
v2.1.0

@nataliagranato nataliagranato released this 16 May 13:28
· 26 commits to main since this release
52f2353

v2.1.0 — Security Hardening and Best Practices


  • Added permissions: read-all at the top of the workflows, following the principle of least privilege.
  • Write permissions are now granted only in the jobs that actually need them.
  • GitHub Actions are now pinned by SHA.
  • Python dependency installation now uses requirements.txt files with hashes, ensuring the integrity of the installed packages.
  • General adjustments to meet the Scorecard and StepSecurity recommendations.

These changes strengthen the security of the CI/CD pipeline, reduce the risk of GITHUB_TOKEN misuse, and improve the traceability of dependencies.
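The four practices above (a workflow-wide permissions: read-all default, job-scoped write permissions, SHA-pinned actions, and hash-checked pip installs) are easy to regress when a new workflow is added. The script below is an added example, written for this page and not part of the project's repository, that audits a workflow file and a requirements.txt for exactly those properties. The two workflow texts and the requirements files are constructed samples; the 40-hex commit SHAs and the sha256 digests in them are placeholders, not real pins.

```python
"""Audit a GitHub Actions workflow and a pip requirements file for the
hardening practices described in this release (example, not project code)."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # full commit SHA pin
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")     # `uses: owner/repo@ref`
PIP_RE = re.compile(r"\bpip3?\s+install\b")

# Constructed "before" workflow: no permissions key, tag-pinned actions,
# pip install without hash checking.
WEAK_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
      - run: pip install -r requirements.txt
"""

PLACEHOLDER_SHA_A = "0" * 40   # placeholder, not a real commit
PLACEHOLDER_SHA_B = "1" * 40   # placeholder, not a real commit

# Constructed "after" workflow: read-all default, write scoped to the job,
# SHA-pinned actions, --require-hashes on the pip install.
HARDENED_WORKFLOW = f"""\
name: ci
on: [push]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA_A} # v4 (placeholder SHA)
      - uses: docker/login-action@{PLACEHOLDER_SHA_B} # v3 (placeholder SHA)
      - run: pip install --require-hashes -r requirements.txt
"""

WEAK_REQUIREMENTS = "flask==3.1.1\nwerkzeug==3.1.3\n"

# Placeholder digests, constructed for this example (not real package hashes).
HASHED_REQUIREMENTS = f"""\
# pinned with hashes
flask==3.1.1 \\
    --hash=sha256:{"a" * 64}
werkzeug==3.1.3 \\
    --hash=sha256:{"b" * 64}
"""


def has_top_level_permissions(workflow: str) -> bool:
    """True if a workflow-wide `permissions:` key sits at column 0."""
    return any(line.startswith("permissions:") for line in workflow.splitlines())


def unpinned_actions(workflow: str) -> list:
    """Return `uses:` references whose ref is not a full 40-hex commit SHA."""
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container actions carry no git ref to pin
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def pip_installs_without_hashes(workflow: str) -> list:
    """Return `pip install` steps that do not enforce --require-hashes."""
    return [line.strip() for line in workflow.splitlines()
            if PIP_RE.search(line) and "--require-hashes" not in line]


def requirements_missing_hashes(requirements: str) -> list:
    """Return requirement specs that carry no --hash option.
    Backslash line continuations are joined the way pip joins them."""
    missing, logical = [], []
    for raw in requirements.splitlines() + [""]:
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical.append(line[:-1].strip())
            continue
        logical.append(line.strip())
        spec, logical = " ".join(logical).strip(), []
        if spec and "--hash=" not in spec:
            missing.append(spec.split()[0])
    return missing


def audit(workflow: str, requirements: str) -> dict:
    """Collect all findings for one workflow and one requirements file."""
    return {
        "top_level_permissions": has_top_level_permissions(workflow),
        "unpinned_actions": unpinned_actions(workflow),
        "pip_without_require_hashes": pip_installs_without_hashes(workflow),
        "requirements_without_hash": requirements_missing_hashes(requirements),
    }


if __name__ == "__main__":
    print("before:", audit(WEAK_WORKFLOW, WEAK_REQUIREMENTS))
    print("after: ", audit(HARDENED_WORKFLOW, HASHED_REQUIREMENTS))
```

Run against the "before" sample the audit reports no top-level permissions, two tag-pinned actions, one unchecked pip install and two unhashed requirements; against the "after" sample every list is empty. The check is deliberately line-based so it needs no YAML library and can run as a pre-commit hook; a job-level permissions block is accepted as the place where write scopes are granted, which is the pattern this release adopts.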

What's Changed

  • chore(deps): bump actions/checkout from 3 to 4 by @dependabot in #63
  • [ImgBot] Optimize images by @imgbot in #73
  • chore(deps): bump docker/setup-buildx-action from 1 to 3 by @dependabot in #72
  • chore(deps): bump docker/login-action from 2 to 3 by @dependabot in #69
  • chore(deps): bump werkzeug from 3.0.3 to 3.0.4 by @dependabot in #68
  • chore(deps): bump slsa-framework/slsa-github-generator from 1.4.0 to 2.0.0 by @dependabot in #71
  • Implementation of Improvements and New Features by @nataliagranato in #74
  • chore(deps): bump actions/upload-artifact from 97a0fba1372883ab732affbe8f94b823f91727db to c24449f33cd45d4826c6702db7e49f7cdb9b551d by @dependabot in #75
  • chore(deps): bump ossf/scorecard-action from 2.3.1 to 2.4.0 by @dependabot in #76
  • chore(deps): bump actions/upload-artifact from 3.2.1.pre.node20 to 4.4.0 by @dependabot in #77
  • chore(deps): bump azure/setup-helm from 1 to 4 by @dependabot in #78
  • chore(deps): bump prometheus-client from 0.16.0 to 0.21.0 by @dependabot in #79
  • chore(deps): bump sigstore/cosign-installer from 3.6.0 to 3.7.0 by @dependabot in #81
  • chore(deps): bump actions/upload-artifact from 4.4.0 to 4.4.3 by @dependabot in #87
  • chore(deps): bump aquasecurity/trivy-action from 0.24.0 to 0.28.0 by @dependabot in #89
  • chore(deps): bump chainguard-dev/digestabot from 1.2.0 to 1.2.1 by @dependabot in #92
  • chore(deps): bump redis from 5.1.0b7 to 5.2.0 by @dependabot in #91
  • chore(deps): bump werkzeug from 3.0.4 to 3.1.3 by @dependabot in #98
  • chore(deps): bump the pip group across 3 directories with 1 update by @dependabot in #93
  • chore(deps): bump flask from 3.0.3 to 3.1.0 by @dependabot in #99
  • [StepSecurity] Apply security best practices by @step-security-bot in #100
  • chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @dependabot in #101
  • chore(deps): bump prometheus-client from 0.16.0 to 0.21.0 in /chainguard/environments/dev by @dependabot in #102
  • chore(deps): bump flask from 3.0.3 to 3.1.0 in /chainguard/environments/prd by @dependabot in #103
  • chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in #115
  • chore(deps): bump prometheus-client from 0.16.0 to 0.21.1 in /chainguard/environments/prd by @dependabot in #133
  • chore(deps): bump redis from 5.1.0b7 to 5.2.0 in /chainguard/environments/staging by @dependabot in #104
  • chore(deps): bump redis from 5.1.0b7 to 5.2.0 in /chainguard/environments/dev by @dependabot in #105
  • chore(deps): bump redis from 5.1.0b7 to 5.2.0 in /chainguard/environments/prd by @dependabot in #107
  • chore(deps): bump werkzeug from 3.0.6 to 3.1.3 in /chainguard/environments/dev by @dependabot in #108
  • chore(deps): bump flask from 3.0.3 to 3.1.0 in /chainguard/environments/dev by @dependabot in #109
  • chore(deps): bump werkzeug from 3.0.6 to 3.1.3 in /chainguard/environments/staging by @dependabot in #111
  • chore(deps): bump flask from 3.0.3 to 3.1.0 in /chainguard/environments/staging by @dependabot in #113
  • chore(deps): bump werkzeug from 3.0.6 to 3.1.3 in /chainguard/environments/prd by @dependabot in #112
  • chore(deps): bump actions/dependency-review-action from 4.4.0 to 4.5.0 by @dependabot in #114
  • chore(deps): bump docker/build-push-action from 6.9.0 to 6.10.0 by @dependabot in #116
  • chore(deps): bump prometheus-client from 0.21.0 to 0.21.1 in /chainguard by @dependabot in #134
  • chore(deps): bump prometheus-client from 0.21.0 to 0.21.1 by @dependabot in #135
  • chore(deps): bump github/codeql-action from 3.27.5 to 3.27.6 by @dependabot in #136
  • chore(deps): bump prometheus-client from 0.16.0 to 0.21.1 in /chainguard/environments/staging by @dependabot in #137
  • chore(deps): bump prometheus-client from 0.21.0 to 0.21.1 in /chainguard/environments/dev by @dependabot in #139
  • chore(deps): bump redis from 5.2.0 to 5.2.1 in /chainguard/environments/dev by @dependabot in #140
  • chore(deps): bump redis from 5.2.0 to 5.2.1 in /src by @dependabot in #141
  • chore(deps): bump redis from 5.2.0 to 5.2.1 by @dependabot in #142
  • chore(deps): bump redis from 5.2.0 to 5.2.1 in /chainguard/environments/prd by @dependabot in #143
  • chore(deps): bump redis from 5.2.0 to 5.2.1 in /chainguard/environments/staging by @dependabot in #145
  • chore(deps): bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot in #147
  • chore(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0 by @dependabot in #148
  • chore(deps): bump actions/upload-artifact from 4.4.3 to 4.5.0 by @dependabot in #149
  • chore(deps): bump github/codeql-action from 3.27.9 to 3.28.0 by @dependabot in #150
  • chore(deps): bump actions/upload-artifact from 4.5.0 to 4.6.0 by @dependabot in #154
  • chore(deps): bump step-security/harden-runner from 2.10.2 to 2.10.4 by @dependabot in #157
  • chore(deps): bump docker/build-push-action from 6.10.0 to 6.13.0 by @dependabot in #161
  • chore(deps): bump docker/setup-qemu-action from 3.2.0 to 3.4.0 by @dependabot in #165
  • chore(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0 by @dependabot in #167
  • 🔒 Security Improvements and Optimization by @nataliagranato in #168
  • Create SECURITY.md by @nataliagranato in #182
  • Update and rename OWNERS to CODEOWNERS by @nataliagranato in #183
  • chore(deps): bump sigstore/cosign-installer from 3.7.0 to 3.8.0 by @dependabot in #184
  • chore(deps): bump step-security/harden-runner from 2.10.4 to 2.11.0 by @dependabot in #185
  • chore(deps): bump docker/build-push-action from 6.13.0 to 6.14.0 by @dependabot in #186
  • chore(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 by @dependabot in #188
  • chore(deps): bump sigstore/cosign-installer from 3.8.0 to 3.8.1 by @dependabot in #187
  • chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in #189
  • chore(deps): bump github/codeql-action from 3.28.0 to 3.28.10 by @dependabot in #190
  • chore(deps): bump slsa-framework/slsa-github-generator from 2.0.0 to 2.1.0 by @dependabot in #191
  • chore(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0 by @dependabot in #192
  • chore(deps): bump docker/setup-qemu-action from 3.4.0 to 3.6.0 by @dependabot in #196
  • chore(deps): bump docker/build-push-action from 6.14.0 to 6.15.0 by @dependabot in #195
  • chore(deps): bump github/codeql-action from 3.28.10 to 3.28.11 by @dependabot in #197
  • chore(deps): bump chainguard-dev/digestabot from 1.2.1 to 1.2.2 by @dependabot in #198
  • chore(deps): bump docker/login-action from 3.3.0 to 3.4.0 by @dependabot in #199
  • chore(deps): bump aquasecurity/trivy-action from 0.29.0 to 0.30.0 by @dependabot in #200
  • chore(deps): bump docker/metadata-action from 5.6.1 to 5.7.0 by @dependabot in #194
  • chore(deps): bump github/codeql-action from 3.28.11 to 3.28.12 by @dependabot in #201
  • chore(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 by @dependabot in #202
  • chore(deps): bump github/codeql-action from 3.28.12 to 3.28.13 by @dependabot in #203
  • chore(deps): bump actions/dependency-review-action from 4.5.0 to 4.6.0 by @dependabot in #204
  • chore(deps): bump step-security/harden-runner from 2.11.0 to 2.11.1 by @dependabot in #205
  • chore(deps): bump github/codeql-action from 3.28.13 to 3.28.14 by @dependabot in #206
  • chore(deps): bump github/codeql-action from 3.28.14 to 3.28.15 by @dependabot in #207
  • chore(deps): bump step-security/harden-runner from 2.11.1 to 2.12.0 by @dependabot in #208
  • chore(deps): bump sigstore/cosign-installer from 3.8.1 to 3.8.2 by @dependabot in #209
  • chore(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by @dependabot in #210
  • chore(deps): bump docker/build-push-action from 6.15.0 to 6.16.0 by @dependabot in #211
  • chore(deps): bump github/codeql-action from 3.28.16 to 3.28.17 by @dependabot in #212
  • chore(deps): bump actions/dependency-review-action from 4.6.0 to 4.7.0 by @dependabot in #213
  • chore(deps): bump flask from 3.1.0 to 3.1.1 in /chainguard in the pip group by @dependabot in #214
  • chore(deps): bump flask from 3.1.0 to 3.1.1 in /src in the pip group by @dependabot in #215
  • chore(deps): bump flask from 3.1.0 to 3.1.1 in /chainguard/environments/prd in the pip group by @dependabot in #216
  • chore(deps): bump flask from 3.1.0 to 3.1.1 in /chainguard/environments/staging in the pip group by @dependabot in #217
  • chore(deps): bump flask from 3.1.0 to 3.1.1 in /chainguard/environments/dev in the pip group by @dependabot in #218
  • chore(deps): bump redis from 5.2.1 to 6.1.0 in /chainguard/environments/prd by @dependabot in #219
  • chore(deps): bump redis from 5.2.1 to 6.1.0 in /chainguard/environments/dev by @dependabot in #220
  • chore(deps): bump redis from 5.2.1 to 6.1.0 in /chainguard by @dependabot in #221
  • chore(deps): bump actions/dependency-review-action from 4.7.0 to 4.7.1 by @dependabot in #222
  • chore(deps): bump redis from 5.2.1 to 6.1.0 by @dependabot in #224
  • chore(deps): bump redis from 5.2.1 to 6.1.0 in /chainguard/environments/staging by @dependabot in #225
  • Add integrity hashes to requirements.txt for greater security by @nataliagranato in #227
  • Integrity checks for the Docker installation process in the tools.sh script by @nataliagranato in #228
  • chore(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @dependabot in #229
  • chore(deps): bump docker/build-push-action from 6.16.0 to 6.17.0 by @dependabot in #230
  • Security Improvements in GitHub Actions Workflows by @nataliagranato in #231

New Contributors

Full Changelog: v2.0.0...v2.1.0