
chore(deps): Pin GitHub Actions and Docker image, configure Dependabot #2159

Open
wants to merge 5 commits into base: master

Conversation

kotakanbe
Member

@kotakanbe kotakanbe commented Mar 27, 2025

This pull request includes several updates to the GitHub Actions workflows and configuration files. The main changes involve updating the versions of various GitHub Actions and adding a new schedule for Docker dependencies.

Why did you implement:

The primary motivation for this pull request is to improve the security and reliability of our build and deployment processes by addressing the "Pinned Dependencies" check flagged by the OSSF Scorecard.

  1. Low OSSF Scorecard Score: Currently, the Vuls OSSF Scorecard shows a score of 0 for the Pinned Dependencies check. This check verifies whether dependencies are pinned to specific, immutable versions (like commit SHAs or digests).
  2. Unpinned Dependencies: Our project was not pinning dependencies for GitHub Actions (in workflow files) and the Docker base image (in the Dockerfile). While Go application dependencies were already pinned, these other areas were left unaddressed.
  3. Security Risks: Using floating versions (like branches or tags, e.g., @v1 or @latest) for dependencies, especially in CI/CD pipelines, introduces a security risk. If the source repository for an action or a base image tag is compromised, malicious code could be injected into our build process without our immediate knowledge. This practice essentially means we always pull the latest code available at runtime for that tag/branch, potentially including unwanted or harmful changes. There have been real-world instances where similar vulnerabilities were exploited (as highlighted in security reports like this example).
  4. Solution: Pinning Dependencies: This PR addresses the risk by explicitly pinning:
    • GitHub Actions in our workflows (*.yml) to specific commit SHAs (e.g., uses: actions/checkout@a12a3943b4bdde767164d792f33f40b04645d846 instead of uses: actions/checkout@v3).
    • The Docker base image in our Dockerfile to a specific SHA256 digest (e.g., FROM alpine:3.21@sha256:... instead of FROM alpine:3.16).
      This ensures that we always use the exact, verified version of the dependency, mitigating the risk of supply chain attacks through compromised dependencies.
  5. Managing Updates with Dependabot: Pinning dependencies manually creates the overhead of checking for and applying updates. To manage this efficiently and keep our dependencies up-to-date securely, this PR also configures Dependabot. Dependabot will now automatically monitor and create pull requests for updates to both GitHub Actions and the Docker base image, allowing us to review and merge updates systematically with reduced manual effort. We have configured it for weekly checks to balance security with manageable update frequency.

By implementing these changes, we significantly enhance the security posture of the Vuls project according to OSSF Scorecard best practices and reduce the risk associated with dependency management.

Workflow updates:

  • Updated the uses references to specific commit SHAs for increased reliability and security in multiple workflow files, including build.yml, codeql-analysis.yml, docker-publish.yml, golangci.yml, goreleaser.yml, and test.yml.

Configuration updates:

  • Changed the update interval for GitHub Actions dependencies from monthly to weekly and added a new schedule for Docker dependencies in .github/dependabot.yml.

Dockerfile update:

  • Updated the base image in the Dockerfile from alpine:3.16 to alpine:3.21 using a specific SHA256 digest to ensure image integrity.

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce.

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: NO

Reference
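The pinning rules described in the PR body can be checked mechanically before Scorecard runs. The following script is an added example, not Vuls project code or the OSSF Scorecard implementation: it flags workflow `uses:` references whose ref after `@` is not a full 40-hex commit SHA, flags Dockerfile `FROM` lines without a sha256 digest, and confirms that dependabot.yml lists both the github-actions and docker ecosystems. The sample workflow, Dockerfile and Dependabot texts (and the all-zeros-style placeholder digest) are constructed inline for the example; the function names are this example's own.

```python
"""Added example (not Vuls project code): a lint in the spirit of the OSSF
Scorecard "Pinned Dependencies" check for GitHub Actions workflows and
Dockerfiles, plus a check that Dependabot covers the pinned ecosystems.
All sample inputs below are constructed for the example."""
import re

# A `uses:` reference is pinned when the ref after '@' is a 40-hex commit SHA.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
# A FROM is pinned when the image name ends in a sha256 digest.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
ECOSYSTEM_RE = re.compile(r"^\s*-?\s*package-ecosystem:\s*['\"]?([\w-]+)")


def unpinned_actions(workflow_text):
    """Return (line_no, ref) for every `uses:` that is not SHA-pinned.
    Local actions (./path) are versioned with the repo and are accepted;
    docker:// refs are accepted only when they carry a digest."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if not DIGEST_RE.search(ref):
                findings.append((no, ref))
            continue
        _, _, version = ref.partition("@")
        if not SHA40_RE.match(version):
            findings.append((no, ref))
    return findings


def unpinned_base_images(dockerfile_text):
    """Return (line_no, image) for every FROM without a sha256 digest.
    FROM lines that refer to an earlier build stage alias, or to scratch,
    pull nothing from a registry and are skipped."""
    stages, findings = set(), []
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image = m.group(1)
        alias = re.search(r"\sAS\s+(\S+)", line, re.IGNORECASE)
        if alias:
            stages.add(alias.group(1))
        if image in stages or image == "scratch":
            continue
        if not DIGEST_RE.search(image):
            findings.append((no, image))
    return findings


def missing_dependabot_ecosystems(dependabot_text,
                                  required=("github-actions", "docker")):
    """Return the required package ecosystems that dependabot.yml omits."""
    present = {m.group(1) for m in map(ECOSYSTEM_RE.match,
                                       dependabot_text.splitlines()) if m}
    return [e for e in required if e not in present]


# Constructed samples: the floating form beside the pinned form.
FLOATING_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v5
"""
PINNED_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@a12a3943b4bdde767164d792f33f40b04645d846 # v3
      - uses: ./.github/actions/local-step
"""
FLOATING_DOCKERFILE = "FROM alpine:3.16\nRUN apk add --no-cache ca-certificates\n"
PLACEHOLDER_DIGEST = "0123456789abcdef" * 4  # constructed, not a real digest
PINNED_DOCKERFILE = (f"FROM alpine:3.21@sha256:{PLACEHOLDER_DIGEST} AS base\n"
                     "FROM base\nRUN apk add --no-cache ca-certificates\n")
DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
"""

if __name__ == "__main__":
    print("floating workflow:", unpinned_actions(FLOATING_WORKFLOW))
    print("pinned workflow:", unpinned_actions(PINNED_WORKFLOW))
    print("floating Dockerfile:", unpinned_base_images(FLOATING_DOCKERFILE))
    print("pinned Dockerfile:", unpinned_base_images(PINNED_DOCKERFILE))
    print("dependabot gaps:", missing_dependabot_ecosystems(DEPENDABOT_YML))
```

Two caveats a practitioner should keep in mind. A SHA pin only fixes which commit of the action runs; it does not cover inputs that the action itself resolves at run time, such as a `version: latest` passed in a `with:` block, which is the separate floating reference the review below points out. And the real Scorecard check also looks at other install sources (package-manager downloads in `run:` steps, for example), so this lint is a pre-check, not a replacement for running Scorecard.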

@kotakanbe kotakanbe requested a review from Copilot March 27, 2025 02:05

@Copilot Copilot AI left a comment


Pull Request Overview

This pull request updates various GitHub Actions workflows and configuration files to address the "Pinned Dependencies" check by explicitly pinning action versions to commit SHAs and updating the Dependabot schedules. Key changes include:

  • Updating workflow “uses” references to commit SHAs for enhanced security.
  • Changing Dependabot update intervals from monthly to weekly and adding a schedule for Docker dependencies.
  • Updating the Dockerfile base image to a pinned SHA256 digest for image integrity.

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.

Show a summary per file
File Description
.github/dependabot.yml Updated Dependabot schedule for GitHub Actions and Docker dependencies.
.github/workflows/goreleaser.yml Pinned workflow actions to commit SHAs; note the “version: latest” input remains.
.github/workflows/docker-publish.yml Pinned workflow actions to commit SHAs for Docker publishing.
.github/workflows/test.yml Pinned workflow actions to commit SHAs for testing.
.github/workflows/golangci.yml Pinned workflow actions to commit SHAs for linting.
.github/workflows/build.yml Pinned workflow actions to commit SHAs for builds.
.github/workflows/codeql-analysis.yml Pinned workflow actions to commit SHAs for CodeQL analysis.
Files not reviewed (1)
  • Dockerfile: Language not supported
Comments suppressed due to low confidence (1)

.github/workflows/goreleaser.yml:40

  • Using 'latest' for the goreleaser version may reintroduce floating dependency risks. Consider pinning this value to a specific, tested version to ensure build reproducibility.
version: latest

@kotakanbe kotakanbe requested a review from Copilot March 27, 2025 02:09

@Copilot Copilot AI left a comment


Pull Request Overview

This PR addresses dependency pinning in GitHub Actions workflows and the Docker base image to improve security and reliability.

  • Updated Dependabot configuration to check GitHub Actions and Docker updates on a weekly schedule.
  • Pinned GitHub Actions references in workflows to specific commit SHAs.
  • Updated the Dockerfile to use an immutable base image via a specific SHA256 digest.

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.

Show a summary per file
File Description
.github/dependabot.yml Changed schedule intervals for GitHub Actions and added Docker updates
.github/workflows/goreleaser.yml Updated action references to specific commit SHAs for various steps
.github/workflows/golangci.yml Updated action references to specific commit SHAs for checkout, setup-go, and golangci-lint
.github/workflows/docker-publish.yml Changed action references to specific commit SHAs across multiple steps
.github/workflows/codeql-analysis.yml Pinned commit SHAs for CodeQL actions and setup steps
.github/workflows/test.yml Updated action references to specific commit SHAs for checkout and setup-go
.github/workflows/build.yml Updated action references to specific commit SHAs for checkout and setup-go
Files not reviewed (1)
  • Dockerfile: Language not supported

@kotakanbe kotakanbe changed the title Gh actions pin deps chore(deps): Pin GitHub Actions and Docker image, configure Dependabot Mar 27, 2025
@kotakanbe kotakanbe marked this pull request as draft March 27, 2025 02:34
@kotakanbe
Member Author

  • Using 'latest' for the goreleaser version may reintroduce floating dependency risks. Consider pinning this value to a specific, tested version to ensure build reproducibility.
version: latest

Dependabot’s standard functionality does not support automatically updating the version: x.y.z specified in the GoReleaser Action’s with: section, so it is excluded from Dependabot’s scope.

@kotakanbe kotakanbe marked this pull request as ready for review March 31, 2025 07:15
@shino
Collaborator

shino commented Apr 2, 2025

Discussion memo:

As discussed in Slack, monthly is preferable for the moment.
The reason is that the review cost for reusable workflows themselves is a bit of a burden, and much, much more so for their dependencies.
Once the Dependabot cooldown period feature comes, we may (or had better?) change the interval to weekly.
cf. dependabot/dependabot-core#3651

Collaborator

@shino shino left a comment


🍻
