-latest
 steps:
- - uses: release-drafter/release-drafter@v5
+ - uses: release-drafter/release-drafter@v6
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e6736ed..cc12b26 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -42,7 +42,7 @@ jobs:
 with:
 go-version-file: '${{ github.workspace }}/go.mod'
 - name: Cache go-build and mod
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: |
 ~/.cache/go-build/
@@ -98,11 +98,11 @@ jobs:
 mkdir -p output
 kustomize build ./config/default > ./output/install.yaml
 - name: Setup Syft
- uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
+ uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
 - name: Setup Cosign
- uses: sigstore/cosign-installer@v3.5.0
+ uses: sigstore/cosign-installer@v3.7.0
 - name: Run goreleaser
- uses: goreleaser/goreleaser-action@v5
+ uses: goreleaser/goreleaser-action@v6
 with:
 distribution: goreleaser
 version: latest
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 9e79ac4..b04a2f4 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -26,7 +26,7 @@ jobs:
 with:
 go-version-file: '${{ github.workspace }}/go.mod'
 - name: Restore Go cache
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: /home/runner/work/_temp/_github_home/go/pkg/mod
 key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}

From 45d8090ffaa33dccbc2ceb18a92493c11cdacdf4 Mon Sep 17 00:00:00 2001
From: Hilmar Falkenberg
Date: Thu, 6 Feb 2025 14:09:54 +0100
Subject: [PATCH 2/9] peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0

---
 .github/workflows/dispatch-e2e.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dispatch-e2e.yaml b/.github/workflows/dispatch-e2e.yaml
index 33c5789..5c01af3 100644
--- a/.github/workflows/dispatch-e2e.yaml
+++ b/.github/workflows/dispatch-e2e.yaml
@@ -16,7 +16,7 @@ jobs:
 app_id: ${{ secrets.OCMBOT_APP_ID }}
 private_key: ${{ secrets.OCMBOT_PRIV_KEY }}
 - name: Dispatch e2e test trigger
- uses: peter-evans/repository-dispatch@v3
+ uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0
 with:
 token: ${{ steps.generate_token.outputs.token }}
 repository: open-component-model/MPAS

From 4efd6f7ce25a5015496c342e117e1cd6faac878b Mon Sep 17 00:00:00 2001
From: Hilmar Falkenberg
Date: Thu, 6 Feb 2025 14:16:44 +0100
Subject: [PATCH 3/9] dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a

---
 .github/workflows/mend_scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml
index 60227e2..5aa958e 100644
--- a/.github/workflows/mend_scan.yaml
+++ b/.github/workflows/mend_scan.yaml
@@ -41,7 +41,7 @@ jobs:
 go-version-file: '${{ github.workspace }}/go.mod'
 
 - name: 'Setup jq'
- uses: dcarbone/install-jq-action@v3.0.1
+ uses: dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a
 with:
 version: '1.7'
 

From 80433937d4caf8978ea52c7ee6cb2a2a825342c7 Mon Sep 17 00:00:00 2001
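Review bot: The new `uses:` line pins `peter-evans/repository-dispatch` to a bare commit SHA with no trailing version comment, so a reader of dispatch-e2e.yaml cannot tell which release `ff45666b…` corresponds to, unlike the `download-syft@f325610c… # v0.18.0` line in release.yaml that keeps the tag next to the hash. Pinning to a full SHA is the right move; append the tag the SHA was taken from, `uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # <tag the SHA was taken from>`, which is also the comment Dependabot updates alongside the hash when it bumps a SHA pin. The same applies to the pins introduced in patches 3 to 8 (install-jq-action, gh-get-current-pr, actions-comment-pull-request, release-drafter, cosign-installer and goreleaser-action). The enclosing `steps:` list begins outside the hunk.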
From: Hilmar Falkenberg
Date: Thu, 6 Feb 2025 14:17:12 +0100
Subject: [PATCH 4/9] 8BitJonny/gh-get-current-pr@08e737c57a3a4eb24cec6487664b243b77eb5e36

---
 .github/workflows/mend_scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml
index 5aa958e..304516a 100644
--- a/.github/workflows/mend_scan.yaml
+++ b/.github/workflows/mend_scan.yaml
@@ -171,7 +171,7 @@ jobs:
 fi
 
 - name: Check if PR exists
- uses: 8BitJonny/gh-get-current-pr@3.0.0
+ uses: 8BitJonny/gh-get-current-pr@08e737c57a3a4eb24cec6487664b243b77eb5e36
 id: pr_exists
 with:
 filterOutClosed: true

From 9d22c0b5e0a82f0a23326867fa32887d8d219bec Mon Sep 17 00:00:00 2001
From: Hilmar Falkenberg
Date: Thu, 6 Feb 2025 14:18:05 +0100
Subject: [PATCH 5/9] thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b

---
 .github/workflows/mend_scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml
index 304516a..afb5102 100644
--- a/.github/workflows/mend_scan.yaml
+++ b/.github/workflows/mend_scan.yaml
@@ -179,7 +179,7 @@ jobs:
 
 - name: Comment Mend Status on PR
 if: ${{ github.event_name != 'schedule' && steps.pr_exists.outputs.pr_found == 'true' }}
- uses: thollander/actions-comment-pull-request@v3.0.1
+ uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b
 with:
 message: |
 ## Mend Scan Summary: :${{ steps.report.outputs.status }}:

From 8d9d9442de935d0422f3834e62a7aaba8a7ba32e Mon Sep 17 00:00:00 2001
From: Hilmar Falkenberg
Date: Thu, 6 Feb 2025 14:19:14 +0100
Subject: [PATCH 6/9] release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5

---
 .github/workflows/release-drafter.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml
index f406594..9448859 100644
--- a/.github/workflows/release-drafter.yaml
+++ b/.github/workflows/release-drafter.yaml
@@ -15,6 +15,6 @@ jobs:
 update_release_draft:
 runs-on: ubuntu-latest
 steps:
- - uses: release-drafter/release-drafter@v6
+ - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From ca6afb42e3a82e751623eecc8f12177ff91a30dc Mon Sep 17 00:00:00 2001
From: Hilmar Falkenberg
Date: Thu, 6 Feb 2025 14:21:37 +0100
Subject: [PATCH 7/9] sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e

---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index cc12b26..627041a 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -100,7 +100,7 @@ jobs:
 - name: Setup Syft
 uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
 - name: Setup Cosign
- uses: sigstore/cosign-installer@v3.7.0
+ uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e
 - name: Run goreleaser
 uses: goreleaser/goreleaser-action@v6
 with:

From 4528178e732328d303a899408c25a560038d1c2b Mon Sep 17 00:00:00 2001
From: Hilmar Falkenberg
Date: Thu, 6 Feb 2025 14:22:07 +0100
Subject: [PATCH 8/9] goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf

---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 627041a..868de8c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -102,7 +102,7 @@ jobs:
 - name: Setup Cosign
 uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e
 - name: Run goreleaser
- uses: goreleaser/goreleaser-action@v6
+ uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf
 with:
 distribution: goreleaser
 version: latest
From 0b5345219b63e3a968bccf578df1c50a12c6dcb4 Mon Sep 17 00:00:00 2001
From: Hilmar Falkenberg
Date: Thu, 6 Feb 2025 17:48:21 +0100
Subject: [PATCH 9/9] https://github.com/open-component-model/ocm-project/issues/405

---
 .../workflows/blackduck_scan_scheduled.yaml | 20 +++++++------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/blackduck_scan_scheduled.yaml b/.github/workflows/blackduck_scan_scheduled.yaml
index d86ae5a..78ac406 100644
--- a/.github/workflows/blackduck_scan_scheduled.yaml
+++ b/.github/workflows/blackduck_scan_scheduled.yaml
@@ -1,7 +1,8 @@
 name: Blackduck Scan Cronjob
 on:
 schedule:
- - cron: '30 1 * * 0'
+ - cron: '0 4 * * 1'
+ workflow_dispatch:
 
 permissions:
 checks: write
@@ -13,22 +14,15 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
 
- - name: Set up Java 17
- uses: actions/setup-java@v4
- with:
- java-version: '17'
- distribution: 'temurin'
-
 - name: Blackduck Full Scan
- uses: mercedesbenzio/detect-action@v2
+ uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
 env:
 DETECT_PROJECT_USER_GROUPS: opencomponentmodel
 DETECT_PROJECT_VERSION_DISTRIBUTION: SAAS
 DETECT_SOURCE_PATH: ./
 NODE_TLS_REJECT_UNAUTHORIZED: true
 with:
- scan-mode: INTELLIGENT
- github-token: ${{ secrets.GITHUB_TOKEN }}
- blackduck-url: ${{ secrets.BLACKDUCK_URL }}
- blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
- detect-version: 8.8.0
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ blackducksca_url: ${{ secrets.BLACKDUCK_URL }}
+ blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+ blackducksca_scan_full: true
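Review bot: The replacement action `blackduck-inc/black-duck-security-scan@805cbd09…` is pinned to a bare SHA with no version comment, so the release that was reviewed for this migration is not recorded in the workflow; add `# <release tag the SHA was taken from>` after the hash, as release.yaml does for download-syft. The unchanged `env:` block still carries `DETECT_PROJECT_USER_GROUPS`, `DETECT_PROJECT_VERSION_DISTRIBUTION` and `DETECT_SOURCE_PATH`, which configured the removed `mercedesbenzio/detect-action` step; whether the new action reads them is not visible here, so either confirm it does or drop them so the job does not carry dead configuration next to its live `with:` inputs. The `steps:` list and the job definition begin outside the hunk.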