summaryrefslogtreecommitdiff
path: root/.github
diff options
context:
space:
mode:
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/checker.yml6
-rw-r--r--.github/workflows/cleanup.yml2
-rw-r--r--.github/workflows/container.yml34
-rw-r--r--.github/workflows/data-update.yml8
-rw-r--r--.github/workflows/documentation.yml8
-rw-r--r--.github/workflows/integration.yml16
-rw-r--r--.github/workflows/l10n.yml14
-rw-r--r--.github/workflows/security.yml24
8 files changed, 57 insertions, 55 deletions
diff --git a/.github/workflows/checker.yml b/.github/workflows/checker.yml
index 8e16aeef9..5b71cd5a7 100644
--- a/.github/workflows/checker.yml
+++ b/.github/workflows/checker.yml
@@ -24,17 +24,17 @@ jobs:
runs-on: ubuntu-24.04-arm
steps:
- name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "${{ env.PYTHON_VERSION }}"
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: "false"
- name: Setup cache Python
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}"
restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-"
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
index 32b34bd96..5041c69e2 100644
--- a/.github/workflows/cleanup.yml
+++ b/.github/workflows/cleanup.yml
@@ -26,7 +26,7 @@ jobs:
steps:
- name: Prune
- uses: snok/container-retention-policy@v3.0.0
+ uses: snok/container-retention-policy@4f22ef80902ad409ed55a99dc5133cc1250a0d03 # v3.0.0
with:
account: "${{ github.repository_owner }}"
token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 6369f1b7a..27856bbe8 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -38,7 +38,7 @@ jobs:
steps:
- if: github.repository_owner == 'searxng'
name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: "false"
@@ -50,7 +50,7 @@ jobs:
- if: github.repository_owner == 'searxng'
name: Check cache apko
id: cache-apko
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
# yamllint disable-line rule:line-length
key: "apko-${{ steps.date.outputs.date }}-${{ hashFiles('./container/base.yml', './container/base-builder.yml') }}"
@@ -59,7 +59,7 @@ jobs:
- if: github.repository_owner == 'searxng' && steps.cache-apko.outputs.cache-hit != 'true'
name: Setup cache apko
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
# yamllint disable-line rule:line-length
key: "apko-${{ steps.date.outputs.date }}-${{ hashFiles('./container/base.yml', './container/base-builder.yml') }}"
@@ -74,7 +74,7 @@ jobs:
- if: github.repository_owner == 'searxng' && steps.cache-apko.outputs.cache-hit != 'true'
name: Login to GHCR
- uses: docker/login-action@v3
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: "ghcr.io"
username: "${{ github.repository_owner }}"
@@ -130,17 +130,17 @@ jobs:
steps:
- name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "${{ env.PYTHON_VERSION }}"
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: "false"
- name: Setup cache Python
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}"
restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-"
@@ -148,7 +148,7 @@ jobs:
- name: Restore cache container mounts
id: cache-container-mounts
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
key: "container-mounts-${{ hashFiles('./container/*.dockerfile') }}"
restore-keys: "container-mounts-"
@@ -166,10 +166,10 @@ jobs:
- if: ${{ matrix.emulation }}
name: Setup QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Login to GHCR
- uses: docker/login-action@v3
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: "ghcr.io"
username: "${{ github.repository_owner }}"
@@ -183,7 +183,7 @@ jobs:
- if: always()
name: Save cache container mounts
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
key: "container-mounts-${{ hashFiles('./container/*.dockerfile') }}"
path: |
@@ -210,16 +210,16 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: "false"
- if: ${{ matrix.emulation }}
name: Setup QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Login to GHCR
- uses: docker/login-action@v3
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: "ghcr.io"
username: "${{ github.repository_owner }}"
@@ -245,19 +245,19 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: "false"
- name: Login to GHCR
- uses: docker/login-action@v3
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: "ghcr.io"
username: "${{ github.repository_owner }}"
password: "${{ secrets.GITHUB_TOKEN }}"
- name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: "docker.io"
username: "${{ secrets.DOCKERHUB_USERNAME }}"
diff --git a/.github/workflows/data-update.yml b/.github/workflows/data-update.yml
index 4deca2ffc..fe55ffaf6 100644
--- a/.github/workflows/data-update.yml
+++ b/.github/workflows/data-update.yml
@@ -40,17 +40,17 @@ jobs:
steps:
- name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "${{ env.PYTHON_VERSION }}"
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: "false"
- name: Setup cache Python
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}"
restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-"
@@ -64,7 +64,7 @@ jobs:
- name: Create PR
id: cpr
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
author: "searxng-bot <searxng-bot@users.noreply.github.com>"
committer: "searxng-bot <searxng-bot@users.noreply.github.com>"
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 577ad84f3..20f8a641f 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -32,18 +32,18 @@ jobs:
steps:
- name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "${{ env.PYTHON_VERSION }}"
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: "false"
fetch-depth: "0"
- name: Setup cache Python
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}"
restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-"
@@ -57,7 +57,7 @@ jobs:
- if: github.ref_name == 'master'
name: Release
- uses: JamesIves/github-pages-deploy-action@v4
+ uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3
with:
folder: "dist/docs"
branch: "gh-pages"
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index b40ae26ab..59e1e473e 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -35,17 +35,17 @@ jobs:
steps:
- name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "${{ matrix.python-version }}"
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: "false"
- name: Setup cache Python
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
key: "python-${{ matrix.python-version }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}"
restore-keys: "python-${{ matrix.python-version }}-${{ runner.arch }}-"
@@ -62,28 +62,28 @@ jobs:
runs-on: ubuntu-24.04-arm
steps:
- name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "${{ env.PYTHON_VERSION }}"
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: "false"
- name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: "./.nvmrc"
- name: Setup cache Node.js
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
key: "nodejs-${{ runner.arch }}-${{ hashFiles('./.nvmrc', './package.json') }}"
path: "./client/simple/node_modules/"
- name: Setup cache Python
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}"
restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-"
diff --git a/.github/workflows/l10n.yml b/.github/workflows/l10n.yml
index 0b23975d3..92cddff1e 100644
--- a/.github/workflows/l10n.yml
+++ b/.github/workflows/l10n.yml
@@ -35,18 +35,18 @@ jobs:
steps:
- name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "${{ env.PYTHON_VERSION }}"
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
token: "${{ secrets.WEBLATE_GITHUB_TOKEN }}"
fetch-depth: "0"
- name: Setup cache Python
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}"
restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-"
@@ -82,18 +82,18 @@ jobs:
steps:
- name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "${{ env.PYTHON_VERSION }}"
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
token: "${{ secrets.WEBLATE_GITHUB_TOKEN }}"
fetch-depth: "0"
- name: Setup cache Python
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}"
restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-"
@@ -117,7 +117,7 @@ jobs:
- name: Create PR
id: cpr
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
author: "searxng-bot <searxng-bot@users.noreply.github.com>"
committer: "searxng-bot <searxng-bot@users.noreply.github.com>"
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 669d0f293..8a59e5062 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -24,21 +24,23 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: "false"
- - name: Run Trivy scanner
- uses: aquasecurity/trivy-action@0.32.0
+ - name: Sync GHCS from Docker Scout
+ uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
with:
- image-ref: "ghcr.io/searxng/searxng:latest"
- vuln-type: "os,library"
- severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
- ignore-unfixed: "false"
- format: "sarif"
- output: "./trivy-results.sarif"
+ organization: "searxng"
+ dockerhub-user: "${{ secrets.DOCKERHUB_USERNAME }}"
+ dockerhub-password: "${{ secrets.DOCKERHUB_TOKEN }}"
+ image: "registry://ghcr.io/searxng/searxng:latest"
+ command: "cves"
+ sarif-file: "./scout.sarif"
+ exit-code: "false"
+ write-comment: "false"
- name: Upload SARIFs
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@a4e1a019f5e24960714ff6296aee04b736cbc3cf # v3.29.6
with:
- sarif_file: "./trivy-results.sarif"
+ sarif_file: "./scout.sarif"
generated by cgit v1.2.3 (git 2.25.1) at 2026-03-03 17:10:25 +0000