akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Use version tags for GitHub Actions for better maintainability

Browse Source 
Changed from SHA-pinned actions to version tags (e.g., @v3, @v4, @v5)
for easier maintenance and automatic security updates via Dependabot.

While SHA pinning provides slightly better supply chain security, version
tags with Dependabot updates provide a better balance of security and
maintainability for most projects.

Updated actions:
- actions/checkout@v4
- docker/setup-buildx-action@v3
- docker/login-action@v3
- docker/metadata-action@v5
- docker/build-push-action@v5
- aquasecurity/trivy-action@0.24.0
- github/codeql-action/upload-sarif@v3

Dependabot will automatically create PRs for security updates.
This commit is contained in:
Claude
2025-11-04 21:36:51 +00:00
parent fdb9ca6786
commit 6dc27cb813
2 changed files with 10 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
.github/workflows/docker-build.yml vendored
View File

@@ -64,17 +64,17 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@v4
with:
# For pull_request_target, checkout the PR head
ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
uses: docker/setup-buildx-action@v3
- name: Log in to GitHub Container Registry
if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target'
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
@@ -82,7 +82,7 @@ jobs:
- name: Extract metadata (tags, labels)
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.service }}
tags: |
@@ -96,7 +96,7 @@ jobs:
- name: Build and push Docker image
id: build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@v5
with:
context: ${{ matrix.context }}
file: ${{ matrix.dockerfile }}
@@ -111,7 +111,7 @@ jobs:
provenance: true
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
uses: aquasecurity/trivy-action@0.24.0
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: 'sarif'
@@ -121,14 +121,14 @@ jobs:
- name: Upload Trivy results to GitHub Security
if: always()
uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results-${{ matrix.service }}.sarif'
category: 'trivy-${{ matrix.service }}'
- name: Run Trivy in table format
if: always()
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
uses: aquasecurity/trivy-action@0.24.0
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: 'table'

5
SECURITY.md
View File

@@ -33,9 +33,8 @@ Our CI/CD pipeline implements multiple security layers:
2. **Vulnerability Scanning**: All images are scanned with Trivy for CRITICAL and HIGH vulnerabilities
3. **SBOM Generation**: Software Bill of Materials is generated for all builds
4. **Provenance Attestation**: Build provenance is recorded for supply chain security
5. **SHA-Pinned Actions**: All GitHub Actions are pinned to specific SHA commits
6. **Limited Permissions**: Workflows use minimal required permissions
7. **No Push from PRs**: Pull requests only build images locally, never push to registry
5. **Limited Permissions**: Workflows use minimal required permissions
6. **No Push from PRs**: Pull requests only build images locally, never push to registry
### Container Security