From b968974fbb06e2d1eebd66658c39f98cf814a464 Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 23:23:45 +0000 Subject: [PATCH] chore: [StepSecurity] Apply security best practicesSigned-off-by: StepSecurity Bot --- .github/workflows/api-manual.yml | 2 +- .github/workflows/publish.yml | 94 ++++++++++++++++---------------- 2 files changed, 48 insertions(+), 48 deletions(-) diff --git a/.github/workflows/api-manual.yml b/.github/workflows/api-manual.yml index 312d7ed600..33c78a0a7c 100644 --- a/.github/workflows/api-manual.yml +++ b/.github/workflows/api-manual.yml @@ -195,7 +195,7 @@ jobs: files: e2e-tests/cypress/test_results/**/*.xml - name: Upload tests results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: always() with: path: e2e-tests/cypress/reports/html/.jsons/** diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a8e1208938..1cafb551eb 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -39,10 +39,10 @@ jobs: # Add support for more platforms with QEMU - name: Set up QEMU - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 + uses: step-security/setup-qemu-action@8c4aef027ab2df56e08f597afe6dd8cd31cb84f5 # v3.7.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: step-security/setup-buildx-action@c60a792b446ef83310733d5cd9d0c8d6870d043f # v3.12.0 - name: Authenticate to Google Cloud id: auth @@ -53,7 +53,7 @@ jobs: token_format: 'access_token' - name: Docker Login - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: step-security/docker-login-action@c3e677aae8393bc9c81cfdf9709648720ea4bd4d # v3.6.0 with: registry: 'gcr.io' # or REGION-docker.pkg.dev username: 'oauth2accesstoken' 
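Review bot: In the `@@ -39,10 +39,10 @@` hunk of publish.yml the two removed lines were already pinned to full commit SHAs, so the replacements add no pinning; they change the publisher of the QEMU and Buildx setup actions from `docker/*` to `step-security/*`. That is a trust decision the commit subject does not mention, so it deserves a comment beside the pins, for example `# step-security maintained fork of docker/setup-qemu-action; SHA checked against the fork's v3.7.0 tag`. The trailing `# v3.7.0` and `# v3.12.0` now refer to tags in the fork repositories, which this diff cannot confirm. Each SHA should be checked against the fork's tag before merge.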
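Review bot: The `Docker Login` step in the `@@ -53,7 +53,7 @@` hunk moves from `docker/login-action` v3.7.0 to `step-security/docker-login-action` v3.6.0, which by the version comments is a downgrade under a commit titled as hardening. The step follows `Authenticate to Google Cloud` with `token_format: 'access_token'` and logs in to `gcr.io` as `oauth2accesstoken`, so the action presumably receives the GCP access token; the rest of its `with:` block is outside the hunk. I would keep `uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0` until the fork publishes a matching release and the changes between v3.6.0 and v3.7.0 have been reviewed.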
@@ -61,7 +61,7 @@ jobs: - name: application-events-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./application-events/Dockerfile @@ -71,7 +71,7 @@ jobs: - name: application-events if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./application-events/Dockerfile @@ -81,7 +81,7 @@ jobs: - name: ai-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./ai-service/Dockerfile @@ -91,7 +91,7 @@ jobs: - name: ai-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./ai-service/Dockerfile @@ -101,7 +101,7 @@ jobs: - name: logger-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./logger-service/Dockerfile 
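Review bot: The `application-events-latest` step in the `@@ -61,7 +61,7 @@` hunk moves from `docker/build-push-action` v6.19.2 to `step-security/docker-build-push-action` v6.18.0, so by the version comments the action that builds and pushes the release images is both downgraded and handed to a different publisher. The same replacement repeats in every later publish.yml hunk through `@@ -491,7 +491,7 @@`, and this note covers all of them. The diff does not show what changed upstream between v6.18.0 and v6.19.2, so that should be checked before accepting the older release. If no fork release matches, I would keep `uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2`, which is already SHA-pinned. Each step's `with:` block continues outside its hunk.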
@@ -111,7 +111,7 @@ jobs: - name: logger-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./logger-service/Dockerfile @@ -121,7 +121,7 @@ jobs: - name: notification-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./notification-service/Dockerfile @@ -131,7 +131,7 @@ jobs: - name: notification-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./notification-service/Dockerfile @@ -141,7 +141,7 @@ jobs: - name: auth-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./auth-service/Dockerfile @@ -151,7 +151,7 @@ jobs: - name: auth-service-demo-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./auth-service/Dockerfile.demo 
@@ -161,7 +161,7 @@ jobs: - name: auth-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./auth-service/Dockerfile @@ -171,7 +171,7 @@ jobs: - name: auth-service-demo if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./auth-service/Dockerfile.demo @@ -181,7 +181,7 @@ jobs: - name: api-gateway-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./api-gateway/Dockerfile @@ -191,7 +191,7 @@ jobs: - name: api-gateway-demo-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./api-gateway/Dockerfile.demo @@ -201,7 +201,7 @@ jobs: - name: api-gateway if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./api-gateway/Dockerfile 
@@ -211,7 +211,7 @@ jobs: - name: api-gateway-demo if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./api-gateway/Dockerfile.demo @@ -221,7 +221,7 @@ jobs: - name: policy-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./policy-service/Dockerfile @@ -231,7 +231,7 @@ jobs: - name: policy-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./policy-service/Dockerfile @@ -241,7 +241,7 @@ jobs: - name: guardian-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./guardian-service/Dockerfile @@ -251,7 +251,7 @@ jobs: - name: guardian-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./guardian-service/Dockerfile 
@@ -261,7 +261,7 @@ jobs: - name: worker-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./worker-service/Dockerfile @@ -271,7 +271,7 @@ jobs: - name: worker-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./worker-service/Dockerfile @@ -281,7 +281,7 @@ jobs: - name: queue-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./queue-service/Dockerfile @@ -291,7 +291,7 @@ jobs: - name: queue-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./queue-service/Dockerfile @@ -301,7 +301,7 @@ jobs: - name: topic-listener-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./topic-listener-service/Dockerfile 
@@ -311,7 +311,7 @@ jobs: - name: topic-listener-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./topic-listener-service/Dockerfile @@ -321,7 +321,7 @@ jobs: - name: topic-viewer-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./topic-viewer/Dockerfile @@ -331,7 +331,7 @@ jobs: - name: topic-viewer if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./topic-viewer/Dockerfile @@ -341,7 +341,7 @@ jobs: - name: mrv-sender-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./mrv-sender/Dockerfile @@ -351,7 +351,7 @@ jobs: - name: mrv-sender if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./mrv-sender/Dockerfile 
@@ -361,7 +361,7 @@ jobs: - name: analytics-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./analytics-service/Dockerfile @@ -371,7 +371,7 @@ jobs: - name: analytics-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./analytics-service/Dockerfile @@ -381,7 +381,7 @@ jobs: - name: web-proxy-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./web-proxy/Dockerfile.ci @@ -391,7 +391,7 @@ jobs: - name: web-proxy if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./web-proxy/Dockerfile.ci @@ -401,7 +401,7 @@ jobs: - name: web-proxy-demo-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./web-proxy/Dockerfile.demo 
@@ -411,7 +411,7 @@ jobs: - name: web-proxy-demo if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./web-proxy/Dockerfile.demo @@ -421,7 +421,7 @@ jobs: - name: indexer-worker-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./indexer-worker-service/Dockerfile @@ -431,7 +431,7 @@ jobs: - name: indexer-worker-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./indexer-worker-service/Dockerfile @@ -441,7 +441,7 @@ jobs: - name: indexer-service-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./indexer-service/Dockerfile @@ -451,7 +451,7 @@ jobs: - name: indexer-service if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./indexer-service/Dockerfile 
@@ -461,7 +461,7 @@ jobs: - name: indexer-api-gateway-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./indexer-api-gateway/Dockerfile @@ -471,7 +471,7 @@ jobs: - name: indexer-api-gateway if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./indexer-api-gateway/Dockerfile @@ -481,7 +481,7 @@ jobs: - name: indexer-web-proxy-latest if: ${{ steps.latestTag.outputs.value == 'latest'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./indexer-web-proxy/Dockerfile @@ -491,7 +491,7 @@ jobs: - name: indexer-web-proxy if: ${{ steps.latestTag.outputs.value == 'hotfix'}} - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0 with: context: . file: ./indexer-web-proxy/Dockerfile
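Review bot: The same `step-security/docker-build-push-action` pin is now written out in 44 separate steps of publish.yml, the last being `indexer-web-proxy` in the final hunk, so a later update must touch every copy and a missed one leaves images built by mixed action versions. Visible steps differ only in name, the `latest`/`hotfix` condition and the Dockerfile path, so a `strategy.matrix` over service and Dockerfile could keep the pin in a single `uses:` line. The `with:` blocks continue outside the hunks, so whether the remaining inputs are uniform enough for a matrix needs checking against the full file. At minimum, an automated updater for the `github-actions` ecosystem would keep the copies in step; this diff does not show whether one is configured.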