chore: fixes for ossf scorecard

.devcontainer/Dockerfile

@@ -12,17 +12,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM gcr.io/projectsigstore/cosign:latest as cosign
+FROM gcr.io/projectsigstore/cosign:latest@sha256:b03690aa52bfe94054187142fba24dc54137650682810633901767d8a3e15b31 AS cosign
 
-FROM mcr.microsoft.com/devcontainers/go:1-1.22-bookworm
+FROM mcr.microsoft.com/devcontainers/go:1.23-bookworm@@sha256:2e00578e7c526e76ebd51597260928d8542d27c17ffe6390d79200638c51a3e6
 
 COPY --from=cosign /ko-app/cosign /usr/bin
 
-RUN go install github.com/google/addlicense@latest
+#v1.1.1
+RUN go install github.com/google/addlicense@@dc31ac9ffcca99c9457226366135701794b128c0
 
-RUN go install github.com/google/go-licenses@latest
+# v1.6.0
+RUN go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
 
-RUN go install mvdan.cc/gofumpt@latest
+# v0.7.0
+RUN go install mvdan.cc/gofumpt@86bffd62437a3c437c0b84d5d5ab244824e762fc
 
 RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.60.2
 

.github/workflows/codeql-analysis.yml

@@ -24,7 +24,7 @@
 # supported CodeQL languages.
 #
 name: "CodeQL"
-
+permissions: read-all
 on:
   push:
     branches: [ "main" ]
@@ -52,7 +52,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
@@ -62,11 +62,11 @@ jobs:
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        
+
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
@@ -75,7 +75,7 @@ jobs:
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
     # - run: |

.github/workflows/gen-docs.yml

@@ -16,26 +16,32 @@
 name: integrationcli Github Pages Pipeline
 
 on:
-  push:
+  #push:
     # Publish semver tags as releases.
-    tags:
-      - v[0-9].[0-9]+.[0-9]
+  #  tags:
+  #    - v[0-9].[0-9]+.[0-9]
+  workflow_dispatch:
 
 jobs:
   publish-gh-pages:
     name: Publish integrationcli Documentation
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5
         with:
           go-version-file: './go.mod'
           check-latest: true
       - name: Push GH Pages
         run: |
-          git config --global user.name "integrationcli Publish Action"
-          git config --global user.email "[email protected]"
+          SHORT_SHA=$(git rev-parse --short $GITHUB_SHA)
+          git config pull.rebase false
+          git config --global user.name "$(git log -n 1 --pretty=format:%an)"
+          git config --global user.email "$(git log -n 1 --pretty=format:%ae)"
+
+          git pull origin main --allow-unrelated-histories
+          git checkout -b docs_$SHORT_SHA
 
           GOBIN=/tmp/ go install github.com/google/[email protected]
           /tmp/go-licenses csv ./cmd/integrationcli > third-party-licenses.txt || echo "Ignore warnings"
@@ -47,4 +53,4 @@ jobs:
           go run docs/docs.go
           git add --all
           git commit -m "Update GH Pages - $GITHUB_SHA" || echo "No Changes in docs"
-          git push origin HEAD:refs/heads/main
+          git push origin docs_$SHORT_SHA

.github/workflows/golangci-lint.yml

@@ -13,27 +13,27 @@
 # limitations under the License.
 
 name: golangci-lint
+permissions: read-all
 on:
   push:
     branches:
       - main
   pull_request:
     branches:
       - '**'
-permissions:
-  contents: read
+
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5
         with:
           go-version: '1.20'
           cache: false
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 #v6.1.1
         with:
           version: latest
           args: --timeout=4m

.github/workflows/gorelease-action.yml

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 name: integrationcli-release
-
+permissions: read-all
 on:
   push:
     # Publish semver tags as releases.
@@ -29,8 +29,8 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5
         with:
           go-version-file: './go.mod'
           check-latest: true
@@ -43,10 +43,10 @@ jobs:
       - name: Write private key to disk
         run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > /tmp/cosign.key
 
-      - uses: sigstore/cosign-installer@main
+      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 #v6
         with:
           distribution: goreleaser
           version: latest
@@ -56,7 +56,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.TOKEN }}
 
       - name: Upload assets
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
         with:
           name: integrationcli
           path: dist/*

Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.21 as builder
+FROM golang:1.23.2@sha256:a7f2fc9834049c1f5df787690026a53738e55fc097cd8a4a93faa3e06c67ee32 AS builder
 
 ARG TAG
 ARG COMMIT
@@ -29,7 +29,7 @@ RUN go mod download
 RUN date +%FT%H:%I:%M+%Z > /tmp/date
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -buildvcs=true -a -gcflags='all="-l"' -ldflags='-s -w -extldflags "-static" -X main.version='${TAG}' -X main.commit='${COMMIT}' -X main.date='$(cat /tmp/date) -o /go/bin/integrationcli /go/src/integrationcli/cmd/integrationcli/integrationcli.go
 
-FROM us-docker.pkg.dev/appintegration-toolkit/internal/jq:latest as jq
+FROM us-docker.pkg.dev/appintegration-toolkit/internal/jq:latest@sha256:d3a1c8a88f9223eab96bda760efab08290d274249581d2db6db010cbe20c232b AS jq
 
 # use debug because it includes busybox
 FROM gcr.io/distroless/static-debian11:debug-nonroot

Dockerfile.cosign

@@ -14,8 +14,8 @@
 
 #Usage: https://github.com/sigstore/cosign#dockerfile
 
-FROM gcr.io/projectsigstore/cosign:latest as cosign
+FROM gcr.io/projectsigstore/cosign:latest@sha256:b03690aa52bfe94054187142fba24dc54137650682810633901767d8a3e15b31 AS cosign
 
 
-FROM gcr.io/distroless/static-debian11:debug
-COPY --from=cosign /ko-app/cosign /usr/bin
+FROM gcr.io/distroless/static-debian11:debug-nonroot@sha256:55716e80a7d4320ce9bc2dc8636fc193b418638041b817cf3306696bd0f975d1
+COPY --from=cosign /ko-app/cosign /usr/bin

Dockerfile.deploy

@@ -11,8 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-FROM golang:1.21 as builder
+FROM golang:1.23.2@sha256:a7f2fc9834049c1f5df787690026a53738e55fc097cd8a4a93faa3e06c67ee32 AS builder
 
 ARG TAG
 ARG COMMIT
@@ -29,7 +28,7 @@ RUN go mod download
 RUN date +%FT%H:%I:%M+%Z > /tmp/date
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -buildvcs=true -a -gcflags='all="-l"' -ldflags='-s -w -extldflags "-static" -X main.version='${TAG}' -X main.commit='${COMMIT}' -X main.date='$(cat /tmp/date) -o /go/bin/integrationcli /go/src/integrationcli/cmd/integrationcli/integrationcli.go
 
-FROM us-docker.pkg.dev/appintegration-toolkit/internal/jq:latest as jq
+FROM us-docker.pkg.dev/appintegration-toolkit/internal/jq:latest@sha256:d3a1c8a88f9223eab96bda760efab08290d274249581d2db6db010cbe20c232b AS jq
 
 FROM alpine:latest
 LABEL org.opencontainers.image.url='https://github.com/GoogleCloudPlatform/application-integration-management-toolkit' \

SECURITY.md

@@ -0,0 +1,4 @@
+To report a security issue, please use [https://g.co/vulnz](https://g.co/vulnz).
+We use g.co/vulnz for our intake, and do coordination and disclosure here on
+GitHub (including using GitHub Security Advisory). The Google Security Team will
+respond within 5 working days of your report on g.co/vulnz.