hms-dbmi · b32147 · Feb 24, 2025
diff --git a/.github/workflows/actions-update.yml b/.github/workflows/actions-update.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
         with:
           # [Required] Access token with `workflow` scope.
           token: ${{ secrets.WORKFLOW_TOKEN }}

diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
@@ -15,20 +15,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checking out
-        uses: actions/checkout@master
+        uses: actions/checkout@v4.2.2
         with:
           # Disabling shallow clone is recommended for improving relevancy of reporting
           fetch-depth: 0
       - name: SonarQube Scan
-        uses: sonarsource/sonarqube-scan-action@v3
+        uses: sonarsource/sonarqube-scan-action@v5.0.0
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
 
       # Check the Quality Gate status.
       - name: SonarQube Quality Gate check
         id: sonarqube-quality-gate-check
-        uses: sonarsource/sonarqube-quality-gate-action@master
+        uses: sonarsource/sonarqube-quality-gate-action@v1.1.0
         # Force to fail step after specific time.
         timeout-minutes: 5
         env:

diff --git a/.github/workflows/dbmisvc-app-deploy.yml b/.github/workflows/dbmisvc-app-deploy.yml
@@ -52,15 +52,15 @@ jobs:
       released: ${{ steps.semantic.outputs.new_release_published }}
       channel: ${{ steps.semantic.outputs.new_release_channel }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v4.2.2
     - name: Set up Python 3.11
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v5.4.0
       with:
         python-version: 3.11
     - name: Install Python packages
       run: |
         python -m pip install --upgrade pip
-    - uses: cycjimmy/semantic-release-action@v4
+    - uses: cycjimmy/semantic-release-action@v4.1.1
       id: semantic
       env:
         GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
@@ -89,7 +89,7 @@ jobs:
           git checkout ${{ needs.metadata.outputs.branch }}
     - name: Configure AWS credentials
       if: steps.semantic.outputs.new_release_published == 'true' || inputs.force
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v4.1.0
       with:
         aws-region: ${{ env.AWS_REGION }}
         role-to-assume: ${{ inputs.role }}
@@ -101,7 +101,7 @@ jobs:
       run: git rev-parse HEAD > COMMIT
     - name: Zip artifacts
       if: steps.semantic.outputs.new_release_published == 'true' || inputs.force
-      uses: thedoctor0/zip-release@master
+      uses: thedoctor0/zip-release@0.7.6
       with:
         type: "zip"
         filename: "${{ inputs.filename }}"

diff --git a/.github/workflows/requirements-update.yml b/.github/workflows/requirements-update.yml
@@ -32,7 +32,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v9.1.0
         with:
           only-labels: dependencies,automated pr
           stale-pr-message: 'This PR is stale because it has been open 7 days with no activity. Remove stale label or comment or this will be closed in 7 days.'
@@ -60,12 +60,12 @@ jobs:
         echo "dev_requirements=${DEV_REQUIREMENTS:-"dev-requirements.txt"}" >> "$GITHUB_OUTPUT"
 
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v4.2.2
       with:
         ref: ${{ steps.set_input_values.outputs.base_branch }}
 
     - name: Setup python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v5.4.0
       with:
         python-version: ${{ steps.set_input_values.outputs.python_version }}
 
@@ -83,7 +83,7 @@ jobs:
           ${{ steps.set_input_values.outputs.requirements_input }}
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v7
+      uses: peter-evans/create-pull-request@v7.0.6
       with:
         token: ${{ secrets.GH_TOKEN }}
         base: ${{ steps.set_input_values.outputs.base_branch }}

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -22,13 +22,13 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v4.2.2
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@v3.9.0
 
     - name: Login to DockerHub
-      uses: docker/login-action@v3
+      uses: docker/login-action@v3.3.0
       with:
         username: ${{ secrets.DOCKER_HUB_USERNAME }}
         password: ${{ secrets.DOCKER_HUB_PASSWORD }}
@@ -44,7 +44,7 @@ jobs:
 
     - name: Build the image
       id: buildimage
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6.14.0
       with:
         load: true
         context: ./
@@ -53,7 +53,7 @@ jobs:
         tags: ${{ steps.setimagename.outputs.imagename }}
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@0.29.0
       env:
         TRIVY_DB_REPOSITORY: "aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2"
         TRIVY_JAVA_DB_REPOSITORY: "aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1"

diff --git a/.github/workflows/test-image-build.yml b/.github/workflows/test-image-build.yml
@@ -22,13 +22,13 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v4.2.2
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@v3.9.0
 
     - name: Login to DockerHub
-      uses: docker/login-action@v3
+      uses: docker/login-action@v3.3.0
       with:
         username: ${{ secrets.DOCKER_HUB_USERNAME }}
         password: ${{ secrets.DOCKER_HUB_PASSWORD }}
@@ -44,7 +44,7 @@ jobs:
 
     - name: Build the image
       id: buildimage
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6.14.0
       with:
         context: ./
         file: ./Dockerfile