From 6dc27cb8132cb5362778de86cf2ac294c4f4cb6a Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Tue, 4 Nov 2025 21:36:51 +0000
Subject: [PATCH] Use version tags for GitHub Actions for better
 maintainability

Changed from SHA-pinned actions to version tags (e.g., @v3, @v4, @v5)
for easier maintenance and automatic security updates via Dependabot.

While SHA pinning provides slightly better supply chain security, version
tags with Dependabot updates provide a better balance of security and
maintainability for most projects.

Updated actions:
- actions/checkout@v4
- docker/setup-buildx-action@v3
- docker/login-action@v3
- docker/metadata-action@v5
- docker/build-push-action@v5
- aquasecurity/trivy-action@0.24.0
- github/codeql-action/upload-sarif@v3

Dependabot will automatically create PRs for security updates.
---
 .github/workflows/docker-build.yml | 16 ++++++++--------
 SECURITY.md                        |  5 ++---
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 25f36fe9..9fa8b040 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -64,17 +64,17 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+        uses: actions/checkout@v4
         with:
           # For pull_request_target, checkout the PR head
           ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226  # v3.0.0
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to GitHub Container Registry
         if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target'
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d  # v3.0.0
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -82,7 +82,7 @@ jobs:
 
       - name: Extract metadata (tags, labels)
         id: meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.service }}
           tags: |
@@ -96,7 +96,7 @@ jobs:
 
       - name: Build and push Docker image
         id: build
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56  # v5.1.0
+        uses: docker/build-push-action@v5
         with:
           context: ${{ matrix.context }}
           file: ${{ matrix.dockerfile }}
@@ -111,7 +111,7 @@ jobs:
           provenance: true
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d  # 0.22.0
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           image-ref: ${{ steps.meta.outputs.tags }}
           format: 'sarif'
@@ -121,14 +121,14 @@ jobs:
 
       - name: Upload Trivy results to GitHub Security
         if: always()
-        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911  # v3.24.0
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results-${{ matrix.service }}.sarif'
           category: 'trivy-${{ matrix.service }}'
 
       - name: Run Trivy in table format
         if: always()
-        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d  # 0.22.0
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           image-ref: ${{ steps.meta.outputs.tags }}
           format: 'table'
diff --git a/SECURITY.md b/SECURITY.md
index 6f201201..fffa0a67 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -33,9 +33,8 @@ Our CI/CD pipeline implements multiple security layers:
 2. **Vulnerability Scanning**: All images are scanned with Trivy for CRITICAL and HIGH vulnerabilities
 3. **SBOM Generation**: Software Bill of Materials is generated for all builds
 4. **Provenance Attestation**: Build provenance is recorded for supply chain security
-5. **SHA-Pinned Actions**: All GitHub Actions are pinned to specific SHA commits
-6. **Limited Permissions**: Workflows use minimal required permissions
-7. **No Push from PRs**: Pull requests only build images locally, never push to registry
+5. **Limited Permissions**: Workflows use minimal required permissions
+6. **No Push from PRs**: Pull requests only build images locally, never push to registry
 
 ### Container Security