From 293694b65618ec4e164f5d9722c8fcf8524fd52f Mon Sep 17 00:00:00 2001 From: sophia chen Date: Mon, 4 May 2026 15:44:06 +1000 Subject: [PATCH 01/19] chore(UID2-6742): upgrade Node.js 20 actions to Node.js 24-compatible versions --- .github/actions/build_ami/action.yaml | 2 +- .github/actions/build_aws_eif/action.yaml | 2 +- .github/actions/build_eks_docker_image/action.yaml | 4 ++-- .github/actions/update_operator_version/action.yaml | 4 ++-- .github/workflows/build-uid2-ami.yaml | 4 ++-- .github/workflows/publish-all-operators.yaml | 4 ++-- .../workflows/publish-aws-eks-nitro-enclave-docker.yaml | 4 ++-- .github/workflows/publish-aws-nitro-eif.yaml | 6 +++--- .github/workflows/publish-azure-cc-enclave-docker.yaml | 8 ++++---- .github/workflows/publish-gcp-oidc-enclave-docker.yaml | 6 +++--- 10 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/actions/build_ami/action.yaml b/.github/actions/build_ami/action.yaml index 4a88376b9..260163996 100644 --- a/.github/actions/build_ami/action.yaml +++ b/.github/actions/build_ami/action.yaml @@ -56,7 +56,7 @@ runs: GITHUB_CONTEXT: ${{ toJson(github) }} - name: Checkout full history - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Get EIF for Release ${{ inputs.operator_release }} uses: ./.github/actions/download_release_artifact diff --git a/.github/actions/build_aws_eif/action.yaml b/.github/actions/build_aws_eif/action.yaml index ddd525855..65e2ed2b8 100644 --- a/.github/actions/build_aws_eif/action.yaml +++ b/.github/actions/build_aws_eif/action.yaml @@ -31,7 +31,7 @@ runs: steps: - name: Checkout full history at commit sha ${{ inputs.commit_sha }} - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: ${{ inputs.commit_sha }} # git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout. 
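Review bot: `uses: actions/checkout@v6` in .github/actions/build_ami/action.yaml is a mutable tag, while this same patch pins `docker/login-action` to a full commit SHA with a version comment. The checkout step also runs in publish jobs that declare `packages: write` (publish-aws-eks-nitro-enclave-docker.yaml), so a retargeted tag would execute with that token in scope. I would pin it the same way, `uses: actions/checkout@<full-commit-sha-of-v6-release> # v6.x.y` (placeholder; resolve it from the upstream release), in every checkout hunk of this patch. The `actions/setup-java@v5`, `actions/upload-artifact@v7` and `actions/download-artifact@v8` lines in patches 06 and 09 have the same gap. The enclosing `steps:` list starts and ends outside the hunk.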
diff --git a/.github/actions/build_eks_docker_image/action.yaml b/.github/actions/build_eks_docker_image/action.yaml index aecfab69d..f6ac04318 100644 --- a/.github/actions/build_eks_docker_image/action.yaml +++ b/.github/actions/build_eks_docker_image/action.yaml @@ -39,7 +39,7 @@ runs: steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Make output dir shell: bash @@ -112,7 +112,7 @@ runs: df -h - name: Log in to the Docker container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} diff --git a/.github/actions/update_operator_version/action.yaml b/.github/actions/update_operator_version/action.yaml index ef3756589..9a1726a51 100644 --- a/.github/actions/update_operator_version/action.yaml +++ b/.github/actions/update_operator_version/action.yaml @@ -65,14 +65,14 @@ runs: IS_RELEASE: ${{ steps.checkRelease.outputs.is_release }} - name: Checkout full history on Main - uses: actions/checkout@v4 + uses: actions/checkout@v6 if: ${{ inputs.version_number_input == '' }} with: # git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout. fetch-depth: 0 - name: Checkout full history at tag v${{ inputs.version_number_input }} - uses: actions/checkout@v4 + uses: actions/checkout@v6 if: ${{ inputs.version_number_input != '' }} with: ref: v${{ inputs.version_number_input }} diff --git a/.github/workflows/build-uid2-ami.yaml b/.github/workflows/build-uid2-ami.yaml index fcc375978..544ef93ff 100644 --- a/.github/workflows/build-uid2-ami.yaml +++ b/.github/workflows/build-uid2-ami.yaml @@ -38,7 +38,7 @@ jobs: enclave_id: ${{ steps.buildAMI.outputs.enclave_id }} steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Build UID2 Operator AMI id: buildAMI 
@@ -78,7 +78,7 @@ jobs: enclave_id: ${{ steps.buildAMI.outputs.enclave_id }} steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Pre-cleanup shell: bash diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml index 6c92b3429..6452e59fc 100644 --- a/.github/workflows/publish-all-operators.yaml +++ b/.github/workflows/publish-all-operators.yaml @@ -65,7 +65,7 @@ jobs: release_type: ${{ inputs.release_type }} - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 @@ -156,7 +156,7 @@ jobs: needs: [start, buildPublic, buildGCP, buildAzure, buildAWS, buildAMI] steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 diff --git a/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml b/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml index 0de600aac..0a4b49d05 100644 --- a/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml +++ b/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml @@ -37,7 +37,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Build Docker Image for EKS Pod id: build_docker_image_uid @@ -65,7 +65,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Build Docker Image for EKS Pod id: build_docker_image_euid diff --git a/.github/workflows/publish-aws-nitro-eif.yaml b/.github/workflows/publish-aws-nitro-eif.yaml index 29c4f5f14..b74704c99 100644 --- a/.github/workflows/publish-aws-nitro-eif.yaml +++ b/.github/workflows/publish-aws-nitro-eif.yaml @@ -50,7 +50,7 @@ jobs: GITHUB_CONTEXT: ${{ toJson(github) }} - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Update Operator Version id: update_version 
@@ -74,7 +74,7 @@ jobs: needs: start steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Build UID2 AWS EIF id: build_uid2_eif @@ -113,7 +113,7 @@ jobs: needs: start steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Build EUID AWS EIF id: build_euid_eif diff --git a/.github/workflows/publish-azure-cc-enclave-docker.yaml b/.github/workflows/publish-azure-cc-enclave-docker.yaml index 288fc5b36..a5486f196 100644 --- a/.github/workflows/publish-azure-cc-enclave-docker.yaml +++ b/.github/workflows/publish-azure-cc-enclave-docker.yaml @@ -75,7 +75,7 @@ jobs: tags: ${{ steps.meta.outputs.tags }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Update Operator Version id: update_version @@ -103,7 +103,7 @@ jobs: cp scripts/confidential_compute.py ${{ env.DOCKER_CONTEXT_PATH }}/ - name: Log in to the Docker container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -174,7 +174,7 @@ jobs: needs: buildImage steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Install Azure CLI uses: ./.github/actions/install_az_cli @@ -222,7 +222,7 @@ jobs: needs: buildImage steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Install Azure CLI uses: ./.github/actions/install_az_cli diff --git a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml index 45d68ba8a..60fdc8d7f 100644 --- a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml +++ b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml 
@@ -73,7 +73,7 @@ jobs: image_tag: ${{ steps.update_version.outputs.image_tag }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Update Operator Version id: update_version @@ -101,7 +101,7 @@ jobs: cp scripts/confidential_compute.py ${{ env.DOCKER_CONTEXT_PATH }}/ - name: Log in to the Docker container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -117,7 +117,7 @@ jobs: access_token_lifetime: 300s - name: Log in to the GCP Registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ${{ env.GCP_REGISTRY }} username: oauth2accesstoken From 633b341a7a1bf3c24ed5fc4d4ffae6cb793d5116 Mon Sep 17 00:00:00 2001 From: sophia chen Date: Mon, 4 May 2026 16:06:38 +1000 Subject: [PATCH 02/19] test(UID2-6742): point shared-actions refs to test branch Temporary: replace uid2-shared-actions@v3 with @sch-UID2-6742-update-node20-actions for CI validation. Revert to @v3 (or drop this commit) once shared-actions PR #227 merges. Co-Authored-By: Claude Sonnet 4.6 --- .github/actions/update_operator_version/action.yaml | 8 ++++---- .github/workflows/build-and-test.yaml | 2 +- .github/workflows/publish-all-operators.yaml | 8 ++++---- .github/workflows/publish-gcp-oidc-enclave-docker.yaml | 2 +- .../workflows/publish-public-operator-docker-image.yaml | 2 +- .github/workflows/run-e2e-tests-on-operator.yaml | 2 +- .github/workflows/validate-image.yaml | 8 ++++---- .github/workflows/vulnerability-scan-failure-notify.yaml | 2 +- 8 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/actions/update_operator_version/action.yaml b/.github/actions/update_operator_version/action.yaml index 9a1726a51..f3ae16a57 100644 
--- a/.github/actions/update_operator_version/action.yaml +++ b/.github/actions/update_operator_version/action.yaml @@ -37,7 +37,7 @@ runs: steps: - name: Check branch and release type id: checkRelease - uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3 + uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@sch-UID2-6742-update-node20-actions with: release_type: ${{ inputs.release_type }} @@ -84,7 +84,7 @@ runs: - name: Set version number id: version - uses: IABTechLab/uid2-shared-actions/actions/version_number@v3 + uses: IABTechLab/uid2-shared-actions/actions/version_number@sch-UID2-6742-update-node20-actions with: type: ${{ inputs.release_type }} version_number: ${{ inputs.version_number_input }} @@ -103,7 +103,7 @@ runs: - name: Commit pom.xml and version.json id: commit-without-tag if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release != 'true' }} - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions with: add: 'pom.xml version.json' message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}' @@ -112,7 +112,7 @@ runs: - name: Commit pom.xml, version.json and set tag id: commit-and-tag if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }} - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions with: add: 'pom.xml version.json' message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}' diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml index aa13387c6..1263c3553 100644 --- a/.github/workflows/build-and-test.yaml +++ b/.github/workflows/build-and-test.yaml 
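Review bot: `uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@sch-UID2-6742-update-node20-actions` resolves a branch name at run time, so any later push to that branch changes what executes here without a reviewable change in this repository. The same ref is applied in this patch to `commit_pr_and_merge`, to `vulnerability_scan`, and to reusable workflows called with `secrets: inherit` (build-and-test.yaml, validate-image.yaml), and build-and-test.yaml triggers on `pull_request` and `push`. For the validation window I would reference the branch's head commit instead, `...@<commit-sha-of-test-branch-head> # sch-UID2-6742-update-node20-actions` (placeholder), so that the code receiving inherited secrets and gating the vulnerability scan is fixed while the tests run. A branch ref will presumably also stop resolving if the branch is deleted once the shared-actions PR merges, which would break every workflow listed in this patch's diffstat.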
@@ -3,7 +3,7 @@ on: [pull_request, push, workflow_dispatch] jobs: build: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@sch-UID2-6742-update-node20-actions with: java_version: 21 secrets: inherit \ No newline at end of file diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml index 6452e59fc..62f3ae874 100644 --- a/.github/workflows/publish-all-operators.yaml +++ b/.github/workflows/publish-all-operators.yaml @@ -60,7 +60,7 @@ jobs: GITHUB_CONTEXT: ${{ toJson(github) }} - name: Check branch and release type - uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3 + uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@sch-UID2-6742-update-node20-actions with: release_type: ${{ inputs.release_type }} @@ -70,7 +70,7 @@ jobs: fetch-depth: 0 - name: Scan vulnerabilities - uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 + uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@sch-UID2-6742-update-node20-actions with: scan_severity: HIGH,CRITICAL failure_severity: CRITICAL @@ -78,7 +78,7 @@ jobs: - name: Set version number id: version - uses: IABTechLab/uid2-shared-actions/actions/version_number@v3 + uses: IABTechLab/uid2-shared-actions/actions/version_number@sch-UID2-6742-update-node20-actions with: type: ${{ env.RELEASE_TYPE }} branch_name: ${{ github.ref }} @@ -92,7 +92,7 @@ jobs: - name: Commit pom.xml, version.json and set tag id: commit-and-tag - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions with: add: 'pom.xml version.json' message: 'Released ${{ env.RELEASE_TYPE }} version: ${{ steps.version.outputs.new_version }}' 
diff --git a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml index 60fdc8d7f..b5b88f798 100644 --- a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml +++ b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml @@ -162,7 +162,7 @@ jobs: BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} - name: Vulnerability Scan - uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 + uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@sch-UID2-6742-update-node20-actions with: image_ref: ${{ steps.meta.outputs.tags }} scan_type: 'image' diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml index 9c2898ce0..0f9f90011 100644 --- a/.github/workflows/publish-public-operator-docker-image.yaml +++ b/.github/workflows/publish-public-operator-docker-image.yaml @@ -59,7 +59,7 @@ jobs: image: name: Image - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@sch-UID2-6742-update-node20-actions needs: check_major with: release_type: ${{ inputs.release_type }} diff --git a/.github/workflows/run-e2e-tests-on-operator.yaml b/.github/workflows/run-e2e-tests-on-operator.yaml index 462a992e1..c3ba8e084 100644 --- a/.github/workflows/run-e2e-tests-on-operator.yaml +++ b/.github/workflows/run-e2e-tests-on-operator.yaml @@ -117,7 +117,7 @@ on: jobs: e2e-test: name: E2E Test - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-run-e2e-tests.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-run-e2e-tests.yaml@sch-UID2-6742-update-node20-actions with: operator_type: ${{ inputs.operator_type }} identity_scope: ${{ inputs.identity_scope }} 
diff --git a/.github/workflows/validate-image.yaml b/.github/workflows/validate-image.yaml index 37b4bf912..3b257a5ae 100644 --- a/.github/workflows/validate-image.yaml +++ b/.github/workflows/validate-image.yaml @@ -19,7 +19,7 @@ on: jobs: build-publish-docker-default: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} @@ -27,7 +27,7 @@ jobs: java_version: 21 secrets: inherit build-publish-docker-aws: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} @@ -36,7 +36,7 @@ jobs: secrets: inherit needs: [build-publish-docker-default] build-publish-docker-gcp: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} @@ -45,7 +45,7 @@ jobs: secrets: inherit needs: [build-publish-docker-aws] build-publish-docker-azure: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} 
diff --git a/.github/workflows/vulnerability-scan-failure-notify.yaml b/.github/workflows/vulnerability-scan-failure-notify.yaml index 7a87e06fc..e59ed7f4d 100644 --- a/.github/workflows/vulnerability-scan-failure-notify.yaml +++ b/.github/workflows/vulnerability-scan-failure-notify.yaml @@ -16,7 +16,7 @@ on: jobs: vulnerability-scan-failure-notify: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-vulnerability-scan-failure-notify.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-vulnerability-scan-failure-notify.yaml@sch-UID2-6742-update-node20-actions secrets: SLACK_WEBHOOK : ${{ secrets.SLACK_WEBHOOK }} with: From f7acd3c56287a0eebc081230783fd9029839d3d0 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Mon, 4 May 2026 06:32:14 +0000 Subject: [PATCH 03/19] [CI Pipeline] Released Snapshot version: 5.70.68-alpha-753-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index fffbc69e6..6de9ee06b 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.70.67 + 5.70.68-alpha-753-SNAPSHOT UTF-8 From 023e31d8fd59a08580e399778f3768569bc92814 Mon Sep 17 00:00:00 2001 From: sophia chen Date: Mon, 4 May 2026 16:39:35 +1000 Subject: [PATCH 04/19] chore(UID2-6742): upgrade additional Node.js 20 actions to Node.js 24-compatible versions - actions/github-script: @v7 -> v9.0.0 SHA (download_release_artifact) - github/codeql-action/upload-sarif: @v3 -> v4.35.3 SHA (publish-azure-cc) Co-Authored-By: Claude Sonnet 4.6 --- .github/actions/download_release_artifact/action.yaml | 2 +- .github/workflows/publish-azure-cc-enclave-docker.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/download_release_artifact/action.yaml b/.github/actions/download_release_artifact/action.yaml index 3ad54d6bf..24c6f0530 100644 --- a/.github/actions/download_release_artifact/action.yaml +++ b/.github/actions/download_release_artifact/action.yaml 
@@ -27,7 +27,7 @@ runs: steps: - name: Get Artifact Ids id: get_asset_id - uses: actions/github-script@v7 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ inputs.github_token }} result-encoding: string diff --git a/.github/workflows/publish-azure-cc-enclave-docker.yaml b/.github/workflows/publish-azure-cc-enclave-docker.yaml index a5486f196..ac5392076 100644 --- a/.github/workflows/publish-azure-cc-enclave-docker.yaml +++ b/.github/workflows/publish-azure-cc-enclave-docker.yaml @@ -141,7 +141,7 @@ jobs: hide-progress: true - name: Upload Trivy scan report to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 with: sarif_file: 'trivy-results.sarif' From 4d3e25ff5f688a531052f2452a8d748893df1a80 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Mon, 4 May 2026 06:42:47 +0000 Subject: [PATCH 05/19] [CI Pipeline] Released Snapshot version: 5.70.69-alpha-754-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 6de9ee06b..426d2c355 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.70.68-alpha-753-SNAPSHOT + 5.70.69-alpha-754-SNAPSHOT UTF-8 From 8f41b33fcc577ca5cc44a31e162884fed42fd80d Mon Sep 17 00:00:00 2001 
From: sophia chen Date: Mon, 4 May 2026 16:52:18 +1000 Subject: [PATCH 06/19] chore(UID2-6742): upgrade remaining Node.js 20 actions to Node.js 24-compatible versions - actions/setup-java: v4 -> v5 (multiple workflows) - docker/build-push-action: v5 (ca052bb5) -> v7.1.0 (bcafcacb) - docker/metadata-action: v5 (c299e40c) -> v6.0.0 (030e8812) - google-github-actions/auth: v2 (c200f369) -> v3.0.0 (7c6bc770) - actions/upload-artifact: v4 -> v7 (multiple workflows) Co-Authored-By: Claude Sonnet 4.6 --- .github/actions/build_ami/action.yaml | 2 +- .../actions/build_eks_docker_image/action.yaml | 6 +++--- .github/workflows/build-uid2-ami.yaml | 2 +- .github/workflows/publish-all-operators.yaml | 2 +- .../publish-aws-eks-nitro-enclave-docker.yaml | 2 +- .github/workflows/publish-aws-nitro-eif.yaml | 6 +++--- .../publish-azure-cc-enclave-docker.yaml | 16 ++++++++-------- .../publish-gcp-oidc-enclave-docker.yaml | 18 +++++++++--------- .../publish-public-operator-docker-image.yaml | 2 +- 9 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/actions/build_ami/action.yaml b/.github/actions/build_ami/action.yaml index 260163996..55e988cd3 100644 --- a/.github/actions/build_ami/action.yaml +++ b/.github/actions/build_ami/action.yaml @@ -190,7 +190,7 @@ runs: ls -al - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: ${{ inputs.identity_scope }}_AMI_measurement path: ./scripts/aws/uid2-operator-ami/${{ inputs.identity_scope }}_AMI_measurement.txt diff --git a/.github/actions/build_eks_docker_image/action.yaml b/.github/actions/build_eks_docker_image/action.yaml index f6ac04318..ebbddddeb 100644 --- a/.github/actions/build_eks_docker_image/action.yaml +++ b/.github/actions/build_eks_docker_image/action.yaml 
@@ -120,14 +120,14 @@ runs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-eks-${{ inputs.identity_scope }} tags: | type=raw,value=${{ steps.versionNumber.outputs.VERSION_NUMBER }}.${{ github.run_number }} - name: Build and export to Docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: ${{ inputs.artifacts_output_dir }} load: true @@ -140,7 +140,7 @@ runs: - name: Push to Docker id: push-to-docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: ${{ inputs.artifacts_output_dir }} push: true diff --git a/.github/workflows/build-uid2-ami.yaml b/.github/workflows/build-uid2-ami.yaml index 544ef93ff..93c5154ce 100644 --- a/.github/workflows/build-uid2-ami.yaml +++ b/.github/workflows/build-uid2-ami.yaml @@ -142,7 +142,7 @@ jobs: euid_AMI_measurement - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: aws-ami-ids-${{ needs.buildUID2.outputs.version_number }} path: ./artifacts/ diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml index 62f3ae874..948b4731f 100644 --- a/.github/workflows/publish-all-operators.yaml +++ b/.github/workflows/publish-all-operators.yaml @@ -203,7 +203,7 @@ jobs: path: ./deployment - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: uid2-operator-release-${{ needs.start.outputs.new_version }}-manifests path: ./manifests 
diff --git a/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml b/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml index 0a4b49d05..7335ae0e4 100644 --- a/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml +++ b/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml @@ -128,7 +128,7 @@ jobs: echo "Enclave ID (maybe shared by other images): " ${{ needs.buildEUIDImage.outputs.enclave_id }} >> ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests/aws-eks-euid-enclave-id-${{ needs.buildEUIDImage.outputs.image_tag }}.txt - name: Save Manifests as build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: aws-eks-enclave-ids-${{ needs.buildUID2Image.outputs.image_tag }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests diff --git a/.github/workflows/publish-aws-nitro-eif.yaml b/.github/workflows/publish-aws-nitro-eif.yaml index b74704c99..2c5f5965b 100644 --- a/.github/workflows/publish-aws-nitro-eif.yaml +++ b/.github/workflows/publish-aws-nitro-eif.yaml @@ -93,7 +93,7 @@ jobs: df -h - name: Save UID2 eif artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: aws-uid2-deployment-files-${{ needs.start.outputs.new_version }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/uid2 @@ -132,7 +132,7 @@ jobs: df -h - name: Save EUID eif artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: aws-euid-deployment-files-${{ needs.start.outputs.new_version }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/euid @@ -173,7 +173,7 @@ jobs: echo ${{ needs.buildEUIDEIF.outputs.euid_enclave_id }} >> ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests/aws-euid-enclave-id-${{ needs.start.outputs.new_version }}.txt - name: Save Manifests as build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: aws-eif-enclave-ids-${{ needs.start.outputs.new_version }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests 
diff --git a/.github/workflows/publish-azure-cc-enclave-docker.yaml b/.github/workflows/publish-azure-cc-enclave-docker.yaml index ac5392076..a41be72ec 100644 --- a/.github/workflows/publish-azure-cc-enclave-docker.yaml +++ b/.github/workflows/publish-azure-cc-enclave-docker.yaml @@ -88,7 +88,7 @@ jobs: github_token: ${{ github.ref_protected && secrets.GH_MERGE_TOKEN || '' }} - name: Set up JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: distribution: 'temurin' java-version: '21' @@ -111,14 +111,14 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=raw,value=${{ steps.update_version.outputs.image_tag }} - name: Build and export to Docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: ${{ env.DOCKER_CONTEXT_PATH }} load: true @@ -157,7 +157,7 @@ jobs: - name: Push to Docker id: push-to-docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: ${{ env.DOCKER_CONTEXT_PATH }} push: true @@ -193,14 +193,14 @@ jobs: bash ./scripts/azure-cc/deployment/generate-deployment-artifacts.sh - name: Upload deployment artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: azure-cc-deployment-files-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.ARTIFACTS_OUTPUT_DIR }} if-no-files-found: error - name: Upload manifest - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: azure-cc-enclave-id-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.MANIFEST_OUTPUT_DIR }} 
@@ -241,14 +241,14 @@ jobs: bash ./scripts/azure-aks/deployment/generate-deployment-artifacts.sh - name: Upload deployment artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: azure-aks-deployment-files-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.ARTIFACTS_OUTPUT_DIR }} if-no-files-found: error - name: Upload manifest - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: azure-aks-enclave-id-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.MANIFEST_OUTPUT_DIR }} diff --git a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml index b5b88f798..468ee5c4d 100644 --- a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml +++ b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml @@ -86,7 +86,7 @@ jobs: github_token: ${{ github.ref_protected && secrets.GH_MERGE_TOKEN || '' }} - name: Set up JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: distribution: 'temurin' java-version: '21' @@ -109,7 +109,7 @@ jobs: - name: Authenticate with Google Cloud id: gcp_auth - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 with: token_format: access_token workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER_ID }} @@ -125,7 +125,7 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | 
@@ -133,7 +133,7 @@ jobs: - name: Extract metadata (tags, labels) for GCP image id: meta-gcp - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ env.GCP_REGISTRY }}/${{ env.GCP_GAR_PROJECT }}/${{ env.IMAGE_NAME }} tags: | @@ -141,7 +141,7 @@ jobs: - name: Extract metadata (tags, labels) for all Docker images id: meta-all - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -150,7 +150,7 @@ jobs: type=raw,value=${{ steps.update_version.outputs.new_version }}-${{ env.ENCLAVE_PROTOCOL }} - name: Build and export to Docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: ${{ env.DOCKER_CONTEXT_PATH }} load: true @@ -171,7 +171,7 @@ jobs: - name: Push to Docker id: push-to-docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: ${{ env.DOCKER_CONTEXT_PATH }} push: true @@ -192,14 +192,14 @@ jobs: bash ./scripts/gcp-oidc/generate-deployment-artifacts.sh - name: Upload deployment artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }} path: ${{ env.ARTIFACTS_OUTPUT_DIR }} if-no-files-found: error - name: Upload manifest artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: gcp-oidc-enclave-ids-${{ steps.update_version.outputs.new_version }} path: ${{ env.MANIFEST_OUTPUT_DIR }} 
diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml index 0f9f90011..2c70afb16 100644 --- a/.github/workflows/publish-public-operator-docker-image.yaml +++ b/.github/workflows/publish-public-operator-docker-image.yaml @@ -91,7 +91,7 @@ jobs: echo $IMAGE > image-details/public-image-$IMAGE_TAG.json - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: public-image-${{ needs.image.outputs.image_tag }} path: image-details/ From b680f52a66562d0095eebfc8b9757eb9941e85e1 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Mon, 4 May 2026 07:01:10 +0000 Subject: [PATCH 07/19] [CI Pipeline] Released Snapshot version: 5.70.70-alpha-755-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 426d2c355..3a0a35725 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.70.69-alpha-754-SNAPSHOT + 5.70.70-alpha-755-SNAPSHOT UTF-8 From e0151cad2fc8c90ef00ae775ae0f4d1a5840ad3f Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Mon, 4 May 2026 07:23:07 +0000 Subject: [PATCH 08/19] [CI Pipeline] Released Snapshot version: 5.70.71-alpha-756-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 3a0a35725..f89db44ec 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.70.70-alpha-755-SNAPSHOT + 5.70.71-alpha-756-SNAPSHOT UTF-8 From 35bc8ab3f88c086e7df1c46e0c8ed39f25bc4cf0 Mon Sep 17 00:00:00 2001 
From: sophia chen Date: Mon, 4 May 2026 17:59:36 +1000 Subject: [PATCH 09/19] =?UTF-8?q?chore(UID2-6742):=20upgrade=20trivy-actio?= =?UTF-8?q?n=20v0.35.0=E2=86=92v0.36.0=20and=20download-artifact=20v4?= =?UTF-8?q?=E2=86=92v8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit trivy-action v0.36.0 eliminates the transitive actions/cache@0400d5f6 (v4.2.4) Node.js 20 dependency. download-artifact v8 replaces deprecated v4. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/build-uid2-ami.yaml | 4 ++-- .github/workflows/publish-all-operators.yaml | 14 +++++++------- .github/workflows/publish-aws-nitro-eif.yaml | 4 ++-- .../workflows/publish-azure-cc-enclave-docker.yaml | 4 ++-- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build-uid2-ami.yaml b/.github/workflows/build-uid2-ami.yaml index 93c5154ce..8727ea43f 100644 --- a/.github/workflows/build-uid2-ami.yaml +++ b/.github/workflows/build-uid2-ami.yaml @@ -123,13 +123,13 @@ jobs: needs: [buildUID2, testUID2Ami, testEUIDAmi] steps: - name: Download UID2 artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: name: uid2_AMI_measurement path: ./artifacts - name: Download EUID artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: name: euid_AMI_measurement path: ./artifacts diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml index 948b4731f..79a3f2528 100644 --- a/.github/workflows/publish-all-operators.yaml +++ b/.github/workflows/publish-all-operators.yaml 
@@ -161,43 +161,43 @@ jobs: fetch-depth: 0 - name: Download public manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: pattern: public-image-* path: ./manifests/public_operator - name: Download GCP manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: pattern: gcp-oidc-enclave-ids-* path: ./manifests/gcp_oidc_operator - name: Download Azure CC manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: pattern: azure-cc-enclave-id-* path: ./manifests/azure_cc_operator - name: Download Azure AKS manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: pattern: azure-aks-enclave-id-* path: ./manifests/azure_aks_operator - name: Download EIF manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: pattern: 'aws-eif-enclave-ids-*' path: ./manifests/aws_eif - name: Download AWS AMI manifest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: pattern: 'aws-ami-ids-*' path: ./manifests/aws_ami - name: Download Deployment Files - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: pattern: '*-deployment-files-*' path: ./deployment diff --git a/.github/workflows/publish-aws-nitro-eif.yaml b/.github/workflows/publish-aws-nitro-eif.yaml index 2c5f5965b..a929682ec 100644 --- a/.github/workflows/publish-aws-nitro-eif.yaml +++ b/.github/workflows/publish-aws-nitro-eif.yaml @@ -157,12 +157,12 @@ jobs: df -h - name: Download UID2 artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/uid2 - name: Download EUID artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/euid 
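Review bot: In `.github/workflows/publish-aws-nitro-eif.yaml` (hunk `@@ -157,12 +157,12 @@`), the "Download UID2 artifacts" step passes only `path:` to `actions/download-artifact`, so it fetches every artifact of the run instead of the UID2 one; the EUID step has the same shape as far as the hunk shows. While these lines are being touched for the v4→v8 jump, each step could be scoped to the artifact it is named for, e.g. `pattern: 'aws-uid2-deployment-files-*'` and `pattern: 'aws-euid-deployment-files-*'`, so that an unexpected artifact uploaded elsewhere in the run cannot land in the release directories. A pattern without `merge-multiple` should keep the per-artifact subdirectory layout, but the steps that consume these directories are outside the hunk, so confirm that before changing it. If the download-everything behaviour is intentional, a one-line comment saying so would be enough.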
diff --git a/.github/workflows/publish-azure-cc-enclave-docker.yaml b/.github/workflows/publish-azure-cc-enclave-docker.yaml index a41be72ec..602a34a90 100644 --- a/.github/workflows/publish-azure-cc-enclave-docker.yaml +++ b/.github/workflows/publish-azure-cc-enclave-docker.yaml @@ -130,7 +130,7 @@ jobs: BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} - name: Generate Trivy vulnerability scan report - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: ${{ steps.meta.outputs.tags }} format: 'sarif' @@ -146,7 +146,7 @@ jobs: sarif_file: 'trivy-results.sarif' - name: Test with Trivy vulnerability scanner - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: ${{ steps.meta.outputs.tags }} format: 'table' From e59af930b259e015364cd52fa9a6027bba1b4820 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Mon, 4 May 2026 08:16:08 +0000 Subject: [PATCH 10/19] [CI Pipeline] Released Snapshot version: 5.70.72-alpha-757-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f89db44ec..4612b11ab 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.70.71-alpha-756-SNAPSHOT + 5.70.72-alpha-757-SNAPSHOT UTF-8 From d10b6e1a2cff5b3b1a34d728acae1170d5ea991a Mon Sep 17 00:00:00 2001 
From: sophia chen Date: Mon, 4 May 2026 19:56:56 +1000 Subject: [PATCH 11/19] =?UTF-8?q?chore(UID2-6742):=20upgrade=20action-down?= =?UTF-8?q?load-artifact=20v6=E2=86=92v21=20and=20configure-aws-credential?= =?UTF-8?q?s=20v4=E2=86=92v6.1.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Both upgraded versions use node24. Fixes Node.js 20 deprecation warnings in build_ami and build_eks_docker_image composite actions. hashicorp/setup-packer@v3.2.0 is blocked on upstream — no node24 release exists yet. Co-Authored-By: Claude Sonnet 4.6 --- .github/actions/build_ami/action.yaml | 6 +++--- .github/actions/build_eks_docker_image/action.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/build_ami/action.yaml b/.github/actions/build_ami/action.yaml index 55e988cd3..c494d7982 100644 --- a/.github/actions/build_ami/action.yaml +++ b/.github/actions/build_ami/action.yaml @@ -71,7 +71,7 @@ runs: - name: Get EIF for Run ${{ inputs.operator_run_number }} id: get_eif_for_run - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 + uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21 if: ${{ inputs.operator_release == '' }} with: name: 'aws-${{ inputs.identity_scope }}-deployment-files-.*' 
@@ -94,14 +94,14 @@ runs: ls ./scripts/aws/uid2-operator-ami/artifacts/ -al - name: Configure UID2 AWS credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 if: ${{ inputs.identity_scope == 'uid2' }} with: aws-region: ${{ inputs.uid2_aws_region }} role-to-assume: ${{ inputs.uid2_aws_role }} - name: Configure EUID AWS credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 if: ${{ inputs.identity_scope == 'euid' }} with: aws-region: ${{ inputs.euid_aws_region }} diff --git a/.github/actions/build_eks_docker_image/action.yaml b/.github/actions/build_eks_docker_image/action.yaml index ebbddddeb..a24696853 100644 --- a/.github/actions/build_eks_docker_image/action.yaml +++ b/.github/actions/build_eks_docker_image/action.yaml @@ -59,7 +59,7 @@ runs: - name: Get EIF for Run ${{ inputs.operator_run_number }} id: get_eif_for_run - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 + uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21 if: ${{ inputs.operator_release == '' }} with: name: 'aws-${{ inputs.identity_scope }}-deployment-files-.*' From f91a3c7d0c4a78e315fc43c51293938a6b63fc4a Mon Sep 17 00:00:00 2001 From: sophia chen Date: Tue, 5 May 2026 13:31:43 +1000 Subject: [PATCH 12/19] test(UID2-6742): redirect check-stable-dependency to test branch for CI validation --- .github/workflows/check-stable-dependency.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-stable-dependency.yaml b/.github/workflows/check-stable-dependency.yaml index f8a417b55..1ad1edd34 100644 --- a/.github/workflows/check-stable-dependency.yaml +++ b/.github/workflows/check-stable-dependency.yaml 
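Review bot: In `.github/actions/build_ami/action.yaml` (hunk `@@ -94,14 +94,14 @@`), the "Configure UID2 AWS credentials" step sets only `aws-region` and `role-to-assume`, so the assumed-role session takes the action's default session name and duration. Since the pin is moving two major versions anyway, consider adding `role-session-name: build-ami-${{ github.run_id }}` so CloudTrail entries for the AMI build can be tied back to a specific workflow run, and an explicit `role-duration-seconds` sized to the build instead of the default. The EUID step's `with:` block continues past the end of the hunk, so check it for existing settings before mirroring the change there.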
@@ -3,5 +3,5 @@ on: [pull_request, workflow_dispatch] jobs: check_dependency: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@v2 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@sch-UID2-6742-update-node20-actions secrets: inherit \ No newline at end of file From ed9bdf53e913736bb12e6f23b5febedc7d009779 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Tue, 5 May 2026 03:35:29 +0000 Subject: [PATCH 13/19] [CI Pipeline] Released Snapshot version: 5.70.73-alpha-759-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 4612b11ab..31f1038ad 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.70.72-alpha-757-SNAPSHOT + 5.70.73-alpha-759-SNAPSHOT UTF-8 From 833380af802c5ddc394c6867bb1f3b22df0a658b Mon Sep 17 00:00:00 2001 From: sophia chen Date: Tue, 5 May 2026 14:32:03 +1000 Subject: [PATCH 14/19] chore(UID2-6742): upgrade remaining @v4 actions and SHA-pin bare tag references --- .github/actions/build_ami/action.yaml | 4 +- .github/actions/build_aws_eif/action.yaml | 2 +- .../build_eks_docker_image/action.yaml | 2 +- .../update_operator_version/action.yaml | 4 +- .github/workflows/build-uid2-ami.yaml | 10 +- .github/workflows/publish-all-operators.yaml | 20 +- .../publish-aws-eks-nitro-enclave-docker.yaml | 6 +- .github/workflows/publish-aws-nitro-eif.yaml | 16 +- .../publish-azure-cc-enclave-docker.yaml | 16 +- .../publish-gcp-oidc-enclave-docker.yaml | 490 +++++++++--------- .../publish-public-operator-docker-image.yaml | 2 +- 11 files changed, 286 insertions(+), 286 deletions(-) diff --git a/.github/actions/build_ami/action.yaml b/.github/actions/build_ami/action.yaml index c494d7982..3b32626ce 100644 --- a/.github/actions/build_ami/action.yaml +++ b/.github/actions/build_ami/action.yaml 
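Review bot: In `.github/workflows/check-stable-dependency.yaml`, the reusable workflow is now resolved from a branch (`@sch-UID2-6742-update-node20-actions`) while the job still passes `secrets: inherit` and triggers on `pull_request`, so whatever that branch holds at run time executes with the secrets this workflow can access. The commit title marks this as a CI-validation redirect, so it should be reverted before the series merges. The restored reference is better pinned to a full commit SHA, like the other pins in this series: `uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@<full-commit-sha-of-v2> # v2` (placeholder, not a real hash). Replacing `secrets: inherit` with an explicit list of the secrets the called workflow needs would narrow the exposure further. The file also still ends without a trailing newline.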
@@ -56,7 +56,7 @@ runs: GITHUB_CONTEXT: ${{ toJson(github) }} - name: Checkout full history - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get EIF for Release ${{ inputs.operator_release }} uses: ./.github/actions/download_release_artifact @@ -190,7 +190,7 @@ runs: ls -al - name: Upload artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ inputs.identity_scope }}_AMI_measurement path: ./scripts/aws/uid2-operator-ami/${{ inputs.identity_scope }}_AMI_measurement.txt diff --git a/.github/actions/build_aws_eif/action.yaml b/.github/actions/build_aws_eif/action.yaml index 65e2ed2b8..df3529d75 100644 --- a/.github/actions/build_aws_eif/action.yaml +++ b/.github/actions/build_aws_eif/action.yaml @@ -31,7 +31,7 @@ runs: steps: - name: Checkout full history at commit sha ${{ inputs.commit_sha }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ inputs.commit_sha }} # git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout. diff --git a/.github/actions/build_eks_docker_image/action.yaml b/.github/actions/build_eks_docker_image/action.yaml index a24696853..9ec50bab3 100644 --- a/.github/actions/build_eks_docker_image/action.yaml +++ b/.github/actions/build_eks_docker_image/action.yaml @@ -39,7 +39,7 @@ runs: steps: - name: Checkout repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Make output dir shell: bash diff --git a/.github/actions/update_operator_version/action.yaml b/.github/actions/update_operator_version/action.yaml index f3ae16a57..26ae587de 100644 --- a/.github/actions/update_operator_version/action.yaml +++ b/.github/actions/update_operator_version/action.yaml 
@@ -65,14 +65,14 @@ runs: IS_RELEASE: ${{ steps.checkRelease.outputs.is_release }} - name: Checkout full history on Main - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: ${{ inputs.version_number_input == '' }} with: # git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout. fetch-depth: 0 - name: Checkout full history at tag v${{ inputs.version_number_input }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: ${{ inputs.version_number_input != '' }} with: ref: v${{ inputs.version_number_input }} diff --git a/.github/workflows/build-uid2-ami.yaml b/.github/workflows/build-uid2-ami.yaml index 8727ea43f..8c1d39148 100644 --- a/.github/workflows/build-uid2-ami.yaml +++ b/.github/workflows/build-uid2-ami.yaml @@ -38,7 +38,7 @@ jobs: enclave_id: ${{ steps.buildAMI.outputs.enclave_id }} steps: - name: Checkout repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build UID2 Operator AMI id: buildAMI @@ -78,7 +78,7 @@ jobs: enclave_id: ${{ steps.buildAMI.outputs.enclave_id }} steps: - name: Checkout repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Pre-cleanup shell: bash @@ -123,13 +123,13 @@ jobs: needs: [buildUID2, testUID2Ami, testEUIDAmi] steps: - name: Download UID2 artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: uid2_AMI_measurement path: ./artifacts - name: Download EUID artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: euid_AMI_measurement path: ./artifacts 
@@ -142,7 +142,7 @@ jobs: euid_AMI_measurement - name: Upload artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: aws-ami-ids-${{ needs.buildUID2.outputs.version_number }} path: ./artifacts/ diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml index 79a3f2528..db62b7c67 100644 --- a/.github/workflows/publish-all-operators.yaml +++ b/.github/workflows/publish-all-operators.yaml @@ -65,7 +65,7 @@ jobs: release_type: ${{ inputs.release_type }} - name: Checkout repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 
@@ -156,54 +156,54 @@ jobs: needs: [start, buildPublic, buildGCP, buildAzure, buildAWS, buildAMI] steps: - name: Checkout repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Download public manifest - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: public-image-* path: ./manifests/public_operator - name: Download GCP manifest - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: gcp-oidc-enclave-ids-* path: ./manifests/gcp_oidc_operator - name: Download Azure CC manifest - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: azure-cc-enclave-id-* path: ./manifests/azure_cc_operator - name: Download Azure AKS manifest - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: azure-aks-enclave-id-* path: ./manifests/azure_aks_operator - name: Download EIF manifest - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: 'aws-eif-enclave-ids-*' path: ./manifests/aws_eif - name: Download AWS AMI manifest - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: 'aws-ami-ids-*' path: ./manifests/aws_ami - name: Download Deployment Files - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: '*-deployment-files-*' path: ./deployment - name: Upload artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: uid2-operator-release-${{ 
needs.start.outputs.new_version }}-manifests path: ./manifests diff --git a/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml b/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml index 7335ae0e4..6595665eb 100644 --- a/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml +++ b/.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml @@ -37,7 +37,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build Docker Image for EKS Pod id: build_docker_image_uid @@ -65,7 +65,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build Docker Image for EKS Pod id: build_docker_image_euid @@ -128,7 +128,7 @@ jobs: echo "Enclave ID (maybe shared by other images): " ${{ needs.buildEUIDImage.outputs.enclave_id }} >> ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests/aws-eks-euid-enclave-id-${{ needs.buildEUIDImage.outputs.image_tag }}.txt - name: Save Manifests as build artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: aws-eks-enclave-ids-${{ needs.buildUID2Image.outputs.image_tag }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests diff --git a/.github/workflows/publish-aws-nitro-eif.yaml b/.github/workflows/publish-aws-nitro-eif.yaml index a929682ec..2f0142519 100644 --- a/.github/workflows/publish-aws-nitro-eif.yaml +++ b/.github/workflows/publish-aws-nitro-eif.yaml @@ -50,7 +50,7 @@ jobs: GITHUB_CONTEXT: ${{ toJson(github) }} - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Update Operator Version id: update_version 
@@ -74,7 +74,7 @@ jobs: needs: start steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build UID2 AWS EIF id: build_uid2_eif @@ -93,7 +93,7 @@ jobs: df -h - name: Save UID2 eif artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: aws-uid2-deployment-files-${{ needs.start.outputs.new_version }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/uid2 @@ -113,7 +113,7 @@ jobs: needs: start steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build EUID AWS EIF id: build_euid_eif @@ -132,7 +132,7 @@ jobs: df -h - name: Save EUID eif artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: aws-euid-deployment-files-${{ needs.start.outputs.new_version }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/euid @@ -157,12 +157,12 @@ jobs: df -h - name: Download UID2 artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/uid2 - name: Download EUID artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/euid @@ -173,7 +173,7 @@ jobs: echo ${{ needs.buildEUIDEIF.outputs.euid_enclave_id }} >> ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests/aws-euid-enclave-id-${{ needs.start.outputs.new_version }}.txt - name: Save Manifests as build artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: aws-eif-enclave-ids-${{ needs.start.outputs.new_version }} path: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/manifests 
diff --git a/.github/workflows/publish-azure-cc-enclave-docker.yaml b/.github/workflows/publish-azure-cc-enclave-docker.yaml index 602a34a90..b656792e8 100644 --- a/.github/workflows/publish-azure-cc-enclave-docker.yaml +++ b/.github/workflows/publish-azure-cc-enclave-docker.yaml @@ -75,7 +75,7 @@ jobs: tags: ${{ steps.meta.outputs.tags }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Update Operator Version id: update_version @@ -88,7 +88,7 @@ jobs: github_token: ${{ github.ref_protected && secrets.GH_MERGE_TOKEN || '' }} - name: Set up JDK - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' java-version: '21' @@ -174,7 +174,7 @@ jobs: needs: buildImage steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Azure CLI uses: ./.github/actions/install_az_cli @@ -193,14 +193,14 @@ jobs: bash ./scripts/azure-cc/deployment/generate-deployment-artifacts.sh - name: Upload deployment artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: azure-cc-deployment-files-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.ARTIFACTS_OUTPUT_DIR }} if-no-files-found: error - name: Upload manifest - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: azure-cc-enclave-id-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.MANIFEST_OUTPUT_DIR }} @@ -222,7 +222,7 @@ jobs: needs: buildImage steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Azure CLI uses: ./.github/actions/install_az_cli 
@@ -241,14 +241,14 @@ jobs: bash ./scripts/azure-aks/deployment/generate-deployment-artifacts.sh - name: Upload deployment artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: azure-aks-deployment-files-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.ARTIFACTS_OUTPUT_DIR }} if-no-files-found: error - name: Upload manifest - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: azure-aks-enclave-id-${{ needs.buildImage.outputs.jar_version }} path: ${{ env.MANIFEST_OUTPUT_DIR }} diff --git a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml index 468ee5c4d..3241e452d 100644 --- a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml +++ b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml 
@@ -1,245 +1,245 @@ -name: Publish GCP OIDC Operator -run-name: ${{ format('Publish {0} GCP OIDC Operator', inputs.release_type) }} -on: - workflow_dispatch: - inputs: - release_type: - type: choice - description: The type of release - options: - - Snapshot - - Patch - - Minor - - Major - version_number_input: - description: If set, the version number will not be incremented and the given number will be used. - type: string - default: '' - vulnerability_severity: - description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. - type: choice - options: - - CRITICAL,HIGH - - CRITICAL,HIGH,MEDIUM - - CRITICAL (DO NOT use if JIRA ticket not raised) - workflow_call: - inputs: - release_type: - description: The type of version number to return. Must be one of [Snapshot, Patch, Minor or Major] - required: true - type: string - version_number_input: - description: If set, the version number will not be incremented and the given number will be used. - type: string - default: '' - commit_sha: - description: The commit SHA for committing the new version for pom.xml. - type: string - default: '' - vulnerability_severity: - description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between). 
- type: string - default: 'CRITICAL,HIGH' - - outputs: - image_tag: - description: The tag used to describe the image in Docker - value: ${{ jobs.buildImage.outputs.image_tag }} - -env: - REGISTRY: ghcr.io - GCP_REGISTRY: us-docker.pkg.dev - GCP_GAR_PROJECT: uid2-prod-project - MAVEN_PROFILE: gcp - ENCLAVE_PROTOCOL: gcp-oidc - IMAGE_NAME: ${{ github.repository }} - DOCKER_CONTEXT_PATH: scripts/gcp-oidc - ARTIFACTS_OUTPUT_DIR: ${{ github.workspace }}/deployment-artifacts - MANIFEST_OUTPUT_DIR: ${{ github.workspace }}/manifests - -jobs: - buildImage: - name: Build Image - runs-on: ubuntu-latest - environment: ${{ github.ref_protected && 'ci-auto-merge' || '' }} - permissions: - contents: write - security-events: write - packages: write - id-token: write - pull-requests: write - outputs: - jar_version: ${{ steps.update_version.outputs.new_version }} - image_tag: ${{ steps.update_version.outputs.image_tag }} - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Update Operator Version - id: update_version - uses: ./.github/actions/update_operator_version - with: - release_type: ${{ inputs.release_type }} - version_number_input: ${{ inputs.version_number_input }} - image_tag_suffix: ${{ env.ENCLAVE_PROTOCOL }} - commit_sha: ${{ inputs.commit_sha }} - github_token: ${{ github.ref_protected && secrets.GH_MERGE_TOKEN || '' }} - - - name: Set up JDK - uses: actions/setup-java@v5 - with: - distribution: 'temurin' - java-version: '21' - - - name: Package JAR - id: package - run: | - mvn -B package -P ${{ env.MAVEN_PROFILE }} - echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT - echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT - cp -r target ${{ env.DOCKER_CONTEXT_PATH }}/ - cp scripts/confidential_compute.py ${{ env.DOCKER_CONTEXT_PATH }}/ - - - name: Log in to the Docker container registry - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 - with: - 
registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Authenticate with Google Cloud - id: gcp_auth - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 - with: - token_format: access_token - workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER_ID }} - service_account: ${{ vars.GCP_SERVICE_ACCOUNT }} - access_token_lifetime: 300s - - - name: Log in to the GCP Registry - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 - with: - registry: ${{ env.GCP_REGISTRY }} - username: oauth2accesstoken - password: ${{ steps.gcp_auth.outputs.access_token }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=raw,value=${{ steps.update_version.outputs.image_tag }} - - - name: Extract metadata (tags, labels) for GCP image - id: meta-gcp - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 - with: - images: ${{ env.GCP_REGISTRY }}/${{ env.GCP_GAR_PROJECT }}/${{ env.IMAGE_NAME }} - tags: | - type=raw,value=${{ steps.update_version.outputs.image_tag }} - - - name: Extract metadata (tags, labels) for all Docker images - id: meta-all - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 - with: - images: | - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - ${{ env.GCP_REGISTRY }}/${{ env.GCP_GAR_PROJECT }}/${{ env.IMAGE_NAME }} - tags: | - type=raw,value=${{ steps.update_version.outputs.new_version }}-${{ env.ENCLAVE_PROTOCOL }} - - - name: Build and export to Docker - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 - with: - context: ${{ env.DOCKER_CONTEXT_PATH }} - load: true - tags: ${{ steps.meta-all.outputs.tags }} - labels: ${{ steps.meta-all.outputs.labels }} - build-args: | - JAR_VERSION=${{ 
steps.update_version.outputs.new_version }} - IMAGE_VERSION=${{ steps.update_version.outputs.new_version }} - BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} - - - name: Vulnerability Scan - uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@sch-UID2-6742-update-node20-actions - with: - image_ref: ${{ steps.meta.outputs.tags }} - scan_type: 'image' - skip_files: '/venv/lib/python3.12/site-packages/google/auth/crypt/__pycache__/_python_rsa.cpython-312.pyc' # Skip scanning this file as per UID2-4968 - failure_severity: ${{ (inputs.vulnerability_severity == 'CRITICAL (DO NOT use if JIRA ticket not raised)' && 'CRITICAL') || inputs.vulnerability_severity }} - - - name: Push to Docker - id: push-to-docker - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 - with: - context: ${{ env.DOCKER_CONTEXT_PATH }} - push: true - tags: ${{ steps.meta-all.outputs.tags }} - labels: ${{ steps.meta-all.outputs.labels }} - build-args: | - JAR_VERSION=${{ steps.update_version.outputs.new_version }} - IMAGE_VERSION=${{ steps.update_version.outputs.new_version }} - - - name: Generate GCP deployment artifacts - env: - IMAGE: ${{ steps.meta-gcp.outputs.tags }} - IMAGE_DIGEST: ${{ steps.push-to-docker.outputs.digest }} - OUTPUT_DIR: ${{ env.ARTIFACTS_OUTPUT_DIR }} - MANIFEST_DIR: ${{ env.MANIFEST_OUTPUT_DIR}} - VERSION_NUMBER: ${{ steps.update_version.outputs.new_version }} - run: | - bash ./scripts/gcp-oidc/generate-deployment-artifacts.sh - - - name: Upload deployment artifacts - uses: actions/upload-artifact@v7 - with: - name: gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }} - path: ${{ env.ARTIFACTS_OUTPUT_DIR }} - if-no-files-found: error - - - name: Upload manifest artifacts - uses: actions/upload-artifact@v7 - with: - name: gcp-oidc-enclave-ids-${{ steps.update_version.outputs.new_version }} - path: ${{ env.MANIFEST_OUTPUT_DIR }} - if-no-files-found: error - - - name: Generate release archive - if: ${{ 
inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }} - run: | - zip -j ${{ env.ARTIFACTS_OUTPUT_DIR }}/gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }}.zip ${{ env.ARTIFACTS_OUTPUT_DIR }}/* - - - name: Build changelog - id: github_release - if: ${{ inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }} - uses: mikepenz/release-changelog-builder-action@32e3c96f29a6532607f638797455e9e98cfc703d # v4 - with: - configurationJson: | - { - "template": "#{{CHANGELOG}}\n## Installation\n```\ndocker pull ${{ steps.meta.outputs.tags }}\n```\n\n## Image reference to deploy: \n```\n${{ steps.update_version.outputs.image_tag }}\n```\n\n## Changelog\n#{{UNCATEGORIZED}}", - "pr_template": " - #{{TITLE}} - ( PR: ##{{NUMBER}} )" - } - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Create release - if: ${{ inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }} - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 - with: - name: ${{ steps.update_version.outputs.new_version }} - body: ${{ steps.github_release.outputs.changelog }} - draft: true - files: | - ${{ env.ARTIFACTS_OUTPUT_DIR }}/gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }}.zip - ${{ env.MANIFEST_OUTPUT_DIR }}/gcp-oidc-enclave-id-${{ steps.update_version.outputs.new_version }}.txt - ${{ env.MANIFEST_OUTPUT_DIR }}/gcp-oidc-enclave-id-debug-${{ steps.update_version.outputs.new_version }}.txt - - e2e: - name: E2E - uses: ./.github/workflows/run-e2e-tests-on-operator.yaml - needs: buildImage - with: - operator_type: gcp - operator_image_version: ${{ needs.buildImage.outputs.image_tag }} - secrets: inherit +name: Publish GCP OIDC Operator +run-name: ${{ format('Publish {0} GCP OIDC Operator', inputs.release_type) }} +on: + workflow_dispatch: + inputs: + release_type: + type: choice + description: The type of release + options: + - 
Snapshot + - Patch + - Minor + - Major + version_number_input: + description: If set, the version number will not be incremented and the given number will be used. + type: string + default: '' + vulnerability_severity: + description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. + type: choice + options: + - CRITICAL,HIGH + - CRITICAL,HIGH,MEDIUM + - CRITICAL (DO NOT use if JIRA ticket not raised) + workflow_call: + inputs: + release_type: + description: The type of version number to return. Must be one of [Snapshot, Patch, Minor or Major] + required: true + type: string + version_number_input: + description: If set, the version number will not be incremented and the given number will be used. + type: string + default: '' + commit_sha: + description: The commit SHA for committing the new version for pom.xml. + type: string + default: '' + vulnerability_severity: + description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between). 
+ type: string + default: 'CRITICAL,HIGH' + + outputs: + image_tag: + description: The tag used to describe the image in Docker + value: ${{ jobs.buildImage.outputs.image_tag }} + +env: + REGISTRY: ghcr.io + GCP_REGISTRY: us-docker.pkg.dev + GCP_GAR_PROJECT: uid2-prod-project + MAVEN_PROFILE: gcp + ENCLAVE_PROTOCOL: gcp-oidc + IMAGE_NAME: ${{ github.repository }} + DOCKER_CONTEXT_PATH: scripts/gcp-oidc + ARTIFACTS_OUTPUT_DIR: ${{ github.workspace }}/deployment-artifacts + MANIFEST_OUTPUT_DIR: ${{ github.workspace }}/manifests + +jobs: + buildImage: + name: Build Image + runs-on: ubuntu-latest + environment: ${{ github.ref_protected && 'ci-auto-merge' || '' }} + permissions: + contents: write + security-events: write + packages: write + id-token: write + pull-requests: write + outputs: + jar_version: ${{ steps.update_version.outputs.new_version }} + image_tag: ${{ steps.update_version.outputs.image_tag }} + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Update Operator Version + id: update_version + uses: ./.github/actions/update_operator_version + with: + release_type: ${{ inputs.release_type }} + version_number_input: ${{ inputs.version_number_input }} + image_tag_suffix: ${{ env.ENCLAVE_PROTOCOL }} + commit_sha: ${{ inputs.commit_sha }} + github_token: ${{ github.ref_protected && secrets.GH_MERGE_TOKEN || '' }} + + - name: Set up JDK + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 + with: + distribution: 'temurin' + java-version: '21' + + - name: Package JAR + id: package + run: | + mvn -B package -P ${{ env.MAVEN_PROFILE }} + echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT + echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT + cp -r target ${{ env.DOCKER_CONTEXT_PATH }}/ + cp scripts/confidential_compute.py ${{ env.DOCKER_CONTEXT_PATH }}/ + + - name: Log in to the Docker container 
registry + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Authenticate with Google Cloud + id: gcp_auth + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 + with: + token_format: access_token + workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER_ID }} + service_account: ${{ vars.GCP_SERVICE_ACCOUNT }} + access_token_lifetime: 300s + + - name: Log in to the GCP Registry + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + with: + registry: ${{ env.GCP_REGISTRY }} + username: oauth2accesstoken + password: ${{ steps.gcp_auth.outputs.access_token }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=raw,value=${{ steps.update_version.outputs.image_tag }} + + - name: Extract metadata (tags, labels) for GCP image + id: meta-gcp + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + with: + images: ${{ env.GCP_REGISTRY }}/${{ env.GCP_GAR_PROJECT }}/${{ env.IMAGE_NAME }} + tags: | + type=raw,value=${{ steps.update_version.outputs.image_tag }} + + - name: Extract metadata (tags, labels) for all Docker images + id: meta-all + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + with: + images: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + ${{ env.GCP_REGISTRY }}/${{ env.GCP_GAR_PROJECT }}/${{ env.IMAGE_NAME }} + tags: | + type=raw,value=${{ steps.update_version.outputs.new_version }}-${{ env.ENCLAVE_PROTOCOL }} + + - name: Build and export to Docker + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + with: + context: ${{ env.DOCKER_CONTEXT_PATH }} + load: true + tags: ${{ 
steps.meta-all.outputs.tags }} + labels: ${{ steps.meta-all.outputs.labels }} + build-args: | + JAR_VERSION=${{ steps.update_version.outputs.new_version }} + IMAGE_VERSION=${{ steps.update_version.outputs.new_version }} + BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} + + - name: Vulnerability Scan + uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@sch-UID2-6742-update-node20-actions + with: + image_ref: ${{ steps.meta.outputs.tags }} + scan_type: 'image' + skip_files: '/venv/lib/python3.12/site-packages/google/auth/crypt/__pycache__/_python_rsa.cpython-312.pyc' # Skip scanning this file as per UID2-4968 + failure_severity: ${{ (inputs.vulnerability_severity == 'CRITICAL (DO NOT use if JIRA ticket not raised)' && 'CRITICAL') || inputs.vulnerability_severity }} + + - name: Push to Docker + id: push-to-docker + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + with: + context: ${{ env.DOCKER_CONTEXT_PATH }} + push: true + tags: ${{ steps.meta-all.outputs.tags }} + labels: ${{ steps.meta-all.outputs.labels }} + build-args: | + JAR_VERSION=${{ steps.update_version.outputs.new_version }} + IMAGE_VERSION=${{ steps.update_version.outputs.new_version }} + + - name: Generate GCP deployment artifacts + env: + IMAGE: ${{ steps.meta-gcp.outputs.tags }} + IMAGE_DIGEST: ${{ steps.push-to-docker.outputs.digest }} + OUTPUT_DIR: ${{ env.ARTIFACTS_OUTPUT_DIR }} + MANIFEST_DIR: ${{ env.MANIFEST_OUTPUT_DIR}} + VERSION_NUMBER: ${{ steps.update_version.outputs.new_version }} + run: | + bash ./scripts/gcp-oidc/generate-deployment-artifacts.sh + + - name: Upload deployment artifacts + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }} + path: ${{ env.ARTIFACTS_OUTPUT_DIR }} + if-no-files-found: error + + - name: Upload manifest artifacts + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + 
name: gcp-oidc-enclave-ids-${{ steps.update_version.outputs.new_version }} + path: ${{ env.MANIFEST_OUTPUT_DIR }} + if-no-files-found: error + + - name: Generate release archive + if: ${{ inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }} + run: | + zip -j ${{ env.ARTIFACTS_OUTPUT_DIR }}/gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }}.zip ${{ env.ARTIFACTS_OUTPUT_DIR }}/* + + - name: Build changelog + id: github_release + if: ${{ inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }} + uses: mikepenz/release-changelog-builder-action@32e3c96f29a6532607f638797455e9e98cfc703d # v4 + with: + configurationJson: | + { + "template": "#{{CHANGELOG}}\n## Installation\n```\ndocker pull ${{ steps.meta.outputs.tags }}\n```\n\n## Image reference to deploy: \n```\n${{ steps.update_version.outputs.image_tag }}\n```\n\n## Changelog\n#{{UNCATEGORIZED}}", + "pr_template": " - #{{TITLE}} - ( PR: ##{{NUMBER}} )" + } + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Create release + if: ${{ inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }} + uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 + with: + name: ${{ steps.update_version.outputs.new_version }} + body: ${{ steps.github_release.outputs.changelog }} + draft: true + files: | + ${{ env.ARTIFACTS_OUTPUT_DIR }}/gcp-oidc-deployment-files-${{ steps.update_version.outputs.new_version }}.zip + ${{ env.MANIFEST_OUTPUT_DIR }}/gcp-oidc-enclave-id-${{ steps.update_version.outputs.new_version }}.txt + ${{ env.MANIFEST_OUTPUT_DIR }}/gcp-oidc-enclave-id-debug-${{ steps.update_version.outputs.new_version }}.txt + + e2e: + name: E2E + uses: ./.github/workflows/run-e2e-tests-on-operator.yaml + needs: buildImage + with: + operator_type: gcp + operator_image_version: ${{ needs.buildImage.outputs.image_tag }} + secrets: inherit 
diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml index 2c70afb16..4929e7658 100644 --- a/.github/workflows/publish-public-operator-docker-image.yaml +++ b/.github/workflows/publish-public-operator-docker-image.yaml @@ -91,7 +91,7 @@ jobs: echo $IMAGE > image-details/public-image-$IMAGE_TAG.json - name: Upload artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: public-image-${{ needs.image.outputs.image_tag }} path: image-details/ From f7cf20b593e4a771664580b75c8f5b0d3a573d11 Mon Sep 17 00:00:00 2001 From: sophia chen Date: Tue, 5 May 2026 16:57:23 +1000 Subject: [PATCH 15/19] chore(UID2-6742): fix outdated softprops/action-gh-release and geekyeggo/delete-artifact SHA pins --- .github/workflows/build-uid2-ami.yaml | 2 +- .github/workflows/publish-all-operators.yaml | 2 +- .github/workflows/publish-aws-nitro-eif.yaml | 2 +- .github/workflows/publish-gcp-oidc-enclave-docker.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-uid2-ami.yaml b/.github/workflows/build-uid2-ami.yaml index 8c1d39148..bc5c24aab 100644 --- a/.github/workflows/build-uid2-ami.yaml +++ b/.github/workflows/build-uid2-ami.yaml @@ -135,7 +135,7 @@ jobs: path: ./artifacts - name: Delete staging artifacts - uses: geekyeggo/delete-artifact@b54d29a59e55046d1f7fc8226cdda507e6b9cf62 # v5 + uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5 with: name: | uid2_AMI_measurement diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml index db62b7c67..e9799be61 100644 --- a/.github/workflows/publish-all-operators.yaml +++ b/.github/workflows/publish-all-operators.yaml 
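Review bot: The trailing comment on the new `geekyeggo/delete-artifact` pin in build-uid2-ami.yaml still reads `# v5`, a floating major tag, so a reader cannot tell which release the SHA is meant to correspond to. Other pins in this series name the exact release (`# v7.0.1`, `# v4.1.0`); doing the same here, e.g. `uses: geekyeggo/delete-artifact@<full-commit-sha> # v5.x.y` (placeholder SHA and version), lets a reviewer or an update bot check the SHA against one immutable release. The same applies to the three `softprops/action-gh-release@… # v2` hunks that follow in this commit and to the `rtCamp/action-slack-notify@… # v2` pin in PATCH 16/19, a step that receives `secrets.SLACK_WEBHOOK`. The step bodies continue outside the hunks.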
@@ -231,7 +231,7 @@ jobs: (cd manifests && zip -r ../uid2-operator-release-manifests-${{ needs.start.outputs.new_version }}.zip .) - name: Create draft release - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 with: name: v${{ needs.start.outputs.new_version }} body: ${{ steps.changelog.outputs.changelog }} diff --git a/.github/workflows/publish-aws-nitro-eif.yaml b/.github/workflows/publish-aws-nitro-eif.yaml index 2f0142519..9dae6b4a9 100644 --- a/.github/workflows/publish-aws-nitro-eif.yaml +++ b/.github/workflows/publish-aws-nitro-eif.yaml @@ -194,7 +194,7 @@ jobs: - name: Create release if: ${{ inputs.version_number_input == '' && needs.start.outputs.is_release == 'true' }} - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 with: name: ${{ needs.start.outputs.new_version }} body: ${{ steps.github_release.outputs.changelog }} diff --git a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml index 3241e452d..0425463ad 100644 --- a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml +++ b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml @@ -225,7 +225,7 @@ jobs: - name: Create release if: ${{ inputs.version_number_input == '' && steps.update_version.outputs.is_release == 'true' }} - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 with: name: ${{ steps.update_version.outputs.new_version }} body: ${{ steps.github_release.outputs.changelog }} From c7788c09690ee4195b56662bdf34f5a233ae3fe8 Mon Sep 17 00:00:00 2001 
From: sophia chen Date: Tue, 5 May 2026 17:17:42 +1000 Subject: [PATCH 16/19] fix(UID2-6742): correct SHA pins (tag SHA not commit SHA) --- .github/actions/download_release_artifact/action.yaml | 2 +- .github/workflows/build-uid2-ami.yaml | 2 +- .github/workflows/publish-all-operators.yaml | 2 +- .github/workflows/publish-azure-cc-enclave-docker.yaml | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/actions/download_release_artifact/action.yaml b/.github/actions/download_release_artifact/action.yaml index 24c6f0530..dbba87e13 100644 --- a/.github/actions/download_release_artifact/action.yaml +++ b/.github/actions/download_release_artifact/action.yaml @@ -27,7 +27,7 @@ runs: steps: - name: Get Artifact Ids id: get_asset_id - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 with: github-token: ${{ inputs.github_token }} result-encoding: string diff --git a/.github/workflows/build-uid2-ami.yaml b/.github/workflows/build-uid2-ami.yaml index bc5c24aab..8c1d39148 100644 --- a/.github/workflows/build-uid2-ami.yaml +++ b/.github/workflows/build-uid2-ami.yaml @@ -135,7 +135,7 @@ jobs: path: ./artifacts - name: Delete staging artifacts - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5 + uses: geekyeggo/delete-artifact@b54d29a59e55046d1f7fc8226cdda507e6b9cf62 # v5 with: name: | uid2_AMI_measurement diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml index e9799be61..1ff87521c 100644 --- a/.github/workflows/publish-all-operators.yaml +++ b/.github/workflows/publish-all-operators.yaml 
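Review bot: Nothing in this commit records how the replacement SHAs were derived, and the subject line ("tag SHA not commit SHA") can be read in either direction. The value after `@` should be the commit that the release tag points at rather than the SHA of an annotated tag object; for an annotated tag, `git ls-remote --tags <repo-url>` lists both, and the peeled `refs/tags/<tag>^{}` entry is the commit. Stating that source in the commit message would make the `actions/github-script` pin here, and the `rtCamp/action-slack-notify`, `aquasecurity/trivy-action` and `github/codeql-action/upload-sarif` pins in the following hunks, independently checkable. The `geekyeggo/delete-artifact` hunk also restores the exact SHA that PATCH 15/19 replaced as outdated, so one of the two commits is mistaken about that pin and it should be confirmed before merge.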
@@ -255,4 +255,4 @@ jobs: SLACK_MESSAGE: ':x: Operator Pipeline failed' SLACK_TITLE: Pipeline Failed in ${{ github.workflow }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2 + uses: rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # v2 diff --git a/.github/workflows/publish-azure-cc-enclave-docker.yaml b/.github/workflows/publish-azure-cc-enclave-docker.yaml index b656792e8..ad0f170ae 100644 --- a/.github/workflows/publish-azure-cc-enclave-docker.yaml +++ b/.github/workflows/publish-azure-cc-enclave-docker.yaml @@ -130,7 +130,7 @@ jobs: BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} - name: Generate Trivy vulnerability scan report - uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 with: image-ref: ${{ steps.meta.outputs.tags }} format: 'sarif' @@ -141,12 +141,12 @@ jobs: hide-progress: true - name: Upload Trivy scan report to GitHub Security tab - uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 + uses: github/codeql-action/upload-sarif@c3f298df8c1fea2fefe20c785e6aa00f32df8260 # v4.35.3 with: sarif_file: 'trivy-results.sarif' - name: Test with Trivy vulnerability scanner - uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 with: image-ref: ${{ steps.meta.outputs.tags }} format: 'table' From 0a9571ae1193ffd5273a14d1e5aa0a3440c4687a Mon Sep 17 00:00:00 2001 
From: sophia chen Date: Wed, 6 May 2026 11:30:12 +1000 Subject: [PATCH 17/19] revert(UID2-6742): restore @v3 refs for internal shared-actions calls (drop test redirects) --- .github/actions/update_operator_version/action.yaml | 8 ++++---- .github/workflows/build-and-test.yaml | 2 +- .github/workflows/check-stable-dependency.yaml | 2 +- .github/workflows/publish-all-operators.yaml | 8 ++++---- .github/workflows/publish-gcp-oidc-enclave-docker.yaml | 2 +- .../workflows/publish-public-operator-docker-image.yaml | 2 +- .github/workflows/run-e2e-tests-on-operator.yaml | 2 +- .github/workflows/validate-image.yaml | 8 ++++---- .github/workflows/vulnerability-scan-failure-notify.yaml | 2 +- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/actions/update_operator_version/action.yaml b/.github/actions/update_operator_version/action.yaml index 26ae587de..4ae4406a5 100644 --- a/.github/actions/update_operator_version/action.yaml +++ b/.github/actions/update_operator_version/action.yaml @@ -37,7 +37,7 @@ runs: steps: - name: Check branch and release type id: checkRelease - uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3 with: release_type: ${{ inputs.release_type }} @@ -84,7 +84,7 @@ runs: - name: Set version number id: version - uses: IABTechLab/uid2-shared-actions/actions/version_number@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/version_number@v3 with: type: ${{ inputs.release_type }} version_number: ${{ inputs.version_number_input }} 
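Review bot: After this revert every `IABTechLab/uid2-shared-actions` reference floats on the movable `@v3` tag, while the third-party actions in the same series are pinned to full commit SHAs. Several of the callers pass `secrets: inherit` (build-and-test.yaml, check-stable-dependency.yaml, validate-image.yaml) and others commit and tag releases through `commit_pr_and_merge`, so whoever can move `v3` in the shared repository changes what runs with this repository's credentials. If organisation policy allows, pin these the same way, e.g. `uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@<full-commit-sha> # v3` (placeholder SHA); otherwise confirm that `v3` is protected against re-tagging. This applies to every hunk of this commit, and the step and job bodies continue outside the hunks.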
@@ -103,7 +103,7 @@ runs: - name: Commit pom.xml and version.json id: commit-without-tag if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release != 'true' }} - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 with: add: 'pom.xml version.json' message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}' @@ -112,7 +112,7 @@ runs: - name: Commit pom.xml, version.json and set tag id: commit-and-tag if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }} - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 with: add: 'pom.xml version.json' message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}' diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml index 1263c3553..aa13387c6 100644 --- a/.github/workflows/build-and-test.yaml +++ b/.github/workflows/build-and-test.yaml @@ -3,7 +3,7 @@ on: [pull_request, push, workflow_dispatch] jobs: build: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@v3 with: java_version: 21 secrets: inherit \ No newline at end of file diff --git a/.github/workflows/check-stable-dependency.yaml b/.github/workflows/check-stable-dependency.yaml index 1ad1edd34..38aea7689 100644 --- a/.github/workflows/check-stable-dependency.yaml +++ b/.github/workflows/check-stable-dependency.yaml 
@@ -3,5 +3,5 @@ on: [pull_request, workflow_dispatch] jobs: check_dependency: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@v3 secrets: inherit \ No newline at end of file diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml index 1ff87521c..71897f94a 100644 --- a/.github/workflows/publish-all-operators.yaml +++ b/.github/workflows/publish-all-operators.yaml @@ -60,7 +60,7 @@ jobs: GITHUB_CONTEXT: ${{ toJson(github) }} - name: Check branch and release type - uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3 with: release_type: ${{ inputs.release_type }} @@ -70,7 +70,7 @@ jobs: fetch-depth: 0 - name: Scan vulnerabilities - uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 with: scan_severity: HIGH,CRITICAL failure_severity: CRITICAL @@ -78,7 +78,7 @@ jobs: - name: Set version number id: version - uses: IABTechLab/uid2-shared-actions/actions/version_number@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/version_number@v3 with: type: ${{ env.RELEASE_TYPE }} branch_name: ${{ github.ref }} @@ -92,7 +92,7 @@ jobs: - name: Commit pom.xml, version.json and set tag id: commit-and-tag - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 with: add: 'pom.xml version.json' message: 'Released ${{ env.RELEASE_TYPE }} version: ${{ steps.version.outputs.new_version }}' 
diff --git a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml index 0425463ad..7b51aa5b6 100644 --- a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml +++ b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml @@ -162,7 +162,7 @@ jobs: BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} - name: Vulnerability Scan - uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 with: image_ref: ${{ steps.meta.outputs.tags }} scan_type: 'image' diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml index 4929e7658..5c0d4a2c6 100644 --- a/.github/workflows/publish-public-operator-docker-image.yaml +++ b/.github/workflows/publish-public-operator-docker-image.yaml @@ -59,7 +59,7 @@ jobs: image: name: Image - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 needs: check_major with: release_type: ${{ inputs.release_type }} diff --git a/.github/workflows/run-e2e-tests-on-operator.yaml b/.github/workflows/run-e2e-tests-on-operator.yaml index c3ba8e084..462a992e1 100644 --- a/.github/workflows/run-e2e-tests-on-operator.yaml +++ b/.github/workflows/run-e2e-tests-on-operator.yaml @@ -117,7 +117,7 @@ on: jobs: e2e-test: name: E2E Test - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-run-e2e-tests.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-run-e2e-tests.yaml@v3 with: operator_type: ${{ inputs.operator_type }} identity_scope: ${{ inputs.identity_scope }} 
diff --git a/.github/workflows/validate-image.yaml b/.github/workflows/validate-image.yaml index 3b257a5ae..37b4bf912 100644 --- a/.github/workflows/validate-image.yaml +++ b/.github/workflows/validate-image.yaml @@ -19,7 +19,7 @@ on: jobs: build-publish-docker-default: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} @@ -27,7 +27,7 @@ jobs: java_version: 21 secrets: inherit build-publish-docker-aws: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} @@ -36,7 +36,7 @@ jobs: secrets: inherit needs: [build-publish-docker-default] build-publish-docker-gcp: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} @@ -45,7 +45,7 @@ jobs: secrets: inherit needs: [build-publish-docker-aws] build-publish-docker-azure: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} 
diff --git a/.github/workflows/vulnerability-scan-failure-notify.yaml b/.github/workflows/vulnerability-scan-failure-notify.yaml index e59ed7f4d..7a87e06fc 100644 --- a/.github/workflows/vulnerability-scan-failure-notify.yaml +++ b/.github/workflows/vulnerability-scan-failure-notify.yaml @@ -16,7 +16,7 @@ on: jobs: vulnerability-scan-failure-notify: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-vulnerability-scan-failure-notify.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-vulnerability-scan-failure-notify.yaml@v3 secrets: SLACK_WEBHOOK : ${{ secrets.SLACK_WEBHOOK }} with: From 7afe3d677de512738d41b04cf6d2ed020b4aa498 Mon Sep 17 00:00:00 2001 From: sophia chen Date: Wed, 6 May 2026 11:45:46 +1000 Subject: [PATCH 18/19] test(UID2-6742): redirect uid2-shared-actions refs to branch for CI validation --- .github/actions/update_operator_version/action.yaml | 8 ++++---- .github/workflows/build-and-test.yaml | 2 +- .github/workflows/check-stable-dependency.yaml | 2 +- .github/workflows/publish-all-operators.yaml | 8 ++++---- .github/workflows/publish-gcp-oidc-enclave-docker.yaml | 2 +- .../workflows/publish-public-operator-docker-image.yaml | 2 +- .github/workflows/run-e2e-tests-on-operator.yaml | 2 +- .github/workflows/validate-image.yaml | 8 ++++---- .github/workflows/vulnerability-scan-failure-notify.yaml | 2 +- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/actions/update_operator_version/action.yaml b/.github/actions/update_operator_version/action.yaml index 4ae4406a5..26ae587de 100644 --- a/.github/actions/update_operator_version/action.yaml +++ b/.github/actions/update_operator_version/action.yaml 
@@ -37,7 +37,7 @@ runs: steps: - name: Check branch and release type id: checkRelease - uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3 + uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@sch-UID2-6742-update-node20-actions with: release_type: ${{ inputs.release_type }} @@ -84,7 +84,7 @@ runs: - name: Set version number id: version - uses: IABTechLab/uid2-shared-actions/actions/version_number@v3 + uses: IABTechLab/uid2-shared-actions/actions/version_number@sch-UID2-6742-update-node20-actions with: type: ${{ inputs.release_type }} version_number: ${{ inputs.version_number_input }} @@ -103,7 +103,7 @@ runs: - name: Commit pom.xml and version.json id: commit-without-tag if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release != 'true' }} - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions with: add: 'pom.xml version.json' message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}' @@ -112,7 +112,7 @@ runs: - name: Commit pom.xml, version.json and set tag id: commit-and-tag if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }} - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions with: add: 'pom.xml version.json' message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}' diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml index aa13387c6..1263c3553 100644 --- a/.github/workflows/build-and-test.yaml +++ b/.github/workflows/build-and-test.yaml 
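Review bot: These hunks point release and security-gate code at the branch `sch-UID2-6742-update-node20-actions`, a ref that any push to that branch can change without a commit in this repository. In this commit that covers `commit_pr_and_merge`, the `vulnerability_scan` steps in publish-all-operators.yaml and publish-gcp-oidc-enclave-docker.yaml, and reusable workflows called with `secrets: inherit`. For a CI trial, referencing the branch head by commit gives the same coverage with a fixed target, e.g. `uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@<branch-head-commit-sha>` (placeholder SHA). PATCH 19/19 reverts the redirect, so the exposure is limited to runs of this commit itself, but it is worth making sure the series is squashed or that this commit cannot reach a protected branch on its own.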
@@ -3,7 +3,7 @@ on: [pull_request, push, workflow_dispatch] jobs: build: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@sch-UID2-6742-update-node20-actions with: java_version: 21 secrets: inherit \ No newline at end of file diff --git a/.github/workflows/check-stable-dependency.yaml b/.github/workflows/check-stable-dependency.yaml index 38aea7689..1ad1edd34 100644 --- a/.github/workflows/check-stable-dependency.yaml +++ b/.github/workflows/check-stable-dependency.yaml @@ -3,5 +3,5 @@ on: [pull_request, workflow_dispatch] jobs: check_dependency: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@sch-UID2-6742-update-node20-actions secrets: inherit \ No newline at end of file diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml index 71897f94a..1ff87521c 100644 --- a/.github/workflows/publish-all-operators.yaml +++ b/.github/workflows/publish-all-operators.yaml @@ -60,7 +60,7 @@ jobs: GITHUB_CONTEXT: ${{ toJson(github) }} - name: Check branch and release type - uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3 + uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@sch-UID2-6742-update-node20-actions with: release_type: ${{ inputs.release_type }} @@ -70,7 +70,7 @@ jobs: fetch-depth: 0 - name: Scan vulnerabilities - uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 + uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@sch-UID2-6742-update-node20-actions with: scan_severity: HIGH,CRITICAL failure_severity: CRITICAL 
@@ -78,7 +78,7 @@ jobs: - name: Set version number id: version - uses: IABTechLab/uid2-shared-actions/actions/version_number@v3 + uses: IABTechLab/uid2-shared-actions/actions/version_number@sch-UID2-6742-update-node20-actions with: type: ${{ env.RELEASE_TYPE }} branch_name: ${{ github.ref }} @@ -92,7 +92,7 @@ jobs: - name: Commit pom.xml, version.json and set tag id: commit-and-tag - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions with: add: 'pom.xml version.json' message: 'Released ${{ env.RELEASE_TYPE }} version: ${{ steps.version.outputs.new_version }}' diff --git a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml index 7b51aa5b6..0425463ad 100644 --- a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml +++ b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml @@ -162,7 +162,7 @@ jobs: BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} - name: Vulnerability Scan - uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 + uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@sch-UID2-6742-update-node20-actions with: image_ref: ${{ steps.meta.outputs.tags }} scan_type: 'image' diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml index 5c0d4a2c6..4929e7658 100644 --- a/.github/workflows/publish-public-operator-docker-image.yaml +++ b/.github/workflows/publish-public-operator-docker-image.yaml @@ -59,7 +59,7 @@ jobs: image: name: Image - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@sch-UID2-6742-update-node20-actions needs: check_major with: release_type: ${{ inputs.release_type }} 
diff --git a/.github/workflows/run-e2e-tests-on-operator.yaml b/.github/workflows/run-e2e-tests-on-operator.yaml index 462a992e1..c3ba8e084 100644 --- a/.github/workflows/run-e2e-tests-on-operator.yaml +++ b/.github/workflows/run-e2e-tests-on-operator.yaml @@ -117,7 +117,7 @@ on: jobs: e2e-test: name: E2E Test - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-run-e2e-tests.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-run-e2e-tests.yaml@sch-UID2-6742-update-node20-actions with: operator_type: ${{ inputs.operator_type }} identity_scope: ${{ inputs.identity_scope }} diff --git a/.github/workflows/validate-image.yaml b/.github/workflows/validate-image.yaml index 37b4bf912..3b257a5ae 100644 --- a/.github/workflows/validate-image.yaml +++ b/.github/workflows/validate-image.yaml @@ -19,7 +19,7 @@ on: jobs: build-publish-docker-default: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} @@ -27,7 +27,7 @@ jobs: java_version: 21 secrets: inherit build-publish-docker-aws: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} 
@@ -36,7 +36,7 @@ jobs: secrets: inherit needs: [build-publish-docker-default] build-publish-docker-gcp: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} @@ -45,7 +45,7 @@ jobs: secrets: inherit needs: [build-publish-docker-aws] build-publish-docker-azure: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} diff --git a/.github/workflows/vulnerability-scan-failure-notify.yaml b/.github/workflows/vulnerability-scan-failure-notify.yaml index 7a87e06fc..e59ed7f4d 100644 --- a/.github/workflows/vulnerability-scan-failure-notify.yaml +++ b/.github/workflows/vulnerability-scan-failure-notify.yaml @@ -16,7 +16,7 @@ on: jobs: vulnerability-scan-failure-notify: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-vulnerability-scan-failure-notify.yaml@v3 + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-vulnerability-scan-failure-notify.yaml@sch-UID2-6742-update-node20-actions secrets: SLACK_WEBHOOK : ${{ secrets.SLACK_WEBHOOK }} with: From 647c655c2448f5af7fd085330aeeaed3f006ddca Mon Sep 17 00:00:00 2001 
From: sophia chen Date: Fri, 8 May 2026 09:32:51 +1000 Subject: [PATCH 19/19] revert(UID2-6742): restore @v3 refs (remove CI test redirects) --- .github/actions/update_operator_version/action.yaml | 8 ++++---- .github/workflows/build-and-test.yaml | 2 +- .github/workflows/check-stable-dependency.yaml | 2 +- .github/workflows/publish-all-operators.yaml | 8 ++++---- .github/workflows/publish-gcp-oidc-enclave-docker.yaml | 2 +- .../workflows/publish-public-operator-docker-image.yaml | 2 +- .github/workflows/run-e2e-tests-on-operator.yaml | 2 +- .github/workflows/validate-image.yaml | 8 ++++---- .github/workflows/vulnerability-scan-failure-notify.yaml | 2 +- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/actions/update_operator_version/action.yaml b/.github/actions/update_operator_version/action.yaml index 26ae587de..4ae4406a5 100644 --- a/.github/actions/update_operator_version/action.yaml +++ b/.github/actions/update_operator_version/action.yaml @@ -37,7 +37,7 @@ runs: steps: - name: Check branch and release type id: checkRelease - uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3 with: release_type: ${{ inputs.release_type }} @@ -84,7 +84,7 @@ runs: - name: Set version number id: version - uses: IABTechLab/uid2-shared-actions/actions/version_number@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/version_number@v3 with: type: ${{ inputs.release_type }} version_number: ${{ inputs.version_number_input }} 
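Review bot: `@v3` on the restored `uses:` lines is a tag, and tags in the referenced repository can be moved, so the code behind `check_branch_and_release_type` and `version_number` is not fixed by anything in this file. Patch 01/19 of the same series pins `docker/login-action` to a full commit SHA with a version comment; the same form here would be `uses: IABTechLab/uid2-shared-actions/actions/version_number@<full-commit-sha> # v3`. A floating major tag may be deliberate for a first-party repository, in which case a short comment saying so, together with tag protection on uid2-shared-actions, documents the trust decision. This applies equally to the remaining `@v3` hunks in this patch, including the `commit_pr_and_merge` steps and the reusable workflows called with `secrets: inherit`.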
@@ -103,7 +103,7 @@ runs: - name: Commit pom.xml and version.json id: commit-without-tag if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release != 'true' }} - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 with: add: 'pom.xml version.json' message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}' @@ -112,7 +112,7 @@ runs: - name: Commit pom.xml, version.json and set tag id: commit-and-tag if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }} - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 with: add: 'pom.xml version.json' message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}' diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml index 1263c3553..aa13387c6 100644 --- a/.github/workflows/build-and-test.yaml +++ b/.github/workflows/build-and-test.yaml @@ -3,7 +3,7 @@ on: [pull_request, push, workflow_dispatch] jobs: build: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@v3 with: java_version: 21 secrets: inherit \ No newline at end of file diff --git a/.github/workflows/check-stable-dependency.yaml b/.github/workflows/check-stable-dependency.yaml index 1ad1edd34..38aea7689 100644 --- a/.github/workflows/check-stable-dependency.yaml +++ b/.github/workflows/check-stable-dependency.yaml 
@@ -3,5 +3,5 @@ on: [pull_request, workflow_dispatch] jobs: check_dependency: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-check-stable-dependency.yaml@v3 secrets: inherit \ No newline at end of file diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml index 1ff87521c..71897f94a 100644 --- a/.github/workflows/publish-all-operators.yaml +++ b/.github/workflows/publish-all-operators.yaml @@ -60,7 +60,7 @@ jobs: GITHUB_CONTEXT: ${{ toJson(github) }} - name: Check branch and release type - uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3 with: release_type: ${{ inputs.release_type }} @@ -70,7 +70,7 @@ jobs: fetch-depth: 0 - name: Scan vulnerabilities - uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 with: scan_severity: HIGH,CRITICAL failure_severity: CRITICAL @@ -78,7 +78,7 @@ jobs: - name: Set version number id: version - uses: IABTechLab/uid2-shared-actions/actions/version_number@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/version_number@v3 with: type: ${{ env.RELEASE_TYPE }} branch_name: ${{ github.ref }} @@ -92,7 +92,7 @@ jobs: - name: Commit pom.xml, version.json and set tag id: commit-and-tag - uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 with: add: 'pom.xml version.json' message: 'Released ${{ env.RELEASE_TYPE }} version: ${{ steps.version.outputs.new_version }}' 
diff --git a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml index 0425463ad..7b51aa5b6 100644 --- a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml +++ b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml @@ -162,7 +162,7 @@ jobs: BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} - name: Vulnerability Scan - uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 with: image_ref: ${{ steps.meta.outputs.tags }} scan_type: 'image' diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml index 4929e7658..5c0d4a2c6 100644 --- a/.github/workflows/publish-public-operator-docker-image.yaml +++ b/.github/workflows/publish-public-operator-docker-image.yaml @@ -59,7 +59,7 @@ jobs: image: name: Image - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 needs: check_major with: release_type: ${{ inputs.release_type }} diff --git a/.github/workflows/run-e2e-tests-on-operator.yaml b/.github/workflows/run-e2e-tests-on-operator.yaml index c3ba8e084..462a992e1 100644 --- a/.github/workflows/run-e2e-tests-on-operator.yaml +++ b/.github/workflows/run-e2e-tests-on-operator.yaml @@ -117,7 +117,7 @@ on: jobs: e2e-test: name: E2E Test - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-run-e2e-tests.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-run-e2e-tests.yaml@v3 with: operator_type: ${{ inputs.operator_type }} identity_scope: ${{ inputs.identity_scope }} 
diff --git a/.github/workflows/validate-image.yaml b/.github/workflows/validate-image.yaml index 3b257a5ae..37b4bf912 100644 --- a/.github/workflows/validate-image.yaml +++ b/.github/workflows/validate-image.yaml @@ -19,7 +19,7 @@ on: jobs: build-publish-docker-default: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} @@ -27,7 +27,7 @@ jobs: java_version: 21 secrets: inherit build-publish-docker-aws: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} @@ -36,7 +36,7 @@ jobs: secrets: inherit needs: [build-publish-docker-default] build-publish-docker-gcp: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} @@ -45,7 +45,7 @@ jobs: secrets: inherit needs: [build-publish-docker-aws] build-publish-docker-azure: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3 with: failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }} fail_on_error: ${{ inputs.fail_on_error || true }} 
diff --git a/.github/workflows/vulnerability-scan-failure-notify.yaml b/.github/workflows/vulnerability-scan-failure-notify.yaml index e59ed7f4d..7a87e06fc 100644 --- a/.github/workflows/vulnerability-scan-failure-notify.yaml +++ b/.github/workflows/vulnerability-scan-failure-notify.yaml @@ -16,7 +16,7 @@ on: jobs: vulnerability-scan-failure-notify: - uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-vulnerability-scan-failure-notify.yaml@sch-UID2-6742-update-node20-actions + uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-vulnerability-scan-failure-notify.yaml@v3 secrets: SLACK_WEBHOOK : ${{ secrets.SLACK_WEBHOOK }} with: