Update Github Actions

[Huulivoide]

This change is 

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 8 package(s) with unknown licenses.

See the Details below.

License Issues

.github/workflows/shared-build-and-publish-docker-image.yml

Package	Version	License	Issue Type
actions/checkout	7.*.*	Null	Unknown License
actions/download-artifact	8.*.*	Null	Unknown License
azure/login	3.*.*	Null	Unknown License
docker/build-push-action	7.*.*	Null	Unknown License
docker/setup-buildx-action	4.*.*	Null	Unknown License
docker/setup-qemu-action	4.*.*	Null	Unknown License

.github/workflows/shared-secret-scan.yml

Package	Version	License	Issue Type
actions/checkout	7.*.*	Null	Unknown License

.github/workflows/test-setup-e2e-environment-action.yml

Package	Version	License	Issue Type
actions/checkout	7.*.*	Null	Unknown License

Allowed Licenses:

CC0-1.0, CC-BY-4.0, Unlicense, WTFPL, 0BSD, MIT, Apache-2.0, ISC, BSD-2-Clause, BSD-3-Clause, Zlib, MPL-1.1, MPL-2.0, CDDL-1.0, EPL-1.0, EPL-2.0, CECILL-2.1, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0-only, LGPL-3.0-or-later, EUPL-1.0, EUPL-1.1, EUPL-1.2, AAL, AFL-3.0, Apache-1.1, APL-1.0, APSL-2.0, Artistic-1.0-Perl, Artistic-2.0, BlueOak-1.0.0, BSL-1.0, CATOSL-1.1, CPAL-1.0, CUA-OPL-1.0, ECL-2.0, EFL-2.0, Entessa, EUDatagrid, Fair, LPPL-1.3c, LPL-1.02, MirOS, Motosoto, Multics, NASA-1.3, NCSA, NTP, Naumen, Nokia, PostgreSQL, PSF-2.0, RPSL-1.0, RSCPL, SimPL-2.0, Sleepycat, SPL-1.0, VSL-1.0, W3C, W3C-20150513, Xnet, ZPL-2.0

Excluded from license check:

pkg:githubactions/trufflesecurity/trufflehog, pkg:npm/knex, pkg:npm/mapbox-gl

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	7.*.*	🟢 6.9	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits
actions/actions/download-artifact	8.*.*	🟢 5.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches
actions/azure/login	3.*.*	Unknown	Unknown
actions/docker/build-push-action	7.*.*	🟢 7.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Security-Policy 🟢 9 security policy file detected Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 SAST 🟢 9 SAST tool detected but not run on all commits
actions/docker/setup-buildx-action	4.*.*	🟢 8.6	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits
actions/docker/setup-qemu-action	4.*.*	🟢 8.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 SAST 🟢 10 SAST tool is run on all commits
actions/actions/checkout	7.*.*	🟢 6.9	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits
actions/dawidd6/action-send-mail	42942bc2f8fba4e611b459a018967a6a7c78c68c	🟢 4.3	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 5 Found 5/10 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 18 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/trufflesecurity/trufflehog	30d5bb91af1a771378349dbbb0c82129392acf70	🟢 7.4	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 9 binaries present in source code License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 4 out of the last 4 releases have a total of 4 signed artifacts. Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits
actions/actions/checkout	7.*.*	🟢 6.9	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/shared-build-and-publish-docker-image.yml
• .github/workflows/shared-secret-scan.yml
• .github/workflows/test-setup-e2e-environment-action.yml

[culka]

@culka reviewed 14 files and all commit messages, and made 4 comments.
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on Huulivoide).

---

.github/workflows/shared-check-renovatebot-config.yml line 30 at r1 (raw file):

      - name: Validate config
        uses: suzuki-shunsuke/github-action-renovate-config-validator@v2.1.0

Ei viitata ulkoisiin repositioreihin tagilla, käytetään tunnettua hashia.

---

.github/workflows/shared-run-e2e.yml line 338 at r1 (raw file):

      - name: Publish Test Report
        uses: ctrf-io/github-test-reporter@v1

Tässäkin pitää viitata hashilla johonkin tiettyy commitiin.

---

.github/workflows/shared-secret-scan.yml line 46 at r1 (raw file):

      - name: Secret Scanning
        uses: trufflesecurity/trufflehog@v3.95.6

Tässäkin tulee käyttää hashia

---

.github/workflows/shared-secret-scan.yml line 65 at r1 (raw file):

      - name: Send ${{ matrix.alert_type }} alert
        if: matrix.enabled
        uses: dawidd6/action-send-mail@v17

Ja tässä myös

[culka]

@culka reviewed 3 files and all commit messages, and resolved 4 discussions.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on Huulivoide).