Use version tags for GitHub Actions for better maintainability

Changed from SHA-pinned actions to version tags (e.g., @v3, @v4, @v5) for easier maintenance and automatic security updates via Dependabot. While SHA pinning provides slightly better supply chain security, version tags with Dependabot updates provide a better balance of security and maintainability for most projects. Updated actions: - actions/checkout@v4 - docker/setup-buildx-action@v3 - docker/login-action@v3 - docker/metadata-action@v5 - docker/build-push-action@v5 - aquasecurity/trivy-action@0.24.0 - github/codeql-action/upload-sarif@v3 Dependabot will automatically create PRs for security updates.
2025-11-04 21:36:51 +00:00
parent fdb9ca6786
commit 6dc27cb813
2 changed files with 10 additions and 11 deletions
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -64,17 +64,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+        uses: actions/checkout@v4
        with:
          # For pull_request_target, checkout the PR head
          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226  # v3.0.0
+        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target'
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d  # v3.0.0
+        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -82,7 +82,7 @@ jobs:

      - name: Extract metadata (tags, labels)
        id: meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
+        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.service }}
          tags: |
@@ -96,7 +96,7 @@ jobs:

      - name: Build and push Docker image
        id: build
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56  # v5.1.0
+        uses: docker/build-push-action@v5
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
@@ -111,7 +111,7 @@ jobs:
          provenance: true

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d  # 0.22.0
+        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: ${{ steps.meta.outputs.tags }}
          format: 'sarif'
@@ -121,14 +121,14 @@ jobs:

      - name: Upload Trivy results to GitHub Security
        if: always()
-        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911  # v3.24.0
+        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results-${{ matrix.service }}.sarif'
          category: 'trivy-${{ matrix.service }}'

      - name: Run Trivy in table format
        if: always()
-        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d  # 0.22.0
+        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: ${{ steps.meta.outputs.tags }}
          format: 'table'