diff --git a/.github/workflows/build-and-analyze-fork.yml b/.github/workflows/build-and-analyze-fork.yml
index 841dc77de..d59204376 100644
--- a/.github/workflows/build-and-analyze-fork.yml
+++ b/.github/workflows/build-and-analyze-fork.yml
@@ -10,12 +10,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Setup .NET
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
 with:
 dotnet-version: |
 8.0.x
 3.1.x
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@@ -31,7 +31,7 @@ jobs:
 reportgenerator -reports:TestResults/**/coverage.cobertura.xml -targetdir:TestResults/Output/CoverageReport -reporttypes:Cobertura
 - name: Archive code coverage results
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: code-coverage-report
 path: TestResults/Output/CoverageReport/
@@ -48,7 +48,7 @@ jobs:
 name: code-coverage-report
 path: dist/
 - name: Create Coverage Summary Report
- uses: irongut/CodeCoverageSummary@v1.3.0
+ uses: irongut/CodeCoverageSummary@51cc3a756ddcd398d447c044c02cb6aa83fdae95 # v1.3.0
 with:
 filename: dist/Cobertura.xml
 badge: true
diff --git a/.github/workflows/build-and-analyze.yml b/.github/workflows/build-and-analyze.yml
index 8659f8bf1..a8952f6bf 100644
--- a/.github/workflows/build-and-analyze.yml
+++ b/.github/workflows/build-and-analyze.yml
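Review bot: The `# v4` / `# v1.3.0` trailers after each pinned SHA are comments the runner never checks, so nothing in these hunks proves that `51cc3a756ddcd398d447c044c02cb6aa83fdae95` is really what `irongut/CodeCoverageSummary` tagged as v1.3.0 — verify each SHA against the upstream tag (for example with `git ls-remote --tags <repo>`) before merging, the third-party action being the one where it matters most. Pinning also freezes every action until something bumps it, so this change presumably relies on Dependabot or Renovate tracking the `github-actions` ecosystem; if that isn't configured yet, add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` so the SHA and its trailing version comment are kept in sync together. Full 40-character SHAs are used throughout, which is correct; short SHAs would not be immutable.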
@@ -12,13 +12,13 @@ jobs:
 if: ((github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) || github.event_name == 'push') && github.repository_owner == 'Altinn' && github.actor != 'dependabot[bot]'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set inotify watchers
 run: echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf && sudo sysctl -p
 - name: Set inotify instances
 run: echo fs.inotify.max_user_instances=8192 | sudo tee -a /etc/sysctl.conf && sudo sysctl -p
 - name: Setup .NET
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
 with:
 dotnet-version: |
 8.0.x
@@ -32,27 +32,27 @@ jobs:
 runs-on: windows-latest
 steps:
 - name: Setup .NET
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
 with:
 dotnet-version: |
 8.0.x
 - name: Set up JDK 11
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 distribution: 'microsoft'
 java-version: 17
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 - name: Cache SonarCloud packages
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ~\sonar\cache
 key: ${{ runner.os }}-sonar
 restore-keys: ${{ runner.os }}-sonar
 - name: Cache SonarCloud scanner
 id: cache-sonar-scanner
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: .\.sonar\scanner
 key: ${{ runner.os }}-sonar-scanner
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index bb73df89e..4ac07f63c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
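Review bot: The job condition `github.actor != 'dependabot[bot]'` in the first hunk means that the pull requests which will from now on bump these SHAs (Dependabot's own) never run this build-and-analyze job, so a bumped `actions/setup-dotnet` or `actions/cache` commit is merged without ever being exercised here. That exclusion is presumably deliberate, since Dependabot PRs do not receive repository secrets and the SonarCloud steps need one, but it is worth confirming that `build-and-analyze-fork.yml`, which this commit also pins, does run for those PRs so every action bump is built at least once before merge. If it does not, consider dropping the actor exclusion from the job-level `if:` and gating only the Sonar steps on the secret being present instead.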
@@ -29,15 +29,15 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup .NET 8.0.* SDK
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
 with:
 dotnet-version: |
 8.0.x
 3.1.x
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -45,7 +45,7 @@ jobs:
 # Prefix the list here with "+" to use these queries and those in the config file.
 # queries: ./path/to/local/query, your-org/your-repo/queries@main
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml
index 24bd95605..48cd46842 100644
--- a/.github/workflows/container-scan.yml
+++ b/.github/workflows/container-scan.yml
@@ -18,11 +18,11 @@ jobs:
 scan:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Build the Docker image
 run: docker build . --tag altinn-authorization:${{github.sha}}
- - uses: Azure/container-scan@v0.1
+ - uses: Azure/container-scan@f9af925b897d8af5f7e0026b8bca9346261abc93 # v0.1
 with:
 image-name: altinn-authorization:${{ github.sha }}
 env:
diff --git a/.github/workflows/create-pnd-issues.yml b/.github/workflows/create-pnd-issues.yml
index 056dfa2df..1071c1d96 100644
--- a/.github/workflows/create-pnd-issues.yml
+++ b/.github/workflows/create-pnd-issues.yml
@@ -15,13 +15,13 @@ jobs:
 issues: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20
- - uses: pnpm/action-setup@v4
+ - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
 with:
 version: 9
 run_install: |
@@ -31,7 +31,7 @@ jobs:
 - id: create
 name: Create issue
- uses: JasonEtco/create-an-issue@v2
+ uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -58,13 +58,13 @@ jobs:
 issues: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20
- - uses: pnpm/action-setup@v4
+ - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
 with:
 version: 9
 run_install: |
@@ -74,7 +74,7 @@ jobs:
 - id: create
 name: Create issue
- uses: JasonEtco/create-an-issue@v2
+ uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
diff --git a/.github/workflows/infrastructure-template.yaml b/.github/workflows/infrastructure-template.yaml
index 66a75d7ca..484084aa3 100644
--- a/.github/workflows/infrastructure-template.yaml
+++ b/.github/workflows/infrastructure-template.yaml
@@ -28,7 +28,7 @@ jobs:
 environment: ${{ inputs.environment }}
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Terraform Set TFVARS
 run: echo "TF_VARS_FILE=$(echo ${{ inputs.environment }} | tr '[:upper:]' '[:lower:]').tfvars" >> $GITHUB_ENV
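Review bot: Neither `actions/checkout` step in the create-pnd-issues hunks sets `persist-credentials: false`, so the default leaves `GITHUB_TOKEN` in `.git/config` for the rest of the job, where the `pnpm/action-setup` `run_install` step (its script body lies outside the hunk) will run dependency lifecycle scripts that could read it. The token is scoped to `issues: write` here, which keeps the blast radius small, but nothing visible in either job needs git credentials after checkout, so add `with:` / `persist-credentials: false` under both checkout steps. The `JasonEtco/create-an-issue` step receives the token explicitly through `env:` and is unaffected by that change.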
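Review bot: In the infrastructure-template hunk, `run: echo "TF_VARS_FILE=$(echo ${{ inputs.environment }} | tr ...)"` interpolates a workflow input straight into the shell command, which is the expression-injection pattern GitHub's hardening guidance warns about; `inputs.environment` comes from the calling workflow (this file is a reusable template), so the attacker model is narrow, but the fix is cheap. Pass the value through the environment instead: add `env:` / `ENVIRONMENT: ${{ inputs.environment }}` to the step and use `run: echo "TF_VARS_FILE=$(echo "$ENVIRONMENT" | tr '[:upper:]' '[:lower:]').tfvars" >> "$GITHUB_ENV"`. The enclosing job starts above the hunk.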
@@ -53,7 +53,7 @@ jobs:
 if: inputs.tf_should_apply
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Terraform Initialize
 uses: altinn/altinn-platform/actions/terraform/plan@main
diff --git a/.github/workflows/pep-dotnet-test.yml b/.github/workflows/pep-dotnet-test.yml
index 7971c2b2e..7be262341 100644
--- a/.github/workflows/pep-dotnet-test.yml
+++ b/.github/workflows/pep-dotnet-test.yml
@@ -21,12 +21,12 @@ jobs:
 DOTNET_HOSTBUILDER__RELOADCONFIGONCHANGE: false
 steps:
 - name: Setup .NET
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
 with:
 dotnet-version: |
 6.0.x
 5.0.x
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 - name: Build
diff --git a/.github/workflows/pep-test-and-analyze.yml b/.github/workflows/pep-test-and-analyze.yml
index c0dd03069..7e9f3f7ce 100644
--- a/.github/workflows/pep-test-and-analyze.yml
+++ b/.github/workflows/pep-test-and-analyze.yml
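Review bot: `uses: altinn/altinn-platform/actions/terraform/plan@main` is the one action reference this commit leaves on a mutable branch, and it sits in the job gated by `inputs.tf_should_apply`, i.e. the one that can change infrastructure. It lives in the same GitHub org, so the trust boundary is narrower than for the third-party actions pinned elsewhere, but `@main` still means any push to that repository changes what this job executes with no review in this repo; pin it to a commit SHA with a `# <tag>` trailer like the other steps, or add a comment stating why it intentionally floats. Separately, the step is named `Terraform Initialize` but references the `plan` action — worth confirming that is the intended one.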
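Review bot: The pep-dotnet-test hunk still installs `dotnet-version: 5.0.x` and `6.0.x`; .NET 5 left support in May 2022 and .NET 6 in November 2024, so these SDKs receive no further security fixes and the pinned `actions/setup-dotnet` simply hands back the last patch that exists. Pinning the action SHA does nothing about that — if the PEP library genuinely has to keep those target frameworks, say so in a comment above `dotnet-version:` (e.g. `# net5.0/net6.0 kept for downstream consumers; both are out of support`), otherwise drop them. The same version list appears in the pep-test-and-analyze job further down.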
@@ -20,28 +20,28 @@ jobs:
 runs-on: windows-latest
 steps:
 - name: Setup .NET
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
 with:
 dotnet-version: |
 6.0.x
 5.0.x
 - name: Set up JDK 11
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 distribution: 'zulu'
 java-version: 17
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 - name: Cache SonarCloud packages
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ~\sonar\cache
 key: ${{ runner.os }}-sonar
 restore-keys: ${{ runner.os }}-sonar
 - name: Cache SonarCloud scanner
 id: cache-sonar-scanner
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: .\.sonar\scanner
 key: ${{ runner.os }}-sonar-scanner
diff --git a/.github/workflows/publish-abac-nuget.yml b/.github/workflows/publish-abac-nuget.yml
index 9a176a03d..581c519e7 100644
--- a/.github/workflows/publish-abac-nuget.yml
+++ b/.github/workflows/publish-abac-nuget.yml
@@ -10,12 +10,12 @@ jobs:
 if: startsWith(github.ref, 'refs/tags/Altinn.Authorization.ABAC-')
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
 - name: Setup .NET
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
 with:
 dotnet-version: |
 8.0.x
@@ -31,7 +31,7 @@ jobs:
 dotnet pack --configuration Release --no-build
 - name: Create artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: nuget package
 path: src/Altinn.Authorization.ABAC/bin/Release/*.nupkg
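Review bot: The step in the pep-test-and-analyze hunk is still named `Set up JDK 11` while `java-version: 17` is what it installs, and the same mismatch exists in the windows job of build-and-analyze.yml earlier in this commit; rename it `- name: Set up JDK 17` so the run log and the pinned action read consistently. A small thing, but a reviewer checking which JDK the Sonar scanner ran on will otherwise be misled by the log heading.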
diff --git a/.github/workflows/publish-pep-nuget.yml b/.github/workflows/publish-pep-nuget.yml
index 3f5d7f042..5957df49d 100644
--- a/.github/workflows/publish-pep-nuget.yml
+++ b/.github/workflows/publish-pep-nuget.yml
@@ -10,12 +10,12 @@ jobs:
 if: startsWith(github.ref, 'refs/tags/Altinn.Common.PEP-')
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
 - name: Setup .NET
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
 with:
 dotnet-version: |
 8.0.x
@@ -31,7 +31,7 @@ jobs:
 dotnet pack --configuration Release --no-build
 - name: Create artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: nuget package
 path: src/Altinn.Common.PEP/Altinn.Common.PEP/bin/Release/*.nupkg
diff --git a/Dockerfile b/Dockerfile
index b9f63e926..7757d0add 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/dotnet/sdk:9.0-alpine AS build
+FROM mcr.microsoft.com/dotnet/sdk:9.0-alpine@sha256:5e2228a03bcb9b75b9078f7a2379c2c82639422b785601ff271f744745ac2f71 AS build
 WORKDIR Authorization/
 COPY src/Authorization ./Authorization
@@ -7,7 +7,7 @@ WORKDIR Authorization/
 RUN dotnet build Altinn.Platform.Authorization.csproj -c Release -o /app_output
 RUN dotnet publish Altinn.Platform.Authorization.csproj -c Release -o /app_output
-FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine AS final
+FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine@sha256:354c2fcfb3c23abc60d98f0380cdb403fba844a62a123b6343a8c9611209995c AS final
 EXPOSE 5050
 WORKDIR /app
 COPY --from=build /app_output .
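Review bot: The build stage is digest-pinned to `sdk:9.0-alpine` while the runtime stage in the second Dockerfile hunk is `aspnet:8.0-alpine`, so the app is compiled with a 9.0 SDK and run on the 8.0 runtime; that only works while the csproj targets a framework the 8.0 runtime supports, and it is easy to break on the next digest bump, so state the intent above the first `FROM`, e.g. `# Built with the 9.0 SDK; the app targets net8.0 and runs on the 8.0 aspnet runtime`. With the `tag@sha256:...` form the tag is informational and the digest alone decides what is pulled, so Alpine and .NET patch releases stop flowing until someone updates the digest — make sure Dependabot/Renovate has a `docker` ecosystem entry covering this Dockerfile, or the pins will silently age. The second hunk may continue past the end of this excerpt.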