From dd170964c70664e2793ceb7e990cf443d9b324ae Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Fri, 8 Aug 2025 11:26:45 +0200 Subject: [PATCH] [mod] ci: strict(er) exec (#5099) All actions are pulled using the version hash, versions are handled by dependabot, and we'll have control over which actions get updated. Replaces Trivy scanner with Docker Scout, we have recently begun analyzing the images there, and the action will keep us in sync about the problems on GHCS dashboard. --- .github/workflows/checker.yml | 6 ++--- .github/workflows/cleanup.yml | 2 +- .github/workflows/container.yml | 34 ++++++++++++++--------------- .github/workflows/data-update.yml | 8 +++---- .github/workflows/documentation.yml | 8 +++---- .github/workflows/integration.yml | 16 +++++++------- .github/workflows/l10n.yml | 14 ++++++------ .github/workflows/security.yml | 24 ++++++++++---------- 8 files changed, 57 insertions(+), 55 deletions(-) diff --git a/.github/workflows/checker.yml b/.github/workflows/checker.yml index 8e16aeef9..5b71cd5a7 100644 --- a/.github/workflows/checker.yml +++ b/.github/workflows/checker.yml @@ -24,17 +24,17 @@ jobs: runs-on: ubuntu-24.04-arm steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml index 32b34bd96..5041c69e2 100644 --- a/.github/workflows/cleanup.yml +++ b/.github/workflows/cleanup.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Prune - uses: snok/container-retention-policy@v3.0.0 + uses: snok/container-retention-policy@4f22ef80902ad409ed55a99dc5133cc1250a0d03 # v3.0.0 with: account: "${{ github.repository_owner }}" token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 6369f1b7a..27856bbe8 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -38,7 +38,7 @@ jobs: steps: - if: github.repository_owner == 'searxng' name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" @@ -50,7 +50,7 @@ jobs: - if: github.repository_owner == 'searxng' name: Check cache apko id: cache-apko - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: # yamllint disable-line rule:line-length key: "apko-${{ steps.date.outputs.date }}-${{ hashFiles('./container/base.yml', './container/base-builder.yml') }}" @@ -59,7 +59,7 @@ jobs: - if: github.repository_owner == 'searxng' && steps.cache-apko.outputs.cache-hit != 'true' name: Setup cache apko - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: # yamllint disable-line rule:line-length key: "apko-${{ steps.date.outputs.date }}-${{ hashFiles('./container/base.yml', './container/base-builder.yml') }}" @@ -74,7 +74,7 @@ jobs: - if: github.repository_owner == 'searxng' && steps.cache-apko.outputs.cache-hit != 'true' name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" @@ -130,17 +130,17 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" @@ -148,7 +148,7 @@ jobs: - name: Restore cache container mounts id: cache-container-mounts - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "container-mounts-${{ hashFiles('./container/*.dockerfile') }}" restore-keys: "container-mounts-" @@ -166,10 +166,10 @@ jobs: - if: ${{ matrix.emulation }} name: Setup QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" @@ -183,7 +183,7 @@ jobs: - if: always() name: Save cache container mounts - uses: actions/cache/save@v4 + uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "container-mounts-${{ hashFiles('./container/*.dockerfile') }}" path: | @@ -210,16 +210,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - if: ${{ matrix.emulation }} name: Setup QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" @@ -245,19 +245,19 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" password: "${{ secrets.GITHUB_TOKEN }}" - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "docker.io" username: "${{ secrets.DOCKERHUB_USERNAME }}" diff --git a/.github/workflows/data-update.yml b/.github/workflows/data-update.yml index 4deca2ffc..fe55ffaf6 100644 --- a/.github/workflows/data-update.yml +++ b/.github/workflows/data-update.yml @@ -40,17 +40,17 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" @@ -64,7 +64,7 @@ jobs: - name: Create PR id: cpr - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: author: "searxng-bot " committer: "searxng-bot " diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index 577ad84f3..20f8a641f 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -32,18 +32,18 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" fetch-depth: "0" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" @@ -57,7 +57,7 @@ jobs: - if: github.ref_name == 'master' name: Release - uses: JamesIves/github-pages-deploy-action@v4 + uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3 with: folder: "dist/docs" branch: "gh-pages" diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index b40ae26ab..59e1e473e 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -35,17 +35,17 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ matrix.python-version }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ matrix.python-version }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ matrix.python-version }}-${{ runner.arch }}-" @@ -62,28 +62,28 @@ jobs: runs-on: ubuntu-24.04-arm steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version-file: "./.nvmrc" - name: Setup cache Node.js - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "nodejs-${{ runner.arch }}-${{ hashFiles('./.nvmrc', './package.json') }}" path: "./client/simple/node_modules/" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" diff --git a/.github/workflows/l10n.yml b/.github/workflows/l10n.yml index 0b23975d3..92cddff1e 100644 --- a/.github/workflows/l10n.yml +++ b/.github/workflows/l10n.yml @@ -35,18 +35,18 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: "${{ secrets.WEBLATE_GITHUB_TOKEN }}" fetch-depth: "0" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" @@ -82,18 +82,18 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: "${{ secrets.WEBLATE_GITHUB_TOKEN }}" fetch-depth: "0" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" @@ -117,7 +117,7 @@ jobs: - name: Create PR id: cpr - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: author: "searxng-bot " committer: "searxng-bot " diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 669d0f293..8a59e5062 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -24,21 +24,23 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - - name: Run Trivy scanner - uses: aquasecurity/trivy-action@0.32.0 + - name: Sync GHCS from Docker Scout + uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 with: - image-ref: "ghcr.io/searxng/searxng:latest" - vuln-type: "os,library" - severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - ignore-unfixed: "false" - format: "sarif" - output: "./trivy-results.sarif" + organization: "searxng" + dockerhub-user: "${{ secrets.DOCKERHUB_USERNAME }}" + dockerhub-password: "${{ secrets.DOCKERHUB_TOKEN }}" + image: "registry://ghcr.io/searxng/searxng:latest" + command: "cves" + sarif-file: "./scout.sarif" + exit-code: "false" + write-comment: "false" - name: Upload SARIFs - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@a4e1a019f5e24960714ff6296aee04b736cbc3cf # v3.29.6 with: - sarif_file: "./trivy-results.sarif" + sarif_file: "./scout.sarif"