
Commit 546c3b8

authored
Merge pull request #1066 from broadinstitute/dp/fix-cve-2026-42246-net-imap
Fix CVE-2026-42246: upgrade Ruby net-imap gem to >=0.6.4
2 parents 1a3a8a7 + bf87b64 commit 546c3b8

9 files changed

Lines changed: 68 additions & 48 deletions


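--- a/.github/actions/setup-docker-build/action.yml
+++ b/.github/actions/setup-docker-build/action.yml
@@ -19,16 +19,16 @@ runs:
 steps:
 - name: Checkout repository
 if: ${{ inputs.checkout == 'true' }}
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 with:
 fetch-depth: ${{ inputs.fetch-depth }}
 fetch-tags: ${{ inputs.fetch-tags }}
 
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v3
+uses: docker/setup-buildx-action@v4
 
 - name: Log in to GitHub Container Registry
-uses: docker/login-action@v3
+uses: docker/login-action@v4
 with:
 registry: ghcr.io
 username: ${{ github.actor }}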
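Review bot: The bumped `uses:` lines still reference third-party actions by mutable tags: `actions/checkout@v5`, `docker/setup-buildx-action@v4` and `docker/login-action@v4` here, the `docker/login-action@v4` lines in audit-quay-tags.yml, cleanup-images.yml and docker.yml, and `aquasecurity/trivy-action@v0.36.0` in container-scan.yml and docker.yml. A tag can be moved by whoever controls the action's repository, and these steps run with registry credentials and `GITHUB_TOKEN` in scope, so the code that runs is not fixed by what was reviewed in this commit. Pinning each action to the full commit SHA of the reviewed release, with the version kept as a trailing comment, closes that gap: `uses: docker/login-action@<full-commit-sha-of-reviewed-v4-release>  # v4` (placeholder; the SHA is not on this page). Dependabot or Renovate can then propose SHA bumps so the pins do not go stale. The `runs:` step list continues past the end of this hunk.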

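--- a/.github/workflows/audit-quay-tags.yml
+++ b/.github/workflows/audit-quay-tags.yml
@@ -17,7 +17,7 @@ jobs:
 uses: imjasonh/setup-crane@v0.4
 
 - name: Log in to Quay.io
-uses: docker/login-action@v3
+uses: docker/login-action@v4
 with:
 registry: quay.io
 username: ${{ secrets.QUAY_USERNAME }}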

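--- a/.github/workflows/cleanup-images.yml
+++ b/.github/workflows/cleanup-images.yml
@@ -34,7 +34,7 @@ jobs:
 uses: imjasonh/setup-crane@v0.4
 
 - name: Log in to Quay.io
-uses: docker/login-action@v3
+uses: docker/login-action@v4
 with:
 registry: quay.io
 username: ${{ secrets.QUAY_USERNAME }}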

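--- a/.github/workflows/container-scan.yml
+++ b/.github/workflows/container-scan.yml
@@ -47,7 +47,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Run Trivy vulnerability scanner
-uses: aquasecurity/trivy-action@master
+uses: aquasecurity/trivy-action@v0.36.0
 with:
 image-ref: '${{ env.GHCR_REPO }}:main-mega-amd64'
 format: 'sarif'
@@ -60,7 +60,7 @@ jobs:
 ignore-policy: '.trivy-ignore-policy.rego'
 
 - name: Run Trivy vulnerability scanner (JSON)
-uses: aquasecurity/trivy-action@master
+uses: aquasecurity/trivy-action@v0.36.0
 with:
 image-ref: '${{ env.GHCR_REPO }}:main-mega-amd64'
 format: 'json'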

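--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -29,7 +29,7 @@ jobs:
 docker: ${{ steps.filter.outputs.docker }}
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Check changed paths
 uses: dorny/paths-filter@v3
@@ -85,7 +85,7 @@ jobs:
 image-tag-prefix: ${{ steps.image-tag.outputs.prefix }}
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 with:
 fetch-depth: 0 # Full history for accurate git describe
 fetch-tags: true
@@ -146,7 +146,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -182,7 +182,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -218,7 +218,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -283,7 +283,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -324,7 +324,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -365,7 +365,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -428,7 +428,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -469,7 +469,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -510,7 +510,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -573,7 +573,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -614,7 +614,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -655,7 +655,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -718,7 +718,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -759,7 +759,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -800,7 +800,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -863,7 +863,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -904,7 +904,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -943,7 +943,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Setup Docker build environment
 uses: ./.github/actions/setup-docker-build
@@ -1004,17 +1004,22 @@ jobs:
 flavor: [baseimage, core, assemble, classify, phylo, mega]
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Log in to GHCR
-uses: docker/login-action@v3
+uses: docker/login-action@v4
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
+- name: Pre-pull image for scan
+uses: ./.github/actions/pull-with-retry
+with:
+image: '${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-${{ matrix.flavor }}-amd64'
+
 - name: Run Trivy vulnerability scanner
-uses: aquasecurity/trivy-action@master
+uses: aquasecurity/trivy-action@v0.36.0
 with:
 image-ref: '${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-${{ matrix.flavor }}-amd64'
 format: 'sarif'
@@ -1027,7 +1032,7 @@ jobs:
 ignore-policy: '.trivy-ignore-policy.rego'
 
 - name: Run Trivy vulnerability scanner (JSON)
-uses: aquasecurity/trivy-action@master
+uses: aquasecurity/trivy-action@v0.36.0
 with:
 image-ref: '${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-${{ matrix.flavor }}-amd64'
 format: 'json'
@@ -1048,14 +1053,14 @@ jobs:
 
 - name: Upload Trivy scan results to GitHub Security tab
 if: always()
-uses: github/codeql-action/upload-sarif@v3
+uses: github/codeql-action/upload-sarif@v4
 with:
 sarif_file: 'trivy-results.sarif'
 category: 'container-${{ matrix.flavor }}'
 
 - name: Upload Trivy JSON results
 if: always()
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@v6
 with:
 name: trivy-${{ matrix.flavor }}
 path: trivy-results.json
@@ -1080,7 +1085,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Pull test image (with retries)
 uses: ./.github/actions/pull-with-retry
@@ -1121,7 +1126,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Pull test image (with retries)
 uses: ./.github/actions/pull-with-retry
@@ -1154,7 +1159,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Pull test image (with retries)
 uses: ./.github/actions/pull-with-retry
@@ -1195,7 +1200,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Pull test image (with retries)
 uses: ./.github/actions/pull-with-retry
@@ -1228,7 +1233,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Pull test image (with retries)
 uses: ./.github/actions/pull-with-retry
@@ -1269,7 +1274,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Pull test image (with retries)
 uses: ./.github/actions/pull-with-retry
@@ -1302,7 +1307,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Pull test image (with retries)
 uses: ./.github/actions/pull-with-retry
@@ -1343,7 +1348,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 
 - name: Pull test image (with retries)
 uses: ./.github/actions/pull-with-retry
@@ -1447,14 +1452,14 @@ jobs:
 uses: imjasonh/setup-crane@v0.4
 
 - name: Log in to GitHub Container Registry
-uses: docker/login-action@v3
+uses: docker/login-action@v4
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Log in to Quay.io
-uses: docker/login-action@v3
+uses: docker/login-action@v4
 with:
 registry: quay.io
 username: ${{ secrets.QUAY_USERNAME }}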
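Review bot: In the `@@ -1004,17 +1004,22 @@` hunk, the new "Pre-pull image for scan" step and both Trivy steps each spell out the same image expression and resolve it by tag, so nothing visible ties the scanned image to the one the build jobs pushed. If the tag is re-pushed between build and scan, or one of the three copies drifts, Trivy reports on a different image than the one released. If the build job exposes the pushed digest as an output (not visible in this hunk), referencing `${{ env.GHCR_REPO }}@<digest-output-of-build-job>` (placeholder) in all three places would bind the scan to the built artifact. A comment above the new step would also help, e.g. `# Pull with retries first so a transient registry error does not fail the scan` (inferred from the action name, so confirm the intent). The job body starts and ends outside the hunk.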

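--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -27,7 +27,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
 with:
 fetch-depth: 0 # Full history for git describe version
 
@@ -47,7 +47,7 @@ jobs:
 sphinx-build -W -b html . _build/html
 
 - name: Upload documentation artifact
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@v6
 with:
 name: documentation
 path: docs/_build/html/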
