diff --git a/.github/workflows/add-guidelines.yml b/.github/workflows/add-guidelines.yml index b087ce2b8..d190e4616 100644 --- a/.github/workflows/add-guidelines.yml +++ b/.github/workflows/add-guidelines.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Set environment variable for early exit control id: check_label @@ -47,14 +47,14 @@ jobs: - name: Fail if no relevant labels are found if: env.GUIDELINES_FILE == '' - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | core.setFailed('No appropriate GitHub label found in the PR. Failing the job.') - name: Add Guidelines Comment if: env.CONTINUE_JOB == 'true' && (github.event.action == 'opened' || github.event.action == 'labeled') - uses: mshick/add-pr-comment@v2 + uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2 with: message-path: ${{ env.GUIDELINES_FILE }} repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 3d8dbf796..e045d9339 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -21,7 +21,7 @@ jobs: github.event.pull_request.state == 'open' && !github.event.pull_request.draft steps: - name: 'Apply default "backport: auto" label' - uses: actions/github-script@v4 + uses: actions/github-script@10b53a9ec6c222bb4ce97aa6bd2b5f739696b536 # v4 if: | !contains(github.event.pull_request.labels.*.name, 'backport: auto') && !contains(github.event.pull_request.labels.*.name, 'backport: skip') 
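Review bot: The trailing `# v4` comment on the pinned `uses: actions/checkout@…` line in add-guidelines.yml records only the floating major tag, so nobody can later tell which release the SHA was taken from or whether it has fallen behind. I would put the exact release in the comment, e.g. `uses: actions/checkout@<commit-sha> # vX.Y.Z` (placeholder version), which is also the form Dependabot and Renovate rewrite when they bump a pin. The same applies to every pinned `uses:` line in this commit. From the visible files I cannot tell whether an update bot is configured for the `github-actions` ecosystem; without one these pins will not pick up upstream fixes.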
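Review bot: Pinning `actions/github-script` at its v4 tag in the 'Apply default "backport: auto" label' step of backport.yml freezes a major that is well behind the v6 and v7 pins used elsewhere in this commit. The step at `@@ -34,7` and the v3 pins in lock-versions.yml and release-fleet.yml are in the same position. A SHA pin stops even tag-level fixes from arriving, so an old major stays exactly as old as the day it was pinned. I would move these steps to the major the other workflows already use before pinning them. The script bodies are only partly visible here, and calls on the `github` client may need the `github.rest.` prefix after the upgrade, so check the full scripts first.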
@@ -34,7 +34,7 @@ jobs: labels: ['backport: auto'] }) - name: 'Remove "backport: auto" if "backport: skip" is set' - uses: actions/github-script@v4 + uses: actions/github-script@10b53a9ec6c222bb4ce97aa6bd2b5f739696b536 # v4 if: | contains(github.event.pull_request.labels.*.name, 'backport: auto') && contains(github.event.pull_request.labels.*.name, 'backport: skip') @@ -65,7 +65,7 @@ jobs: steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: token: ${{ secrets.WRITE_TRADEBOT_DETECTION_RULES_TOKEN }} ref: main @@ -91,7 +91,7 @@ jobs: git reset --soft HEAD^ - name: Setup Python 3.12 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.12' @@ -159,7 +159,7 @@ jobs: git push - name: "Notify slack on failure" - uses: craftech-io/slack-action@v1 + uses: craftech-io/slack-action@fb1d4e50375d7758efb90fa0564734bae931f84f # v1 with: slack_webhook_url: ${{ secrets.EXTERNAL_SLACK_DETECTION_RULES_URL }} status: failure diff --git a/.github/workflows/branch-status-checks.yml b/.github/workflows/branch-status-checks.yml index 4c3490fe4..3b1e72c48 100644 --- a/.github/workflows/branch-status-checks.yml +++ b/.github/workflows/branch-status-checks.yml 
@@ -18,14 +18,14 @@ jobs: steps: - name: Get Backport Status id: get_backport_status - uses: fjogeleit/http-request-action@v1 + uses: fjogeleit/http-request-action@bf78da14118941f7e940279dd58f67e863cbeff6 # v1 with: url: "https://api.github.com/repos/elastic/detection-rules/actions/workflows/pythonpackage.yml/runs?per_page=1&branch=${{matrix.target_branch}}" method: 'GET' bearerToken: ${{ secrets.READ_ELASTIC_DETECTION_RULES_ORG_TOKEN }} - name: Check Backport Status - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 with: script: | const workflow_status = ${{ toJSON(fromJSON(steps.get_backport_status.outputs.response).workflow_runs[0].status) }} diff --git a/.github/workflows/code-checks.yml b/.github/workflows/code-checks.yml index 64004a2b5..f553284e0 100644 --- a/.github/workflows/code-checks.yml +++ b/.github/workflows/code-checks.yml @@ -17,12 +17,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: fetch-depth: 1 - name: Set up Python 3.13 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.13' diff --git a/.github/workflows/community.yml b/.github/workflows/community.yml index 5869e7fbb..907de02b8 100644 --- a/.github/workflows/community.yml +++ b/.github/workflows/community.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check if member of elastic org - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 id: membership with: github-token: ${{ secrets.READ_ELASTIC_DETECTION_RULES_ORG_TOKEN }} @@ -40,7 +40,7 @@ jobs: - name: Add label for community members - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 if: ${{ steps.membership.outputs.result == 'notMember' }} with: script: | 
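Review bot: The 'Get Backport Status' step in branch-status-checks.yml still passes `secrets.READ_ELASTIC_DETECTION_RULES_ORG_TOKEN` as `bearerToken` to the third-party `fjogeleit/http-request-action`. Pinning fixes which code receives the token, but that code still receives it. The next step already runs `actions/github-script`, which could make the same request through its authenticated client (`github.rest.actions.listWorkflowRuns` with `per_page: 1`) by setting `github-token: ${{ secrets.READ_ELASTIC_DETECTION_RULES_ORG_TOKEN }}` on that step. That would remove one third-party dependency from the token's path and drop the `${{ toJSON(fromJSON(...)) }}` expansion inside the script. The script body continues outside the hunk, so confirm how `workflow_status` is used before merging the two steps.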
diff --git a/.github/workflows/get-target-branches.yml b/.github/workflows/get-target-branches.yml index 4c36d9c5b..4dd9c95eb 100644 --- a/.github/workflows/get-target-branches.yml +++ b/.github/workflows/get-target-branches.yml @@ -14,10 +14,10 @@ jobs: outputs: matrix: ${{ steps.get-branch-list.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Set up Python 3.12 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.12' diff --git a/.github/workflows/kibana-mitre-update.yml b/.github/workflows/kibana-mitre-update.yml index 1360c8ab0..734748254 100644 --- a/.github/workflows/kibana-mitre-update.yml +++ b/.github/workflows/kibana-mitre-update.yml @@ -14,7 +14,7 @@ jobs: KIBANA_ISSUE_NUMBER: 166152 # Define the Kibana issue number as a variable steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Get MITRE Attack changed files id: changed-attack-files diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml index 85e6c68cf..9c25b25c6 100644 --- a/.github/workflows/lock-versions.yml +++ b/.github/workflows/lock-versions.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Validate the source branch - uses: actions/github-script@v3 + uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3 with: script: | if ('refs/heads/main' !== '${{github.event.ref}}') { @@ -22,12 +22,12 @@ jobs: } - name: Checkout detection-rules - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: fetch-depth: 0 - name: Set up Python 3.12 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.12' 
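Review bot: The 'Validate the source branch' step in lock-versions.yml still builds its script by expanding `${{github.event.ref}}` inside a quoted JavaScript string, so the ref text becomes part of the program rather than data; pinning the action does not change that. Reading the value at run time avoids the expansion: `if ('refs/heads/main' !== context.payload.ref) {`. release-fleet.yml has the same pattern with `'${{github.ref}}'`, where `context.ref` is the equivalent. The workflow trigger is outside the hunk, so who can influence the ref cannot be judged from here. The step's script body also continues past the end of this hunk.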
@@ -62,7 +62,7 @@ jobs: - name: Create Pull Request id: cpr - uses: peter-evans/create-pull-request@v3 + uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3 with: assignees: '${{github.actor}}' delete-branch: true @@ -78,7 +78,7 @@ jobs: labels: "backport: auto" - name: Archive production artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: release-files path: | diff --git a/.github/workflows/manual-backport.yml b/.github/workflows/manual-backport.yml index 886331ad5..73b248750 100644 --- a/.github/workflows/manual-backport.yml +++ b/.github/workflows/manual-backport.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout detection-rules - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: token: ${{ secrets.WRITE_TRADEBOT_DETECTION_RULES_TOKEN }} fetch-depth: 0 @@ -46,7 +46,7 @@ jobs: git reset --soft HEAD^ - name: Setup Python 3.12 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.12' @@ -79,7 +79,7 @@ jobs: ./detection_rules/etc/commit-and-push.sh $TARGET_BRANCH $COMMIT_SHA - name: "Notify slack on failure" - uses: craftech-io/slack-action@v1 + uses: craftech-io/slack-action@fb1d4e50375d7758efb90fa0564734bae931f84f # v1 with: slack_webhook_url: ${{ secrets.READ_DETECTION_RULES_SLACK_WEBHOOK_TOKEN }} status: failure diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml index 14be3d40b..314be2fd1 100644 --- a/.github/workflows/pythonpackage.yml +++ b/.github/workflows/pythonpackage.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: fetch-depth: 1 
@@ -21,7 +21,7 @@ jobs: git fetch origin main:refs/remotes/origin/main - name: Set up Python 3.13 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.13' @@ -48,7 +48,7 @@ jobs: python -m detection_rules dev build-release $GENERATE_NAVIGATOR_FILES - name: Archive production artifacts for branch builds - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: | github.event_name == 'push' with: diff --git a/.github/workflows/release-docs.yml b/.github/workflows/release-docs.yml index d3cca39e2..ffd23c58e 100644 --- a/.github/workflows/release-docs.yml +++ b/.github/workflows/release-docs.yml @@ -23,13 +23,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout detection-rules - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: path: detection-rules fetch-depth: 0 - name: Checkout elastic/security-docs - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: token: ${{ secrets.WRITE_SECURITY_DOCS_DETECTION_RULES_TOKEN }} repository: "elastic/security-docs" @@ -38,7 +38,7 @@ jobs: ref: ${{ github.event.inputs.target_branch }} - name: Set up Python 3.12 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.12' diff --git a/.github/workflows/release-fleet.yml b/.github/workflows/release-fleet.yml index b33e3ff83..48f5ba21b 100644 --- a/.github/workflows/release-fleet.yml +++ b/.github/workflows/release-fleet.yml 
@@ -39,14 +39,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Validate the source branch - uses: actions/github-script@v3 + uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3 with: script: | if ('refs/heads/main' === '${{github.ref}}') { core.setFailed('Forbidden branch') } - name: Checkout detection-rules - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: path: detection-rules fetch-depth: 0 @@ -66,7 +66,7 @@ jobs: git checkout $COMMIT_HASH - name: Checkout elastic/integrations - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: token: ${{ secrets.WRITE_INTEGRATIONS_DETECTION_RULES_TOKEN }} repository: ${{github.event.inputs.target_repo}} @@ -74,7 +74,7 @@ jobs: fetch-depth: 0 - name: Set up Python 3.12 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.12' @@ -123,7 +123,7 @@ jobs: git config --global user.name "tradebot-elastic" - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3 with: go-version: '^1.20.1' check-latest: true @@ -149,7 +149,7 @@ jobs: $DRAFT_ARGS - name: Archive production artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: release-files path: | diff --git a/.github/workflows/version-code-and-release.yml b/.github/workflows/version-code-and-release.yml index b66b95aba..39d7f2f40 100644 --- a/.github/workflows/version-code-and-release.yml +++ b/.github/workflows/version-code-and-release.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Ensure PR has Version Bump Label - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | 
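Review bot: The 'Checkout elastic/integrations' step in release-fleet.yml takes `repository:` from `github.event.inputs.target_repo` while authenticating with `secrets.WRITE_INTEGRATIONS_DETECTION_RULES_TOKEN`, so the write-scoped token is used against whichever repository the input names, despite the step's name. The input definition is outside the hunk. If it is free text, I would constrain it before the token is used, either by making the input a fixed choice list or by guarding the step with `if: github.event.inputs.target_repo == 'elastic/integrations'` (extend the condition if other targets are legitimate). This matters more now that the action itself is pinned, because the input would be the remaining unpinned element in this step.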
@@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: fetch-depth: 0 @@ -75,7 +75,7 @@ jobs: contents: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: fetch-depth: 0 diff --git a/pyproject.toml b/pyproject.toml index 85c1850f1..4e6a06c16 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.4.0" +version = "1.4.1" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" @@ -38,7 +38,7 @@ dependencies = [ "typing-inspect==0.9.0", "typing-extensions>=4.12", "XlsxWriter~=3.2.0", - "semver==3.0.2", + "semver==3.0.4", "PyGithub==2.2.0", "detection-rules-kql @ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kql", "detection-rules-kibana @ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kibana",