From dd170964c70664e2793ceb7e990cf443d9b324ae Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Fri, 8 Aug 2025 11:26:45 +0200 Subject: [mod] ci: strict(er) exec (#5099) All actions are pulled using the version hash, versions are handled by dependabot, and we'll have control over which actions get updated. Replaces Trivy scanner with Docker Scout, we have recently begun analyzing the images there, and the action will keep us in sync about the problems on GHCS dashboard. --- .github/workflows/checker.yml | 6 +++--- .github/workflows/cleanup.yml | 2 +- .github/workflows/container.yml | 34 +++++++++++++++++----------------- .github/workflows/data-update.yml | 8 ++++---- .github/workflows/documentation.yml | 8 ++++---- .github/workflows/integration.yml | 16 ++++++++-------- .github/workflows/l10n.yml | 14 +++++++------- .github/workflows/security.yml | 24 +++++++++++++----------- 8 files changed, 57 insertions(+), 55 deletions(-) (limited to '.github') diff --git a/.github/workflows/checker.yml b/.github/workflows/checker.yml index 8e16aeef9..5b71cd5a7 100644 --- a/.github/workflows/checker.yml +++ b/.github/workflows/checker.yml @@ -24,17 +24,17 @@ jobs: runs-on: ubuntu-24.04-arm steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml index 32b34bd96..5041c69e2 100644 --- a/.github/workflows/cleanup.yml +++ b/.github/workflows/cleanup.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Prune - uses: snok/container-retention-policy@v3.0.0 + uses: snok/container-retention-policy@4f22ef80902ad409ed55a99dc5133cc1250a0d03 # v3.0.0 with: account: "${{ github.repository_owner }}" token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 6369f1b7a..27856bbe8 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -38,7 +38,7 @@ jobs: steps: - if: github.repository_owner == 'searxng' name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" @@ -50,7 +50,7 @@ jobs: - if: github.repository_owner == 'searxng' name: Check cache apko id: cache-apko - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: # yamllint disable-line rule:line-length key: "apko-${{ steps.date.outputs.date }}-${{ hashFiles('./container/base.yml', './container/base-builder.yml') }}" @@ -59,7 +59,7 @@ jobs: - if: github.repository_owner == 'searxng' && steps.cache-apko.outputs.cache-hit != 'true' name: Setup cache apko - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: # yamllint disable-line rule:line-length key: "apko-${{ steps.date.outputs.date }}-${{ hashFiles('./container/base.yml', './container/base-builder.yml') }}" @@ -74,7 +74,7 @@ jobs: - if: github.repository_owner == 'searxng' && steps.cache-apko.outputs.cache-hit != 'true' name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" @@ -130,17 +130,17 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" @@ -148,7 +148,7 @@ jobs: - name: Restore cache container mounts id: cache-container-mounts - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "container-mounts-${{ hashFiles('./container/*.dockerfile') }}" restore-keys: "container-mounts-" @@ -166,10 +166,10 @@ jobs: - if: ${{ matrix.emulation }} name: Setup QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" @@ -183,7 +183,7 @@ jobs: - if: always() name: Save cache container mounts - uses: actions/cache/save@v4 + uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "container-mounts-${{ hashFiles('./container/*.dockerfile') }}" path: | @@ -210,16 +210,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - if: ${{ matrix.emulation }} name: Setup QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" @@ -245,19 +245,19 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" password: "${{ secrets.GITHUB_TOKEN }}" - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "docker.io" username: "${{ secrets.DOCKERHUB_USERNAME }}" diff --git a/.github/workflows/data-update.yml b/.github/workflows/data-update.yml index 4deca2ffc..fe55ffaf6 100644 --- a/.github/workflows/data-update.yml +++ b/.github/workflows/data-update.yml @@ -40,17 +40,17 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" @@ -64,7 +64,7 @@ jobs: - name: Create PR id: cpr - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: author: "searxng-bot " committer: "searxng-bot " diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index 577ad84f3..20f8a641f 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -32,18 +32,18 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" fetch-depth: "0" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" @@ -57,7 +57,7 @@ jobs: - if: github.ref_name == 'master' name: Release - uses: JamesIves/github-pages-deploy-action@v4 + uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3 with: folder: "dist/docs" branch: "gh-pages" diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index b40ae26ab..59e1e473e 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -35,17 +35,17 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ matrix.python-version }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ matrix.python-version }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ matrix.python-version }}-${{ runner.arch }}-" @@ -62,28 +62,28 @@ jobs: runs-on: ubuntu-24.04-arm steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version-file: "./.nvmrc" - name: Setup cache Node.js - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "nodejs-${{ runner.arch }}-${{ hashFiles('./.nvmrc', './package.json') }}" path: "./client/simple/node_modules/" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" diff --git a/.github/workflows/l10n.yml b/.github/workflows/l10n.yml index 0b23975d3..92cddff1e 100644 --- a/.github/workflows/l10n.yml +++ b/.github/workflows/l10n.yml @@ -35,18 +35,18 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: "${{ secrets.WEBLATE_GITHUB_TOKEN }}" fetch-depth: "0" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" @@ -82,18 +82,18 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: "${{ secrets.WEBLATE_GITHUB_TOKEN }}" fetch-depth: "0" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" @@ -117,7 +117,7 @@ jobs: - name: Create PR id: cpr - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: author: "searxng-bot " committer: "searxng-bot " diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 669d0f293..8a59e5062 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -24,21 +24,23 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - - name: Run Trivy scanner - uses: aquasecurity/trivy-action@0.32.0 + - name: Sync GHCS from Docker Scout + uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 with: - image-ref: "ghcr.io/searxng/searxng:latest" - vuln-type: "os,library" - severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - ignore-unfixed: "false" - format: "sarif" - output: "./trivy-results.sarif" + organization: "searxng" + dockerhub-user: "${{ secrets.DOCKERHUB_USERNAME }}" + dockerhub-password: "${{ secrets.DOCKERHUB_TOKEN }}" + image: "registry://ghcr.io/searxng/searxng:latest" + command: "cves" + sarif-file: "./scout.sarif" + exit-code: "false" + write-comment: "false" - name: Upload SARIFs - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@a4e1a019f5e24960714ff6296aee04b736cbc3cf # v3.29.6 with: - sarif_file: "./trivy-results.sarif" + sarif_file: "./scout.sarif" -- cgit v1.2.3