CI updates (#9440)

* add labels to dependabot prs Signed-off-by: cpanato <ctadeu@gmail.com> * sync hashes and versions dependabot can update the version comment now Signed-off-by: cpanato <ctadeu@gmail.com> Signed-off-by: cpanato <ctadeu@gmail.com>
2022-12-22 16:37:26 +01:00 · 2022-12-22 16:37:26 +01:00 · bb60e02e96
commit bb60e02e96
parent 21aa7f55a3
11 changed files with 125 additions and 119 deletions
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@ -1,11 +1,13 @@
 name: Scorecards supply-chain security
+
 on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '20 11 * * 5'
  push:
-    branches: [ "main" ]
+    branches:
+      - "main"

 # Declare default permissions as read only.
 permissions: read-all
@ -22,15 +24,15 @@ jobs:
      # Needs for private repositories.
      contents: read
      actions: read
-    
+
    steps:
      - name: "Checkout code"
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.0
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # v1.1.1
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
        with:
          results_file: results.sarif
          results_format: sarif
@ -41,22 +43,22 @@ jobs:
          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}

          # Publish the results for public repositories to enable scorecard badges. For more details, see
-          # https://github.com/ossf/scorecard-action#publishing-results. 
-          # For private repositories, `publish_results` will automatically be set to `false`, regardless 
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
          # of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.0.0
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
-      
+
      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.14
+        uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37
        with:
          sarif_file: results.sarif