Sub-workflow versioning feature

.github/workflows/ci-main-pull-request.yml

@@ -96,6 +96,11 @@ on:
         required: false
         type: string
         default: 'scc-complexity'
+      scc-version:
+        description: 'Version of SCC workflow to use (e.g., main, v1.0.7)'
+        required: false
+        type: string
+        default: 'main'
       perform-language-linting:
         description: 'Perform language-specific linting and pre-compilation checks'
         required: false
@@ -111,6 +116,11 @@ on:
         required: false
         type: boolean
         default: true
+      trufflehog-version:
+        description: 'Version of Trufflehog workflow to use (e.g., main, v1.0.7)'
+        required: false
+        type: string
+        default: 'main'
       perform-trivy-scan:
         description: 'Perform Trivy scan'
         required: false
@@ -146,6 +156,11 @@ on:
         required: false
         type: boolean
         default: false
+      grype-version:
+        description: 'Version of Grype workflow to use (e.g., main, v1.0.7)'
+        required: false
+        type: string
+        default: 'main'
       grype-image-fail-on-high:
         description: 'Fail pipeline if Grype image scan finds HIGH vulnerabilities'
         required: false
@@ -166,6 +181,11 @@ on:
         required: false
         type: boolean
         default: false
+      grype-hab-workflow-version:
+        description: 'Version of Grype Habitat package scan workflow to use (e.g., main, v1.0.7)'
+        required: false
+        type: string
+        default: 'main'
       grype-hab-build-package:
         description: 'Build Habitat package from source before scanning (requires checkout)'
         required: false
@@ -248,6 +268,11 @@ on:
         required: false
         type: boolean
         default: false
+      polaris-version:
+        description: 'Version of Polaris SAST workflow to use (e.g., main, v1.0.7)'
+        required: false
+        type: string
+        default: 'main'
       polaris-application-name:
         description: 'Polaris application name, one of these {Chef-Agents | Chef-Automate | Chef-Chef360 | Chef-Habitat | Chef-Infrastructure-Server | Chef-Shared-Services}'
         required: false
@@ -347,7 +372,12 @@ on:
         description: 'Report Sonar test coverage and other metrics to Atlassian dashboard (Irfans QA dashboard)'
         required: false
         type: boolean
-        default: true     
+        default: true
+      quality-dashboard-version:
+        description: 'Version of quality dashboard workflow to use (e.g., main, v1.0.7)'
+        required: false
+        type: string
+        default: 'main'
       quality-product-name:
         description: 'Product name for quality reporting (Chef360, Courier, Inspec)'
         required: false
@@ -440,6 +470,11 @@ on:
         required: false
         type: boolean
         default: true
+      sbom-version:
+        description: 'Version of SBOM workflow to use (e.g., main, v1.0.7)'
+        required: false
+        type: string
+        default: 'main'
       export-github-sbom:
         description: 'Export SBOM to GitHub'
         required: false
@@ -734,7 +769,7 @@ jobs:
   scc:
     name: 'Source code complexity checks'
     if: ${{ inputs.perform-complexity-checks == true }}
-    uses: chef/common-github-actions/.github/workflows/scc.yml@main
+    uses: chef/common-github-actions/.github/workflows/scc.yml@${{ inputs.scc-version }}
     needs: checkout
     with:
       outputfilename: ${{ inputs.scc-output-filename }}
@@ -859,7 +894,7 @@ jobs:
   run-trufflehog:
     name: 'Trufflehog scan'
     if: ${{ inputs.perform-trufflehog-scan }}
-    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@main
+    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@${{ inputs.trufflehog-version }}
     needs: checkout
     with:
       github-event-name: ${{ inputs.github-event-name }}
@@ -979,7 +1014,7 @@ jobs:
   run-grype-image:
     name: 'Grype Docker image scan'
     if: ${{ inputs.perform-grype-image-scan }}
-    uses: chef/common-github-actions/.github/workflows/grype.yml@main
+    uses: chef/common-github-actions/.github/workflows/grype.yml@${{ inputs.grype-version }}
     needs: checkout
     secrets: inherit
     with:
@@ -990,7 +1025,7 @@ jobs:
   run-grype-hab-package-scan:
     name: 'Grype scan Habitat packages from bldr.habitat.sh'
     if: ${{ inputs.perform-grype-hab-scan == true }}
-    uses: chef/common-github-actions/.github/workflows/grype-hab-package-scan.yml@main
+    uses: chef/common-github-actions/.github/workflows/grype-hab-package-scan.yml@${{ inputs.grype-hab-workflow-version }}
     needs: checkout
     secrets: inherit
     with:
@@ -1301,7 +1336,7 @@ jobs:
   BlackDuck-Polaris-SAST:
     name: 'BlackDuck Polaris SAST scan'
     if: ${{ inputs.perform-blackduck-polaris }}
-    uses: chef/common-github-actions/.github/workflows/polaris-sast.yml@main
+    uses: chef/common-github-actions/.github/workflows/polaris-sast.yml@${{ inputs.polaris-version }}
     needs: checkout
     secrets: inherit
     with:
@@ -1568,7 +1603,7 @@ jobs:
     name: 'Generating SBOM'
     #    Create software bill-of-materials (SBOM) using SPDX format
     if: ${{ inputs.generate-sbom == true }}
-    uses: chef/common-github-actions/.github/workflows/sbom.yml@main
+    uses: chef/common-github-actions/.github/workflows/sbom.yml@${{ inputs.sbom-version }}
     needs: checkout # TODO: fix set-application-version
     secrets: inherit
     with:
@@ -1599,7 +1634,7 @@ jobs:
       id-token: write
       contents: read
     if: ${{ inputs.report-to-atlassian-dashboard == true && success() }}
-    uses: chef/common-github-actions/.github/workflows/irfan-quality-dashboard.yml@main
+    uses: chef/common-github-actions/.github/workflows/irfan-quality-dashboard.yml@${{ inputs.quality-dashboard-version }}
     with:
       perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }}
       build-profile: ${{ inputs.build-profile }}

.github/workflows/stubs/ci-main-pull-request-stub.yml

@@ -38,18 +38,23 @@ jobs:
 
       # complexity-checks
       perform-complexity-checks: true
+      # scc-version: 'main'  # Version of SCC workflow (main, v1.0.7, etc.)
       # scc-output-filename: 'scc-output.txt'
       perform-language-linting: false    # Perform language-specific linting and pre-compilation checks
 
       # trufflehog secret scanning
       perform-trufflehog-scan: true
+      # trufflehog-version: 'main'  # Version of Trufflehog workflow (main, v1.0.7, etc.)
 
       # trivy dependency and container scanning
       perform-trivy-scan: true
+      # grype-version: 'main'  # Version of Grype workflow for source/image scans (main, v1.0.7, etc.)
+      # grype-hab-version: 'main'  # Version of Grype Habitat package scan workflow (main, v1.0.7, etc.)
 
       # BlackDuck SAST (Polaris) and SCA scans (requires a build or download to do SAST)
       # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN
       perform-blackduck-polaris: true
+      # polaris-version: 'main'  # Version of Polaris SAST workflow (main, v1.0.7, etc.)
       polaris-application-name: "Chef-Chef360"  # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product
       polaris-project-name: ${{ github.event.repository.name }}
       # polaris-blackduck-executable: 'path/to/blackduck/binary'
@@ -82,6 +87,7 @@ jobs:
       perform-docker-scan: false  # scan Dockerfile and built images with Docker Scout or Trivy; see repo custom properties matching "container"
 
       # report to central developer dashboard
+      # quality-dashboard-version: 'main'  # Version of quality dashboard workflow (main, v1.0.7, etc.)
       report-to-atlassian-dashboard: false
       quality-product-name: 'Chef-360'   # product name for quality reporting, like Chef360, Courier, Inspec
       # quality-product-name: ${{ github.event.repository.name }}   # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec
@@ -105,6 +111,7 @@ jobs:
       publish-packages: false     # Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)
 
       # generate and export Software Bill of Materials (SBOM) in various formats
+      # sbom-version: 'main'  # Version of SBOM workflow (main, v1.0.7, etc.)
       generate-sbom: true
       export-github-sbom: true      # SPDX JSON artifact on job instance  
       perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above

HOW-TO-USE.md

@@ -48,6 +48,12 @@ jobs:
     with:   
       visibility: ${{ github.event.repository.visibility }}
       language: 'go'  # go, ruby, rust
+
+      # Optionally pin individual scan versions (all default to 'main')
+      # trufflehog-version: 'v1.0.7'
+      # grype-version: 'v1.0.7'
+      # sbom-version: 'v1.0.7'
+
       perform-complexity-checks: true
       perform-trufflehog-scan: true
       perform-trivy-scan: true
@@ -102,6 +108,43 @@ Tags follow semantic versioning: `v{MAJOR}.{MINOR}.{PATCH}`
 
 When code is merged to `main` in `common-github-actions`, a new patch tag is automatically created via the `create-release-tag.yml` workflow. Manual version bumps can be triggered via workflow dispatch.
 
+### Sub-Workflow Versioning (NEW)
+
+**Each security scan can be pinned to its own version independently**, giving you fine-grained control over which scan versions to use:
+
+```yaml
+jobs:
+  ci:
+    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@v1.0.7
+    with:
+      # Pin individual scan versions
+      scc-version: 'v1.0.7'              # Use stable SCC
+      trufflehog-version: 'v1.0.7'       # Use stable TruffleHog
+      grype-version: 'main'              # Use latest Grype
+      grype-hab-workflow-version: 'v1.0.6' # Use older Habitat scan
+      polaris-version: 'v1.0.7'          # Use stable Polaris
+      sbom-version: 'v1.0.7'             # Use stable SBOM
+      quality-dashboard-version: 'main'  # Use latest dashboard
+```
+
+**Benefits:**
+- Pin versions that work well with your project
+- Update individual scans without affecting others
+- Test new scan versions without full pipeline upgrade
+- Avoid breaking changes in production workflows
+- Roll back specific scans if issues arise
+
+**Available Version Inputs:**
+- `scc-version` - Source code complexity checks
+- `trufflehog-version` - Secret scanning
+- `grype-version` - Grype image/source scanning
+- `grype-hab-workflow-version` - Grype Habitat package scanning
+- `polaris-version` - BlackDuck Polaris SAST
+- `sbom-version` - SBOM generation and BlackDuck SCA
+- `quality-dashboard-version` - Quality dashboard reporting
+
+**Default:** All sub-workflows default to `'main'` if not specified.
+
 ---
 
 ## Available Workflows
@@ -166,6 +209,12 @@ jobs:
       version: '1.0.0'
       build-profile: 'cli'
 
+      # Pin scan versions for stability (optional)
+      trufflehog-version: 'v1.0.7'
+      grype-version: 'v1.0.7'
+      polaris-version: 'v1.0.7'
+      sbom-version: 'v1.0.7'
+
       # Code Quality
       perform-complexity-checks: true
       perform-language-linting: true
@@ -259,6 +308,9 @@ jobs:
       visibility: ${{ github.event.repository.visibility }}
       language: 'go'
 
+      # Use specific versions for critical scans
+      trufflehog-version: 'v1.0.7'  # Pin to stable version
+
       # Disable everything except security scans
       perform-complexity-checks: false
       perform-language-linting: false