chore: Bump golang from b274ff1 to 0ca97f4 in /httpserver (ratify…

…-project#1876)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/prometheus/client_golang from 1.20.4 to 1.20.5 (ratify-project#1877)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump vscode/devcontainers/go from `bdecb4c` to `46f85d1` in /.devcontainer (ratify-project#1879)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

feat: crl cache

Signed-off-by: Juncheng Zhu <[email protected]>

feat: crl cache 2

Signed-off-by: Juncheng Zhu <[email protected]>

feat: crl provider

Signed-off-by: Juncheng Zhu <[email protected]>

feat: added interfaces

Signed-off-by: Juncheng Zhu <[email protected]>

feat: crl refactor

Signed-off-by: Juncheng Zhu <[email protected]>

feat: crl refactor

Signed-off-by: Juncheng Zhu <[email protected]>

feat: crl refactor

Signed-off-by: Juncheng Zhu <[email protected]>

feat: crl refactor

Signed-off-by: Juncheng Zhu <[email protected]>

feat: integrate crl to verifier

Signed-off-by: Juncheng Zhu <[email protected]>

feat: kmp revocationfactory refactor

Signed-off-by: Juncheng Zhu <[email protected]>

chore: bump up go version to 1.22.8 (ratify-project#1880)

Signed-off-by: Binbin Li <[email protected]>
Signed-off-by: Binbin Li <[email protected]>

chore: Bump github.com/sigstore/sigstore from 1.8.9 to 1.8.10 (ratify-project#1878)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

docs: design proposal for tag and digest co-existing [ISSUE 1657] (ratify-project#1793)

docs: add CRL Design (ratify-project#1789)

Signed-off-by: Juncheng Zhu <[email protected]>

docs: Create proposal for verifying 'last-n' artifacts only. (ratify-project#1797)

Signed-off-by: Susan Shi <[email protected]>

docs: nVersionCount support for KMP design doc (ratify-project#1831)

Signed-off-by: Joshua Duffney <[email protected]>

ci: retry trivy db update upon failure (ratify-project#1881)

Signed-off-by: Binbin Li <[email protected]>

chore: Bump anchore/sbom-action from 0.17.4 to 0.17.5 (ratify-project#1882)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

ci: fix tagging in publish-ghcr workflow (ratify-project#1884)

Signed-off-by: Binbin Li <[email protected]>

ci: retry trivy download-db on failure (ratify-project#1883)

Signed-off-by: Binbin Li <[email protected]>

chore: migrate azure-sdk-for-go/containerregistry to the latest release (ratify-project#1829)

Signed-off-by: Shahram Kalantari <[email protected]>

chore: Bump github/codeql-action from 3.26.13 to 3.27.0 (ratify-project#1887)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

feat: crl fetcher

Signed-off-by: Juncheng Zhu <[email protected]>

feat: crl fetcher

Signed-off-by: Juncheng Zhu <[email protected]>

feat: update bytesFetcher

Signed-off-by: Juncheng Zhu <[email protected]>

feat: crl provider

Signed-off-by: Juncheng Zhu <[email protected]>

feat: refactor the interface

Signed-off-by: Juncheng Zhu <[email protected]>

feat: integrate crl to verifier 2

Signed-off-by: Juncheng Zhu <[email protected]>

feat: integrate crl to verifier 2

Signed-off-by: Juncheng Zhu <[email protected]>

chore: update charts (ratify-project#1892)

Signed-off-by: Juncheng Zhu <[email protected]>

chore: Bump actions/checkout from 4.2.1 to 4.2.2 (ratify-project#1893)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump actions/setup-go from 5.0.2 to 5.1.0 (ratify-project#1894)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump k8s.io/apimachinery from 0.28.14 to 0.28.15 (ratify-project#1896)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump distroless/static from `26f9b99` to `3a03fc0` in /httpserver (ratify-project#1899)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump k8s.io/client-go from 0.28.14 to 0.28.15 (ratify-project#1897)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump anchore/sbom-action from 0.17.5 to 0.17.6 (ratify-project#1903)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

feat: allow service account annotations (ratify-project#1907)

Signed-off-by: Maneesh Singh <[email protected]>

feat: add interface for testing

Signed-off-by: Juncheng Zhu <[email protected]>

feat: implemented interface

Signed-off-by: Juncheng Zhu <[email protected]>

feat: implemented interface

Signed-off-by: Juncheng Zhu <[email protected]>

test: working on test cases

Signed-off-by: Juncheng Zhu <[email protected]>

test: working on test cases 2

Signed-off-by: Juncheng Zhu <[email protected]>

test: working on test cases 3

Signed-off-by: Juncheng Zhu <[email protected]>

refactor: add cache constructor into fetcher constructor

Signed-off-by: Juncheng Zhu <[email protected]>

refactor: add cache constructor into fetcher constructor 2

Signed-off-by: Juncheng Zhu <[email protected]>

refactor: add cache constructor into fetcher constructor 3

Signed-off-by: Juncheng Zhu <[email protected]>

test: add cache constructor into fetcher constructor

Signed-off-by: Juncheng Zhu <[email protected]>

test: add cache constructor into fetcher constructor 2

Signed-off-by: Juncheng Zhu <[email protected]>

.devcontainer/Dockerfile

@@ -14,7 +14,7 @@
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/go/.devcontainer/base.Dockerfile
 
 # [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1.22-bullseye, 1.21-bullseye, 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster
-FROM mcr.microsoft.com/vscode/devcontainers/go:1.22-bullseye@sha256:bdecb4ca0d168e7bd73b01e475d017aac0888ee22c7d4998a09858ab95157669
+FROM mcr.microsoft.com/vscode/devcontainers/go:1.22-bullseye@sha256:46f85d17eff2b121269b4ed547eb366c2499b5f549d8eaa16fbe6e38f04dfb93
 
 # [Choice] Node.js version: none, lts/*, 18, 16, 14
 ARG NODE_VERSION="none"

.github/workflows/build-pr.yml

@@ -75,9 +75,9 @@ jobs:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go 1.22
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
 

.github/workflows/codeql.yml

@@ -31,18 +31,18 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=3.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=3.0.2
       - name: setup go environment
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
+        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # tag=v3.27.0
         with:
           languages: go
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI
         run: make build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
+        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # tag=v3.27.0

.github/workflows/e2e-aks.yml

@@ -33,9 +33,9 @@ jobs:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go 1.22
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
       - name: Az CLI login

.github/workflows/e2e-cli.yml

@@ -19,7 +19,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check license header
         uses: apache/skywalking-eyes/header@cd7b195c51fd3d6ad52afceb760719ddc6b3ee91
         with:
@@ -39,9 +39,9 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: setup go environment
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
       - name: Run tidy
@@ -68,9 +68,9 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: setup go environment
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
       - name: Run tidy
@@ -96,7 +96,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: recursive
       - name: Run link check

.github/workflows/e2e-k8s.yml

@@ -31,9 +31,9 @@ jobs:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go 1.22
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
 

.github/workflows/golangci-lint.yml

@@ -19,10 +19,10 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: golangci-lint
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:

.github/workflows/high-availability.yml

@@ -35,9 +35,9 @@ jobs:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go 1.22
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
 

.github/workflows/pr-to-main.yml

@@ -18,7 +18,7 @@ jobs:
           egress-policy: audit
 
       - name: git checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Get current date
         id: date
         run: echo "::set-output name=date::$(date +'%Y-%m-%d')"

.github/workflows/publish-charts.yml

@@ -17,7 +17,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Publish Helm charts
         uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
         with:

.github/workflows/publish-dev-assets.yml

@@ -21,7 +21,7 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Install Notation
         uses: notaryproject/notation-action/setup@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
       - name: Install cosign

.github/workflows/publish-package.yml

@@ -20,7 +20,7 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: prepare
         id: prepare
         run: |
@@ -64,7 +64,7 @@ jobs:
             --attest type=sbom \
             --attest type=provenance,mode=max \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
-            --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
+            --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$TAG" \
             --label org.opencontainers.image.revision=${{ github.sha }} \
             -t ${{ steps.prepare.outputs.baseref }} \
             --push .
@@ -79,7 +79,7 @@ jobs:
             --build-arg build_licensechecker=true \
             --build-arg build_schemavalidator=true \
             --build-arg build_vulnerabilityreport=true \
-            --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
+            --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$TAG" \
             --label org.opencontainers.image.revision=${{ github.sha }} \
             -t ${{ steps.prepare.outputs.ref }} \
             --push .

.github/workflows/quick-start.yml

@@ -35,9 +35,9 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: setup go environment
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
       - name: Run tidy

.github/workflows/release.yml

@@ -21,15 +21,15 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=3.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=3.0.2
         with:
           fetch-depth: 0
 
       - name: Install Syft
-        uses: anchore/sbom-action/download-syft@8d0a6505bf28ced3e85154d13dc6af83299e13f1 # v0.17.4
+        uses: anchore/sbom-action/download-syft@251a468eed47e5082b105c3ba6ee500c0e65a764 # v0.17.6
 
       - name: Set up Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
 

.github/workflows/run-full-validation.yml

@@ -63,9 +63,9 @@ jobs:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go 1.22
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
 

.github/workflows/scan-vulns.yaml

@@ -27,7 +27,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
           check-latest: true
@@ -38,68 +38,48 @@ jobs:
     runs-on: ubuntu-22.04
     timeout-minutes: 15
     env:
-      TRIVY_VERSION: v0.49.1
+      TRIVY_VERSION: 0.49.1
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
-      - name: Manual Trivy Setup
-        uses: aquasecurity/setup-trivy@eadb05c36f891dc855bba00f67174a1e61528cd4 # v0.2.1
+      - name: Download trivy
+        run: |
+          pushd $(mktemp -d)
+          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          echo "$(pwd)" >> $GITHUB_PATH
+      
+      - name: Download vulnerability database
+        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
         with:
-          cache: true
-          version: ${{ env.TRIVY_VERSION }}
+          max_attempts: 3
+          retry_on: error
+          timeout_seconds: 30
+          retry_wait_seconds: 5
+          command: |
+            trivy image --download-db-only
 
       - name: Run trivy on git repository
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
-        with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          ignore-unfixed: true
-          scanners: 'vuln'
-          version: ${{ env.TRIVY_VERSION }}
+        run: |
+          trivy fs --skip-db-update --format table --ignore-unfixed --scanners vuln .
 
       - name: Build docker images
         run: |
           make e2e-build-local-ratify-image
           make e2e-build-crd-image
-      
-      - name: Run Trivy vulnerability scanner on localbuild:test
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
-        with:
-          scan-type: 'image'
-          image-ref: 'localbuild:test'
-          ignore-unfixed: true
-          version: ${{ env.TRIVY_VERSION }}
-
-      - name: Run Trivy vulnerability scanner on localbuildcrd:test
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
-        with:
-          scan-type: 'image'
-          image-ref: 'localbuildcrd:test'
-          ignore-unfixed: true
-          version: ${{ env.TRIVY_VERSION }}
-
-      - name: Run Trivy vulnerability scanner on localbuild:test and exit on HIGH severity
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
-        with:
-          scan-type: 'image'
-          image-ref: 'localbuild:test'
-          ignore-unfixed: true
-          severity: 'HIGH,CRITICAL'
-          exit-code: '1'
-          version: ${{ env.TRIVY_VERSION }}
-
-      - name: Run Trivy vulnerability scanner on localbuildcrd:test and exit on HIGH severity
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
-        with:
-          scan-type: 'image'
-          image-ref: 'localbuildcrd:test'
-          ignore-unfixed: true
-          severity: 'HIGH,CRITICAL'
-          exit-code: '1'
-          version: ${{ env.TRIVY_VERSION }}
+      - name: Run trivy on images for all severity
+        run: |
+          for img in "localbuild:test" "localbuildcrd:test"; do
+              trivy image --skip-db-update --ignore-unfixed --vuln-type="os,library" "${img}"
+          done
+      - name: Run trivy on images and exit on HIGH/CRITICAL severity
+        run: |
+          for img in "localbuild:test" "localbuildcrd:test"; do
+              trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" "${img}"
+          done

.github/workflows/scorecards.yml

@@ -35,7 +35,7 @@ jobs:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=3.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=3.0.2
         with:
           persist-credentials: false
 
@@ -55,6 +55,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # tag=v3.27.0
         with:
           sarif_file: results.sarif

.github/workflows/sync-gh-pages.yml

@@ -21,7 +21,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: everlytic/branch-merge@c4a244dc23143f824ae6c022a10732566cb8e973
         with:
           github_token: ${{ github.token }}