From 403afe379a29ad8ce400e1f65556e1afd62a089c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 3 Jun 2026 23:53:45 +0000
Subject: [PATCH 1/2] [DT-400-actions]: Bump actions/checkout
Bumps the action-other-updates group with 1 update: [actions/checkout](https://github.com/actions/checkout).
Updates `actions/checkout` from 6 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6...v6.0.2)
---
updated-dependencies:
- dependency-name: actions/checkout
 dependency-version: 6.0.2
 dependency-type: direct:production
 update-type: version-update:semver-patch
 dependency-group: action-other-updates
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/build.yaml | 2 +-
 .github/workflows/coverage.yaml | 2 +-
 .github/workflows/maven.yaml | 2 +-
 .github/workflows/semgrep.yml | 2 +-
 .github/workflows/trivy.yaml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 0a84a46b86..2d0f0e0d7e 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -21,7 +21,7 @@ jobs:
 id-token: 'write'
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@v6.0.2
 with:
 persist-credentials: false
 - name: Get Short Sha
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index a0f111072b..b9a313bf32 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@v6.0.2
 with:
 persist-credentials: false
 fetch-depth: 0
diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml
index d298c74dac..5adb1e7312 100644
--- a/.github/workflows/maven.yaml
+++ b/.github/workflows/maven.yaml
@@ -6,7 +6,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@v6.0.2
 with:
 persist-credentials: false
 - uses: actions/setup-java@v5
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index cf7bf4c778..c96a6a06f4 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -7,7 +7,7 @@ jobs:
 image: returntocorp/semgrep
 name: Check
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@v6.0.2
 with:
 persist-credentials: false
 - run: semgrep ci --config=p/findsecbugs
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index e9c8f5e2f6..2e355c2447 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -7,7 +7,7 @@ jobs:
 name: DSP AppSec Trivy check
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@v6.0.2
 with:
 persist-credentials: false
 - uses: broadinstitute/dsp-appsec-trivy-action@v1
From 394e4abf0c458ad71da26c11732a6e5219ff47ea Mon Sep 17 00:00:00 2001
From: Elliot Otchet
Date: Thu, 4 Jun 2026 11:07:24 -0400
Subject: [PATCH 2/2] Update to use pinned hashes.
---
 .github/workflows/build.yaml | 12 ++++++------
 .github/workflows/coverage.yaml | 4 ++--
 .github/workflows/maven.yaml | 4 ++--
 .github/workflows/semgrep.yml | 2 +-
 .github/workflows/trivy.yaml | 4 ++--
 5 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 2d0f0e0d7e..806e229f10 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -21,14 +21,14 @@ jobs:
 id-token: 'write'
 steps:
 - name: Checkout code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Get Short Sha
 id: short-sha
 run: echo "sha=$(git rev-parse --short=12 HEAD)" >> $GITHUB_OUTPUT
 - name: 'Set up Cloud SDK'
- uses: 'google-github-actions/setup-gcloud@v3'
+ uses: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db' # v3
 - name: Construct tags
 id: construct-tags
 run: |
@@ -52,7 +52,7 @@ jobs:
 ENVIRONMENT_TAG: ${{ steps.construct-tags.outputs.environment-tag }}
 - id: 'auth'
 name: 'Authenticate to Google Cloud'
- uses: 'google-github-actions/auth@v3'
+ uses: 'google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093' # v3
 with:
 # Centralized in dsp-tools-k8s; ask in #dsp-devops-champions for help troubleshooting
 token_format: 'access_token'
@@ -60,7 +60,7 @@ jobs:
 service_account: 'dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com'
 # authenticate to GAR docker repo
 - name: Docker Login
- uses: 'docker/login-action@v4'
+ uses: 'docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee' # v4
 with:
 registry: 'us-central1-docker.pkg.dev'
 username: 'oauth2accesstoken'
@@ -74,7 +74,7 @@ jobs:
 SHA_TAG: ${{ steps.construct-tags.outputs.sha-tag }}
 ENVIRONMENT_TAG: ${{ steps.construct-tags.outputs.environment-tag }}
 report-to-sherlock:
- uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
+ uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@a6dc633a77b77a038c5534ad3a038536505fea2f # main
 needs: [ tag-build-push ]
 with:
 new-version: ${{ needs.tag-build-push.outputs.sherlock-version }}
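Review bot: The comments beside the new SHA pins for `google-github-actions/setup-gcloud` and `google-github-actions/auth` record only a major tag (`# v3`), so a reader cannot tell which release the hash was copied from without resolving it upstream, and where dependabot is used for SHA-pinned actions its refresh appears to rely on the exact version in that comment. Recording the release the hash resolves to, e.g. `uses: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db' # vX.Y.Z` with the real tag in place of the placeholder, keeps each pin auditable. The same applies to `docker/login-action` in the @@ -60 hunk, `actions/setup-java` in coverage.yaml and maven.yaml, and `broadinstitute/dsp-appsec-trivy-action` in trivy.yaml; the `actions/checkout` pins already follow this pattern with `# v6.0.2`. The enclosing `steps` list continues past the end of this hunk.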
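Review bot: The `report-to-sherlock` reusable workflow is now frozen at commit `a6dc633a77b77a038c5534ad3a038536505fea2f` with a `# main` comment, which names a moving branch rather than anything the hash can be checked against, so the comment will read as current long after upstream `main` has moved on. If the sherlock repository publishes tags or releases, the comment should name the one this commit corresponds to; otherwise a note of the form `# main as of <date pinned>` at least tells the next reader how stale the pin is. Because a SHA-pinned reusable workflow no longer picks up upstream fixes on its own, whoever maintains the dependabot config should confirm that it refreshes pins whose comment is a branch name rather than a version; the same applies to the `set-version-in-dev` job in the @@ -84 hunk.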
@@ -84,7 +84,7 @@ jobs:
 id-token: 'write'
 set-version-in-dev:
 if: github.event_name == 'push'
- uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main
+ uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@a6dc633a77b77a038c5534ad3a038536505fea2f # main
 needs: [ tag-build-push, report-to-sherlock ]
 with:
 new-version: ${{ needs.tag-build-push.outputs.sherlock-version }}
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index b9a313bf32..e789c29b78 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -13,11 +13,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 fetch-depth: 0
- - uses: actions/setup-java@v5
+ - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: 'temurin'
 java-version: 25
diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml
index 5adb1e7312..e09b2fdd38 100644
--- a/.github/workflows/maven.yaml
+++ b/.github/workflows/maven.yaml
@@ -6,10 +6,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: actions/setup-java@v5
+ - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: 'temurin'
 java-version: 25
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index c96a6a06f4..7c6ce842a3 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -7,7 +7,7 @@ jobs:
 image: returntocorp/semgrep
 name: Check
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - run: semgrep ci --config=p/findsecbugs
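Review bot: The semgrep job's container image `image: returntocorp/semgrep` is still an untagged reference that resolves to whatever the registry currently serves, so after this hunk the job's checkout step is pinned to a commit but the scanner that produces the findings is not. Pinning it by digest, `image: returntocorp/semgrep@sha256:<digest of the reviewed image>`, or at least to a specific version tag, gives the same reproducibility the action pins aim for; the placeholder digest has to be filled in from the registry. The line is context in this hunk and the job's definition starts above it, so this belongs in a follow-up alongside the pins.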
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 2e355c2447..aa98c33d5e 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -7,7 +7,7 @@ jobs:
 name: DSP AppSec Trivy check
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: broadinstitute/dsp-appsec-trivy-action@v1
+ - uses: broadinstitute/dsp-appsec-trivy-action@c1b62b340a158930941f2ffde12831c1d1df586d # v1