DopplerUniversity · mikesellitto · Oct 17, 2025 · Oct 17, 2025 · Oct 17, 2025 · Oct 17, 2025
diff --git a/.github/actions/e2e/action.yml b/.github/actions/e2e/action.yml
@@ -6,7 +6,7 @@ runs:
   steps:
 
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v1
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v1
       with:
         role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }}
         aws-region: ${{ env.AWS_REGION }}
@@ -31,22 +31,24 @@ runs:
         restore-keys: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-
 
     - name: Cache Go Dependencies
-      uses: actions/cache@v3
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
         path: ${{ steps.go.outputs.mod-cache }}
         key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
         restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-
 
     - name: Setup kind
-      uses: engineerd/setup-kind@v0.5.0
+      # https://github.com/engineerd/setup-kind/releases/tag/v0.5.0
+      uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
       with:
         version: ${{ env.KIND_VERSION }}
         wait: 10m
         image: ${{ env.KIND_IMAGE }}
         name: external-secrets
 
     - name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      # https://github.com/docker/setup-buildx-action/releases/tag/v2.10.0
+      uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
       with:
         version: ${{ env.DOCKER_BUILDX_VERSION }}
         install: true

diff --git a/.github/actions/sign/action.yml b/.github/actions/sign/action.yml
@@ -18,12 +18,14 @@ runs:
   steps:
 
     - name: Install cosign
-      uses: sigstore/cosign-installer@v2
+      # https://github.com/sigstore/cosign-installer/releases/tag/v2.8.1
+      uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
       with:
         cosign-release: v1.13.6
 
     - name: Install Syft
-      uses: anchore/sbom-action/download-syft@v0.7.0
+      # https://github.com/anchore/sbom-action/releases/tag/v0.7.0
+      uses: anchore/sbom-action/download-syft@ce4a7cf05d7b684693d7b6bba97bfbee56806edb # v0.7.0
 
     - name: Check Cosign install
       shell: bash
@@ -48,33 +50,43 @@ runs:
     - name: Get docker image tag
       id: container_info
       shell: bash
-      run: echo "digest=$(crane digest ${{ inputs.image-name }}:${{ inputs.image-tag }})" >> $GITHUB_OUTPUT
+      env:
+        IMAGE_NAME: ${{ inputs.image-name }}
+        IMAGE_TAG: ${{ inputs.image-tag }}
+      run: echo "digest=$(crane digest ${IMAGE_NAME}:${IMAGE_TAG})" >> $GITHUB_OUTPUT
 
     - name: Sign image
       shell: bash
       env:
         COSIGN_EXPERIMENTAL: "1"
-      run: cosign sign -a GITHUB_ACTOR=${{ github.triggering_actor }} "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
+        IMAGE_NAME: ${{ inputs.image-name }}
+        CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
+        GITHUB_TRIGGERING_ACTOR: ${{ github.triggering_actor }}
+      run: cosign sign -a GITHUB_ACTOR=${GITHUB_TRIGGERING_ACTOR} "${IMAGE_NAME}@${CONTAINER_DIGEST}"
 
     - name: Attach SBOM to image
       shell: bash
       id: sbom
       env:
         COSIGN_EXPERIMENTAL: "1"
+        IMAGE_NAME: ${{ inputs.image-name }}
+        IMAGE_TAG: ${{ inputs.image-tag }}
+        CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
       run: |
         # Image SBOM (OS + application libs contained in the image)
-        syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json
-        cosign attest --predicate sbom.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
-        cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson'
+        syft "${IMAGE_NAME}@${CONTAINER_DIGEST}" -o spdx-json=sbom.${IMAGE_TAG}.spdx.json
+        cosign attest --predicate sbom.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
+        cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} | jq '.payload |= @base64d | .payload | fromjson'
 
         # Go modules SBOM (dependencies from the source tree)
         # Requires repository to be checked out before this composite action runs.
-        syft dir:. -o spdx-json=sbom.gomod.${{ inputs.image-tag }}.spdx.json
-        cosign attest --predicate sbom.gomod.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
-        cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson'
+        syft dir:. -o spdx-json=sbom.gomod.${IMAGE_TAG}.spdx.json
+        cosign attest --predicate sbom.gomod.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
+        cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} | jq '.payload |= @base64d | .payload | fromjson'
 
     - name: Generate provenance
-      uses: philips-labs/slsa-provenance-action@v0.7.2
+      # https://github.com/philips-labs/slsa-provenance-action/releases/tag/v0.7.2
+      uses: philips-labs/slsa-provenance-action@dddb40e199ae28d4cd2f17bad7f31545556fdd3d # v0.7.2
       with:
         command: generate
         subcommand: container
@@ -88,7 +100,10 @@ runs:
       id: provenance
       env:
         COSIGN_EXPERIMENTAL: "1"
+        IMAGE_NAME: ${{ inputs.image-name }}
+        IMAGE_TAG: ${{ inputs.image-tag }}
+        CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
       run: |
-        jq '.predicate' provenance.${{ inputs.image-tag }}.intoto.jsonl > provenance-predicate.att
-        cosign attest --predicate provenance-predicate.att --type slsaprovenance "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
-        cosign verify-attestation --type slsaprovenance ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}
+        jq '.predicate' provenance.${IMAGE_TAG}.intoto.jsonl > provenance-predicate.att
+        cosign attest --predicate provenance-predicate.att --type slsaprovenance "${IMAGE_NAME}@${CONTAINER_DIGEST}"
+        cosign verify-attestation --type slsaprovenance ${IMAGE_NAME}@${CONTAINER_DIGEST}
diff --git a/.github/config/codeql-config.yaml b/.github/config/codeql-config.yaml
@@ -0,0 +1,88 @@
+name: "Synthetic Apps All Queries Config"
+
+# expand thread model - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models
+threat-models: local
+
+# start from scratch - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#disabling-the-default-queries
+disable-default-queries: true
+
+packs:
+  # All queries from the CodeQL Built in packs (including low/no precision queries)
+  - codeql/actions-queries:.
+  - codeql/go-queries:.
+  ### GitHub Security Lab###
+  # Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries)
+  - githubsecuritylab/codeql-go-queries
+  - trailofbits/go-queries
+
+# Start with Security Experimental (lightly documented: https://github.com/github/codeql/pull/11702) : https://github.com/github/codeql/blob/main/misc/suite-helpers/security-experimental-selectors.yml
+# - precision ( low + Low or EXCLUDED precision)
+# + problem.severity: recommendation
+# - restriction of no experimental folder
+# - restriction of audit/debugging queries from community packs
+query-filters:
+  - include:
+      kind:
+        - problem
+        - path-problem
+      tags contain:
+        - security
+  - include:
+      kind:
+        - diagnostic
+  - include:
+      kind:
+        - metric
+      tags contain:
+        - summary
+  - exclude:
+      deprecated: //
+  - exclude:
+      query path:
+        # REMOVE exclude - OK even if they exist in experimental folder
+        #- /^experimental\/.*/
+        - Metrics/Summaries/FrameworkCoverage.ql
+        - /Diagnostics/Internal/.*/
+  - exclude:
+      tags contain:
+        - modeleditor
+        - modelgenerator
+  # Exclude audit queries from the CodeQL Built in packs
+  - exclude:
+      id:
+        - go/untrusted-data-to-external-api
+
+  # Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs)
+  - exclude:
+      tags contain:
+        - debugging
+        - audit
+
+#Additional extractor excludes:  https://github.com/github/codeql/blob/768e5190a1c9d40a4acc7143c461c3b114e7fd59/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java#L421-L427C42
+paths-ignore:
+  # Python
+  - "vendor/**"
+  - "examples/**"
+  - "tests/**"
+  - "test/**"
+  - "site-packages/**"
+
+  # JavaScript
+  - "node_modules"
+  - "**/*.test.js"
+  - "**/*.test.tsx"
+  - "**/*.spec.ts"
+  - "**/*.spec.tsx"
+  - "dist"
+  - "CoverageResults"
+  - "**/wwwroot/lib/**"
+  - "**/deps/**"
+  - "**/third_party/**"
+  - "**/wp-includes/**"
+  - "**/wp-admin/**"
+
+  # Ruby
+  - "**/gems/**"
+  - "**/spec/**/*_spec.rb"
+  - "**/test/**/*_test.rb"
+
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,23 +5,28 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 10
 
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 10
 
   - package-ecosystem: docker
     directory: /e2e
     schedule:
       interval: weekly
+    open-pull-requests-limit: 10
 
   - package-ecosystem: docker
     directory: /hack/api-docs
     schedule:
       interval: weekly
+    open-pull-requests-limit: 10
 
   - package-ecosystem: pip
     directory: /hack/api-docs
     schedule:
       interval: weekly
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -26,7 +26,7 @@ jobs:
     outputs:
       noop: ${{ steps.noop.outputs.should_skip }}
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
         with:
           egress-policy: audit
       - name: Detect No-op Changes
@@ -47,14 +47,14 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
 
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Setup Go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         id: setup-go
         with:
           go-version-file: "go.mod"
@@ -63,12 +63,8 @@ jobs:
         if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
         run: go mod download
 
-      - name: Lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
-        with:
-          version: ${{ env.GOLANGCI_VERSION }}
-          skip-pkg-cache: true
-          skip-build-cache: true
+      - name: Run lint
+        run: make lint
 
   license-check:
     permissions:
@@ -79,28 +75,28 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
 
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Check License Headers
-        uses: apache/skywalking-eyes/header@5c5b974209f0de5d905f37deb69369068ebfc15c # v0.7.0
+        uses: apache/skywalking-eyes/header@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 # v0.8.0
 
   check-diff:
     runs-on: ubuntu-latest
     needs: detect-noop
     if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
 
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: hashicorp/setup-terraform@c529327889820530c60b4ce5bbc8d6099e166666 # v3
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: hashicorp/setup-terraform@712b43959e9be7e82c34d18450fa5ec3237af3f1 # v3
       - name: Setup Go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         id: setup-go
         with:
           go-version-file: "go.mod"
@@ -124,17 +120,17 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true'
 
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Fetch History
         run: git fetch --prune --unshallow
 
       - name: Setup Go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         id: setup-go
         with:
           go-version-file: "go.mod"

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -26,17 +26,20 @@ jobs:
           - language: actions
             build-mode: none
     steps:
-    - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+    - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
       with:
         egress-policy: audit
     - name: Checkout repository
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    # Without this, codeql scan builds databases separately for all modules during every run.
+    - name: Run go work
+      run: make go-work
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v3.29.5
+      uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v3.29.5
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
+        config-file: ./.github/config/codeql-config.yaml
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v3.29.5
+      uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v3.29.5
diff --git a/.github/workflows/crds.yml b/.github/workflows/crds.yml
@@ -18,11 +18,11 @@ jobs:
   crd-tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/dependabot-approve.yml b/.github/workflows/dependabot-approve.yml
@@ -12,10 +12,10 @@ jobs:
     # PRs but also ensures that it only does work for Dependabot PRs.
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
         with:
           egress-policy: audit
-      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ secrets.APP_ID }}