CHORE: Update GitHub actions dependencies (#1448)

jychp · web-flow · commit afd2a7d8df9f · 2025-02-03T10:04:07.000-05:00
While investigating why the latest Scorecard workflows failed (https://github.com/cartography-cncf/cartography/actions/runs/13084015053 and https://github.com/cartography-cncf/cartography/actions/runs/13090489797), I noticed that several GitHub Actions were outdated, particularly: - **Upload Artifact** in OSSF Scorecard has been deprecated since November 2024. - **Cache V2** in Sphinx relies on an API that has been unavailable since February 1st, 2025. I checked, and we use these actions in a fairly standard way, with minimal breaking changes. These updates should not impact the workflows. I also think it would be beneficial to enable **Dependabot**, but I haven't included it in this PR while we discuss the topic. --------- Signed-off-by: Jeremy Chapeau <jeremy.chapeau@resilience.care>
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
@@ -1,14 +1,12 @@
----
-# https://github.com/marketplace/actions/ossf-scorecard-action
+# Based on: https://github.com/marketplace/actions/ossf-scorecard-action
 name: Scorecards supply-chain security
 on:
-  # Only the default branch is supported.
-  branch_protection_rule:
   schedule:
     # Weekly on Saturdays.
     - cron: '30 1 * * 6'
   push:
-    branches: [ main, master ]
+    branches:
+    - master
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -27,12 +25,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1
+        uses: ossf/scorecard-action@v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -51,14 +49,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
+        uses: actions/upload-artifact@v4.6.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
+        uses: github/codeql-action/upload-sarif@v3.28.5
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/publish-to-ghcr-and-pypi.yml b/.github/workflows/publish-to-ghcr-and-pypi.yml
@@ -17,9 +17,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # 1. Publish to PyPI
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up Python 3.10
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
 
@@ -48,18 +48,18 @@ jobs:
           skip_existing: true
 
       # 2. Publish to GHCR
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/${{ github.repository }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           # This is the user that triggered the Workflow. In this case, it will
@@ -81,7 +81,7 @@ jobs:
           sleep 10
 
       - name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v6
         with:
           file: Dockerfile
           context: .
diff --git a/.github/workflows/sphinx.yml b/.github/workflows/sphinx.yml
@@ -15,20 +15,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # https://github.com/marketplace/actions/checkout
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           lfs: true
       # https://github.com/marketplace/actions/setup-python
       # ^-- This gives info on matrix testing.
       - name: Install Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
       # https://docs.github.com/en/actions/guides/building-and-testing-python#caching-dependencies
       # ^-- How to set up caching for pip on Ubuntu
       - name: Cache pip
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
@@ -100,7 +100,7 @@ jobs:
       # Deploy
       # https://github.com/peaceiris/actions-gh-pages
       - name: Deploy
-        uses: peaceiris/actions-gh-pages@v3.8.0
+        uses: peaceiris/actions-gh-pages@v4.0.0
         if: ${{ github.event_name == 'push' }}
         with:
           publish_branch: gh-pages
diff --git a/.github/workflows/test_suite.yml b/.github/workflows/test_suite.yml
@@ -14,18 +14,18 @@ jobs:
   linter:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.10"
-      - uses: pre-commit/action@v3.0.0
+      - uses: pre-commit/action@v3.0.1
         with:
           extra_args: --all-files --show-diff-on-failure
 
   unit-and-integration-tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       # https://stackoverflow.com/a/64592785
       - name: neo4j 4 instance setup
         run: |
@@ -36,11 +36,11 @@ jobs:
             --publish 7473:7473 \
             --publish 7687:7687 \
             neo4j:4.4-community
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.10"
       # Cache our pip dir for efficiency; see https://medium.com/ai2-blog/python-caching-in-github-actions-e9452698e98d.
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         with:
           path: ~/.cache/pip
           key: ${{ hashFiles('setup.py') }}-${{ hashFiles('pyproject.toml') }}
@@ -59,7 +59,7 @@ jobs:
   unit-and-integration-tests-neo4j5:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       # https://stackoverflow.com/a/64592785
       - name: neo4j 5 setup
         run: |
@@ -70,11 +70,11 @@ jobs:
             --publish 7473:7473 \
             --publish 7687:7687 \
             neo4j:5
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.10"
       # Cache our pip dir for efficiency; see https://medium.com/ai2-blog/python-caching-in-github-actions-e9452698e98d.
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         with:
           path: ~/.cache/pip
           key: ${{ hashFiles('setup.py') }}-${{ hashFiles('pyproject.toml') }}
@@ -94,18 +94,18 @@ jobs:
   build-docker-image:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/${{ github.repository }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v6
         with:
           file: Dockerfile
           push: false # only build the image, don't push it anywhere
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -18,13 +18,13 @@ repos:
     hooks:
     -   id: flake8
 -   repo: https://github.com/hhatto/autopep8
-    rev: v2.3.1
+    rev: v2.3.2
     hooks:
     -   id: autopep8
         # disable a few rewrites which will cause autopep8 to reflow
         args: [--in-place, '--ignore=E265,E501,W504']
 -   repo: https://github.com/asottile/pyupgrade
-    rev: v3.19.0
+    rev: v3.19.1
     hooks:
     -   id: pyupgrade
         args: [--py36-plus]
@@ -39,7 +39,7 @@ repos:
     -   id: reorder-python-imports
         args: [--py3-plus]
 -   repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.13.0
+    rev: v1.14.1
     hooks:
     -   id: mypy
         additional_dependencies:
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
@@ -6,7 +6,7 @@ List of community members who have shown they are committed to Cartography's con
 
 - Alex Chantavy (https://github.com/achantavy): General catch-all
 - Ramon Petgrave (https://github.com/ramonpetgrave64): General catch-all
-- Jérémy Chapeau (https://github.com/resilience-jychp): Plugin development
+- Jérémy Chapeau (https://github.com/jychp): Plugin development
 - Ryan Lane (https://github.com/ryan-lane): Plugin development, general engineering best practices
 - Marco Lancini (https://github.com/marco-lancini): Deployment and use-cases
 - Kedar Ghule (https://github.com/kedarghule): Plugin development
