Update GitHub Actions workflows and add Dependabot configuration

Author: miroslavpojer

.github/dependabot.yml

@@ -0,0 +1,31 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: "master"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+    labels:
+      - "auto update"
+      - "infrastructure"
+      - "no RN"
+    open-pull-requests-limit: 3
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+
+  - package-ecosystem: "sbt"
+    directory: "/"
+    target-branch: "master"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+    labels:
+      - "auto update"
+      - "dependencies"
+      - "no RN"
+    open-pull-requests-limit: 3
+    commit-message:
+      prefix: "chore"
+      include: "scope"

.github/workflows/assign_issue_to_project.yml

@@ -24,7 +24,7 @@ jobs:
     name: Add issue to project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/add-to-project@v0.5.0
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e
         with:
           project-url: https://github.com/orgs/AbsaOSS/projects/7
           github-token: ${{ secrets.PAT_REPO_PROJECT_DISCUSS }}

.github/workflows/build.yml

@@ -49,12 +49,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
-      - uses: coursier/cache-action@v6
+      - uses: coursier/cache-action@bebeeb0e6f48ebad66d3783946588ecf43114433
 
       - name: Setup Scala
-        uses: olafurpg/setup-scala@v10
+        uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
         with:
           java-version: "adopt@1.8"
 
@@ -74,3 +74,21 @@ jobs:
 
       - name: Build and run integration tests
         run: sbt ++${{matrix.scala}} testIT
+
+      - name: Aquasec Manifest Generation
+        run: |
+          export BILLY_SERVER=https://billy.eu-1.codesec.aquasec.com
+          curl -sLo install.sh download.codesec.aquasec.com/billy/install.sh
+          curl -sLo install.sh.checksum https://github.com/argonsecurity/releases/releases/latest/download/install.sh.checksum
+          if ! cat install.sh.checksum | sha256sum --check; then
+          echo "install.sh checksum failed"
+          exit 1
+          fi
+          BINDIR="." sh install.sh
+          rm install.sh install.sh.checksum
+          ./billy generate \
+            --access-token "${{ secrets.GITHUB_TOKEN }}" \
+            --aqua-key "${{ secrets.AQUA_KEY }}" \
+            --aqua-secret "${{ secrets.AQUA_SECRET }}" \
+            --cspm-url https://eu-1.api.cloudsploit.com \
+            --artifact-path "${{ github.workspace }}"        

.github/workflows/check_pr_release_notes.yml

@@ -27,12 +27,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/setup-python@v5.1.1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
         with:
           python-version: '3.11'
 
       - name: Check presence of release notes in PR description
-        uses: AbsaOSS/release-notes-presence-check@v0.4.0
+        uses: AbsaOSS/release-notes-presence-check@8e586b26a5e27f899ee8590a5d988fd4780a3dbf
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/dependabot.yml

@@ -0,0 +1,35 @@
+# NOTE: This workflow expects that branch protection rules require all checks to pass before merging.
+# Auto-merge will only occur if all required status checks and reviews are successful.
+
+name: Dependabot auto-approve and auto-merge
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    name: Auto-approve and auto-merge Dependabot PRs
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'AbsaOSS/balta'
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Approve a PR
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Enable auto-merge for Dependabot PRs
+        if: startsWith(steps.metadata.outputs.update-type, 'version-update') || startsWith(steps.metadata.outputs.update-type, 'security')
+        run: gh pr merge --auto --squash "$PR_URL"
+        continue-on-error: true
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/dependent_items.yml

@@ -43,7 +43,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: z0al/dependent-issues@v1.5.2
+      - uses: z0al/dependent-issues@950226e7ca8fc43dc209a7febf67c655af3bdb43
         env:
           # (Required) The token to use to make API calls to GitHub.
           GITHUB_TOKEN: ${{ secrets.PAT_REPO_PROJECT_DISCUSS }}

.github/workflows/jacoco_report.yml

@@ -32,9 +32,9 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       - name: Setup Scala
-        uses: olafurpg/setup-scala@v10
+        uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
         with:
           java-version: "adopt@1.8"
 
@@ -57,7 +57,7 @@ jobs:
       - name: Add coverage to PR
         if: steps.jacocorun.outcome == 'success'
         id: jacoco-balta
-        uses: madrapps/jacoco-report@v1.7.1
+        uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
         with:
           paths: ${{ github.workspace }}/balta/target/scala-${{ env.scalaShort }}/jacoco/report/jacoco.xml
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -72,7 +72,7 @@ jobs:
           echo "Changed Files coverage ${{ steps.jacoco-balta.outputs.coverage-changed-files }}"
       - name: Fail PR if changed files coverage is less than ${{ env.coverage-changed-files }}%
         if: steps.jacocorun.outcome == 'success'
-        uses: actions/github-script@v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             const coverageCheckFailed =
@@ -82,7 +82,7 @@ jobs:
             }
       - name: Fail PR if overall files coverage is less than ${{ env.coverage-overall }}%
         if: ${{ (steps.jacocorun.outcome == 'success') && (env.check-overall-coverages == 'true') }}
-        uses: actions/github-script@v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             const coverageCheckFailed =
@@ -92,7 +92,7 @@ jobs:
             }
       - name: Edit JaCoCo comments on build failure
         if: steps.jacocorun.outcome != 'success'
-        uses: actions/github-script@v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             const issue_number = context.issue.number;
@@ -119,3 +119,20 @@ jobs:
             }
 
             core.setFailed('JaCoCo test coverage report generation failed, and related PR comments were updated.');
+      - name: Aquasec Manifest Generation
+        run: |
+          export BILLY_SERVER=https://billy.eu-1.codesec.aquasec.com
+          curl -sLo install.sh download.codesec.aquasec.com/billy/install.sh
+          curl -sLo install.sh.checksum https://github.com/argonsecurity/releases/releases/latest/download/install.sh.checksum
+          if ! cat install.sh.checksum | sha256sum --check; then
+          echo "install.sh checksum failed"
+          exit 1
+          fi
+          BINDIR="." sh install.sh
+          rm install.sh install.sh.checksum
+          ./billy generate \
+            --access-token "${{ secrets.GITHUB_TOKEN }}" \
+            --aqua-key "${{ secrets.AQUA_KEY }}" \
+            --aqua-secret "${{ secrets.AQUA_SECRET }}" \
+            --cspm-url https://eu-1.api.cloudsploit.com \
+            --artifact-path "${{ github.workspace }}"        

.github/workflows/release_draft.yml

@@ -26,12 +26,12 @@ jobs:
   tag:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           fetch-depth: 0
       # the following step is disabled because it doesn't order the version tags correctly
 #      - name: Validate format of received tag
-#        uses: actions/github-script@v7
+#        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
 #        with:
 #          script: |
 #            const newTag = core.getInput('tag-name');
@@ -65,7 +65,7 @@ jobs:
 #          tag-name: ${{ github.event.inputs.tagName }}
 
       - name: Create and push tag
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             const tag = core.getInput('tag-name')
@@ -102,47 +102,42 @@ jobs:
     needs: tag
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           fetch-depth: 0
           ref: refs/tags/${{ github.event.inputs.tagName }}
 
-      - uses: actions/setup-python@v5.1.1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
         with:
           python-version: '3.11'
 
       - name: Generate release notes
         id: generate_release_notes
-        uses: AbsaOSS/generate-release-notes@v0.4.0
+        uses: AbsaOSS/generate-release-notes@b90223510d1704301a36a36f0d86a72a0e72f0cf
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           tag-name: ${{ github.event.inputs.tagName }}
-          chapters: '[
-            {"title": "No entry 🚫", "label": "duplicate"},
-            {"title": "No entry 🚫", "label": "invalid"},
-            {"title": "No entry 🚫", "label": "wontfix"},
-            {"title": "No entry 🚫", "label": "no RN"},
-            {"title": "Breaking Changes 💥", "label": "breaking-change"},
-            {"title": "New Features 🎉", "label": "enhancement"},
-            {"title": "New Features 🎉", "label": "feature"},
-            {"title": "Bugfixes 🛠", "label": "bug"},
-            {"title": "Infrastructure ⚙️", "label": "infrastructure"},
-            {"title": "Silent-live 🤫", "label": "silent-live"},
-            {"title": "Documentation 📜", "label": "documentation"}
-          ]'
+          chapters: |
+            - { title: No entry 🚫, label: duplicate }
+            - { title: Breaking Changes 💥, label: breaking-change }
+            - { title: New Features 🎉, label: enhancement }
+            - { title: Bugfixes 🛠, label: bug }
+            - { title: Infrastructure ⚙️, label: infrastructure }
+            - { title: Silent-live 🤫, label: silent-live }
+            - { title: Documentation 📜, label: documentation }
+            - { title: Closed Epics 📚, label: epic }
           duplicity-scope: 'service'
           duplicity-icon: '🔁'
           warnings: true
-          skip-release-notes-label: "no RN"
+          skip-release-notes-labels: "no RN"
           print-empty-chapters: false
-          chapters-to-pr-without-issue: true
           row-format-issue: '_{title}_ {developed-by} {co-authored-by} in #{number}'
           row-format-pr: '_{title}_ {developed-by} {co-authored-by} in #{number}'
           row-format-link-pr: true
 
       - name: Create draft release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/release_publish.yml

@@ -25,13 +25,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           fetch-depth: 0
-      - uses: coursier/cache-action@v5
+      - uses: coursier/cache-action@bebeeb0e6f48ebad66d3783946588ecf43114433
 
       - name: Setup Scala
-        uses: olafurpg/setup-scala@v14
+        uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
         with:
           java-version: "adopt@1.8"
 

.github/workflows/test_filenames_check.yml

@@ -27,11 +27,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
       - name: Filename Inspector
         id: scan-test-files
-        uses: AbsaOSS/filename-inspector@v0.1.0
+        uses: AbsaOSS/filename-inspector@355108975e656fac9faaa04209b6df3f9997c8fa
         with:
           name-patterns: '*UnitTests.*,*IntegrationTests.*'
           paths: '**/src/test/scala/**'