Skip to content

Commit

Permalink
release(1.7.0-alpha): merge release into main #285
Browse files Browse the repository at this point in the history 
Reviewed-By: Evelyn Gurschler <[email protected]>
  • Loading branch information
@Phil91
Phil91 authored Oct 4, 2023
2 parents 372290b + 3869c7e commit 87e8202
Show file tree
Hide file tree
Showing 560 changed files with 29,004 additions and 3,160 deletions.
7 changes: 7 additions & 0 deletions .github/workflows/administration-service.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Check warning on line 68 in .github/workflows/administration-service.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 68 in .github/workflows/administration-service.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Docker meta
id: meta
uses: docker/metadata-action@v4

Check warning on line 72 in .github/workflows/administration-service.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Expand All @@ -75,6 +81,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-administration-service
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dependencies.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
dotnet-version: ['6.0']
dotnet-version: ['7.0']

steps:

Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/iam-seeding.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

Check warning on line 59 in .github/workflows/iam-seeding.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -69,6 +75,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-iam-seeding
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/maintenance-service.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Check warning on line 63 in .github/workflows/maintenance-service.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -70,6 +76,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-maintenance-service
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/marketplace-app-service.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -73,6 +79,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-marketplace-app-service
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/notification-service.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Check warning on line 65 in .github/workflows/notification-service.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Docker meta
id: meta
uses: docker/metadata-action@v4

Check warning on line 69 in .github/workflows/notification-service.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Expand All @@ -72,6 +78,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-notification-service
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/portal-migrations.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Check warning on line 63 in .github/workflows/portal-migrations.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 63 in .github/workflows/portal-migrations.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 63 in .github/workflows/portal-migrations.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -70,6 +76,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-portal-migrations
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down
10 changes: 10 additions & 0 deletions .github/workflows/processes-worker.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ on:
# service and transitive paths
- 'src/processes/Processes.Worker/**'
- 'src/processes/ApplicationChecklist.Library/**'
- 'src/processes/ApplicationChecklist.Executor/**'
- 'src/processes/NetworkRegistration.Library/**'
- 'src/processes/NetworkRegistration.Executor/**'
- 'src/externalsystems/**'
- 'src/framework/**'
- 'src/portalbackend/PortalBackend.PortalEntities/**'
Expand Down Expand Up @@ -58,6 +61,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

Check warning on line 65 in .github/workflows/processes-worker.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Check warning on line 68 in .github/workflows/processes-worker.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 68 in .github/workflows/processes-worker.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -72,6 +81,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-processes-worker
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/provisioning-migrations.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Check warning on line 63 in .github/workflows/provisioning-migrations.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Docker meta
id: meta
uses: docker/metadata-action@v4

Check warning on line 67 in .github/workflows/provisioning-migrations.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Expand All @@ -70,6 +76,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-provisioning-migrations
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/registration-service.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

Check warning on line 63 in .github/workflows/registration-service.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 63 in .github/workflows/registration-service.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 63 in .github/workflows/registration-service.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Check warning on line 66 in .github/workflows/registration-service.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -73,6 +79,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-registration-service
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down
63 changes: 63 additions & 0 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

Check warning on line 60 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Check warning on line 63 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Docker meta
id: meta
uses: docker/metadata-action@v4

Check warning on line 67 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 67 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Expand All @@ -70,6 +76,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-administration-service
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down Expand Up @@ -101,6 +108,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

Check warning on line 112 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -115,6 +128,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-processes-worker
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down Expand Up @@ -146,6 +160,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -160,6 +180,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-registration-service
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down Expand Up @@ -191,6 +212,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Check warning on line 219 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -205,6 +232,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-marketplace-app-service
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down Expand Up @@ -236,6 +264,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

Check warning on line 268 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 268 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -250,6 +284,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-portal-migrations
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down Expand Up @@ -281,6 +316,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Check warning on line 323 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Docker meta
id: meta
uses: docker/metadata-action@v4

Check warning on line 327 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Expand All @@ -295,6 +336,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-maintenance-service
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down Expand Up @@ -326,6 +368,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Check warning on line 375 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 375 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -340,6 +388,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-notification-service
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down Expand Up @@ -371,6 +420,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Docker meta
id: meta
uses: docker/metadata-action@v4
Expand All @@ -385,6 +440,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-services-service
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down Expand Up @@ -416,6 +472,12 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Docker meta
id: meta
uses: docker/metadata-action@v4

Check warning on line 483 in .github/workflows/release.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Expand All @@ -430,6 +492,7 @@ jobs:
with:
context: .
file: docker/Dockerfile-provisioning-migrations
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down
Loading

0 comments on commit 87e8202

Please sign in to comment.